Cyber Security - Secure Your Identity
Sep 15, 2008

We sometimes make decisions without thinking about how we would defend them. Remember the sign that used to hang in most print and copy stores: You can get it cheap, fast or good – pick any two.

When it comes to cyber security, picking fast and cheap may be attractive but may also be indefensible. So why do good people make bad decisions? Usually it is because we don’t ask the right questions. Time is often the problem. With security, we are more likely to be in a reactive than proactive mode. That was the case with the Western Hemisphere Travel initiative (WHTI), which has resulted in Canadian provinces planning enhanced driver’s licences (EDLs) based on U.S. specifications.

What do EDLs have to do with cyber-­security? Let’s start with the fact that a radio frequency ID technology is being used to transmit information through the air across a distance of 30 or more feet. This is meant to speed border crossing, because it allows agents to request and receive information about travelers before they reach the booth. That requested information is transmitted and stored electronically. Some systems have robust security, but do they all? When viewed systemically, how does this proposed process rate?

WHTI has been questioned by many experts on the basis of systemic security, as well as privacy. While it initially seemed to meet the cheap and fast criteria, that too may be hard to defend now, because the infrastructure to read the proposed EDLs cannot be used for the soon to be deployed e-passports. This has led many to question whether the money required for this program would be better spent on the deployment of those e-passports. This same question should be asked by Canadian provinces when they consider enhanced driver’s licences to meet WHTI requirements.

There are other questions that should be answered before governments move forward with EDLs, such as:

  • Are they sure the radio frequency identification (RFID) technology cannot be counterfeited?
  • Should the citizen be responsible for ensuring that no-one can read anything from their tag without their knowledge?
  • Is the citizen even capable of doing that?
  • Why are we considering the use of a technology designed to move goods, rather than more secure technologies designed for human identity management (as employed in e-passports)?
  • Will the government provide electronic data from a driver’s record that would not be available from a passport?
  • How long will a copy of the data be kept on American border computers?
  • Where else will they keep this data, and how will they protect it from both internal and external threats?
  • Will access to this data be controlled by a rights and privileges rules based system, using counterfeit and tamper resistant multi-factor identifiers?
  • Are we endangering consumer confidence in RFID by using it inappropriately?
  • Are there other ways to meet the requirement for expediency at border crossings?
  • Are we close enough to the introduction of e-passports that we could suspend this program?
  • Who pushed hard for this technology, and what did they have to gain?
  • Is the number on the EDL that links it to the holder’s record totally random, or are there things in that number that can help you know something about the person?
  • How many Canadians will apply for EDLs and does it warrant the cost of each province building them?
  • Is joint development more practical?
  • Will the financial sector be hurt by conflicting messages regarding the distance from which RFID cards can be read? The U.S. government says 30 feet or more. Canadian (and American) banks say that contactless RFID needs to be in close proximity and this is part of why contactless payment is secure.

Many of these questions have nothing to do with cyber-security, but customers and constituents view programs more by what doesn’t work than by what does. If your security plan plugs one hole but leaves another open, you won’t be praised for the one you plugged.

Hackers force us to secure our networks and data, but we often fail to recognize the internal risks, so we don’t adequately protect ourselves against inadvertent or intentional employee breaches. Security experts know this and so do the bad guys, so they exploit this hole in the cyber security net. When that happens, can you defend the money that was spent on external threats, if the data was compromised anyway?

The payment card industry has taken steps to protect customers by introducing Data Security Standards, developed to ensure financial data security. Do we not need to do the same to protect identity data, given the alarming growth of identity fraud? Could we leverage these standards for that purpose?

The financial sector has moved forward with new levels of security for Canadians. New chip-based credit and debit cards are starting to move into the market. Because they are counterfeit and tamper resistant, they raise the security bar. This protects us and puts pressure on the public sector to raise their security standards.

Online stakeholders include consumers, merchants, government regulators and law enforcement, among others. While the ability to conduct transactions electronically has significant benefits, identity fraud has eroded success and prevented the market from reaching its potential.

Until we can demonstrate our ability to secure client data, we are racing the clock. Canadians are apprehensive – and it slows in their slow adoption of e-government ­services and internet payment.

The online world must employ new ways of identifying users and their data. We must also remember that an online transaction almost always results in a database record that exists long after the online part is completed. Securing that record is just as important as securing the original transaction. If we are going to stop identity and payment fraud, and drive adoption of e-commerce and e-government, we must deal with both. That means identifying every party that can access data and controlling their rights and privileges.

It also means having a systemic plan and a threat/risk analysis that covers outsiders, employees, contractors and even ­visitors. When such assessments are good, they are rarely fast or cheap!

Not all organizations think about ­suppliers when assessing data risks, as ­witnessed when a U.S. organization bought 129 used PCs – all but 12 had personal or financial data on them. There are numerous stories of individuals and companies that have equipment such as hard drives replaced and are assured that the old ones are destroyed, yet they show up for sale at flea markets or other places.

Employees are a growing part of the problem. Sometimes it is accidental. There are many reports of employees recycling redundant equipment, not realizing that critical data had not been removed. In other cases, information was downloaded or emailed home so that it could be worked on after hours. Other times, organized crime has bought data from an employee or even placed employees in certain jobs.

Identity fraud is growing at an epidemic rate. We’ve seen 8 million credit card ­numbers compromised in a single hack. The private information of 180,000 Canadians was put at risk when a single hard drive was found to be missing from a 3rd party processor. The financial ripple effect of that was felt by both the public and the private sector. We must also stop the ability of organized crime and other criminals from escalating the current counterfeiting problem. To do that, we need to move away from magnetic stripe cards to more advanced card technologies and applications such as smart or optical cards.

In cyber security one is often surrounded by alligators, but remember that questions are an effective weapon. No matter how well you do your job, you will still be affected by the failure of others to ask and answer questions that drive successful programs. When they fail to ask those questions, you must.

You must also insist upon rules-based access to data, and counterfeit and tamper resistant authentication measures to enforce those rules. Governments and corporations around the world are including smart and optical cards in their cyber security. We must step up and do so or risk becoming the target of choice.

When it comes to cyber security, good trumps fast or cheap.

Catherine Johnston is the President and CEO of the Advanced Card Technology Association of Canada. She is also Chairman, International Smart Card Associations Network (ISCAN).
© FrontLine Security 2008