Trust in Computing_ Analytical Essay_FINAL_15.06.15
Trust in Computing
What is trust, and what is required to establish trust in cyberspace? Describe
how trust relates to the attribution problem in online communications, analyse
the extent to which trust can -- or cannot -- be built into hardware and
software, and, based on your analysis, explain how trust may be created or
destroyed by different IT stakeholders (esp. personal users, commercial
vendors, and government agencies).
Student: Louise Collins
Student ID: 198148266
Subject: US-China Relations
Subject Code: CISS 6022
Date: 15.05.2015
Word Count: 3027 (3387 including bibliography)
Introduction
The purpose of this essay is to investigate and discuss the vital role that trust plays in the
relationship stakeholders have with cyberspace.
Cyberspace, and the implied trust on which it relies, is an enabler for the security of nations, the
viability and effectiveness of national economies and the well-being of communities and people.
Cyberspace is inherently anarchic and this impacts the way that trust is defined and applied.
Cyberspace has no governing body and no formal rules. The resulting assumption is that trust is
therefore highly dependent upon individuals’ experiences in using the information systems that
constitute cyberspace.
The analysis in this paper is developed from technical texts and reports, data and material sourced
from scholarly articles, reports from industry bodies, a media documentary and press reports. In
addressing the essay question, the paper first defines cyberspace and the concept of trust. This
includes an analysis of what erodes trust. The paper then assesses the application of trust in
cyberspace and the capacity for its inclusion in software and hardware. It then evaluates the role that
each of the various IT stakeholders performs in the cyber trust relationship. The paper subsequently
draws some general conclusions about trust and its role in cyberspace.
How is Cyberspace Defined?
Richard Clarke and Robert Knake define cyberspace as all the computer networks in the world and
everything they connect and control.[1] In 2008 the Pentagon assembled a team of experts who
defined cyberspace as “the global domain within the information environment consisting of the
interdependent network of information technology structures, including the internet,
telecommunications networks, computer systems and embedded processors and controllers”.[2]
People, governments, military, corporations, financial institutions, hospitals and other businesses
collect, transact, process and store information in cyberspace. Its effective operation is based on the
premise of trust.
What is Trust?
At its simplest trust is a facilitator of usage in cyberspace. On a conceptual level, trust helps reduce
the level of uncertainty that exists within the realm. It enables stakeholders to overcome any
concerns they may have about their interactions with the networks, services, providers, parties,
tools and devices that constitute cyberspace. Trust is synonymous with security in cyberspace. It is a
very human decision. Pfleeger and Pfleeger support this approach through their assertion that trust
is relative, that it is viewed in the context of the user.[3]
[1] Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It, Group U.K, New York, Ecco, Enfield, 2012, p. 13
[2] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 13
[3] Ibid., p. 245
A key function of trust, given the nature and usages of cyberspace, is that it reflects “the trusting
party’s belief that the trusted party will support its plans”.[4] An example of this would be the
expectation that the purchase of a good or service on-line by Party A will be processed and provided
as required by Party B in a secure and confidential way. The fundamental element here is that trust
in cyberspace is reliant on systems behaving and performing as people expect them to.[5] With this in
mind, trust is a vital factor in performing all activities in cyberspace. It is a reference point that can
be used by stakeholders for predicting behaviours as and when they interact with cyberspace.
On a practical level, for cyberspace to be regarded as a realm of integrity it must be synonymous
with security, performance and privacy. An absence of any one of these elements could result in a
reduction of trust by stakeholders.
Huang and Nicol noted these elements whilst assessing the basis of trust for cloud computing, a
capability enabled by cyberspace. They went further by stating a spectrum of attributes, or sources,
for establishing trust. The sources of trust they listed can be found in Table 1 below:[6]
Table 1: Sources of Trust
The outcome of implementing the levels of competency highlighted must be that confidence,
integrity and availability, and therefore trust, are established within the system.
What is Required to Establish Trust in Cyberspace?
What erodes trust in cyberspace?
In order to fully understand what is required to establish trust in cyberspace it is also necessary to
understand what erodes that trust.
[4] Yonghong Wang & Munindar P. Singh, Evidence Based Trust, ACM Transactions on Autonomous and Adaptive Systems, Vol. 5, No. 3, September 2010, p. 2
[5] Fred B. Schneider, Trust in Cyberspace, Committee on Information Systems Trustworthiness, 1999, p. 1
[6] Jingwei Huang and David M. Nicol, Trust Mechanisms for Cloud Computing, Journal of Cloud Computing: Advances, Systems and Applications 2013, 2:9, Springer Open Journal, p. 6
As mentioned previously, trust depends largely on stakeholders’ experiences of their interactions with
cyberspace. It can easily be eroded by perceptions of insecurity. This is supported by the U.S.
Committee on Information Systems Trustworthiness, which described the application of trust in
cyberspace as being “… highly dependent upon people’s experiences in using a networked
information system”.[7]
Perceptions can easily be influenced by attacks that exploit vulnerabilities in information systems.
Botnets can and have been used to access computers, allowing monitoring and the capture of
personal data. The use and reporting of malware such as the worm that attacked Microsoft Windows
in the early 2000s,[8] the DDoS attacks in Estonia in 2007, the spread of the cryptic Conficker worm in
2009,[9] the discovery of Stuxnet in 2010[10] and commentary on attacks on transaction systems[11]
all combine to erode users’ trust and level of confidence in cyberspace. Even surveillance
activities like those revealed by NSA informant Edward Snowden in June 2013 are counterproductive
to the concept of trust in cyberspace and deleteriously impact perceptions amongst a broad range of
stakeholders.
What are the solutions?
Given the complex nature of cyberspace, trust must exist on two levels. Singer and Friedman
expressed this as follows: “The user must trust the system and the systems must know how to trust
the users.”[12]
Pfleeger and Pfleeger say that a user will trust system software if it does what is expected and
nothing more.[13] Specifically, they state that a user will have confidence if an operating system
provides the following four services consistently and effectively. They are:[14]
Memory protection
File protection
General object access
Authentication
For systems to trust users it is very much about establishing integrity. This is achieved in three main
ways:
Encryption
Digital Certification
Access Control Policies
[7] Fred Schneider, Trust in Cyberspace, Committee on Information Systems Trustworthiness, National Academy Press, Washington D.C, 1999, p. 16
[8] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 44
[9] Johannes M. Bauer, Michel J.G. Van Eeten, Cybersecurity: Stakeholder, Incentives, externalities and policy options, Telecommunications Policy, 2009, Volume 33, Issue 10/11, http://www.sciencedirect.com.ezproxy1.library.usyd.edu.au/science/article/pii/S0308596109000986. Last accessed 13 June, 2015
[10] BBC Horizon, Defeating the Hackers, http://www.dailymotion.com/video/x1mx144_bbc-horizon-defeating-the-hackers-hd_news, 49:05mins. Last accessed 14 June, 2015.
[11] Josh Bavas, Australia Bank fall victim to multi-national hacking attack, ABC News, 17.02.2015. http://www.abc.net.au/news/2015-02-17/banks-victim-of-multi-national-hacking-attack-security-firm-says/6130370. Last accessed 14 June, 2015
[12] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 46
[13] Charles W. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, Prentice Hall, New Jersey, 2007, pp. 26-27
[14] Ibid., p. 242
Peter Singer and Allan Friedman state that “Modern cryptosystems rely on ‘keys’ as the secret way of
coding or decoding information on which trust is built”.[15] More specifically, they state that
asymmetric cryptography provides the fundamental means not only of keeping information
confidential but also of enabling the system to detect any tampering.[16]
Related is digital certification. This is the digital signature that ‘ties together the notion of a digital
signature with key cryptography’.[17] Singer and Friedman note the vital role certificate authorities
play as a source of trust in cyberspace.[18] These authorities approve the ‘certificates’ that bind a
public key with the user’s identity. They are an essential part of the authentication process from a
systems perspective. Hence, they are also essential to establishing trust.
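The tamper detection and the binding of a key to an identity described in the two paragraphs above can be shown concretely. The following is an added illustration, not part of the original essay: it uses textbook RSA over small fixed primes, which is not secure and only demonstrates the principle, and the subject name, messages and function names are constructed for the example.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys


def make_key(p, q):
    """Build a textbook RSA key pair from two primes: (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data, n):
    """SHA-256 of the data, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)


def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)


def signed_fields(subject, public):
    """Canonical bytes of the certificate fields that the CA signs."""
    fields = {"subject": subject, "public_key": list(public)}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject, public, ca_private):
    """The CA binds a public key to an identity by signing both together."""
    return {"subject": subject, "public_key": list(public),
            "ca_signature": sign(signed_fields(subject, public), ca_private)}


def check_message(message, signature, cert, ca_public):
    """Accept only if the CA vouches for the key and the key vouches for the message."""
    public = tuple(cert["public_key"])
    if not verify(signed_fields(cert["subject"], public), cert["ca_signature"], ca_public):
        return "certificate rejected"
    if not verify(message, signature, public):
        return "message rejected"
    return "trusted: " + cert["subject"]


# Constructed keys from known Mersenne primes (far too small for real use).
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**61 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**19 - 1, 2**31 - 1)

if __name__ == "__main__":
    cert = issue_certificate("alice@example.org", ALICE_PUB, CA_PRIV)
    order = b"pay 100 to bob"
    sig = sign(order, ALICE_PRIV)
    print(check_message(order, sig, cert, CA_PUB))              # genuine
    print(check_message(b"pay 900 to bob", sig, cert, CA_PUB))  # altered in transit
    swapped = dict(cert, public_key=list(OTHER_PUB))            # key replaced after issue
    print(check_message(order, sign(order, OTHER_PRIV), swapped, CA_PUB))
```

The receiver needs only the certificate authority's public key in advance; everything else it trusts follows from the two signature checks.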
The access control policy is a matrix of subjects and objects that tells a system who can do what to
whom.[19] It is a key measure for ensuring that a system and user can trust each other.
Trust and its Relationship to Attribution
Attribution relies on trust in a number of ways. Primarily it is through:[20]
Identification trust – a level of assurance in the authenticity and integrity of a user’s claimed
identity.
Authentication trust – verification and confirmation of a user’s proclaimed identity.
Reputation trust – confirmation and evaluation of an entity’s standing in a community. It is both
mutual and bi-directional.
Attribution adds a dimension of complexity to cyberspace. This is because it is difficult to secure
and confirm the identity of an attacker even if all the trust elements are in place.
Primarily, this is because an ‘attacker’ can capture and utilise other computers - using botnets - to
obfuscate their attack. It is also difficult to ascertain the identity of the attacker, their nationality or
even the organisation or country that they represent. The information gathered about identity is
not the same as proof of identity.[21]
The difficulty of proof was demonstrated during the DDoS attack in Estonia in 2007, mentioned
earlier in this paper. Here, the originating state claimed ignorance and an inability to stop the
assault.[22] China too has used the issue of attribution to claim plausible deniability. When Mandiant
released its report exposing Advanced Persistent Threats (APTs) supposedly emanating from China,
the Chinese Government responded by stating that it was “... unprofessional and groundless to
accuse the Chinese military of launching cyber attacks without conclusive evidence”.[23]
[15] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 47
[16] Ibid., p. 46
[17] Ibid., p. 47
[18] Charles W. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, Prentice Hall, New Jersey, 2007, p. 89
[19] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 33
[20] Ravi Sankar Veerubhotla and Richa Garg, Managing Trust in Cyberspace, CRC Press, Boca Raton, Florida, p. 247
[21] Ibid., 2014, p. 33
[22] Chris C. Demchak, Peter Dombrowski, Rise of a Cybered Westphalian Age, Strategic Studies Quarterly, Spring 2011, p. 34
In the current internet architecture there is no way for receivers to attribute the sources of traffic or
senders or for receivers to authorise senders. These deficiencies in attribution leave the internet
vulnerable to denial of service, spoofing, phishing and other attacks. With this in mind, Singer and
Friedman describe ‘proving’ attribution as an “excruciatingly difficult task”.[24]
Accusations, the inability to positively attribute them, and the ability of ‘attackers’ and actors to
deny responsibility seriously impact trust. They can contribute significantly to worsening cyber
relationships between states.
What’s the Extent to Which Trust Can, or Cannot, be Built Into Hardware and Software?
Trust can be built into software and hardware systems in a number of ways. Predominantly this is
around the concept of authenticating identity through proving “something that you know,
something that you have and something that you are”.[25] Something that you know is the password
or secret code; something that you have may include an ATM card; something that you are is
typically a biometric, a human characteristic such as facial, fingerprint or retina recognition. Other
examples are the de facto authenticators that are used on mobile phones for receiving text
messages that contain one-time codes.[26] Pfleeger and Pfleeger state that trust can be built into
software systems if the software has been rigorously developed and tested.[27]
The problem is that none of the mechanisms detailed above are guaranteed. They all carry
limitations. Passwords can be forgotten or stolen or even forged. ATM cards and mobile phones can
also be stolen. Biometrics can even be compromised through ‘amputated fingers’,[28] though this is a
more unlikely scenario. Even rigorous development and testing can be open to interpretation and
poor implementation. Exploits such as time of day to time of use, zero day exploits or even
ambiguities or misunderstandings about security policy and procedures[29] can also be used to exploit
vulnerabilities in software and operating systems.
Most organisations have approached cyber security by trying to put increasingly sophisticated
defences around their perimeter and within their internal network structures.[30] However, access
control mechanisms have also been shown to have some weaknesses. A graphic example of this was
illustrated by Edward Snowden’s leaks about the NSA’s PRISM program. Snowden was able to access
sensitive controlled data that revealed the extent of the NSA’s surveillance activities.[31]
[23] Mandiant, APT1, Exposing One of China’s Cyber Espionage Units, 2013, p. 1, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf, Last accessed 1 June, 2015
[24] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 75
[25] Ibid., p. 32
[26] Ibid., p. 32
[27] Charles W. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, Prentice Hall, New Jersey, 2007, p. 244
[28] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 32
[29] Charles W. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, Prentice Hall, New Jersey, 2007, p. 289
[30] McKinsey and Company, Meeting the Cybersecurity Challenge, Insights and Publications, June 2011. http://www.mckinsey.com/insights/business_technology/meeting_the_cybersecurity_challenge, Last accessed 14 June, 2015
[31] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 50
However, currently, codes like the RSA algorithm are effective and cannot be cracked. This is
because they consist of extremely large prime numbers.[32] It is noted, though, that this may all
change in the future with the advent of quantum computing.[33]
In cyberspace there will always be a way to steal someone’s identity or data. This simply reinforces
two things: the notion that data is both precious and valuable, and that ultimately trust is very
much an individual human decision.
IT Stakeholders’ Roles in Creating or Destroying Trust
In 2014 the ITU identified that cyberspace, because it lacks direct contact, required particularly high
standards of trust and that these standards are required among “individuals, institutions, countries
and systems”.[34] Some of these are discussed in greater detail below.
Personal Users
There have been a number of examples of individual users destroying trust in cyberspace.
Sometimes this is inadvertent, such as the USB key that was used to install Stuxnet in an Iranian
nuclear power station.[35] Singer and Friedman use a similar example of a military officer picking up a
USB and inadvertently enabling one of the largest cyber breaches in US military history.[36] The most
challenging attacks exploit human vulnerabilities rather than technological ones. Increasingly,
cybercrime is driven from social networking sites, which are used to craft phishing attacks or to enable
radicalisation.[37] Such activities undermine trust in cyberspace.
Personal users can help establish trust through simple measures such as password control. More
importantly, through maintaining awareness of the vulnerabilities inherent in cyberspace, they can
make the adjustments necessary to improve their security. By doing so, their level of trust will also
improve.
Commercial Vendors
Commercial Vendors have a significant role to play in enabling trust. They can do this by making
certain that they build and deploy the most secure systems and hardware possible, by implementing
thorough development, testing and risk management regimes. Inadequate protocols expose end
users to zero day exploits and other malware.
Commercial vendors are still able to be manipulated. The Snowden revelations exposed that the U.S.
Government had targeted weaknesses in iconic and highly regarded software and hardware
products provided by Microsoft, Yahoo, Google and Facebook for espionage purposes.[38] These are
providers with whom nearly every end user would interact nearly every day. Revelations such
as these do not instil trust in personal users, governments or even other service providers. The
disclosures contributed significantly to the deterioration of the cyber relationship between the U.S.
and China.
[32] BBC Horizon, Defeating the Hackers, http://www.dailymotion.com/video/x1mx144_bbc-horizon-defeating-the-hackers-hd_news, 20:35mins. Last accessed 14 June, 2015.
[33] Ibid., 21.00mins
[34] ITU, Building Trust in Cyberspace: Taking Stock, Looking Ahead, WSIS+10 Transcript, Geneva, Switzerland, June 2014, p. 4.
[35] BBC Horizon, Defeating the Hackers, http://www.dailymotion.com/video/x1mx144_bbc-horizon-defeating-the-hackers-hd_news, 57:00mins. Last accessed 14 June, 2015
[36] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford University Press, 2014, p. 32
[37] McKinsey and Company, Meeting the Cybersecurity Challenge, Insights and Publications, June 2011. http://www.mckinsey.com/insights/business_technology/meeting_the_cybersecurity_challenge, Last accessed 14 June, 2015
[38] PRISM overview slides. IC on the Record. Office of the US Director of National Intelligence – Tumblr Site, https://nsa.gov1.info/dni/prism.html, Last accessed 6 June 2015
Governments
Governments have a significant role to play in enabling trust – particularly when critical
infrastructure such as health care, financial, power and military systems are all dependent upon the
trustworthy and effective operation of cyberspace. On a government level the International
Telecommunication Union (ITU) identified four points for building trust in cyberspace. They
proposed that governments:[39]
Ensure sufficient technical safeguards are implemented across networks.
Establish a legal and regulatory framework to enable better network management.
Enable and build digital awareness, particularly amongst end users.
Provide political assurances – explicitly making governments more accountable for violation of
personal data privacy and ensuring there are checks and balances in place.
Specifically, the ITU has stated that it believes that greater cooperation amongst governments is
needed to mitigate the risks posed by cyberspace and, hence, to raise the level of trust available within it.
What Can Be Concluded About Trust in Cyberspace?
Ultimately, the full utilisation of cyberspace - by all stakeholders - requires trust with an element of
risk, all within the midst of uncertainty. For over 3.14 billion internet users[40] (and growing) it is a risk
worth taking.
Cyberspace is constantly changing. The technologies that apply in the future will alter the way
people use cyberspace as well as the rules that guide it. Likewise, users’ expectations of cyberspace
are also evolving.
Whatever occurs, trust matters! The reach and importance of cyberspace, and its ongoing development
and usage, are highly dependent upon it. Trust requires, and will continue to require, vigilance on
the part of all users, of those who enable the operations of the internet and of the governments who
create the policies to enable its operation.
[39] ITU, Building Trust in Cyberspace: Taking Stock, Looking Ahead, WSIS+10 Transcript, Geneva, Switzerland, June 2014, p. 15
[40] Internet Users in the World: http://www.internetlivestats.com * Estimate as at June 14 2015
Bibliography
Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It,
Group U.K, New York, Ecco, Enfield, 2012
P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar, What Everyone Needs to Know, Oxford
University Press, 2014
Ravi Sankar Veerubhotla and Richa Garg, Managing Trust in Cyberspace, CRC Press, Boca Raton, Florida,
2008
Yonghong Wang & Munindar P. Singh, Evidence Based Trust, ACM Transactions on Autonomous and
Adaptive Systems, Vol. 5, No. 3, September 2010
Fred B. Schneider, Trust in Cyberspace, Committee on Information Systems Trustworthiness, National
Academy Press, Washington D.C, 1999
Charles W. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, Prentice Hall, New Jersey, 2007
Chris C. Demchak, Peter Dombrowski, Rise of a Cybered Westphalian Age, Strategic Studies Quarterly,
Spring 2011
ITU, Building Trust in Cyberspace: Taking Stock, Looking Ahead, WSIS+10 Transcript, Geneva, Switzerland,
June 2014
Jingwei Huang and David M. Nicol, Trust Mechanisms for Cloud Computing, Journal of Cloud
Computing: Advances, Systems and Applications 2013, 2:9, Springer Open Journal
Hauke Johannes Gierow, Cyber Security in China: New Political Leadership Focuses on Boosting National
Security, Merics, China Monitor, Number 20, 9.12.2014
Mandiant, APT1, Exposing One of China’s Cyber Espionage Units,
2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
PRISM overview slides. IC on the Record. Office of the US Director of National Intelligence – Tumblr Site,
https://nsa.gov1.info/dni/prism.html
BBC Horizon, Defeating the Hackers,
http://www.dailymotion.com/video/x1mx144_bbc-horizon-defeating-the-hackers-hd_news
McKinsey and Company, Meeting the Cybersecurity Challenge, Insights and Publications, June 2011.
http://www.mckinsey.com/insights/business_technology/meeting_the_cybersecurity_challenge, Last
accessed 14 June, 2015
Craig A. Shue and Brent Lagesse, Embracing the Cloud for Better Cybersecurity, Washington University
Publications, Cyberspace Science and Information Intelligence Research (Reference Text)
http://faculty.washington.edu/lagesse/publications/cloudsecurity.pdf