Tag Archives: cybersecurity

Ten things not to do when developing national cybersecurity policies

The Commonwealth Telecommunications Organisation held its 2015 Cybersecurity Forum on 22nd-24th April at the BT Centre in London.  During this, several of us thought it would be an interesting idea to draft a set of ten “not-to-do” things relating to various aspects of cybersecurity, and the first to be prepared (by Stuart Aston, Mike St. John-Green, Martin Koyabe and myself) is on ten things not to do when developing cybersecurity strategies.

We have deliberately focused on the “not-to-do” approach because we feel that such lists can serve as very useful simple reminders to people. As a check-list of negatives, they act as salient caviats for all those involved in developing cybersecurity strategies.

Our “don’ts” should be easy to remember:

  1. Don’t blindly copy another’s Cybersecurity strategy
  2. Don’t expect everything in your strategy to be under your control
  3. Don’t expect to remove all risks
  4. Don’t delegate your strategy to the IT experts
  5. Don’t focus your team only on the threats and the technology
  6. Don’t develop your strategy in a security bubble
  7. Don’t develop your strategy in a government bubble
  8. Don’t overlook the needs of your diverse stakeholders, particularly your citizens
  9. Don’t cover just the easier, tactical quick wins
  10. Don’t expect to finish after the first year

The full version of the recommendations, which includes the positive things that need to be done alongside the negatives, can be downloaded by clicking on the image below:

Ten things not to doDo print this off and share with colleagues you know!  I very much hope that it will act as a useful checklist for all those involved in cybersecurity policy making.


Leave a comment

Filed under Commonwealth, ICT4D, Politics

On “cyber” and the dangers of elision.

The use of the word “cyber” to refer to all matters relating to computers and the Internet has become ubiquitous.  Hence, the terms “cyberspace”, “cybergovernance”, “cybersecurity”, “cybercrime”, “cyberporn” and many other “cybers-” are commonplace, and feature prominently in current rhetoric about ICTs and governance of the Internet.

This has always made me uneasy for two basic reasons:

  • the original meaning of “cybernetics” had little to do with computers; and
  • there is a real danger of elision of meaning, when people use one cyber-word to refer to what other people use another cyber-word for.

A blog is no place for a detailed exegesis on these matters, but I have so often been asked about my views on them that I thought I would briefly summarise them here.

The meaning of “Cyber”
The word “cyber-” is usually seen as being taken from the concept of  “cybernetics”, which itself is derived from the ancient Greek κυβερνήτης, meaning steersman, pilot, or governor.  Hence, “cyber'” is fundamentally to do with governing or steering.  It is used in this sense to refer to the governance of peoples in the First Alcibiades, usually ascribed to Plato.

Cybernetics in its modern form came to be used in the first half of the 20th century to refer to control systems in biology, engineering, applied mathematics, electronics and other such fields, and so was always a very much broader concept than just relating to the field of computing.  As a discipline, cybernetics emerged in the late-1940s and 1950s, especially in the USA, the UK and France, championed by people such as Norbert Wiener and John von Neumann.  The importance of this is to emphasise that in origin, and even until very recently, “cyber-” has been associated with a very broad field of intellectual enquiry, across many disciplines, focusing especially on systems and their control mechanisms.

It therefore seems to me to be inappropriate for the term to have been appropriated quite so aggressively in the field of digital technologies, ICTs and the Internet, first because it causes confusion, and second because in some instances it is tautologous:

  • with respect to confusion, why do we need to speak about terms such as cybergoverance, cybersecurity and cybercrime, especially when there are other terminologies already in existence, such as e-governance, Internet governance, computer crime?  As discussed further below, the lack of consensus and agreement on terminology is problematic.
  • second, though, and of much more concern, it seems to me that the notion of cybergoverance is fundamentally flawed because it is tautologous.  If “cyber-” in essence is to do with governing, then all “cybergovernance” means is governing governance.

There have been many detailed critiques of the use of “Cyber-” in other fields, with Mark Graham’s critique of concepts of cyberspace in the Geographical Journal, being particularly useful.  However, few people have sufficiently emphasised this tautology in the notion of “Cybergoverance”.

Dangers of Elision
When concepts are used in such a slippery way, with meanings being appropriated and adapted so frequently, there is a considerable danger of misunderstanding, overlap, and ultimately of failure to deliver on practical action.  Moreover, behind every use of a concept there is also an interest.  This is very well illustrated by confusion over the terms cybergoverance, cybersecurity and cybercrime (or even cyber-goverance, cyber-security and cyber-crime).  All too often they seem to be used interchangeably, and there really must be clarity of meaning and understanding of such terms if progress in reaching consensus on these very important issues is to be made.  One person’s cybercrime is another’s cybersecurity, and an initiative set up to focus on just one aspect can readily seek to expand into another, thereby causing confusion, duplication of effort, and indeed mistrust.

Although, for the reasons above, I think that the term “Cyber-” should no longer be used at all with respect to work on the Internet, digital security, computer crime and the like, because it is far too broad, I recognise that unfortunately it is now in such common use that this plea will fall on deaf ears.  There are powerful interests who like this ambiguity, and wish to use such terms for their own ends!  Hence, let me offer a simple structure whereby some clarity might be injected into the discourse.  At least for me, there is a nested hierarchy of such terminology:

  • “cybergovernance” (ugh, the tautology still hurts me) should be used (if at all!) for the overarching notion of governance of ICT systems, including concepts such as Internet governance and e-governance;
  • “cybersecurity” can be seen as a subset of cybergoverance, and should be used to refer to all aspects of security with respect to ICT systems.  The concept of “cyber-resilience” can be seen as being closely allied to this, and might actually be a better term, since it is more positive, and takes away the sense of threat around security and the role of the military.
  • “cybercrime”, accordingly, is a subset of cybersecurity, focusing just on the aspects of criminality with respect to the use of ICTs.

Of course there is overlap between these terms, because fully to understand cybercrime, one needs to have a knowledge of cybersecurity, and to understand and act on that one needs to consider wider cybergoverance issues.

My preference is to abandon the use of this “Cyber-” terminology altogether and to use clearer more specific words for what we are talking about and seeking to implement.  Then, we might actually make some progress in ensuring that the poorest and most marginalised can indeed benefit from the potential of ICTs.  However, if these terms continue to be used, let’s first try to reach some better agreement on their bounds and contents.  Cybergovernance, cybersecurity and cybercrime are categorically different concepts, and the interests that seek so often to elide them need to be challenged!


Filed under Commonwealth, ICT4D

Passwords, PIN numbers and cybersecurity

Ever since one of my websites was hacked a few months ago, I have taken a much more personal interest in issues of cybersecurity.  Whilst I have spoken and written many times on the subject, it is only when things really affect you in a personal way that you begin to gain different understandings of the issues.  It represents a shift from a theoretical understanding to a practical one!

I thought I knew most of the various recommendations concerning password and PIN security, and that I had indeed followed them.  However, no digital system is ever completely secure, and the level of sophistication now being used by those intent on stealing identity data, particularly with respect to banking information, is becoming very much more sophisticated.

There are many well known organisations providing advice and recommendations, such as Sophos, Symantec and Kaspersky Lab, but there are rather few places where all of this information is brought together in a single place.  The level of insecurity, and the apparent disinterest among vast numbers of people in doing much about their digital security is not only surprising, but is also deeply concerning.  So, in this posting, I have tried to bring together some of the more interesting observations that have recently been made about passwords and PIN numbers, in order to try to persuade people to take action on this really rather important topic!

Most popular PIN codes and iPhone passcodes
There are numerous articles on the most popular PIN codes – in other words the ones that no-one should actually use! One of the best is Daniel Amitay‘s experiment, where he used Big Brother’s passcode set up screen as a surrogate to estimate iPhone passcode usage, and discovered that the top ten codes listed below represented 15% of all passcodes used:

  1. 1234
  2. 0000
  3. 2580
  4. 1111
  5. 5555
  6. 5683
  7. 0852
  8. 2222
  9. 1212
  10. 1998

None of these are surprising, given that they represent easily remembered structures around the keypad. The passcode 1998 features because it is a year of birth and as Amitay goes on to point out other birth years also feature highly among passwords.

What is perhaps even more worrying is that research by Sophos in 2011 suggested that 67% of consumers do not even use any passcode on their ‘phones, so that a passer-by can access all of the information on the ‘phone without even having to bother to hack the code.

Four digit codes are also commonly used by banks to enable customers to access money through cashpoint machines (ATMs).  Research summarised by Chris Taylor (on Mashable) notes that 27% of people use one of the top 20 PINs for their banking, with the most popular number (1234) being used by a massive 11%.  The top 20 PIN codes he lists are as follows:

  1. 1234 (10.7%)
  2. 1111 (6.0%)
  3. 0000 (1.9%)
  4. 1212 (1.2%)
  5. 7777 (0.7%)
  6. 1004 (0.6%)
  7. 2000 (0.6%)
  8. 4444 (0.5%)
  9. 2222 (0.5%)
  10. 6969 (0.5%)
  11. 9999 (o.5%)
  12. 3333 (0.4%)
  13. 5555 (0.4%)
  14. 6666 (0.4%)
  15. 1122 (0.4%)
  16. 1313 (0.3%)
  17. 8888 (0.3%)
  18. 4321 (0.3%)
  19. 2001 (0.3%)
  20. 1010 (0.3%)

Chris Taylor goes on to comment that although there are 10,000 possible combinations of four digits, 50% of people use the most popular 426 codes!  As he says, “Pick up an ATM card on the street, and you have a 1 in 5 chance of unlocking its cash by entering just five PINs. That’s the kind of Russian Roulette that’s going to be attractive to any casual thief”.

There is therefore  really quite a high probability that even without watching someone enter their PIN number and then stealing the card, or using sophisticated technology to ‘crack’ someone’s PIN code, criminals would have a pretty good chance of accessing someone’s bank account just by using the most popular codes above.  The implication for users is clear: use a PIN code that is not among the most common!

The situation is scarcely better with passwords that people use for their online digital activities. Numerous surveys have all pointed to the same conclusion, that a very small number of passwords continue to be used by large numbers of people.  These change a bit over time, and vary depending on cultural context and country, but the message is clear.  Even without sophisticated programmes to crack passwords, those wishing to access personal information can achieve remarkable success just by trying to use the most common passwords!  The most common passwords, in other words those to be avoided, are listed below:

Splashdata 2012

Sophos Naked Security 2010, based on leaked Gawker Media passwords












































































A slightly more sophisticated approach is that adopted by those wishing to break into networks by testing them automatically against a much larger number of different passwords.  One of the best publicised accounts of this was the Conficker worm, which used the passwords in the chart below to try to access accounts (Sophos, 2009):


Again, this clearly indicates that considerable care needs to be taken in choosing passwords, and ensuring that they are at the very least more complex than those listed above.

Tips to reduce the risk of fraud through mobile devices and digital technologies
Much has been written about sensible advice for reducing the risk of fraud through mobile passcodes, banking PINs and online login passwords.  Such tips will never eliminate really determined people from hacking into your identity, but a few simple steps can at least make it more difficult for the less determined.  These include:

  • Always secure your ‘phone with a PIN code, or better still a password (iPhone users can do this simply in Settings>General>Passcode Lock).  This will help to prevent all of your contacts, photos, e-mails and other personal information being accessed immediately by anyone who picks up your ‘phone.
  • Reduce the time before your ‘phone automatically locks so that it is as short as possible, preferably no more than a minute
  • Always use complex passwords, that preferably include lower case and upper case letters, numbers and special characters
  • Use passwords that are at least 8 characters and preferably more than 12 characters in length
  • Frequently change your passwords at random intervals, so that possible hackers are unaware when to expect changes
  • Use different passwords for different accounts, so that if one password is ‘broken’ this will not permit access to your other accounts
  • Think about using a service that tests the strength of a proposed password (such as The Password Meter, Microsoft’s password checker, or Rumkin’s strength test) – for the hyper-security-conscious person, it is probably best to do this from a computer other than your own!
  • Never, under any circumstances give your passwords or PIN codes to other people

Ultimately, passwords and PIN numbers are just part of a wider defence needed against digital theft.  Human action, be it using the ‘phone in an unsafe public place or unfortunately responding to a phishing attack, is still the cause of much digital grief.  As I write, Sophos has just for example reported a phishing attack through a security breach on the Ethiopian Red Cross Society’s website purporting to be a Google Docs login page.

If the worst happens, and you do lose a ‘phone there are at least two important things to do:

  • Ensure you have software on the ‘phone that can enable you to track it (as with the Find My iPhone app, or for Android ‘phones there are apps such as Sophos’ Mobile Security app)
  • If there is no chance of getting the ‘phone back, then remotely delete all of its content as swiftly as possible, remembering that if it has been backed up on a laptop or cloud facility, then all of the data can be restored at a later date.

Working together, and sharing good practices in personal digital security we can do much to help reduce digital identity theft.


Filed under 'phones, ICT4D general