The Splinternet and how it affects Cybersecurity design and planning

Introduction

The days of a global internet with relative openness are over: regulation and digital borders will rapidly increase in the coming years, or start to become more impactful. Nationalism and concerns about digital colonisation and privacy are driving the "splinternet." Those forces are unlikely to reverse and will only accelerate. The Western nations will still back a relatively open internet model. A complex labyrinth of different regulations, rules and cybersecurity challenges will rule the internet of tomorrow, and it will become increasingly difficult for corporations to navigate. Examples include EU action on data protection and privacy with GDPR, or the UK, where the government is contemplating plans to essentially require age checks on all internet sites. (That is an oversimplification of plans that are based on flawed thinking and tackle the wrong problem.)

What is the Splinternet?

There is no question that the arrival of a fragmented and divided internet is now upon us. The “splinternet,” where cyberspace is controlled and regulated by different countries, is no longer just a concept but a dangerous reality. The splinternet is, essentially, the splitting up of the internet into country-specific and region-specific internets focused on data sovereignty and data protection. It is a formidable challenge to businesses operating in multiple countries. Today, more than 30 world regions/nations impose data sovereignty regulations, including the EU, Brazil, China and India. Even California is imposing the California Consumer Privacy Act (CCPA). This will have an impact on businesses, since they will either have the resources to adapt to each market they choose to operate in or restrict themselves to a single market. This increased complexity will impact cybersecurity in different ways. Some measures, such as acts pushed through by the EU including GDPR, the ePrivacy Act and the Cybersecurity Act, should have a positive impact on the security/privacy landscape, but other measures may lead to the weakening of data/privacy protections for companies and users (see Russia and China).

Considerations for Cybersecurity design and planning


The global trend of the splinternet affects software and systems — a trend which is already having a major impact on cybersecurity. It all boils down to the issue of integrity. The widely accepted “CIA” security model comprises confidentiality, integrity and availability. Confidentiality is perhaps the most obvious element as it covers the threat of data theft which has exploded over the past few years. Availability is also front-of-mind for most organisations faced with Denial of Service and now ransomware attacks. However, integrity has perhaps not quite had the same billing as the other two of late.

That doesn’t mean it’s not still vital to any effective security strategy. Just think back to Stuxnet. It’s now commonly understood that US and Israeli State hackers developed the attack to slow Iran’s nuclear programme. They did this by targeting the centrifuges and the telemetry used by engineers to manage and troubleshoot systems at the Natanz uranium enrichment facility. The Stuxnet attack very effectively exploited the supply chain by first compromising a contractor’s computer, infiltrating his development environment and then injecting malware into the legitimate code they were writing to run on the Siemens industrial control system. In so doing, the state operatives exploited the inherent trust implied in the supply chain, and also made it very hard for the engineers to determine the root cause of the problem. This is what integrity is all about: ensuring that information is credible, accurate and trustworthy. Remove that, and you have a problem.

A recent Chatham House report, "Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences," outlined an even more serious way in which integrity could be undermined by hackers. It describes a scenario in which data manipulation, DoS attacks and “cyber spoofing” could “jeopardise the integrity of communication, leading to increased uncertainty in decision-making”. The outcome could be catastrophic, Chatham House warns, claiming that “inadvertent nuclear launches could stem from an unwitting reliance on false information and data.”

For organisations, this means developing a renewed focus on ensuring the integrity not just of their own systems and services but also of the supply chains and third-party systems and services that they rely on.

Integrity can be defined as an assurance that information remains unaltered from its intended state as it is produced, transmitted, stored, and received. Ensuring integrity may include ensuring the non-repudiation and authenticity of information as well.

Integrity assurance is a part of most security controls implemented and used today. Examples include the following:

  • Patching: improving processing integrity so exploits cannot compromise coding weaknesses
  • Antivirus: defending against code designed to compromise the integrity of systems and information
  • File/container permissions: defining the scope of who and what actions can be taken
  • Backups and version control: preserving original copies to defend against unauthorised changes
  • Encryption and digital signing: ensuring information cannot be stolen (encryption) or altered (digital signing)
  • Detection controls: for logging, monitoring, and intrusion detection systems (IDS) to discover unauthorised system modifications.
  • Hashing: a numeric value created by executing a hashing algorithm against a message or file. Hashes are created at the source and destination or at two different times (such as on the first and fifteenth of the month). If the hashes are the same, integrity is maintained. If the two hashes are different, data integrity has been lost.
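
The hash comparison described in the last bullet, as an added example that is not part of the original post: it records SHA-256 hashes of a directory at one point in time and re-hashes later to report what changed. It goes one step beyond the bullet by sealing the baseline with an HMAC, because a stored hash list that can be rewritten along with the files proves nothing; the key, file names and contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def seal(manifest, key):
    """HMAC over the canonical manifest, so the baseline is tamper-evident."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def compare(root, baseline, tag, key):
    """Authenticate the baseline, then re-hash root and report differences."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline manifest failed authentication")
    now = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in now),
        "added": sorted(p for p in now if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline two files, then alter, delete and add."""
    key = b"constructed-demo-key"  # assumption: real key lives off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_bytes(b"mode=prod\n")
        (root / "run.sh").write_bytes(b"#!/bin/sh\n")
        baseline = build_manifest(root)   # hashes at the first point in time
        tag = seal(baseline, key)
        (root / "app.conf").write_bytes(b"mode=prod\ndebug=1\n")  # altered
        (root / "run.sh").unlink()                                  # removed
        (root / "new.bin").write_bytes(b"\x00")                     # unexpected
        return compare(root, baseline, tag, key)  # hashes at the second point
```

Calling demo() returns the modified, missing and added paths; compare() raises ValueError if the stored baseline no longer matches its HMAC tag.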


Conclusion

The rise of the splinternet, and its effect on cybersecurity design and planning, will require companies and organisations to take into account the landscape they are operating in, in a way they may not have considered before. Some will already be prepared to operate in this landscape, while others will need to take additional steps to ensure their systems remain secure. Overall, the security measures mentioned in this post should, in theory, already be part of the good practice followed by companies. If they are not carrying out those measures, then they need to get their security policies in order before they can begin to worry about the security landscape the splinternet is creating.
