Asia Pacific Security Magazine, May/June 2017

THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com May/June 2017

Piracy is only beaten but not defeated

Robbery Training

Sky's not the limit - India's Space Programme

$8.95 INC. GST

Cyber Week in Singapore

Demonetisation spurs cybercrime in India

The three columns of IoT Security





Contents

Editor's Desk 5
Piracy is only beaten but not defeated 6
Robbery Training 8
Drone terrorism - The ascent of evil 12
A Cyber Week in Singapore 16
Cyber resilience for tomorrow 21
Demonetisation spurs cyber crime in India 24
Cover Feature - Welcome to the future 28
Sky's the limit 31
The three columns of IOT security 32
Artificial Intelligence in the financial services 36
The capability: Facial recognition privacy and regulating new technology 40
CCTV Feature Series - Digital video analytics 42
Women in Security - With Christine Zeitz 45
How to see the cyber and disappear completely 50
Your mum and IoT security 52
Cyber insurance: is it time to start the conversation 54
We must do more in the digital war against Islamic State 57
Is the criminal law on terrorism financing too tough? 58
Children of war - Rise of a nation of young Jihadists 60
Editor's book review 66

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Jane Lo, Tony Campbell, Morry Morgan, Jaye Prakash, Sarosh Bana

Marketing and Advertising: T | +61 8 6361 1786, promoteme@australiansecuritymagazine.com.au
Subscriptions: T | +61 8 6361 1786, subscriptions@mysecurity.com.au

Copyright © 2015 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T | +61 8 6465 4732 E | info@mysecurity.com.au E: editor@australiansecuritymagazine.com.au. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views

Our Network - Connect with us: www.facebook.com/apsmagazine, www.twitter.com/apsmagazine, www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about, www.youtube.com/user/MySecurityAustralia, www.australiansecuritymagazine.com.au, www.malaysiasecuritymagazine.com, www.drasticnews.com, www.chiefit.me, www.cctvbuyersguide.com

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors: Anoosh Mushtaq, Jane Lo *, Dr Monique Mann, Tony Caputo, Nicolas Mayencourt, Morry Morgan, Fraser Duff, Meena Wahi, Ron Bartsch, Peter Flannery, J Prakash

4 | Asia Pacific Security Magazine


Editor's Desk

“While the benefits of IoT are undeniable, the reality is that security is not keeping up with the pace of innovation." - US Department of Homeland Security, Strategic Principles for Securing the Internet of Things (IoT), Version 1.0, November 15, 2016

Any business or government must have security before it can have productivity. Google’s Chief Economist was recently quoted as saying that if we don’t have a productivity boost from technology we’re in real trouble. A few days later, Google announced: "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.” Not even the biggest company in the world is immune to the security problem every business and government is now facing. Many are relying on the fourth industrial revolution to enter its build-out phase and generate new market opportunity and economic growth. However, technology productivity will fundamentally rely on a ‘security and safety’ platform. And although it’s occurring in pockets, the indicators globally and across the Asia Pacific suggest the road to the Internet of Things is going to be a long, rocky one – indeed, people are already being murdered, live, online.

In this issue, IoT & Technology Correspondent Morry Morgan reports on the three security columns for the Internet of Things. Risk analytics is expected to become a US$26.32 billion market by 2020. Risk is big business, and the IoT phenomenon is likely to drive this industry well above those lofty predictions. Part of the reason is the IoT’s rapid growth, estimated by McKinsey at 32.6% CAGR. The other is the lacklustre attitude that many manufacturers of connected devices and IoT-enabled products have towards security. And that’s because, to date, there is no legal liability for manufacturers to secure their products.

Just this week, an Australian security company, Mercury ISS, is reporting that it has created an exploit to access the software controlling more than 200 buildings, including sensitive government facilities such as the Lucas Heights nuclear plant in Sydney and a Royal Australian Air Force (RAAF) base.

In Singapore, an INTERPOL-led operation targeting cybercrime across the ASEAN region identified nearly 9,000 Command and Control (C2) servers and hundreds of compromised websites, including government portals. The operation brought together investigators from Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam to share information on specific cybercrime situations in each country. Additional cyber intelligence was also provided by China. Analysis identified nearly 270 websites infected with malware code which exploited a vulnerability in the website design application. Twelve of Singapore’s Top 50 sites were serving active code from risky “background sites” marked as Adult and Pornography, Gambling, Uncategorized Business and Economy or Content Delivery Networks. Visiting these top 50 sites resulted in active code from no less than 233 different background domains.

The Indian government is striving towards a cashless economy by expanding the scope of digitisation across all activities. Yet cases of banking fraud from phishing, cloning charge cards, cyber stalking, hacking accounts and databases, and identity theft are already on the rise in India. Less than a fifth of the cases registered with the cyber police have been solved over the last four years. In Mumbai, the financial capital of the country, as much as 80 per cent of the crimes registered in 2016 have remained undetected. But moving to a cashless society may still be a good thing.

A vulnerability has been discovered in GMV's Checker ATM Security. The defect allows an attacker to remotely run code on a targeted ATM to increase their privileges in the system, infect it and steal money. The software is used in more than 80,000 cash machines worldwide.

The Trend Micro Forward-looking Threat Research (FTR) Team reported in February that they have found tens of thousands of industrial devices residing on public IP addresses, which could include exposed industrial robots, further increasing the risk that an attacker can access and compromise them. The team found that the software running on industrial robots is outdated, based on vulnerable OSs and libraries, sometimes relying on obsolete cryptographic libraries, and has weak authentication systems with default, unchangeable credentials. There were five classes of attacks that were possible once the team was able to exploit any of the several weaknesses found in the industrial robot architectures and implementations. The attack classes were production outcome alteration or sabotage, ransomware-type schemes, physical damage, production line process interference and sensitive data exfiltration. Given industrial robotics will be used across critical systems such as transport, medical, defence and energy markets, you don’t need too much imagination to consider the security and safety implications if they can be readily compromised.

In this issue, we cover a wide array of topics across the security domain, including piracy, robbery, terrorism and cybercrime. Yet we have dedicated the cover feature to Tony Caputo’s ‘Welcome to the Future’ article, where he creates thought around where humanity has been and, most importantly to us, in the here and now, where we are going. As Tony correctly points out, “the digital universe continues to engulf our existence, now exponentially with every passing year. If you do not have a digital strategy for digital transformation, and I’m not just talking about your company, I’m talking about you: you’re almost three decades behind.” And on that note, as always, we provide plenty of thought-provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and, most importantly, engage.

Chris Cubbage, Executive Editor


Cyber Security

Piracy is only beaten but not defeated

By J Prakash, Singapore correspondent

A nagging reluctance to embarrass one another for fear of softening the Association of South East Asian (ASEAN) solidarity, poor economic growth and the lack of job opportunities appear to be contributing to a rise in pirate attacks in the seas and waters surrounding eastern Indonesia. But the problem could actually be larger. Not only is there the question of fading economic opportunities, but lax enforcement of security measures is perceptibly feeding a scourge that has the potential to scale to what was seen a decade ago, when Indonesia, according to an International Maritime Bureau (IMB) report, finished second only to Nigeria and the waters and seas around it were deemed too dangerous a place for ships and ship owners.

On 20 Feb 17, the ReCAAP ISC, a multilateral information-sharing body operating out of Singapore, received a report from its Vietnamese counterparts about an abduction incident that occurred on a Vietnam-registered ship, Giang Hai. The bulk carrier was sailing from Indonesia to Iloilo Port, Philippines, when an unidentified number of pirates boarded the ship and abducted its six crew members and fatally shot one. The pirates destroyed navigation and communication equipment before escaping. The ship then headed to the Taganak anchorage area, Tawi Tawi, Philippines, and underwent investigations conducted by the Philippine authorities. Such incidents remain standard fare in South East Asia, where ships are boarded by pirates and robbed of their possessions or, in extreme cases such as that of the Giang Hai, have their crew maimed or sometimes even killed.

Since the de-escalation of piracy off the Gulf of Aden, a new focal point is emerging, unseen and possibly unnoticed by the rest of the global community. Even as it remains in the shadows of the vastly lucrative maritime trade criss-crossing the busy South China Sea shipping lanes, what has been especially worrying is the rising frequency of such attacks. The prospect of more of these raids can now only mean an increase in cargo insurance premiums for the foreseeable future, and heightened security preparedness in the hire of security guards. Another prospect is the installation of security devices to stave off the increasing and worrying tide of ship assaults and hostage taking.

Too Little Information and Too Little To Do

Though the continued fall in piracy is good news, outlines Pottengal Mukundan, Director of the International Maritime Bureau (IMB), ‘the kidnappings’, he adds with emphasis, ‘in the Sulu Sea between East Malaysia and the Philippines are a particular concern’. Speaking to APSM in a phone interview, Mukundan said the most encouraging news of all is that pirate attacks across the western part and the hinterland of Indonesia have decreased; the nagging problem actually lies in the Sulu Sea. ‘The situation in the Sulu Seas is worrying’, he decries, and that is because of a very loose, diffuse, fragmented and informal system in which shipping and fishing overlap one another to present a very confusing and defying charade of hide and seek. There is, as he says, ‘a lot of fishing traffic’ in the region, and that adds to the tide of confusion and hampers clear-eyed analysis of what is now raising the ante on the Indonesian periphery of security operations. That leaves coast guard patrols in hot pursuit of pirates stopped dead in their tracks, with little or no chance of ever positively identifying or apprehending them. Because pirates disguise themselves as fishermen in the vicinity of the Sulu Sea, security operations and security coordination on the high seas are frustrated and undermined by the extent to which these fishermen turned pirates conceal their tracks. And that is worsened not just by corrupt practices but also through a very well-oiled and well-choreographed regime of connivance by enforcement officials.

A Worsening Situation

The problem, as a matter of fact, according to Mukundan, has worsened to such an extent that even tugs and barges are attacked, with their crew taken to the southern Philippines, where a militant insurgency that has been festering for decades recently made headlines in the beheading of captives and making a parade out of them. Yet the problem in South East Asia as it unfolds cannot be any starker than the tide of piracy the world saw off the Gulf of Aden over the last few years. Unlike the very brazen Somali pirates (except for the episode on 14th March when they resumed their wilful ways in the hijack of the Aris 13, a Panamanian-owned vessel), South East Asian pirates are in the business purely for money, and that is for nothing more than that they are perceptibly less organised than their Somali counterparts. That explains why they mostly take to robbing their victims and drop the idea of ever taking hostages. By extension, it also explains why ship owners could quietly be abetting piracy by not reporting such incidents for fear of either alarming their shore masters or giving insurers cause to justify raising premiums. Still, unlike the times when ship owners wrapped their vessels with razor wire and hired security guards, none of those measures have ever been taken in South East Asia. Ship owners have often been leery of hiring guards for fear of causing casualties or even fatalities among their own crew. Yet many have been quick to pin the blame on ReCAAP, which they say is doing too little about the kind of information it is disseminating.

Just like ASEAN, ReCAAP too is hamstrung by the politics of deference. Though it may not have said so openly, an open secret making its rounds is that the body is downplaying the information-sharing process, much to the detriment of ship owners. That reluctance to reveal precisely all the information the body has causes a whole host of problems, from pursuing pirates onto the shores of neighbouring countries to revealing ‘compromising’ information about one another. Yet the larger and more pressing issue is with the entire socio-economic matrix within Indonesia proper itself, which is feeding and fostering poverty, which in turn feeds into piracy. Indonesian president Joko Widodo has made it his administration’s goal to reduce poverty by building infrastructure links. That is a good start to cleansing the nation of the piracy menace, but what remains undocumented is how successful he will be, given that he has just a few more years left in his term. Until then piracy in South East Asia will remain as it is: only beaten but never defeated.


Robbery training

Rigid adherence to a compliance approach can not only be unsafe, but leave you liable.

By Fraser Duff and Peter Flannery

When people think of robbery, their initial thoughts may turn to banks, the traditional guardians of our hard-earned dollars. This transparent position made banks a popular target for robbery. However, over the years, banks' well-developed protective security measures have made them amongst the most difficult targets of all for robbery. That’s great for banks and those who work in or are customers of banks, as it has significantly reduced the frequency and likelihood of an attack. It has, however, also meant that when robbery does occur in a banking environment, it most commonly involves weapons, with firearms statistically more prevalent in bank robbery than in any other robbery setting. It has also meant that many more robberies take place against organisations that are perceived as less protected or easier targets, and many more against individuals in public places.

More than a hundred thousand incidents of robbery have occurred in Australia over the last two decades, and in that time a predominant response strategy has emerged… the strategy of ‘compliance’. There has been a common belief amongst safety and security experts that compliance is the best way to survive a critical incident such as robbery, and as such, training aimed at helping people develop the knowledge and skills they needed to survive robbery focused on compliance-related skills. The strategy was built upon the premise that whilst robbery is a confrontational crime of violence, it is first and foremost a crime of theft in which financial gain is the core objective, and violence is therefore simply part of a method used to induce victims not to resist. The logic being that submissive, non-threatening and compliant behaviour will, in all probability, afford you the greatest opportunity of survival. This belief is primarily based upon anecdotal evidence of the connection between victim resistance and victim harm, combined with what therefore appears to be a good common-sense approach. There are many examples of victims who have been non-compliant, predominantly driven by the goal of “social justice”, including challenging, resisting, fighting, chasing and attempting to capture robbers in the commission of their crimes. Those victims have paid a high price, sometimes fatally, for their error in judgement.

So it seems the main premise behind compliance is the perception that victims have one of two options: to comply or not to comply. Since non-compliance is construed as offering resistance, which is naturally associated with increasing the risk, compliance is therefore assumed to be the safest option. It is timely, however, to re-evaluate and consider whether the ‘one size fits all’ approach for dealing with such unpredictable and significant threats is valid and reliable. It may be tempting to recommend this approach, teaching staff to just comply, with the corollary being... you won’t get hurt. But this may not be the case in all circumstances and could falsely lead staff to believe they are going to be safe. Our belief in this one-size-fits-all approach for responding to robbery is supported when nothing goes wrong. But what happens when things do go wrong, and these volatile, unpredictable situations change? Consider all the different variables that can occur in a robbery, given no two scenarios are the same. For instance, what happens if a customer gets involved or intervenes in a robbery, or you are caught out in an isolated, remote location on your own, or the robber decides to carry out an abduction? What about options such as escaping or staying within a secured area that offers increased levels of protection, or activating protective screens or barriers? And when might


using force and defending not only be a lawfully defensible response, but the best and safest response for a robbery-related event?

Let’s imagine you work in a bank, and your bank is equipped with ballistic screens, when the following occurs. A tall man, wearing a black balaclava and armed with a firearm, charges in, throws a bag across the counter at a colleague near you and yells, “Put the money in the bag. Put the money in the bag”. Initially he is pointing the firearm at your colleague. Your colleague complies and fills the bag. The male then yells “Next box” to her, indicating he wants the money from the next counter position. As the colleague moves, the male is pointing the gun around, and a male customer is right alongside him. The robber yells, “I’ll f---ing shoot him. Put the money in the bag. Don’t press the button. I’ll f---ing kill him”. You are hugely stressed. What you process as you watch the gun being pointed around is that, at a particular point, an opportunity arises in which you believe it is safe to activate the ballistic fly-up screen, so you seize the opportunity to hit the button, and the ballistic screen activates, immediately putting up a protective barrier for you and others on your side of the counter. You hear the robber scream out from the other side of the screen, “I f---ing warned you!”, and then you immediately hear a gunshot. You immediately fear the worst! If this situation happened to you, what would you do?

Turns out, this is exactly what happened in a Westpac bank robbery in February 2010. What actually transpired in those final horrifying moments was that the robber fired a single shot into the roof without physically injuring anyone, and then immediately fled. The customer who was standing alongside the robber on the unprotected side of the screen suffered post-traumatic stress disorder (PTSD) as a victim in that event and laid claim for compensation. You can imagine the trauma he experienced. And yet, did Westpac breach its duty of care owed to him as a customer through the non-compliant actions of the staff member who activated the ballistic screen? This was the position raised when this customer put their claim for damages forward. The affected customer argued that all bank staff should always obey a robber’s instructions and remain compliant, but in this event they did not.

So let’s contemplate a few very important questions. Should you always remain compliant in a robbery? What should training actually teach you? What does your workplace policy and procedure suggest or require of you, and is this a best practice procedure? If you do have screens and you activate them, have you acted lawfully and justifiably? What response is best and safest in the circumstance?

If we return to the actual incident that Westpac faced in 2010 and the subsequent case filed by the unfortunate victim, we can find some very interesting answers with regard to the lawful obligations and reasonable expectations of staff facing such events. The initial outcome of the case was to deny the claim. It was challenged, however, through appeal, and the case has since been through the Supreme Court of the ACT, Court of Appeal, whereupon in Dec 2016 the following findings were confirmed. The appeal judges, in support of the original judgement, found that: ‘There could be no duty of care owed to the customer by way of special arrangement in this circumstance, and that even if there were, it would not have been breached by the staff member’s actions in activating the ballistic screen’. The court/s ruled that ‘the bank had no indirect control on what a person doing robbery would or could do in such situations, and therefore did not owe a duty to prevent harm from criminal activity of a third party, even though the risk of harm occurring in a robbery was foreseeable’. Regarding the affected customer’s suggestion that all bank staff should be trained to always obey a robber’s instruction, the court said, ‘Indeed such an inflexible instruction to staff, who are themselves likely victims of harm in an attempted robbery, would likely be a breach of the bank’s duty to staff, should compliance with that instruction be causative of their harm’. The claim has been denied.

After having researched robbery events for many years, both domestically and internationally, and having conversed with large numbers of victims, you start to question whether robbery training which stringently and simplistically advocates compliance as the only response action for victims of robbery is catering to the knowledge and skills that staff critically need in order to properly appraise the risk and then respond in the best and safest manner. When you challenge earlier assumptions, you start to uncover some hidden truths, truths that really belie your beliefs about what is right in a circumstance that could literally cost someone their life.

Let’s take a look at another real robbery in which an individual sought compensation, and where the adequacy of the control measures undertaken by their employer was under scrutiny (Common Law tort of negligence and Statute Law OH&S at that time). For confidentiality purposes the victim and organisation will remain anonymous; however, it presents a grave tale and gives rise to yet more questions. A young male in his mid 20s was working alone carrying out cash transactions with customers. During the mid afternoon he happened to notice three males loitering outside the building façade. He paid little heed to their presence given there were customers inside and he felt somewhat secure at the time. Later that evening, however, around 8.30pm, he started his night lock-up procedure. Just prior to leaving, he put the internal alarm system on and then proceeded to exit the building. Whilst key-locking the front door he was verbally challenged from across the street by the same three males some 40 metres away. They threatened him not to move as they raced across the road to accost him. They forced him to unlock the door and then pushed him inside, threatening him with a small revolver. Once inside they demanded he take them to the time delay safe located at the back of the


premises. Unknown to the assailants, the time delay safe was programmed to remain locked until the following morning. The three assailants demanded the victim gain entry to the safe, regardless of the victim’s attempts to explain the procedure. The assailants didn’t believe him and continued to threaten him to open the safe, making him repeatedly re-enter his access code. After continued failed attempts they accused him of withholding and denying them access. It’s at this point that their intentions changed and they started physically assaulting him, hitting him about the head with their fists and the butt of the revolver, nearly knocking him unconscious. Then the situation worsened: whilst he was on the floor after being beaten, the assailants proceeded to sexually assault him with the firearm. This attack was immediately followed by a decision to abduct him. Now consider this! “What are their intentions; good or bad?” They grabbed him and forced him to walk down the street under the cover of darkness some 200 metres to a location where their car was parked. The driver entered the vehicle via the driver’s side door, whilst the two remaining assailants attempted to force the young male victim into the back seat from the footpath. It was at this point that he felt his life was in imminent danger and he believed that if he got into the vehicle then he would meet his end. With that in mind he lashed out, breaking free from the grip of the remaining assailants. He fled down the street onto a main road and managed to hail a passing vehicle, which stopped and rendered him assistance. The assailants fled the scene and were never apprehended.

It was two weeks after the attack that the young male victim finally told the Police the full story of his ordeal, including the rape and abduction. The associated trauma of the event was so devastating for him, and he felt such enormous shame and stress over what had happened, that he couldn’t bring himself to tell anyone. Given the standard methodology in robbery training is ‘be compliant’, what would have happened if the man in the incident described above had followed these instructions explicitly, operating on a belief that his only option was to comply and be submissive to the will of violent criminals? This unfortunately is not an isolated incident; there are many robbery incidents where assailants don’t always do what we expect. Whilst robbery is a theft-related crime of violence, it can and has combined with other serious crimes, i.e., homicide, serious assault, grievous bodily harm, abduction, sexual assault and hostage taking. In July 2014 in California, a gang of three armed robbers took three compliant female hostages as they left a bank robbery. In the course of their escape, they shot and injured two of the hostages, dumping them from their getaway car at speed during the pursuit by law enforcement in an effort to create a diversion to assist in their escape. The third hostage was killed in a final showdown with police.

It’s robberies like these that force us to rethink what is the best and safest way for victims to respond when the situation they encounter doesn’t follow the linear path expected, and where their environment may have been designed to offer other options that maximise their physical safety and protection. After two years of design, a more holistic approach was developed: ‘Robbery CTRM’. The aim of this new approach is to provide a risk-based and recognition-primed way of making decisions, to enable victims to appraise their specific situation and quickly determine what actions are best in their circumstance. The standard one-size-fits-all approach is likely to be not only inadequate in skilling staff to respond appropriately to foreseeable risks within robbery but, depending upon its message, it is very likely to also leave employers liable. Compliance still is an integral part of a response to robbery; however, it needs to be considered in concert with contingency options and last resort measures to better prepare and protect victims in all arising circumstances.

What we now know through research of incidents, victim and criminal behaviour is that not all robberies are the same. Circumstance, environmental setting, other victims' behaviour, criminal disposition and motivation, and the affected state of robbers vary greatly. The intention to carry out ‘just robbery’ can and has changed during an attack. Situations don’t always go as planned. Contingencies arise that exceed the boundary of current compliance-based training approaches, and inadequacies in this area can compromise safety. All situations require additional considerations around what’s best and safest in the changing circumstance. Consider the enormity of leaving victims to contemplate a range of behaviours and problem-solve possible courses of action that they have never previously considered or discussed, and to do so under actual traumatic conditions, with enormous stress and where their life is in the balance. Robbery is a crime of violence, and the very nature of violence is that it can change what should otherwise be a ‘predictable’ course of events, resulting in a sometimes dramatic change in the risk profile. With greater access to information sharing and increased levels of understanding concerning the full ambit of risks that permeate this threat environment, there is a critical need to review current methodology. It requires us to consider more holistic approaches to a broader range of robbery circumstances so we can better serve the safety needs of all robbery victims.

About the Authors

Fraser Duff and Peter Flannery both have over 20 years’ experience in critical incident risk management and training. Together they have developed the Robbery CTRM (Counter Threat Response Model) methodology for critical incidents to help better protect those at risk. E-mail risk@passmoreduff.com – references available on request.




Cover Feature

By Ron Bartsch

If 900g of weapons-grade anthrax were dropped from a drone at a height of 100m just upwind of a large city of 1.5 million people, all inhabitants would become infected. Even with the most aggressive medical measures that can realistically be taken during an epidemic, a study estimates that approximately 123,000 people would die—40 times more fatalities than from the 2001 World Trade Centre terrorist attacks.

Chilling Scenarios

The chilling scenario above was one that was put forward more than a decade ago by Eugene Miasnikov in his report “Threat of Terrorism Using Unmanned Aerial Vehicles” (2005). If drones in the hands of terrorists back in 2005 posed a plausible threat, imagine the threat that exists today. As science and technological innovation continue to rampage, we often lose sight of how much the world has changed—and in this instance, the extent to which terrorists will go in order to achieve their objectives. With this in mind, consider the following modern-day scenario. A terrorist organisation parks a small removals van in a crowded street of a major city under the flight path of a nearby international airport. The van’s canopy has an open top but the sides are high, and its payload of half a dozen high-performance quadcopter drones is obscured from the view of passers-by. To each drone is attached an explosive device—not dissimilar to those worn by suicide terrorists. The day and time chosen have been well planned to coincide with the runway being used for take-off. The targeted aircraft—an Airbus A380—is departing with a full payload of passengers and fuel, possibly in excess of 500 passengers and over 250 tonnes of fuel. The aircraft lifts off and the drones are launched remotely and rapidly ascend. With the aid of the high-resolution cameras on board, the controllers are able to direct the drones into the path of the A380’s four enormous engines. The situation described above is not inconceivable.



Hoping that such a deplorable act upon humanity would never eventuate is no deterrent to the minds of terrorists seeking to inflict maximum carnage and media attention.

What is the scope of the drone terrorist threat?

Outside areas of civil unrest and war zones, there are increasing instances of home-grown drone terrorism. In 2012 the USA came under threat when a graduate student from Massachusetts plotted to strap plastic explosives to small drones and fly them into the Pentagon, the White House and the US Capitol building. In Japan it has been reported that a drone carrying a bottle of radioactive sand from Fukushima landed at the office of the Japanese Prime Minister in April 2015. In the UK the Metropolitan Police recorded over 30 suspicious drone-flying incidents around London between 2015 and 2016. Unidentified drones have also been flown over various landmarks in France, including the US Embassy and the Eiffel Tower. In 2016 at the Euro Cup qualifying match between Albania and Serbia the game was abandoned after a drone carrying a pro-Albanian banner was seen flying over the pitch. The incident caused brawls to break out between players, team officials and fans. An alarming report, “The Hostile Use of Drones” (Abbott et al., 2016), was released in the UK in 2016 and warns that terrorists wanting to cause chaos, such as by attacking nuclear power stations, have the potential to convert drones that are currently commercially available into flying armed missiles. The report suggests that the technology of remote-control warfare is impossible to control. A UK government counterterrorism adviser, Detective Chief Inspector Colin Smith, has warned that terrorists could use commercially available drones to attack passenger planes. The security expert warned that small quadcopter drones could easily be used by terrorists for attacks and propaganda purposes. Terrorists could fly drones into an engine or load them
with explosives to try to bring down a commercial airliner. Smith poses the question: “Are drone mitigation strategies going to be like the concrete bollards in front of airport terminals—something we can expect once the horse has bolted?” Recently in the US, the Department of Homeland Security issued a terror alert warning that drones could be used by terrorists to attack commercial aircraft, after three drones were spotted in a single weekend in late 2015 flying above JFK International Airport. The sighting of the first drone was reported by the crew of a JetBlue flight arriving from Haiti. Just 2.5 hours later a Delta pilot, arriving at JFK from Orlando, reported a drone at approximately 1,400 ft and only 100 ft below the aircraft. The third report was from a Shuttle America flight arriving from Richmond, Virginia. And all this in the space of just two days.

Combating the threat

Aviation is generally regarded as the most strictly and extensively regulated industry. It is therefore logical to conclude that the solution for controlling this new form of aircraft will be found in passing relevant laws and regulations. However, attempting to legislate against random acts of stupidity is difficult, particularly in the fast-moving world of technology. Also, “don’t be an idiot” lacks legal clarity. Jonathan Rupprecht, a Florida-based lawyer specializing in unmanned aircraft, divides stupid drone owners into two groups: the “how high can it fly” group and the “I will fly it wherever I want” group. Obviously the latter grouping may also include acts of terrorism. It is the freedom and agility with which aeronautical activities can readily transcend previously restrictive
geographic and political boundaries that truly differentiates flying from all other modes of transport. To harness this freedom for the betterment of all, aviation regulation provides the requisite authority, responsibility and sanctions. The regulation of aerial activities is as fundamental and rudimentary to the aviation industry as civil order is to modern society. In no other field of human endeavour or branch of law does there exist such a vital yet symbiotic relationship. International harmonization of aviation standards has been achieved through treaties. The Chicago Convention of 1944 is by far the most prolifically ratified international treaty. More than 190 sovereign states have ratified this convention and in so doing have agreed, under international air law, to be bound by the technical and operational standards developed by ICAO.

Compulsory registration of drones

As drones become more common, many governments are considering a number of options to restrict their use. Registration of drones, as with cars, airplanes or even guns, is now being introduced all over the world, with the FAA leading the way: over 500,000 drones were registered in the first few months of October 2015. It has also been suggested that drone controllers should be subjected, at a minimum, to the same background check standards as persons granted unescorted access to security restricted areas of airports, as is required under ICAO Annex 17. The UK and Australia are also building similar registration systems to follow suit. It’s far from clear how registration would mitigate an act of terrorism, as it is more of a system for tracking law-abiding citizens’ drones. David Dunn (2016), Professor of International Politics at Birmingham University, believes that any licensing system is unlikely to deter terrorists:

“Law-abiding citizens are likely to register, but it would be very difficult to stop terrorists and other criminals from purchasing drones abroad and then using them here. Up until now it was expensive and required skill to be able to fly an aircraft—which acted as a form of regulation in itself. Now, you can fly these things relatively easily over people’s heads.”


In the UK the House of Lords has called upon the EU to introduce a compulsory registration system for the devices, but the plans have stalled. Drone owners currently don’t have to register their devices in the UK, but operators need permission from the British CAA to fly them for commercial purposes or over long distances. Currently in the UK, anyone can own and operate a drone weighing less than 20kg (3st 2lb) for non-commercial purposes.

Mitigating the drone terrorist threat?

As we have seen above, it is obvious that legislative restrictions alone on the use of drones would in most instances prove futile when it comes to acts of drone-related terrorism. There has been very little indication that governments are prepared to prohibit the importation or manufacture of drones, or even to limit the payload capacity of commercial drones that are sold. Further complicating this issue is the fact that, in many instances, drones are purchased online. Creating a greater awareness in the broader community of the extent to which drones may be used by terrorists (and other criminals), including publicizing the dangers—without hysterics—may be a good start. Also, manufacturers and distributors of drones and training establishments throughout the world should be more vigilant of the possible use of drones for terrorist activities. By way of parallel, many governments have passed legislation requiring retailers of chlorine (for swimming pools) and household fertilizers to report certain sales or suspicious transactions. International arrangements regulating the export of drone technology could be refined and strengthened with terrorist activities in mind, with special attention on drones equipped with technologies that can evade radar or have high-performance capabilities. While the rapid advancement of drone technological development has created the problem, it may also provide the solution.

By far the most effective method of protecting targets from drone attacks may be the installation (or possibly mandating) of geo-fencing or g-gate technology software. Pre-programming geo-fenced areas would mean that drones would be automatically shut down if they tried to enter certain sites. NASA is also currently working on a tracking system, but a working prototype is not expected until 2019. Drone manufacturers could be required to install the GPS coordinates of government-mandated no-fly zones and have drones automatically shut down if they approach such a space. DJI, the world’s largest commercial drone-maker, is one of the leaders in geo-fencing technology. With drone sales in excess of US$1 billion in 2015, it recently released its geo-fencing software to restrict drones from flying near aerodromes and other restricted areas on a worldwide basis. The drones will no longer be able to fly near wildfires, prisons, power plants, professional sporting events or areas the US president is visiting. It is proposed that all DJI drones will have the software installed by default. In practice, this means that drones will not be able to enter into, take off from or land in restricted areas. The software will automatically update with new information on restrictions, meaning drones will be able to respond to changing environments such as areas of natural disasters or one-off sporting events.

Other technological defences against the hostile use of drones include security alert systems that trigger when drones appear in no-fly zones. One American company—DroneShield—has been awarded contracts to protect certain locations from possible terrorist attacks, including the Boston Marathon. It is likely that this technology will be increasingly utilized in security-sensitive sites and restricted areas. In the UK the Remote Control Project, run by the Oxford Research Group, has called on the British government to fund the development of military-style lasers to shoot drones down and the creation of jamming and early-warning systems to be used by police. But such devices would require amendment of UK laws over the use of such jammers. Laser technology to destroy drones has in many instances failed to live up to expectations, either struggling to stay fully powered for long periods or being disrupted by dust and fog. However, in the US, Boeing has unveiled its new laser-powered anti-drone technology. The Compact Laser Weapons System is a portable, tripod-mounted device armed with a high-powered laser that can destroy a quadcopter drone in a matter of seconds. The system is relatively inexpensive to operate and features an unlimited magazine, which means many drones can be destroyed. However, this system will not be available for a few more years.

About the Author - Ron Bartsch

Ron is CEO of Innovating Australia and currently a presiding member with the Commonwealth Administrative Appeals Tribunal (AAT), having held this position on a part-time basis since his appointment in 2013. Ron is also a Senior Visiting Fellow at the Australian National University and the University of New South Wales and lectures in Business Law and Technology and International Air Law. Ron was admitted as a barrister in 1993 and then took up a senior management position with the Australian Civil Aviation Safety Authority and was later appointed as Head of Safety and Regulatory Compliance for Qantas Airways Limited, a position he held until 2009.
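To make the geo-fencing mechanism described above concrete, here is an added example of the check a flight controller could run against a stored no-fly-zone list. It is not DJI's, NASA's or any manufacturer's code. It assumes each restricted area is published as a centre point in WGS-84 degrees plus a radius in metres; the zone names, coordinates and the drone positions are constructed sample values for fictitious sites, not real restricted areas.

```python
"""
No-fly-zone geofence check: an added illustration, not DJI's, NASA's or any
manufacturer's software. Assumes each restricted area is published as a
circle (WGS-84 centre, radius in metres). The zones and positions below are
constructed sample values for fictitious sites, not real coordinates.
"""
import math
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius used by the haversine formula


@dataclass(frozen=True)
class NoFlyZone:
    name: str
    lat: float       # centre latitude, decimal degrees
    lon: float       # centre longitude, decimal degrees
    radius_m: float  # restricted radius around the centre, metres


# Constructed sample zone list (hypothetical sites, not real locations).
SAMPLE_ZONES = (
    NoFlyZone("Sample Aerodrome", 1.3500, 103.9900, 5000.0),
    NoFlyZone("Sample Prison", 1.4000, 103.7000, 1000.0),
)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_position(lat: float, lon: float,
                   zones: Iterable[NoFlyZone] = SAMPLE_ZONES,
                   warn_margin_m: float = 500.0) -> Tuple[str, Optional[str], float]:
    """
    Classify a drone position against the zone list.

    Returns (status, zone_name, distance_to_boundary_m):
      'inside'  - within a zone; firmware would refuse to arm / shut down
      'warning' - within warn_margin_m of the nearest boundary
      'clear'   - no zone nearby (zone_name is None, distance is inf)
    A negative distance means the position is that far inside the boundary.
    """
    nearest: Tuple[str, Optional[str], float] = ("clear", None, math.inf)
    for zone in zones:
        boundary = haversine_m(lat, lon, zone.lat, zone.lon) - zone.radius_m
        if boundary <= 0:
            return ("inside", zone.name, boundary)
        if boundary <= warn_margin_m and boundary < nearest[2]:
            nearest = ("warning", zone.name, boundary)
    return nearest


def main() -> None:
    # Constructed flight track moving north out of the aerodrome zone.
    for lat in (1.3500, 1.3900, 1.3980, 1.4100):
        status, zone, dist = check_position(lat, 103.9900)
        print(f"lat={lat:.4f} status={status:8s} zone={zone} boundary_m={dist:.0f}")


if __name__ == "__main__":
    main()
```

The warning band is the part worth noticing: a controller that only reports "inside" gives the pilot no chance to turn away, whereas a margin lets the aircraft refuse further progress before the boundary is crossed. A production implementation would sign the zone list and the update channel, since the article's mandated-no-fly-zone model only works if the stored coordinates cannot be silently edited.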

Cyber Security

A cyber week in Singapore

By Jane Lo, Singapore Correspondent

The last week of March in Singapore’s cyber conference and events calendar got underway with the Asia ICS Cyber Security Conference (27th-28th March, SunTec Convention Hall). Supported by the Cyber Security Agency of Singapore, it gathered the international community of experts in Industrial Control Systems (ICS) cyber security for two days of conferences, dialogues, exhibitions and social events to exchange leading ideas and thoughts on cyber security issues related to ICS and SCADA systems. This was followed by IoT Asia 2017 (29th – 30th March, Singapore Expo), officially opened by Dr Vivian Balakrishnan, Singapore’s Minister for Foreign Affairs and Minister-in-Charge of the country’s Smart Nation initiative, which welcomed thought leaders, industry experts, decision-makers, leading technology companies and small and medium enterprises (SMEs) from around the world over the two-day event. The week concluded with the well-regarded BlackHat Asia 2017 (28th – 31st March, Marina Bay Sands Convention), which returned to Singapore for its fifth year. Security professionals and researchers in the industry gathered for a total of four days: two days of deeply technical hands-on Trainings, and two days of the latest research and vulnerability disclosures. Beyond the presentations, panel discussions and exhibitions on the latest technologies, vulnerability research and risk assessment approaches, a theme that is clearly emerging and receiving much attention from policy makers and practitioners is the need to clarify our understanding of cyber-physical security risks in Industrial Control Systems and to strengthen defences against them.

A recent incident in Industrial Control Systems (ICSs) was the cyber-physical attack on Kiev’s power grid during a December weekend last year, which cut off power in residential areas for slightly more than one hour. This event fit a familiar pattern of some 6,500 cyber incidents in Ukraine that month. Early in December, the Ukrainian Ministry of Finance, as well as the State Treasury and Pension Fund, said their websites were temporarily downed by disruptive attacks. Transport and energy infrastructure, including railway and mining firms, were also targeted that same month. Though this news seized sensational headlines and became a centrepiece in this era of cyber disruptions, these attacks were thought to be driven either by destabilization motivations or intelligence-gathering exercises, and had not resulted in maximum damage. The outage in the affected areas of Kiev lasted a little more than an hour. Nevertheless, the Kiev attack came a year after the attack on Prykarpattya Oblenergo in Western Ukraine which left many without electricity for hours. The outage in December 2015 was the first cyber-physical attack since Stuxnet, a Microsoft Windows malware, degraded Iran’s uranium processing capability in 2010. According to Ukraine’s representative at a conference earlier this year, the investigations of Kiev’s disruption revealed, for example, malicious software code which included modules to specifically harm equipment inside the electric grid. Mr Oleksii Tkachenko, Deputy Head of Analytical Division, Cyber Security Department, Security Service of Ukraine, pointed out at the Asia ICS Cyber Security Conference, in his “Ukraine
Experience” talk, that these are “disguised using special software (specialized shell-codes, RootKits, 0-day, vulnerabilities etc.), exploiting vulnerabilities that are unknown to the general public and are not detected by antivirus software.”

Intelligence Gathering and “Phishing”

Investigators reported that the process to manipulate ICSs was very possibly facilitated by an initial-stage malware delivered through a technique known as “phishing”. The implanted malware obtained legitimate credentials to open back-doors. In this case, the credentials allowed the attackers remote access via Virtual Private Network (VPN) to control the ICS client software, and – with second-stage and additional malware – to eventually cause capacity damage to the ICSs. Phishing is the extraction of critical information using deceptively crafted yet convincing messages. According to Q2 2016 statistics from RSA FraudAction researchers, a new phishing attack is launched every 30 seconds. In that quarter alone, RSA identified more than 515,000 phishing attacks globally — a 115% rise over the previous quarter. This technique appears to be a highly popular business model for malicious actors, costing global organizations $9.1 billion. Keith Turpin (CISO, Universal Weather and Aviation), at the BlackHat Asia 2017 conference, described phishing attacks as “often highly targeted”. Significant reconnaissance (or information-gathering) using corporate websites, social media (Facebook, LinkedIn, Twitter) and public media is usually

conducted first to understand the organization structure, C-suite executives, corporate logos, banners and headers. A friendly phone call to manipulate unsuspecting employees into divulging information is also not unusual. The next step in the attack cycle, the injection of the malware, is effectively executed using spoofed emails with Microsoft Office attachments (such as Excel, Word, PowerPoint). These are painstakingly constructed to be authentic-looking, using the information gathered during the reconnaissance phase. Typically, the urgency for action and the legitimacy of these deceptive requests derive from emails impersonating executives in key positions, prompting users to click on a malicious link or attachment. The community of internal and external users connected to the organization network are potential target “candidates” – from vendors of industrial equipment, integrators, support controllers and analysts, to executives.

The Cyber-Physical attack

This preparatory phase of implanting the first-stage malware, to obtain the necessary credentials to masquerade as legitimate users, was likely planned and conducted over several months to chart a plan of attack. With access to the targeted systems in the ICS infrastructure gained, the actual attack on the physical plant was launched. According to the alert posted by U.S. Department of Homeland Security ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), “most breakers were tripped when remote human operators accessed the
dispatcher workstations and remotely took control of the terminals using legitimately installed remote access tools”, and additional malware “erased selected files on target systems and corrupted the master boot record, rendering systems” to delay restoration efforts. Additionally, the manipulation of the industrial process to schedule unauthorized outages was carefully synchronized and coordinated with attacks on internal telephone networks, cutting off internal communications to prevent detection and early warnings. The prevention of early alarm triggers and timely response is crucial in a “successful” cyber-physical attack.

Marina Krotofil (Lead Cyber Security Researcher, Honeywell Industrial Cyber Security Lab), in her talk “Man-in-the-SCADA: Anatomy of Data Integrity Attacks in Industrial Control Systems” at BlackHat Asia 2017, pointed out that this means reliably controlling the marginal attack parameter and capturing the process feedback throughout the attack, as the physical reactions propagate through the system. To mitigate against this, Ms Krotofil highlighted takeaways such as locking away configuration files to prevent illegitimate manipulation (in addition to hardening the distributed control systems and supervisory control and data acquisition servers).

Opening Keynote speaker Halvar Flake at BlackHat Asia 2017. Photo Credit: BlackHat Asia 2017

Oleksii Tkachenko, Deputy Head of Analytical Division, Cyber Security Department, Security Service of Ukraine, “The Ukraine Experience Part 2”, speaking at the Asia ICS Cyber Security Conference 2017. Photo Credit: Asia ICS Cyber Security Conference 2017
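Ms Krotofil’s takeaway above about locking away configuration files, together with the file-wiping stage of the Kiev attack, is the kind of tampering a simple integrity baseline makes visible on an engineering workstation. The following is an added example, not code from Honeywell, ICS-CERT or any speaker quoted in this article. It assumes the baseline is kept somewhere the monitored host cannot write to (for instance read-only media held by the engineering team), and the directory tree it checks is a constructed sample.

```python
"""
Configuration-file integrity baseline and check for an ICS engineering
workstation. Added illustration only, not a tool from Honeywell, ICS-CERT
or any vendor. Assumes the baseline dict is stored where the monitored host
cannot modify it (e.g. read-only media); the files below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Sequence, Tuple

CONFIG_PATTERNS: Sequence[str] = ("*.cfg", "*.xml", "*.ini")  # assumed config types


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large project files are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns: Sequence[str] = CONFIG_PATTERNS) -> Dict[str, str]:
    """Hash every config file under root; keys are POSIX paths relative to root."""
    baseline: Dict[str, str] = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def verify(root: Path, baseline: Dict[str, str],
           patterns: Sequence[str] = CONFIG_PATTERNS) -> List[Tuple[str, str]]:
    """
    Compare the live tree with the stored baseline.
    Returns sorted (finding, relative_path) pairs where finding is
    'modified' (hash changed), 'deleted' (file gone) or 'unexpected'
    (a config file that was never baselined, e.g. planted by an intruder).
    """
    current = build_baseline(root, patterns)
    findings: List[Tuple[str, str]] = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append(("deleted", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    findings.extend(("unexpected", rel) for rel in current if rel not in baseline)
    return sorted(findings)


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scenario: baseline a small tree, verify it clean, tamper, re-verify.
    Returns (findings_before_tampering, findings_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi.cfg").write_text("alarm_threshold=80\n")
        (root / "plc").mkdir()
        (root / "plc" / "setpoints.xml").write_text("<sp>42</sp>\n")
        baseline = build_baseline(root)
        clean = verify(root, baseline)

        # Simulated tampering: edit a threshold, delete a file, plant a file.
        (root / "hmi.cfg").write_text("alarm_threshold=999\n")
        (root / "plc" / "setpoints.xml").unlink()
        (root / "plc" / "override.cfg").write_text("bypass=1\n")
        return clean, verify(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "no findings")
    for finding, rel in after:
        print(f"{finding:10s} {rel}")
```

The check only has value if the baseline itself is out of reach of whoever can reach the workstation, which is exactly the "lock away" point: an attacker with the same access as the malware described above can re-hash the files they changed if the baseline sits beside them.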

Interconnection between the “Cyber” and “Physical” worlds

ICS are found in critical infrastructure sectors such as electric, water, oil and gas, manufacturing, food and beverage, and other industrial processes such as a chemical plant. Their evolution from physically secured, isolated systems running proprietary control protocols to resembling “traditional” information technology systems – with Internet Protocol (IP) devices replacing these older-generation proprietary devices, and running on standard operating systems and network protocols – has opened up whole new surfaces vulnerable to attack. ICS components (e.g. mechanical, hydraulic) are highly interconnected and mutually dependent, acting together to achieve an industrial objective (e.g. manufacturing, energy) through a “process” that produces the industrial output, controlled by the “controller” to ensure conformance with pre-configured specifications. This tight interconnection and dependency means that the digital logic executing in the ICS has a direct effect on performance and reliability in the physical world, with implications for health and safety. Cyber security hence is essential to the safe and reliable
operation of these industrial processes. For example, the “controller” is operated via a Human-Machine Interface (HMI) and Remote Diagnostic and Maintenance tools built using a myriad of network protocols on layered information system architectures. These are multi-vendor and non-homogeneous, and, as in any corporate network, legacy equipment adds to the complexities of integration. Inherent shortcomings that are forgotten, unnoticed or simply disregarded become back-doors for malicious actors to gain unauthorized access, and become real vulnerabilities in these architecture perimeters. Industry good practices of cyber security are well documented, including standards such as procurement of
trusted systems, knowing who and what is on your network, and contingency plans for safe operation or shutdown in the event of a breach, and basic implementation measures such as locking down unused ports and turning off unused services, isolating ICS networks from untrusted networks, and hardening remote access functionality. At the same time, the tight interconnection and dependency between the cyber and physical worlds also requires assessing functional safety to consider the full product lifecycle in an industrial process. Standards are now starting to emerge and develop that offer a structured approach to functional safety and cyber security. Mr Heinz Gall, TÜV Rheinland, speaking at the Asia ICS Cyber Security Conference, elaborated on the IEC 61508 Functional Safety and IEC 62443 Cyber Security standards: “If the hazard analysis identifies malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, a security threats analysis should be carried out. Should a security threat surface, a vulnerability analysis should be undertaken in order to specify security requirements.” Consider a power system composed of power plants, power transmission, transformer lines, power supply and distribution plants. In the lifecycle of installation – validation – operation – maintenance, cyber security is the defense against malicious actions to protect devices and facilities. Complementing this is functional safety, which “is the defense against random and systematic technical failure to protect the application,” said Mr Heinz Gall. Each of these “requires risk and threat analysis, need to specify safety and security levels, requires organizational and technical measures, and need to consider fault avoidance and fault control”. He further stressed that cyber security and functional safety assessments need to be undertaken proactively in the configuration of ICSs. Regulations typically lag the pace
of innovation, competitive pressures and technological complexities, and require lengthy consultation time to be passed. Managing to the timeline of regulations or legislation may not adequately prepare an organization for preventing major industrial incidents.

People, Policy, Technology – Weakest Link?

While a single point of compromise in the network may open up extended access due to legacy access controls linking the interconnected assets, it is also important to consider the “People” aspect. This was among the points brought up by Mr Manuel Diez, TÜV Rheinland, speaking at the Asia ICS Cyber Security Conference. Clear roles and responsibilities (“who is doing what”) and training on “what not to do” are critical governance elements in a robust cyber security framework, said Mr Manuel Diez. Whilst technology and policies can be tirelessly reviewed, assessed and updated, the human factor remains the weakest link. Establishing a mutual understanding between “IT” and “OT” teams (information technology and operational technology) is critical to combining cyber security and functional safety in the long run. For effective collaboration to take place between the two, a shared ideology in security, anchored by a strong culture of communication, will be necessary. Reconnaissance campaigns are getting more sophisticated and well-organised, and malware is growing more complex, with obfuscation and detection-evasion techniques such as embedding code in legitimate-looking displays, other code or even music lyrics. Once these are embedded in the organization, it is often too late to eradicate them. The first line of defense, therefore, is preventing the malware from penetrating and blending into the organization’s assets. Training on social engineering tactics and phishing attack scenarios – such as not enabling macros in documents, not opening attachments from unverified sources, and checking the addresses when replying to emails – should form part of the formal cyber awareness policies.

Manuel Diez, TÜV Rheinland, “Always Be Safe”, speaking at the Asia ICS Cyber Security Conference 2017. Photo Credit: Asia ICS Cyber Security Conference 2017

Dr Vivian Balakrishnan, Minister for Foreign Affairs and Minister-in-charge of the Smart Nation Initiative, speaking at the keynote at IoT Asia 2017. Photo Credit: IoT Asia 2017
And these lessons are equally relevant to the operational technology teams who use tools which are highly susceptible to phishing attacks – such as the HMIs or other diagnostic tools used to control the industrial processes. Without training on specific ICS threats and cyber security standards, they cannot be expected to maintain a secure ICS environment.

Building a Resilient Infrastructure in Singapore

The Ukraine incident highlights the need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures to reduce the risk of cyber-physical attacks. Singapore has launched Singapore’s Cyber Security Strategy, in which “Building a Resilient Infrastructure in Singapore” forms a key pillar. As an international financial, shipping and aviation hub, Singapore also houses critical systems that transcend national borders, such as global payment systems, port operations systems, and air-traffic control systems. Successful attacks on these supra-national
CIIs can have disproportionate effects on the trade and banking systems beyond Singapore’s shores. Mr Lim Thian Chin, Head of Critical Information Infrastructure (CII) Protection at the Cyber Security Agency of Singapore (CSA), referred to the Cybersecurity Act within Singapore’s Cyber Security Strategy, to be introduced later this year, which will:

• Require CII owners and operators to take responsibility for securing their systems and networks. This includes complying with policies and standards, conducting audits and risk assessments, and reporting cybersecurity incidents. CII owners and operators will also be required to participate in cybersecurity exercises to ensure their readiness in managing cyber incidents; and

• Facilitate the sharing of cybersecurity information with and by CSA. Recognising that cybersecurity breaches will happen despite our best efforts, the Act will empower CSA and sector regulators to work closely with affected parties to expeditiously resolve cybersecurity incidents and recover from disruptions.

CSA has been and will continue to work closely with sector regulators, CII stakeholders and industry players in formulating detailed proposals for the new Act. A key principle is to adopt a risk-based approach to cybersecurity, and to build in sufficient flexibility to take into account the unique circumstances and regulations in each sector. In his concluding remarks at IoT Asia 2017 at the Singapore Expo, Dr Vivian Balakrishnan, Minister for Foreign Affairs and Minister-in-charge of the Smart Nation Initiative, noted that, while the nation is embarking on a digital revolution, “we need to be mindful that cybersecurity is still the biggest elephant in the room. We have all heard of the cyber-attack on Dyn last year which brought down Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and many other popular sites and services. In Singapore, StarHub told us that their subscribers experienced a similar attack. Internet-connected devices of StarHub customers, such as video cameras, routers and DVR players, were taken over by hackers and used for an attack on the domain name system. So critical control systems need to be protected even as we make them smarter. We need to ensure that our digital identity framework, our e-transaction platforms are secure and robust.”


Cyber Security

Cyber resilience for tomorrow

By Jane Lo, Singapore Correspondent

Two conferences during April in Singapore provided invaluable insights into the responses across three sectors to rising Cyber Risks in the digital economy:

• GTACS (Governance, Technology Audit, Control, Security), the annual conference organized by the ISACA Singapore Chapter, 24th–25th April 2017, Marina Bay Sands Convention Hall, Singapore.
• Sea Asia 2017, driven by the Maritime and Port Authority of Singapore, 25th–27th April 2017, Marina Bay Sands Convention Hall, Singapore.

Business Continuity Planning, Sharing Threat Intelligence, and Raising Cyber Security Awareness – these are the Cyber risk management perspectives voiced by practitioners within the Financial Services, Health Care, and Maritime Industries respectively.

The theme for GTACS 2017 was “Cyber Resilience for Tomorrow”, which emphasizes the need to go beyond defense to develop capabilities to respond and recover rapidly. Opening the conference, Dr Janil Puthucheary, Minister of State, pointed out that the pace of innovation and the digitalization of the economy are trends that require resilient Cyber Security to respond to increased threats. Through presentations and panel discussions, the Health Services Sector and the Financial Services Sector gave two interesting perspectives on “resiliency” to cyber attacks.

Mr Muthukrishnan Ramaswami, President of the Singapore Exchange, in his Welcome Address, highlighted the need to conduct a periodic Maturity Review of the Information Security Program that “benchmarks capabilities against Regulatory and global standards and identifies areas for improvement”, and additionally to establish an “Information Security Key Operation Metric - a monthly dash board of both the External and Internal environments and facilitates an agile response where required”.

Agility is certainly an important characteristic of a rapid and effective response and recovery. However, how does an organization gain a full understanding to ensure the adequacy of its resiliency program? This question was addressed in the discussion panel “Business Continuity Management – Have we done enough?”. Representing the Singapore Exchange, Mr Stephen Lee, Head of Business Continuity Management, challenged us to ask ourselves first: “when preparing for, or when managing a disruption, do you consider the many components that are interlinked” – such as “Information Security, Crisis Management, IT Disaster Recovery”, “Incident Management”? He provided 3 specific guiding questions and widely accepted responses, and highlighted important considerations that may not have been obvious:

“1. How do you define the role of Information Security? Information security goals in an organization centre around Confidentiality, Integrity and Availability. A heavy emphasis is placed on prevention e.g. prevention of unauthorized modifications, users, access, etc. But - Prevention is very important, but planning must assume that defenses have been breached, accompanied with appropriate responses.

2. How do you define the role of incident management? Responses to an unplanned interruption to an IT Service or reduction in the quality of an IT service. But - Failure of a configuration item that has not yet affected service is also an incident.

3. How do you define the role of business continuity management? A major component includes testing and validation. Focus on continuity of critical operations. But - Tests must include looking for “weak links” and “vulnerabilities” before they break, not just when something breaks.”

Within the Health Care Sector, information sharing or threat intelligence sharing is critical to adopting a resilient cyber posture. Denise Anderson, President, National Health Information Sharing and Analysis Center (NH-ISAC), highlighted the use of STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) in Threat Intelligence sharing in the sector. FS-ISAC (Financial Services – Information Sharing and Analysis Centre), NH-ISAC (National Health – Information Sharing and Analysis Centre), and the Multi-State ISAC are currently sharing operational data using STIX/TAXII; the DHS National Cybersecurity and Communications Integration Centre (NCCIC) and US-CERT are currently publishing reports in STIX/TAXII; and DHS’s free Automated Indicator Sharing (AIS) capability uses STIX/TAXII to enable machine-to-machine communication.


She also pointed to other areas of knowledge exchange such as Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™), where information on tactics, techniques and procedures (TTPs) of adversaries, post-compromise, is gathered through MITRE research, penetration testing and red teaming. However, having threat knowledge and information doesn’t mean the organization has a threat intelligence program. That was a message of the panel discussion in the Health Care Cyber Security Break Out Session, “Building A Threat Intelligence Program” (moderated by Chris Tan, IT Risk Management & Security Associate Director, Merck & Co; panelists: Gregory Barnes, Global CISO, Amgen; Nambiar Jayapalan, Senior Manager, Information Security and Risk Management, Johnson & Johnson; Saverio Ortizzo, IT Risk Management & Security Director, Merck & Co). While introducing data into the industry ecosystem can help reduce breaches elsewhere, it is important to have a robust response plan with actionable items that adds value to the business, and where the organization is “not following the malware of the day”.

Coincidentally, the GTACS conference was held during the Singapore Maritime Week 2017 (SMW), which saw visitors from over 80 countries. Driven by the Maritime and Port Authority of Singapore, Sea Asia 2017 (25th–27th April 2017) presented a golden opportunity to hear the innovation challenges and corresponding Cyber Security concerns facing a different industry - the Maritime industry. Singapore’s port and maritime industries need to gear up to deal with digitalization and disruption of global transport supply chains – that was the message of Mr Khaw Boon Wan, Coordinating Minister for Infrastructure and Minister of Transport, at the official opening of Sea Asia 2017. The role of hub ports such as Singapore, the world’s largest container transshipment hub, is set to change as digitalization takes hold. “The landscape is changing rapidly, digitalization is disrupting and transforming the global transport supply chains,” Mr Khaw said. Painting a picture of the new landscape, Mr Khaw said: “Nearer to home we are seeing the rise of multi-modal logistics infrastructure, and the growth of other hubs in Asia fueled by e-commerce. These trends have also sparked talk about the emergence of new trade routes and even multi-hub networks in the longer term where no single hub will enjoy superior connectivity.”

The panel discussion “The Fourth Industrial Revolution: Threat or Opportunity? The implications of Smart shipping and other new technologies for the future of shipping”, moderated by the well-known BBC correspondent Nik Gowing, discussed the implications for the industry as it undergoes disruption to become more efficient, and the implications thereof such as increased Cyber Risks. Mr Peter Broadhurst, Senior Vice President, Safety & Security, Inmarsat, asked the question “Embracing a new world of smarter connected shipping at what cost?” and presented some startling statistics: “43% of crew sailed on a vessel that has been compromised by a cyber incident; 90% of crew had never received any cyber security training or guidelines, 95% of breaches are caused by human errors”. Mr Michael Montoya, Chief Cybersecurity Advisor, Asia Microsoft Enterprise & Partner Group, elaborated that crews’ daily activities onboard, such as checking email, BYOD and plug-and-play electronic devices, are as vulnerable to cyber attacks as they are onshore, and that crews need help with raising their cyber safety awareness. “Companies must embrace technology… but as you expand your digital footprint, you do open yourself to risks in the form of cybersecurity. However, there are ways to protect yourself from that risk, and there are smart ways that you can implement that will allow you to continue on that maturity journey to put much better services and systems in place,” he said.

The Minister of Transport concluded that no one knows how technological developments will pan out, but “superior connectivity will be measured in multi-modal terms and maybe as much digital as physical,” he stated. As interconnectivity increases, so too will the convergence of the Cyber and Physical worlds. Where digitalization is an important driver of a viable commercial strategy, we will certainly be hearing more from the Maritime industry leaders who are approaching these technology developments from an innovation as well as a risk management perspective.

Panel Discussion: Business Continuity Management - Have We Done Enough? Moderator: Mr Victor Tay, Chief Development Officer, NTU. Panelists: Dr Goh Moh Heng, President, BCM Institute; Stephen Lee, Head of Business Continuity Management, SGX; Kevin Kwok, Head of Risk, City Development Limited.

Denise Anderson, President, National Health Information Sharing and Analysis Center (NH-ISAC), speaking at GTACS 2017.



International

Demonetisation spurs cyber crime in India

With the Indian government striving towards a cashless economy by expanding the scope of digitisation across all activities, the widening internet modes this will foster will need to be safeguarded from cyber crime and cyber fraud.

By Sarosh Bana, APSM Correspondent

Online databases and transactions are getting increasingly vulnerable to hackers today with their ever innovative tools. Cases of banking frauds from phishing, cloning charge cards, cyber stalking, hacking accounts and databases, and impersonation are already on the rise in India, but detection has been weak in the absence of effective policing and monitoring, especially in individual cases. Less than a fifth of the cases registered with the cyber police have been solved over the last four years. In Mumbai, the financial capital of the country, as much as 80 per cent of the crimes registered in 2016 have remained undetected. As per Reserve Bank of India (RBI) data, banks in India reported 9,500, 13,083 and 16,468 cases related to cyber frauds like breach of accounts during 2013-14, 2014-15 and 2015-16, respectively.

Pointing out that detecting cyber cases has become challenging as most such criminals use servers based out of India, the Mumbai cyber police see this situation presenting a severe hindrance in resolving the cases owing to the long-drawn procedures that are mostly beyond their jurisdiction. They nevertheless say that they are continuously at work on cracking down on online frauds and are monitoring the situation as best they can. Asked what challenges lay ahead for the city police in 2017, Mumbai Police Commissioner Dattatray Padsalgikar retorts: “Cyber crime is a threat.”

Furthering the government’s drive towards digitisation will be the planned optic-fibre based internet connectivity across rural India, apart from a new initiative that aims to provide villages with tele-medicine, education, and skills through the use of digital technology. Another scheme is for a digital pension distribution system that will provide retired defence personnel easier access to their funds, and a similar initiative that will offer health information to senior citizens.

Last November, the government took the drastic step of demonetising high denomination currency in an effort to crack down on black money and fake notes. As much as 87 per cent of the money in circulation was sucked out of the economy as a result. With diminished access to money even for their daily expenses, the public, especially the working classes who deal exclusively in cash, was traumatised. The government changed its tune, announcing that the withdrawal of the high value tender was also meant to usher in digitisation with the larger objective of financial inclusion of all. Following on this argument, it has hitherto replaced only part of the currency that it invalidated.

This objective towards digitisation appears to be succeeding to a degree, with the numbers rising from 27.3 million credit cards and 739.3 million debit cards to 28.8 million credit cards and 818 million debit cards within two months of the demonetisation. Indians have always preferred debit cards over credit cards. While the total amount transacted through credit cards in January was Rs32,691 crore (Aus$6.8 billion), a 76 per cent rise over January 2016, that transacted through debit cards was Rs49,004 crore (Aus$10.2 billion), a jump of 235 per cent.

India has traditionally and historically been more dependent on cash than most other countries. The penetration of banking services has been a niggardly 59 per cent, and there are only 202,801 ATMs (Automated Teller Machines) serving a population of 1.27 billion. India’s reserve money to broad money ratio, indicative of the scale of cash in circulation, is 0.18, deemed very high in comparison with other emerging economies – 3.5 times that of China’s, triple that of Brazil’s and double that of Mexico’s. Compared with developed countries, India’s ratio is 2.25 times that of Japan’s, 2.5 times that of the Netherlands’, 4 times that of Canada’s, and 6.5 times that of Sweden’s and South Korea’s.

Anticipating technology to be a key driver of India’s growth, with the country embracing applications of technologies at an accelerated pace, Amitabh Kant, CEO of Niti Aayog – the present government’s version of the Planning Commission that it disbanded – believes that physical banking in India is almost dead. He adds that the country is adopting pervasive technologies so rapidly that over the next three to four years, digital transactions will move through mobile wallet and biometric modes, setting the stage for credit cards, debit cards and ATMs to eventually disappear.

Recognising the trends that will have wide implications for all online systems like banking, financial, commercial and retail, the Finance Ministry in its Budget for 2017-18 has proposed the Computer Emergency Response Team for Financial Sector (CERT-Fin) to curb hacking and secure online data. Underscoring cyber security as critical for safeguarding the integrity and stability of India’s financial sector, Finance Minister Arun Jaitley informed Parliament that CERT-Fin will work in close coordination with financial sector regulators such as RBI and the Securities and Exchange Board of India (SEBI) to further boost the moves towards digitisation. CERT-Fin will be a team of computer experts and computer scientists that will help secure the government’s online presence.

Cyber experts, however, feel that much more will need to be done in order to safeguard computer networks and payment gateways as India aims to go digital. Following one of the biggest ever malware-related security breaches of financial data in India that took place last October, the public sector State Bank of India and four private sector banks either replaced, or asked users to change the security codes of, as many as 3.2 million debit cards that were compromised. Several victims reported unauthorised usage from locations in China. The breach was found to have originated in malware introduced into the systems of Hitachi Payment Services, which provides ATM, point of sale (PoS) and other services. This enabled the fraudsters to steal information that provided them access to various accounts.

FortiGuard Labs, the threat research division of California-based network security solutions provider Fortinet, observed a spike in attacks and malware in India in the months of November and December, that is, post-demonetisation. Its report, India threat analysis for Q4 2016, notes increased threat activities in that period, with ransomware trending particularly high, accounting for nine of the top 10 malware strains. Finance was the most attacked vertical throughout Q1 to Q3. There was a surge of attacks on telecommunications companies in the last three months of 2016, and the report saw this as a possible result of an increase in mobile transactions after demonetisation. “In global terms, India was 13th on the list of malware detections in Q4,” FortiGuard Labs adds. It registered a rise also in Botnet activity, with an average activity level of 800,000 connections per day recorded by Fortinet sensors in Q4. Government was the most infected industry sector, followed by manufacturing. According to the report, threat activity in India increased significantly over the last two weeks of December, caused by a surge of SSH (Secure Shell) connection brute-force attempts, a surge that, interestingly, was not seen globally. “The most attacked industry was Banking & Finance, which received more than 15 times the hits than the second-placed Technology industry,” it states.

“Hackers are smart people and they know exactly what organisations are going through,” mentions Rajesh Maurya, Fortinet’s Regional Vice President for India and SAARC. “There’s only one way to get the better of them – be quicker and more knowledgeable.” He believes sharing information is a prerequisite to get ahead of cybercrime, as a collection of companies working together to collect and share intelligence will always have better visibility into the threat landscape than one organisation on its own. Also, seeing new threats as soon as they emerge increases our ability to respond and protect valuable resources. Though a lot of raw data are available to organisations, most security infrastructures are not designed to effectively consume, correlate, and distribute the increasing volume of information available, remarks Maurya. “Fortinet’s Security Fabric provides a powerful, integrated end-to-end security solution across the entire attack surface, linking different security sensors and tools together in order to collect, coordinate, and respond to malicious behavior anywhere it occurs in real time,” he says. “It provides control, integration, and easy management of security across the entire organisation, from IoT (Internet of Things) to the cloud.”

Contending that Budget 2017-18 did not allocate adequate funding for fighting cyber crime, cyber experts deem it critical for the existing cyber law framework to be revamped to bring in new encryption and privacy policies and regulate existing encryption services. They also see the need to fortify cyber law to effectively deter online fraudsters and detect and prosecute them without delay. However, they do not expect any improvement in the situation until the National Cyber Security Policy is fully implemented. Drafted in 2013 as India’s first policy on cyber security, it had been years in the making and was finally released last November by the Department of Electronics and Information Technology. Setting high goals for cyber security in India, the Policy covers a wide range of topics, from institutional frameworks for emergency response to indigenous capacity building.

The Society for Cyberabad Security Council (SCSC), however, indicates that what the Policy achieves in breadth, it often lacks in depth. “Vague, cursory language ultimately prevents the Policy from being anything more than an aspirational document,” the Council notes in its review. “In order to translate the Policy’s goals into an effective strategy, a great deal more specificity and precision will be required.” Observing that the precision most required is in definitions, SCSC maintains that since the Policy is not a statute, it lacks the legal precision expected of an act of Parliament and ends up with terms that appear ambiguous, “cyber security not the least among them”. “In forgoing basic definitions, the Policy fails to define its own scope, and as a result it proves remarkably broad and arguably unfocused,” the Council clarifies. It adds that while the pervasive and intrusive Central Monitoring System (CMS) has been justified on concerns of national cyber security, expanding the range of threats for it to address has the danger of providing a pretext for further surveillance efforts on a national scale.

The World Economic Forum estimates the total economic costs of cybercrime worldwide at $3 trillion, while Silicon Valley-based consultancy Cybersecurity Ventures projects cybercrime to cost the world in excess of $6 trillion annually by 2021. Much of this explosive growth of cyber crime has been from illegal businesses that are safely conducted deep in a part of the internet that most people have never seen, and have little means to access. Also termed the “darknet”, this section of the internet lies beyond normal web browsers, is cloaked in anonymity, and has become a haven for criminal commerce, including cyber crime. Just as legitimate businesses have employees reporting for work, threat actors and agents pursue their activities in much the same manner, the three broad segments of the threat marketplace being producers, consumers and enablers. Mitigating the risks associated with these cyber threats requires a comprehensive strategy that includes actionable threat intelligence.




Cyber Security

Welcome to the future

By Anthony C Caputo

A “boundary” can be defined as a line that marks the limits of an area; a dividing line, real or imaginary, separating a subject or sphere of activity. The keyword here is “imaginary.” Laws and rules (both man-made and by physics) were/are designed to create those imaginary lines, much like the sides of good versus evil, but humanity doesn’t follow laws and rules in black-and-white, especially now that there are 256 shades of pixel grays. Human beings are too self-indulgent, self-possessed with personal needs and desires, many of them twisted by a bombardment of media overload. A friend would give us a copy of a song or movie, first on tape, then CD/DVD, then emailed instantly. These new generations copy movies, games, books, and pass them along, creating gray areas to serve our selfish purposes. The digital invasion just made it all easier, leaving a disruptive path along the way. As organic machines, human beings are fed higher education’s left-brained logic and mathematical view of the world, which further fuels our descent into a universe of ones and zeros. We continuously neglect the right-brain’s thirst for creativity, music, love, compassion and beauty – the very things that make us unique not only in the world of animals, but in anything of our own creation. Sure, we can create pretty Smartphones that empower our creativity, play our favorite music and connect us to our loved ones, but is the technology empathetic, compassionate and protective? Can the Smartphone itself protect you and your digital assets and information? Of course not, because it really isn’t that smart – it still needs your fingerprint, pass code and/or online ID.

Our continued thirst, first for survival (after all, the Internet was designed to survive a nuclear attack), then individualistic empowerment, marketing, entertainment, and for monetary gain to feed the capitalistic juggernaut inadvertently created a virtual universe of digital data, further deteriorating our own importance in the overall logistical corporeal world. This invasion of the digital universe destroyed all imaginary and physical boundaries, creating a level playing field for everyone and everything, from the convicted murderer researching legal loopholes, to the innocent school girl desperate for a copy of her favorite boy-band’s album, to the Uber driver and the monolithic Yellow Cab Company. Unfortunately, in order to keep up with the ever growing, rapid dissemination of data, and metamorphosis, through a myriad of new intuitive person-to-machine interface devices, we create even more data – much faster and better. If God truly created Man in his own image, then is God also an organic machine, or a version of our own image that resides in an alternative universe that moves so fast there is no yesterday or tomorrow and everything happens at once? Alternatively, like God with Adam and Eve, did we also see our own creations molded into something extraordinary, pure and righteous, but then, much like ourselves, our creations ran amok throughout human society, and evolved into the monstrosities we now see every day on the news? These new digital generations have blurred the physical boundaries, escaping into a virtual existence while driving in the real world, causing 25% of all automobile accidents.


The National Highway & Transportation Administration (NHTSA) has determined that texting while driving is equivalent to drinking four beers before getting behind the wheel, calling it “another potentially lethal distraction.” If a Smartphone was truly smart, with its ability to triangulate your location and speed, wouldn’t it know you’re travelling at 60 miles an hour and ask you if you’d like to hear a text from your mother and care to reply? On the other hand, Apple’s new Campus was designed without door thresholds so that engineers had less chance of getting distracted from their work as they walked.

I’ve seen (as I’m sure you have) how this digital invasion has affected all aspects of human existence. Several months ago, working alongside a small crew helping renovate my “fixer-upper,” were a man and a woman who were glued to their Smartphones. They were texting, which is not completely unusual in today’s youth, but it became quite frenzied. They were warned, which only stopped them momentarily, until the woman began to sob (and not because we fired them). Unbeknownst to everyone around them, they were “a couple” and were having a lover’s quarrel, while working together, through text.

It’s 2017, and I’ve realized that the digital invasion has succeeded, and humanity, as it once was, has fallen. The physical world is (or was) different. There used to be clear boundaries. There used to be barriers erected for structure and cohesion, for productivity and serenity: limitations created by physics for the easy absorption of information and knowledge. In my youth, a single business letter, with a physical buffer for the time allotted for its creation, mailing and arrival, alongside the patience for its forthcoming reply, was accepted as the reality. It was slow, deliberate, and concise, and even though at the time I was frustrated that it was such a slow process, there was no alternative. Even then, there were signs of how the digital universe was disrupting our own individual creativity, as it was only several decades prior to word processing software that we created wonderful letters using calligraphy. Little did I know that I would mutate within the next twenty-five years, developing hyper speed superpowers, just to be able to mentally, physically and emotionally receive, respond to and send up to a hundred emails a day.

The building blocks of society, the boundaries set up by commerce, religion, physics, rules and laws, have broken down. We blindly moved our existence into the digital universe, believing still in our imaginary boundaries, even though there was no one there to serve and protect. There is no such thing as 100% digital security – only real-time intrusion detection, and 100% high availability and fault tolerance. There are even cyber guards who identify an intruder and direct them to a “safe house” within this digital universe for further interrogation and deciphering. We still need to continue to feed the delusion of imaginary lines, and without our virtual deadbolts, chains, guards and alarms we are naked and vulnerable in this new world. Cryptography only tries to keep up with processor speeds – our own treacherous machines that can calculate trillions of computations per second, surpassing the human mind completely. Most of us didn’t even know our front door was wide open until it was too late, and so millions fall victim to identity theft, electronic robbery, privacy invasion, and life threatening cyber crimes.

We never needed to be concerned about invaders from the other side of the world when we were just a small dot on a physical map. Now, we’re in the same bits and bytes neighborhood, mere nanoseconds away. The Second Amendment of the United States Constitution cannot even protect us, as this alternative universe does not follow the same rules as our physical world. Its attacks may come in the blink of an eye – silent, intrusive, destructive. If you cannot protect what you own, you don't own anything. The digital universe stimulates a communal existence. It’s out there for all to see, copy, repurpose, regurgitate and even call their own. In 2000, I collaborated on a book on networked media with an executive from Hollywood. He had the foresight to envision this new world and was correct on every speculation but one: the ferocious speed and depth of change and disruption that lay ahead for all of humanity. We live in an age where a single device is your telephone, alarm clock, camera, video camera, compass, calculator, flashlight, personal computer, map, voice recorder, rolodex, television, and game console; where you can learn anything from the palm of your hand; where you can deposit a physical check into your bank account without a physical check; where businesses have a Facebook page and want to be liked; where Smartphone video clips of cats get tens of millions of viewers; where hostages send silent texts and videos of their captors; and where police officers would rather use their Smartphone at a crime scene than their police radio. A friend of mine in law enforcement once told me that if he left for work in the morning and forgot his gun – not a problem, but if he left for work in the morning without his Smartphone, he’d have to turn around and go back to get it. We’ve all done that, haven’t we? It’s not about forgetting our phone. There’s a phone we can use in the office, isn’t there?

It’s all about The Data

In 1990, before the Internet was a glimmer in anyone’s eye, Roger Fidler coined the phrase “Mediamorphosis,” which refers to the transformation of communication and media spearheaded by perceived needs, social and technological innovations. About the same time, after reviewing centuries of research data, Stanford professor and Futurist Paul Saffo suggested it takes 30 years for a new idea to seep into the culture. Well, it’s 2017, and if you do not have a digital strategy for digital transformation, and I’m not just talking about your company, I’m talking about you; you’re almost three decades behind. Unless you succumb to the digital universe and follow the latest calculation of the real world vs. the Internet calendar – then you’re about 120 years behind. The digital universe continues to engulf our existence, now exponentially with every passing year. Welcome to the Future. There really is no escape. We truly have all been assimilated.



International Feature

Sky’s not the limit: India's Space Programme

With its landmark simultaneous launch of 104 satellites recently, India’s space programme not only shattered the previous 37-satellite launch record set by Russian space agency Roscosmos in June 2014, but emphatically signalled its intent to muscle into the multibillion-dollar global space sweepstakes. Only three of the 104 satellites in the commercial launch were Indian, with as many as 96 sent by two American customers, and one each by Israel, the UAE, the Netherlands, Switzerland and Kazakhstan. The largest of them was India’s 714-kilo earth observation satellite, the other 103 being ‘nano satellites’ weighing a combined 664 kilos. K. Sivan, Director of the Vikram Sarabhai Space Centre in Kerala, termed the launch immensely complex, as it had to ensure that the swarming satellites did not collide with one another within the 11 minutes in which they were released one by one. The load of satellites was lofted into their polar sun-synchronous orbits by the 44.4-metre tall and 294-tonne four-stage Polar Satellite Launch Vehicle PSLV-C37 of ISRO, the Indian Space Research Organisation, as it took off from its launch pad at the Satish Dhawan Space Centre (SDSC) on the Sriharikota islet off the eastern coast. ISRO’s feat sets an enviable benchmark for the other five space-faring nations: the United States, Russia, China, Japan, and Europe with its European Space Agency. Putting commercial satellites into space for a fee is a growing business sector, as countries worldwide seek more and higher-technology imagery and telecommunications. Of the $323 billion global space industry, the commercial support segment that includes launch services is alone worth $121 billion. ISRO Chairman A.S. Kiran Kumar stressed that the aim of the combined launch was not to set a record, but to help ISRO maximise its capability and expertise. “Last year we saw nine successful launches,” mentioned SDSC director P. Kunhikrishnan. 
“This year has begun with a remarkable event and we congratulate all the customers for placing their confidence in ISRO.” India’s space programme has realised spectacular capabilities on a shoestring budget. For instance, ISRO’s Mangalyaan Mars Orbiter Mission (MOM), launched in November 2013, cost just $73 million, compared to NASA’s MAVEN Mars mission, launched around the same period, which had a $671 million price tag. India’s programme is also distinct from those of other countries in that it has a strong societal and humanitarian approach, with applications in rural resources, agriculture, forestry, fisheries, telemedicine, tele-education, water and environment, weather forecasting, disaster management support and outreach through Direct-To-Home television.

Its track record of negligible failures and low launch fees and salaries makes ISRO a preferred partner for launching small satellites into low earth orbit. Antrix Corporation Ltd, ISRO’s commercial arm, has an order book worth $75 million and will be recovering half the commercial launch cost of the PSLV-C37 from the five foreign customers. While a typical PSLV mission costs $15 million, launching a satellite on Falcon 9, the launch vehicle of Elon Musk’s SpaceX, costs $62 million; on Russia’s Proton, $90 million; on Arianespace’s Ariane-5 rocket, $140 million, which drops to about $100 million after subsidies; and on NASA’s intermediate-class Atlas V, $264 million. Prohibitive costs deterred NASA from flying its space shuttles from 2011, and it turned to the private sector, like SpaceX, for ferrying supplies to and from its International Space Station. India’s Department of Space (DoS) got a net allocation of Rs9,094 crore ($1.4 billion) for 2017-18, in comparison to NASA’s allocation of $19.3 billion, nearly the same as in 2016, but with a significant increase for its Space Launch System programme. Of the two San Francisco-based customers for the PSLV-C37 launch, Planet Labs launched 88 Dove satellites for daily imaging of the earth, while Spire Global launched eight Lemur 2 satellites for collating ship tracking and weather data. This was the second launch of Dove satellites aboard the PSLV, after 12 of them had been launched last June. This is despite the fact that US companies are denied the use of Indian launch vehicles by the Commercial Space Transportation Advisory Committee, COMSTAC, which ruled that Antrix has an unfair advantage over the American private sector as it is an Indian government entity. This rule is, however, often waived, because India is far cheaper than all its competitors, particularly in the launch of light payloads like nano satellites. 

The limits of the PSLV, which can launch payloads of only up to 1.75 tonnes to sun-synchronous orbits (SSOs) of 600 km altitude, and of the Geo-Stationary Launch Vehicle-II (GSLV-II), which can lift only up to 2.5 tonnes to Geosynchronous Transfer Orbits (GTOs), have restrained ISRO’s entry into the lucrative market for heavy satellite launches and also led it to pay heavily for the use of European rockets to launch Indian satellites above 2 tonnes. India will, however, soon breach these barriers with the imminent launch of ISRO’s GSLV-III, the country’s heaviest and most powerful launch vehicle, designed to lift satellites weighing up to 5 tonnes to GTOs of 36,000 km. The agency is also gearing up for its second lunar exploratory mission, Chandrayaan II, scheduled for next year.

By Sarosh Bana, APSM Correspondent



Cyber Security

The three columns of IoT security

By Morry Morgan, IoT & Technology Correspondent


Risk Analytics is expected to become a 26.32 billion US dollar market by 2020. Risk is big business, and the Internet of Things (IoT) phenomenon is likely to drive this industry well above those lofty predictions. Part of the reason is the IoT’s rapid growth, estimated by McKinsey at 32.6% CAGR. The other is the lackluster attitude that many manufacturers of connected devices and IoT-enabled products have towards security. And that is because, to date, there is no legal liability for manufacturers to secure their products. Last year’s Dyn attack by the Mirai botnet, which involved over 100,000 independent IP addresses – presumably unsecured modems and digital video recorders with default passwords – caused hundreds of thousands of US dollars in lost revenue for the affected websites. But the companies that manufactured the IoT devices escaped scot-free.

This is worrying, because unlike IT, IoT extends from the digital realm into the physical. In innocuous uses of IoT, a digital app can turn on a physical ceiling fan, and a digital sensor can regulate a farmer’s physical water pump. In these examples, the liability resulting from poor security is somewhat limited. Where risks begin to mount, however, is within larger IoT ecosystems, like transportation. Next year, if the National Connected Multimodal Transport (NCMT) Test Bed in Melbourne is on track, a digital camera mounted on a tram will be able to change the physical traffic lights to help alleviate congestion. Little imagination is needed to see the possible worst-case scenarios should these IoT-enabled traffic lights be hacked. Understandably, the NCMT project is cautiously starting with a 5 square km zone within Melbourne to mitigate this risk.

The IoT Alliance Australia (IoTAA) understands the seriousness of unsecured IoT devices and is actively discussing how to plug this gaping neglect-of-duty hole by manufacturers with a combination of shaming and litigation. But until the laws are written, it’s important to understand the risks and liability associated with a breach of any of the three cybersecurity pillars – Accessibility, Confidentiality, and Integrity – and how they relate to the emerging world of IoT.

Accessibility

Accessibility is about being able to access data when, where and however it is needed. In IT, a Denial of Service (DoS) attack can crash a digital website or a company’s server. In IoT, a DoS attack can crash a car. In July 2015, hackers Charlie Miller and Chris Valasek digitally cut the transmission of a Jeep Cherokee driving on a busy US interstate highway. The result could have been disastrous, or even deadly, had the attack not been launched by ‘white-hat hackers’ and the driver not been a Wired journalist in on the experiment. Thankfully, only Chrysler’s pride was injured. But that doesn’t mean this vulnerability has been solved. As with many IoT devices, ranging from digital video recorders to refrigerators and even dishwashers, applying the patch requires technical know-how, and in the case of Jeep, a dealership mechanic. Many Jeeps, or in fact any Fiat Chrysler cars with the ‘Uconnect’ cellular-connected computer installed, will remain vulnerable indefinitely. And that risk is not limited to the individual drivers. The economy of a city, with hundreds or even thousands of vulnerable vehicles on its roads, is at the mercy of hackers and could potentially be held to ransom. On a smaller scale, suppliers of IoT-enabled hardware could be liable if a DoS attack results in a lack of accessibility that contravenes the vendor’s Service Level Agreement (SLA). Damages for loss of business and even damage to reputation are a potential liability.

Confidentiality

With IT, you might have your credit card numbers stolen. But with IoT, your whole family might be starring in their own public ‘Big Brother’. Since its creation in 2009, the website Shodan, which touts itself as ‘the search engine for the Internet of Things’, has highlighted the thousands of vulnerable, unsecured IoT devices, many of which are home webcams and baby monitors. While Shodan itself is not malicious in nature, it highlights how IoT has infiltrated our lives and is a serious threat to our privacy, particularly for the non-tech-savvy. Take, for example, CNET’s warning in February 2015 that the newly launched Samsung Smart TV’s privacy policy states, “if your spoken word include your personal or other sensitive information, that information will be among the data captured and transmitted to a third party”. This threat to confidentiality barely made technology magazine headlines, but that all changed this year when a cache of WikiLeaks documents accused the CIA and the UK’s MI5 of conspiring to use this feature for their own clandestine operations. Most worrying was the general lack of outrage, which is a reminder of how laissez-faire the general population has become regarding confidentiality.

Integrity

Data doesn’t need to be blocked or stolen to be a security issue. It can also be modified without the owner’s knowledge. In 2010, the Stuxnet cyber-weapon infiltrated the Iranian nuclear program. Rather than crashing targeted computers or searching for classified information, it escaped the digital realm to wreak physical destruction on a number of centrifuges. Instead of just spinning the uranium enrichment centrifuges at 63,000 rpm, Stuxnet modified speeds ranging from 120 to 84,000 rpm. In doing so, the centrifuges passed through critical speeds, also called harmonics, that resulted in slight but damaging vibrations. The result of this digital attack was the physical damage of approximately 1,000 of the 10,000 IR-1 centrifuges at the Natanz Fuel Enrichment Plant, and huge delays to Iran’s ambition to become a nuclear power. To be fair, Stuxnet probably accessed Natanz via a USB drive rather than an IP address, but it is still a good example of how the integrity of data can be as damaging as confidentiality and accessibility.

Worrisome indeed. But perhaps more so for Australian businesses, which Professor Michael Johnson, Scientific Director at the Optus/Macquarie University Cyber Security Hub, says are “known internationally” for having an “enormous skills gap”. Johnson highlights that cybercriminals, in particular, target Australian banks more often than those in Singapore and Japan because of the “lack of tech-aware standards”. And if the ‘Big Four’ Australian banks, all of which are in the Top 10 ASX-listed companies, lack the means to reduce their risk of cyber-attack, then it is likely that this is more so for other listed and private companies here in Australia. Worse still, this risk is only growing. According to Forbes, the total volume of data generated by IoT will reach a staggering 600 zettabytes (ZB) per year by 2020 worldwide. In comparison, traditional global data centre traffic will only reach approximately 15.3 ZB by the same year. It is therefore predicted that, with this massive increase in traffic, IoT attacks will reach 25% of total cybercriminal behaviour.

The Internet of Things, combined with cloud computing and ubiquitous broadband, are the key technologies that will improve how we live, work, and interact with one another, and will massively improve efficiencies and create new opportunities for business. But this is a two-edged sword. The IoT-connected world expands the risk and liability to include the physical environment, specifically health and safety. Heating, ventilation and air-conditioning (HVAC), medical devices, autonomous vehicles, and even basic industrial IoT sensors, just to name a few, could be our best friend or our worst enemy. That outcome depends on the measures taken to IoT-proof the three cyber security pillars.
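The Integrity section above turns on setpoints being changed without the operator's knowledge. As an added example (not from the article, and not a model of any real plant or vendor controller), the following is the kind of independent plausibility check a defender can run over the stream of speed commands reaching a controller, so that a commanded excursion is logged even when the controller itself has been compromised. Only the 63,000 rpm nominal speed and the 120 to 84,000 rpm range come from the text; the safe band, the two critical-speed bands and the maximum legitimate step are constructed, hypothetical values, and the `audit_setpoints` function and its sample command lists are assumptions of this example.

```python
"""Setpoint integrity monitor for a rotating-machinery controller (added example)."""

# Constructed parameters. NOMINAL_RPM is from the article; every other number is
# a hypothetical value chosen for illustration and would be machine-specific.
NOMINAL_RPM = 63_000
SAFE_BAND = (60_000, 66_000)          # commands outside this band are never legitimate
CRITICAL_BANDS = [(20_000, 25_000),   # hypothetical resonance ("harmonic") bands that a
                  (70_000, 75_000)]   # healthy run-up/run-down must not traverse unplanned
MAX_STEP_RPM = 2_000                  # largest single-command change the process needs

# Constructed command streams: one ordinary day, and one reproducing the article's
# 63,000 -> 84,000 -> 120 -> 63,000 excursion.
BENIGN_COMMANDS = [63_000, 63_500, 63_000, 62_800]
TAMPERED_COMMANDS = [63_000, 84_000, 120, 63_000]


def crosses_band(previous, current, band):
    """True if the move from previous to current rpm intersects the closed band."""
    lo, hi = band
    low, high = min(previous, current), max(previous, current)
    return low <= hi and high >= lo


def audit_setpoints(commands, start_rpm=NOMINAL_RPM):
    """Return [(index, rpm, [reasons])] for every command that breaks an integrity rule.

    The check is stateful: each command is judged against the previous one, so a
    'return to nominal' that sweeps back through a critical band is still flagged.
    """
    alerts = []
    previous = start_rpm
    for index, rpm in enumerate(commands):
        reasons = []
        if not SAFE_BAND[0] <= rpm <= SAFE_BAND[1]:
            reasons.append("outside safe band")
        if abs(rpm - previous) > MAX_STEP_RPM:
            reasons.append("step too large")
        for band in CRITICAL_BANDS:
            if crosses_band(previous, rpm, band):
                reasons.append(f"traverses critical band {band}")
        if reasons:
            alerts.append((index, rpm, reasons))
        previous = rpm
    return alerts


if __name__ == "__main__":
    print("benign:  ", audit_setpoints(BENIGN_COMMANDS))
    for alert in audit_setpoints(TAMPERED_COMMANDS):
        print("tampered:", alert)
```

The monitor deliberately reads the commands from a tap that the controller does not own (a serial or network span, for instance), because a controller that reports its own setpoints can be made to report anything; the value of the check is that it needs no knowledge of who issued the command, only of what the process can physically tolerate.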



National

Artificial Intelligence in the financial services

By Jane Lo, Singapore Correspondent

When the United Kingdom cast its decisive vote on 23rd June 2016 to leave the European Union, a membership it had held for more than 40 years, the British pound slumped to a 31-year low as the final polling results sent shockwaves through the Asian trading hours. The losses extended into the European and US trading sessions as panicking investors fled to safe-haven assets, and stunned traders caught short by the unexpected outcome rushed to cover their positions. On that day, the pound plummeted more than 10% to $1.33, from $1.50. While the financial markets absorbed the news and braced for further turmoil over the following days and weeks, no one was quite prepared for the “flash crash” that happened three months later, on 7th October, when the currency plunged within a few minutes from $1.26 to $1.15 – marking a fresh 31-year low. The blame swiftly shifted to “algorithm trading programs” for triggering market orders that contributed to the massive pressure on the pound as political uncertainties mounted.

Algorithm-driven robot traders

Algorithm-driven robot traders, a form of “Artificial Intelligence (AI)”, mimic real-life trading using logic, if-then rules and decision trees to behave in ways that resemble an expert trader. Initially developed to improve trading efficiency by minimizing the manual tracking of financial markets and the laborious execution of orders (and arguably, also to eliminate trader emotional volatility), these robo-trading algorithms have evolved. From simple sell-buy triggers, to devising trading strategies built on high-speed cross-asset correlations and other complex mathematical calculations, they have acquired the potential to create systemically contagious impacts, as trades from one algorithm could trigger signals in others (as we see in this Brexit example). The coding of financial market data tracking and the structuring of profitable trades is not new; what has changed is that these algorithms fully harness the vast computational power available today to rapidly identify micro-arbitrage opportunities across assets, markets and time zones, and to construct profitable trading strategies within a fraction of a second.

Processing power, and lots of data

“Artificial intelligence” encompasses a vast range of technologies, ranging from problem-solving programs that copy human logical thinking processes (as in the case of algorithm-driven robot traders), to “machine learning” that improves these programs over time (“with experience”) using mathematical optimization techniques, to “deep learning” (or deep neural networks, as formally referred to in academic research), which is composed of multi-layered neural networks that self-train with vast amounts of data. In the fields of speech and image recognition, for example, Amazon’s Alexa, Apple’s Siri, Microsoft’s Cortana, and the many voice-responsive features of Google are enabled by vast computational power as well as the volumes of image, video, audio and text data available on the Internet. There is no question that it is in the machine-vs-human game of chess where this impressive processing power has taken our appreciation of the potential of AI to the next level. Deep Blue (IBM’s supercomputer) beat Garry Kasparov, the then world chess champion, in a six-game match in 1997, by using sheer processing power and massive data storage capability. Moving beyond merely programming how human experts think with if-then rules and decision trees, Google’s AlphaGo (an application by DeepMind of two deep learning networks combined with reinforcement learning) played against Mr Lee Se-dol last year in the ancient Chinese game of Go. AlphaGo beat Mr Lee, perhaps the best player of the game, in four of the five games. These advances in AI are made possible by the increased computational power referred to as Moore’s Law and by graphics processing units (GPUs) – initially built by Nvidia for 3D visual experiences in gaming – which enable 20 to 50 times the efficiency of traditional central processing units (CPUs). Google’s tensor processing units (TPUs), and Intel’s acquisition of Nervana Systems and Movidius, two startups that tailor-make technology for deep-learning computations, point to how seriously the technology giants are viewing the potential in this market. 
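The passage above describes how one algorithm's if-then sell rule can trigger the rules of others and turn a modest move into a systemic one. The following is an added toy simulation, not code from the article and not a model of any real trading system, that makes the mechanism concrete: each `RuleTrader` is a single stop-loss rule, and each sale is assumed to move the price by a constructed linear impact constant. Only the $1.26 pre-crash level is taken from the text; the stop levels, order sizes and `impact_per_unit` are hypothetical values chosen so that the cascade is visible.

```python
"""Toy simulation of rule-driven sell orders cascading through a market (added example)."""
from dataclasses import dataclass


@dataclass
class RuleTrader:
    """A robo-trader reduced to one if-then rule: sell `size` units once price < stop."""
    name: str
    stop: float
    size: float
    triggered: bool = False


def make_traders():
    # Constructed population: stop levels staggered below the $1.26 pre-crash level.
    return [
        RuleTrader("A", stop=1.25, size=10),
        RuleTrader("B", stop=1.22, size=20),
        RuleTrader("C", stop=1.18, size=30),
    ]


def run_cascade(price, traders, impact_per_unit):
    """Apply every trader's rule repeatedly until no new sell fires.

    Each sell lowers the price by size * impact_per_unit (an assumed linear
    impact), which may push the price below the next trader's stop and so fire
    that rule too. Returns (final price rounded to 4 dp, trader names in firing order).
    """
    fired = []
    while True:
        pending = [t for t in traders if not t.triggered and price < t.stop]
        if not pending:
            return round(price, 4), fired
        for trader in pending:
            trader.triggered = True
            fired.append(trader.name)
            price -= trader.size * impact_per_unit


if __name__ == "__main__":
    # A small shock from $1.26 to $1.255 stays above every stop: nothing fires.
    print(run_cascade(1.255, make_traders(), impact_per_unit=0.003))
    # A slightly larger shock to $1.245 crosses A's stop; A's selling drags in B, then C.
    print(run_cascade(1.245, make_traders(), impact_per_unit=0.003))
```

The point the simulation makes is that the final price depends almost entirely on the interaction of the rules, not on the size of the initial shock: a one-cent difference in the opening move separates "nothing happens" from "every stop in the book fires", which is the contagion the text attributes to the October flash crash.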
Sheer processing power combined with the availability of reams of data is accelerating AI applications across industries. Besides robo-trading, we are seeing innovations in the areas of robo-advising, fraud detection and market behavioral analytics in the financial services.

Artificial Intelligence in the Financial Services

Robo-Advisors offer digital investment advisory services based on algorithms. By collecting the details of investors’ investment objectives, preferences, style and risk profile, the robo-advisors learn what investors are interested in and deliver customised advice by aggregating relevant research reports and market updates to suggest financial asset allocations. In addition to these data analytics approaches, robo-advising technologies such as chatbots (robots that converse with humans) or sentiment analysis (the “irrational and qualitative” aspect of investment analytics, based on non-balance-sheet components such as views sourced from tweets or other social media), which improve the customer experience with natural language processing and unstructured data analytics algorithms, have also been widely deployed. This robo-human interaction technology is in the initial phases of innovation. Robo-advisors are yet to understand subtleties in a conversation. “I am worried about my parents’ health”, which may prompt a human advisor to review the risk profile and investment horizon of the customer, may not necessarily trigger the same response in a robo-advisor. A robo-advisor may also be limited in its information-gathering ability: it may not ask about money held outside of its service, which could give a distorted picture of a customer’s financial health. These examples show that whilst there is still some way to go before a robo-advisor can fully function as a fiduciary in the traditional sense, the volume and speed of the data being processed across several sources to deliver timely advice mean that innovations in these technologies will continue. Certainly, for those contemplating using robo-advisors, less biased advice combined with a wider selection of potential investments at a fraction of the cost of a traditional service is an attractive proposition.

Fraud Detection – AI machine learning techniques are also used to help fight cyber attacks through the automatic scanning for, detection of and response to network vulnerabilities. Similarly, by applying AI to volumes of data to spot suspicious financial transactions amongst millions of normal ones, AI could ease the burden on investigators in combatting money laundering, financial fraud and sanctions violations. With increasing regulatory scrutiny in these areas, financial institutions have adopted over-cautious attitudes, setting the thresholds of traditional rules-based anti-fraud systems at levels that raise alerts on practically everything, resulting in an unsustainable increase in false positives. Not only do legitimate customers face unnecessary probes, investigators also consume excessive time clearing these false positives. 
Adding to this workload is the manual building of the customer profile when swamped with structured and unstructured data about the subject and their social and commercial networks from in-house and other public and commercial sources. By replicating the way an investigator manages a case, AI automatically flags unusual or suspicious activity by mining data from a customer’s and peer group’s transaction history and thousands of “signature fraud patterns”. At the same time, AI also learns new patterns or goes into a corrective loop to ignore the ‘false positives’. For investigators facing the tedious job of manual data collation and rule updates in the legacy threshold systems, AI not only reduces the burden but also completes these tasks much more quickly.

Market Behavioral Analytics – In the fast-paced, high-pressure world of trading, where it is not uncommon for millions of transactions to change hands across the global markets of FX, futures or commodities, most would rank Nick Leeson and the collapse of Barings Bank, the United Kingdom's oldest merchant bank, in 1995 as one of the most publicized cases of unauthorized trading. Trading in the futures markets on the Singapore International Monetary Exchange (SIMEX), Leeson regularly used Barings' error account (an account used to correct mistakes made in trading), numbered 88888, to hide his trading losses, a practice that remained undetected for at least two years. The unravelling was triggered by his attempts to offset losses when the 17 January 1995 Kobe earthquake struck, sending the Asian markets and his trading positions into a tailspin. His new trades exacerbated the original losses, the total of which eventually reached £827 million (US$1.4 billion), resulting in Barings declaring insolvency on 26 February 1995. Recent cases of unauthorized trading include Jérôme Kerviel, a French trader convicted in the 2008 Société Générale €4.9 billion trading loss scandal. As a trader at the bank's Delta One desk, he created offsetting faked hedge trades to cover his losses. Three years later, in 2011, in another incident of unauthorized trading loss, Kweku Adoboli, a Global Synthetic Equities desk trader at UBS, also entered false information into the bank's computers to hide the risky trades he was making, which eventually cost the bank $2 billion. At the heart of rogue trading (or other types of fraud) are human incentives: those who want to profit for personal gain or who enjoy the thrill of excessive and unsanctioned risk-taking, and those who are afraid to own up to losses. These incentives are the reasons why flagging rogue trading in-house using traditional methods is a challenge. Bank employees do not reveal problems early because they are not incentivized to: they might get fired or lose their bonuses. Employers are not incentivized to be completely open with regulators because of the adverse effects on their business. 
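The fraud detection paragraphs above contrast a fixed rules threshold, which "raises alerts on practically everything", with scoring an activity against the customer's own history and that of a peer group, and then feeding investigator verdicts back so confirmed-legitimate behaviour stops firing; the rogue trading cases that follow are the same problem applied to a trader's or an account's bookings. The following is an added example, not code from the article or from any bank, that implements that baselining in plain Python over a constructed set of daily transaction totals. The account names, amounts, peer group labels, the `k` cut-off and the `PeerGroupMonitor` class are all assumptions of this example.

```python
"""Peer-group anomaly scoring versus a fixed rule threshold (added example)."""
import copy
from statistics import mean, pstdev

# Constructed sample data: eight days of transaction totals per account, plus a
# peer-group label. acct-B is a legitimately large business account.
HISTORY = {
    "acct-A": [120, 95, 130, 110, 105, 140, 115, 125],
    "acct-B": [2200, 2500, 2100, 2400, 2300, 2600, 2250, 2450],
    "acct-C": [60, 75, 55, 80, 70, 65, 72, 58],
}
PEER_GROUPS = {"acct-A": "retail", "acct-B": "business", "acct-C": "retail"}


def rule_based_flag(amount, threshold=500):
    """Legacy rule: alert on any amount above one fixed threshold, whoever it is."""
    return amount > threshold


def zscore(value, sample):
    """How many standard deviations `value` sits above the sample mean (0 if no spread)."""
    spread = pstdev(sample)
    return 0.0 if spread == 0 else (value - mean(sample)) / spread


class PeerGroupMonitor:
    """Scores each new amount against the account's own history and its peer group's."""

    def __init__(self, history, groups, k=3.0):
        self.history = copy.deepcopy(history)  # never mutate the caller's baseline
        self.groups = groups
        self.k = k

    def peers(self, account):
        group = self.groups[account]
        return [x for a, h in self.history.items() if self.groups[a] == group for x in h]

    def score(self, account, amount):
        own_z = zscore(amount, self.history[account])
        peer_z = zscore(amount, self.peers(account))
        # Requiring both deviations keeps a habitually large account (acct-B) quiet
        # while still catching an amount that is abnormal for both the account and its peers.
        flagged = own_z > self.k and peer_z > self.k
        return {"own_z": round(own_z, 2), "peer_z": round(peer_z, 2), "flagged": flagged}

    def feedback(self, account, amount, legitimate):
        """Corrective loop: an investigator-confirmed legitimate amount joins the baseline."""
        if legitimate:
            self.history[account].append(amount)


if __name__ == "__main__":
    monitor = PeerGroupMonitor(HISTORY, PEER_GROUPS)
    for account, amount in [("acct-A", 135), ("acct-B", 2350), ("acct-C", 900)]:
        print(account, amount, "rule:", rule_based_flag(amount), "peer:", monitor.score(account, amount))
    # A genuinely new but legitimate pattern for acct-A fires once, then is learned.
    print(monitor.score("acct-A", 200))
    monitor.feedback("acct-A", 200, legitimate=True)
    print(monitor.score("acct-A", 200))
```

Run as written, the fixed rule flags acct-B's routine 2,350 every single day (the false positive the text complains about) while the peer-group score leaves it alone and instead flags acct-C's 900, which is ordinary in absolute terms but roughly a hundred standard deviations from that account's own behaviour.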
Algorithms and data-driven analysis, reviewed by external teams of former traders, compliance staff, intelligence officials and psychologists, to a certain extent solve this incentive problem: systems alert to suspicious activity in an employee-agnostic way, supported by an external investigative team that is independent, with minimal conflicts of interest.

A Re-evaluation of Artificial Intelligence’s potential?

Early this year, in a widely hailed new milestone for AI, Libratus, built by Carnegie Mellon University Professor of Computer Science Tuomas Sandholm and his PhD student Noam Brown, won $1.5 million in chips after beating four of the world’s best poker players in an extraordinary 20-day tournament. Training a machine with incomplete, hidden and misleading information to win is significantly more challenging than constructing layers of neural nets to beat humans at chess. Unlike chess, where players see the entire board, poker players do not see each other’s hands. From performing probability calculations to manipulating table image, poker is a game where the outcome is tied to players’ actions based on psychology and game theory. The ability to interpret an imperfect set of information and “bluff” is key to a winning hand – and building this ability into artificial intelligence had proven to be elusive. Libratus does this by self-learning: armed with massive computing power, it plays trillions of hands to refine its approach and arrive at a winning strategy. Critically, Libratus did this overnight and repeatedly over the 20 days without needing to “take a break”, whereas the poker pros faced a very real physical challenge: they need to eat and sleep. The success of Libratus is special. It challenges our preconceptions about the limitations of AI and takes us to previously unexplored possibilities: there is potential for applications from negotiating trade deals to devising cyber security defense strategies to setting national budgets – areas that we think of as strategic work with imperfect information. But AI successes such as this have also raised concerns. Aside from data protection issues in fraud detection (will my personal investment data be anonymized for peer group profiling?), or threats of surveillance in market behavioral analytics (will the storing of my phone and electronic conversations be done in such a way that it meets legal requirements?), it is hard to escape our nagging suspicion that AI will soon replace us. The news that the world’s largest hedge fund, Bridgewater Associates, which manages $160 billion, is extending AI beyond financial trading to build “a piece of software to automate the day-to-day management of the firm, including hiring, firing and other strategic decision-making” adds to the fears and insecurities felt by many of us. Arguably, the examples provided here – algo trading, robo-advisors, fraud detection, market behavioral analytics – do not eliminate the human touch; AI merely collates data and draws out key information to allow for more efficient human decision-making. 
An Accenture survey of 1,770 managers across 14 countries concludes similarly: “AI will ultimately prove to be cheaper, more efficient” and so will “free us from the drudgery of administrative tasks”, to allow us “to focus on things only humans can do.” However, some, including the futurist Ray Kurzweil, disagree and believe that what we think of as strategic work, or even creative work, can be substantially overtaken by AI. Perhaps the real question is not if, but when: do we have decades to plan for the arrival of full AI systems without human guidance? Is it a quantum leap from today’s AI systems to performing strategic decision-making? What research breakthroughs are required to make these feasible? The evolutionary path is unlikely to be a linear one, and the complexities of human activities mean that some are easier to automate than others. But the rapid innovation of AI technologies means that we should not dismiss the likelihood out of hand. While the debate rages on, we can plan to adapt to AI’s transformational impact on our future lives. For the time being, though, we still hold some cards in our hands: there is no question that AI still needs our direction to set its objectives, programming, algorithms and code, and ultimately, to turn it on.


Asia Pacific Security Magazine | 39


CCTV Feature

The Capability: Facial recognition, privacy and regulating new technology

By Dr Monique Mann

In late 2015 the Commonwealth government announced that a national facial recognition system - the National Facial Biometrics Matching Capability or simply ‘The Capability’ - would be implemented. This system will use existing identification documents, such as licences and passports, to extract and share biometric information between state, territory and national government databases. As is often the case in relation to technological developments, regulation and the legal system have lagged behind. Given limitations in Australia’s privacy framework, such as an absence of a constitutional bill of rights or a privacy tort, there are limited privacy protections in relation to biometric information, and those that do exist are subject to carve outs and law enforcement exemptions.

Automated Facial Recognition Technology

AFRT systems digitise, store and compare facial templates that measure the relative position of facial features. These processes extend privacy considerations beyond the capture of photographs as they enable automated sorting, database storage, information sharing and integration. AFRT can be used to conduct one-to-one matching to verify identity, or one-to-many searching of databases to identify unknown persons. It identifies individuals and provides a gateway to the large and ever expanding databases held by government, law enforcement and security agencies. Further, photographs (and therefore facial templates) from data rich environments such as social media can be mined and integrated into big data used for law enforcement and security purposes. AFRT can be conducted from a distance and can be integrated with existing surveillance systems such as CCTV (known as ‘Smart CCTV’), enabling tracking through public places. There have been recent moves to trial a Smart CCTV system known as ‘iOmniscient’ by Australian councils, including in a Toowoomba library.

The Capability

The Capability will initially involve the sharing of facial templates between agencies including the Department of Foreign Affairs and Trade, the Department of Immigration and Border Protection, and the Australian Federal Police, with access expanding to other agencies in time. For example, the Digital Transformation Agency is considering the possibility of The Capability forming the foundation of the new Trusted Digital Identity Framework, which will become the basis of identity verification for all interactions with Commonwealth Government systems and services. However, individuals who consented to providing a photograph to obtain a passport did not consent to their facial templates being extracted from that image to be used for law enforcement, security, intelligence or other purposes. This is an example of function creep, where information collected for one purpose is used for secondary purposes for which consent was neither sought nor obtained. The Capability is being established in a manner that does not require expanded police powers or the introduction of specific legislation. Interagency agreements will facilitate information sharing. This means it is being introduced through administrative processes outside of a legislative framework, and without the increased scrutiny that such a framework entails. Concerning aspects of The Capability relate to integration with CCTV and other surveillance systems (municipal, state and federal government), the number of images that will be captured, and how this data will be used.

Privacy Impacts and Protections

The main privacy concerns associated with AFRT relate to how information is obtained, retained, shared between agencies, and how it is used. AFRT presents additional privacy risks as it can be used to locate and track individuals through widely implemented surveillance systems, and can be used to connect information across databases. Under the Privacy Act 1988 (Cth), sensitive information includes biometric information and templates. Sensitive information must only be collected with the consent of the individual concerned, unless the entity is an enforcement body and there is a reasonable belief that the information is necessary to the entity’s functions. Entities cannot use or disclose information collected for a particular purpose for a secondary purpose without the consent of the individual, unless the information is reasonably necessary for one or more enforcement related activities. These exemptions are significant as enforcement agencies or agencies with an enforcement function do not need consent, a warrant, or a court order to collect and retain photographs, to process this information to create facial templates and to disclose or share this information with other agencies. Privacy rights in relation to the retention of biometric information have been upheld in the European Union under Article 8 of the European Convention on Human Rights. A series of high profile cases have reaffirmed that the retention of biometric information or photographs of individuals who had not been convicted of a criminal offence violates the right to private life. In Australia, there is no comparable precedent, no privacy tort and no constitutional protection of human rights. Therefore, in Australia, there are limited privacy protections relative to other comparable Western democracies.

Regulation and Oversight of New Technology

The expansion of data collection and information sharing by law enforcement and security agencies has not been matched with an expansion in oversight. Effective oversight of biometrics requires technical knowledge, resources, and the power to advocate for individual rights against strong claims to protect the community from crime and terrorism. Internationally, independent statutory commissioners have demonstrated an ability to limit the scope of AFRT and respond to concerns related to consent, retention and use of biometric information. The UK has created a Commissioner for the Retention and Use of Biometric Material to regulate the collection, retention and use of biometric information, provide protection from disproportionate enforcement action, and limit the application of surveillance and counter-terrorism powers. In Germany, the Hamburg Commissioner for Data Protection and Freedom of Information challenged Facebook’s automatic photo tagging, requesting Facebook deactivate the feature, suspend the creation of biometric templates and delete all stored biometric information collected without prior active consent. In response, Facebook deleted the facial templates that had been collected and suspended creating new templates for European Union citizens. The US Government Accountability Office conducted an inquiry into the Federal Bureau of Investigation’s (FBI) use of AFRT, finding that the FBI failed to update or release Privacy Impact Assessments, complete audits or conduct testing of identification accuracy, meaning that innocent people could become entangled in FBI investigations. In Australia, the Office of the Australian Information Commissioner (OAIC) is responsible for providing advice, reviewing complaints, conducting investigations and monitoring compliance in relation to the federal Privacy Act 1988 (Cth). However, the OAIC does not have a specific function or officer to oversee the collection, retention and use of biometric information. This means that in Australia no biometric-specific oversight mechanism currently exists. A pattern of hostility towards the OAIC, for example attempts to abolish it and to reduce its funding, has compounded the regulatory gaps in matters of privacy in Australia. The complex nature of biometric information, coupled with the way it is used by law enforcement and security agencies, and continuing developments in this field, indicate the OAIC may need additional resources and specialisation in biometrics.

Conclusion

Considerable developments in the use of AFRT have occurred and urgent policy consideration is required to address legislative and regulatory shortcomings. The expansion of information collection and sharing by law enforcement and security agencies has not been matched with an expansion in oversight. There are broader implications for existing and emerging surveillance technologies. Ongoing developments in technology mean databases will continue to expand and information sharing will become more efficient. A re-evaluation of privacy protections in response to new technology is required, as are additional oversight mechanisms.

About the Author

Dr Monique Mann is a Lecturer at the School of Justice, Faculty of Law at the Queensland University of Technology (QUT). She is a member of the Crime and Justice Research Centre and the Intellectual Property and Innovation Law Research Program at QUT. Dr Mann is also a member of the Board of Directors of the Australian Privacy Foundation. This article has been adapted from UNSW Law Journal Vol 40(1) Adv – the original article and full references are available here: http://unswlawjournal.unsw.edu.au/sites/default/files/04-mannsmith-advance-access-final.pdf Dr Mann acknowledges the contribution of Dr Marcus Smith, who contributed to the original research on which this adapted article is based.



CCTV Feature

Digital video analytics: Test results

By Tony Caputo

Before we discuss digital video analytics I need to explain, as painlessly as possible, why the following examples have inspired me to write this. You see, I’ve been working with digital imagery and video since the 1990s and I’ve come to understand that the image presented on your screen is made up of digital pixels. In the digital world of absolute mathematical equations, pixels are not measured in dots of Cyan, Magenta, Yellow and Black, like the offset printing process, but rather in bits and bytes. A digital pixel represents visual colour. There are 8 bits (1 byte) in a black and white image and 24 bits for a colour image (1 byte each for Red, Green and Blue). So, each pixel contains 256 shades of gray (for black and white) or 256 shades of Red and 256 shades of Green and 256 shades of Blue, or 16,777,215 colours for a colour image. If you’re wondering what happened to the Black in the transition from CMYK in print to the RGB of pixels, mix Red, Green and Blue paint together, and see what you get – black. The richness of the blacks is also defined by brightness and contrast in the digital world. This is why your 1080p television looks so much sharper and more colourful than that old CRT television, because the digital image has more pixels to pick up more detail and colour variables. However, more pixel depth doesn’t make a smarter camera, only a better-quality image.

Now that you understand how the IP camera image processor captures visual images in the analogue world, the next step is motion. Digital motion pictures are achieved the same traditional way Thomas Edison achieved motion back in 1901, with frames per second. The rapid succession of multiple snapshots of the field of view captures the colour changes at a rate per second, providing the illusion of movement on screen. The real magic of digital video is the compression and decompression (codec) algorithms. These codecs analyse motion within the multiple frames and dissect them into blocks, categorizing them into special frames and data for transmission. This is a necessity for the transmission of digital video because transmitting full 1080p frames per second (MJPEG) requires about 31 Mbps bandwidth (yes, thirty-one megabits per second), versus the H.264 codec, which can transmit the same quality imagery using only 2.5 Mbps. Further details on codecs aren’t necessary for this post; it is enough to say that codecs do not care what is moving within the digital image when they encapsulate that movement within macroblocks. Their only function is to shrink the video stream for transmission and take up less storage space when recording. Digital pixels identify colour. Multiple frames create the illusion of motion. Codecs just shrink it for transmission and storage. The fact of the matter is, IP cameras are not very smart. They do not know what they are “seeing.” They do not know what is moving; they just capture, replicate and transmit. They don’t know the difference between blowing snow and a person walking across the scene.

This is why video analytics systems have failed in the past: because software only cares about the pixels, you’re limited in trying to understand what is actually being “seen.” Traditionally, analytical software is limited to the data received from these IP cameras, and so it analyses pixels (colour) and motion (FPS) and, once calibrated, begins to understand a difference between something that’s 10 pixels and 50 pixels in size, calculates the time between frames and determines that the 10 pixels may be a person walking and the 50 pixels a car speeding, if it’s calibrated as such. The moment the lighting changes (which changes the colour), or that person opens a giant umbrella, or that car slows down, it needs to be able to categorize shapes in order to remember that, “wait, that’s still a car.” So, you see, when I was assigned the task of testing and creating demonstration samples for the Hitachi Video Analytics (HVA) Suite, I was quite apprehensive in accepting the project. I envisioned hours of frustration ahead of me because IP cameras and software are not that smart. I wanted the killer app (analytics) to be that smart. I envisioned re-purposing the tens of thousands of underutilized security IP cameras into Smart City sensors. HVA not only surprised me, it impressed me. One of the first examples I created is below. When I realized HVA Object Detector could be calibrated to ignore moving objects, I remembered a use case from a decade ago that involved sending a real-time alert if there was a stalled vehicle or person at a railroad crossing. I recalled it took a freight train over a mile to stop and cost millions of dollars a day for delays, let alone the liability. HVA Object Detector ignored all movement, including any cars crossing the tracks, and sent an alert when the person fell on the tracks.
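The pixel-only behaviour described above can be reproduced in a few dozen lines. The following is an added example, not code from the article or from Hitachi: it runs a naive changed-pixel counter and a detector with illumination compensation and a minimum blob size over constructed greyscale frames (a uniform afternoon shadow, scattered snow, and an 18-pixel figure); the frame size and thresholds are assumptions chosen for the demonstration.

```python
"""Added example (not from the article or HVA): why a detector that only
counts changed pixels alarms on shadows and snow, and how a global
illumination estimate plus a minimum blob size suppresses those false
positives. Frames are constructed 8-bit greyscale images (lists of rows)."""
from collections import deque

W, H = 32, 24          # constructed frame size in pixels (assumption)
DIFF_THRESHOLD = 40    # grey levels a pixel must change to count as "changed"
MIN_BLOB = 8           # smallest connected region treated as a real object


def blank_frame(level=90):
    return [[level] * W for _ in range(H)]


def paint(frame, pixels, level):
    """Return a copy of frame with the given (x, y) pixels set to level."""
    out = [row[:] for row in frame]
    for x, y in pixels:
        out[y][x] = level
    return out


def person_pixels(x0=10, y0=8):
    # A 3 x 6 block of 18 pixels stands in for the article's small figure.
    return [(x0 + dx, y0 + dy) for dx in range(3) for dy in range(6)]


def snow_pixels(count=40):
    # Deterministic scatter; with these strides no two flakes are
    # 4-adjacent for count < 96, so every flake is an isolated pixel.
    return [((7 * i) % W, (11 * i) % H) for i in range(count)]


def changed_mask(ref, cur, shift=0):
    """Mask of pixels whose grey level differs from the reference by more
    than the threshold, after removing a global brightness shift."""
    return [[abs((cur[y][x] - shift) - ref[y][x]) > DIFF_THRESHOLD
             for x in range(W)] for y in range(H)]


def naive_alarm(ref, cur):
    """Pixel-only analytics: enough changed pixels anywhere means 'motion'."""
    return sum(map(sum, changed_mask(ref, cur))) >= MIN_BLOB


def median_shift(ref, cur):
    """Global brightness change, estimated as the median per-pixel
    difference so that a small object or sparse snow does not bias it."""
    diffs = sorted(cur[y][x] - ref[y][x] for y in range(H) for x in range(W))
    return diffs[len(diffs) // 2]


def largest_blob(mask):
    """Size of the largest 4-connected region of True cells (BFS flood fill)."""
    seen = [[False] * W for _ in range(H)]
    best = 0
    for y in range(H):
        for x in range(W):
            if not mask[y][x] or seen[y][x]:
                continue
            size, queue = 0, deque([(x, y)])
            seen[y][x] = True
            while queue:
                cx, cy = queue.popleft()
                size += 1
                for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
                    if 0 <= nx < W and 0 <= ny < H and mask[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        queue.append((nx, ny))
            best = max(best, size)
    return best


def robust_alarm(ref, cur):
    """Compensate the global shift, then require a connected blob of at
    least MIN_BLOB pixels: isolated flakes and uniform shadows fall through."""
    mask = changed_mask(ref, cur, median_shift(ref, cur))
    return largest_blob(mask) >= MIN_BLOB


def scenarios():
    """Run both detectors over constructed scenes; returns name -> (naive, robust)."""
    ref = blank_frame(90)
    scenes = {
        "quiet": ref,
        "shadow": blank_frame(40),                       # whole scene darkens by 50
        "snow": paint(ref, snow_pixels(), 240),          # bright isolated flakes
        "person": paint(ref, person_pixels(), 200),
        "person_in_snowy_shadow": paint(paint(blank_frame(40), person_pixels(), 200),
                                        snow_pixels(), 240),
    }
    return {name: (naive_alarm(ref, cur), robust_alarm(ref, cur))
            for name, cur in scenes.items()}


if __name__ == "__main__":
    for name, (naive, robust) in scenarios().items():
        print(f"{name:24s} naive={naive!s:5s} robust={robust}")
```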
HVA Intrusion Detector includes a built-in filter for weather conditions. I inadvertently performed a test comparison between the analytics built into a camera and HVA by tapping into a video stream from a backyard camera which I had configured with its built-in analytics. The only method of calibration and configuration for the built-in analytics was adjusting its sensitivity. Although all the false positives from animals made me realize what a jungle the neighbourhood was (squirrels, cats, raccoons, possums), I eventually disabled the built-in analytics, as I was sick of getting email alerts with snapshots of rain and snow. After a while, continually reducing its sensitivity doesn’t alert you to anything but the huge afternoon shadows that cause dramatic changes in pixel colour. Absentmindedly, I did notice that I didn’t receive any false positives from the HVA Intrusion Detector, ingesting another RTSP stream from the same camera. That’s when I decided to create the example below. Simple area protection configuration, taken during snowfall. HVA ignores the snow, and the squirrel running around, and only alerts me when the person walks into the frame. HVA knows what snow is. The intelligence behind the snow, rain, haze and fog filter that’s built into HVA Intrusion Detector is also available in the HVA Video Enhancer module. Impressed, I decided to give it an even bigger challenge. How about a Chicago-style snowstorm? Analyse This! To the left is the actual footage, crazy windblown snow creating white-out conditions. It gets to the point at the end of the clip that there’s so much snow, it tricks the camera back to colour mode, thinking it was daylight. The clip to the right is the sample video processed through HVA Video Enhancer, which now can be ingested into other video analytic modules for better accuracy and performance. HVA really does know what snow is.

The HVA Intrusion Detector sample clip below is configured for Perimeter Intrusion. A person must walk from the green zone into the red zone in order to be recognized as an intruder. Even though I configured the zones to be the same size, HVA’s ability to recreate a three-dimensional space from the two-dimensional image means it understands perspective, so it recognizes that the figure attempting to enter the facility is 1.8 meters tall, and an intruder at each door.

A unique and very effective module is the HVA Privacy Protector, which enables the ability to protect the privacy of individuals and still allow for video monitoring for safety and security. I configured the HVA Privacy Protector example below with a couple of layers. First, I wanted the ATM to always be pixelated, to protect PIN numbers, and the vehicles on the street, to protect license plates. Although HVA Privacy Protector is engineered for static fixed camera views, notice how the persons-of-interest are still fully pixelated even when standing still? This stream is now available for input into other systems and/or analytics, such as Intrusion Detector or Object Detector, while still protecting the privacy of individuals. The secured archived footage can only be seen by authorized personnel with the correct security clearance. You can even add a second layer of security using a Smart Card and transaction authentication number (TAN) for protection. I created over a hundred test samples for all the HVA modules (listed at the end). HVA is impressive because each module has its own analytical engine, engineered to do that specific function. It’s not one pixel analyser and movement calculator that was built upon to do something more than its core capability. HVA also recreates three-dimensional space from a two-dimensional video image and then adds the 4th dimension (time) for improved performance. You can also calibrate the length of its 3D learning phase and each scene with multiple illumination states – day, night, afternoon – which also improves its performance and accuracy. It really does add more intelligence to cameras and I’ve tried it on many different types, from a generic low-end bullet camera to the popular Axis cameras (including the panoramic), to a top of the line thermal camera. I could go on with other samples, but you get the idea. I was apprehensive at first, but I’m excited to have been a part of this new technology release, and the thought that my dream of the analytics killer app for Smart City has finally become a reality. The Hitachi Video Analytics Suite:

- Activity Visualizer
- Camera Health Monitor
- Face Collector
- Intrusion Detector
- License Plate Recognizer
- Object Detector
- Parking Space Analyzer
- People Counter
- People Counter 3D
- Privacy Protector
- Queue Detector
- Traffic Analyzer
- Vehicle Counter
- Video Enhancer





Corporate Security

How to see the cyber and disappear completely

After 20 years of research, we have condensed our hacking experience into two innovative products: a cyber radar system that visualizes, measures and controls the whole cyber-physical space, and a moving target security solution that makes data traffic and networks invisible to the outside world.

By Nicolas Mayencourt, CEO of Dreamlab Technologies Group

Technology to the core

Over the last 20 years, I have attacked and penetrated my clients’ networks and infrastructures. When I started my business as a professional hacker in the late 90s, the topic was a marginal one, followed only by a small, peculiar but very skilled community. We literally penetrated our customers’ infrastructures to the core – to the bits and bytes. During these years, IT developed into the most central element of modern societies, from running banks, telecoms or governments to our very own pocket smartphones. Nothing works without it – we are completely dependent. “Cyber” has become “physical”. It is part of the world we live in: houses, doors, cars, planes, trains ... But the technology used to transfer data over networks is still the same, with all its weaknesses and vulnerabilities. It was envisioned forty years ago in a research project among trusted peers, with the effect that, as Verizon states in its 2016 Data Breach Investigations Report, “no locale, industry or organisation is bulletproof when it comes to the compromise of data”.

Insecure by design

This technology has been developed to reliably transfer data. It has not been designed to be secure, private, or confidential. Therefore, cyber-crime has become a very profitable business, reporting an average cost of AUD 5.2 million per data breach in 2015. Politics is influenced by state-sponsored cyber activities. While there are still very serious allegations about the US Presidential election last year, the decision was made by Dutch authorities to roll back electronic voting for the March 2017 elections. Media reported concerns about Russian interference with those systems. And without being fully aware of it, we are already critically exposed to the danger of remote killings by cyber terrorists, as allegedly disclosed by WikiLeaks in its latest dump of CIA papers.

Time for a change in cyber defense

For 20 years, I fought cybercrime. I discovered malicious attacks and tricky frauds, web-based criminal organisations, disguised terrorists. While studying their methods and “business models”, I began to ask questions: “What if we could change the concept of our networks fundamentally? What would it take to prevent attacks and crime once and for all?” One possible reaction (and not the worst) is: back to manual / pre-IT methods (i.e. counting votes by hand in the Netherlands). Disappear from cyber-physical space by not using it anymore. But this means surrender. Another one is the common practice of bug fixes, patches, hardening. But this is no active defense, just a reaction and always one step behind the aggressor, as proved by the continuous stream of data breaches in all kinds of sectors. I gathered my team of the best hackers worldwide and step by step we developed better ideas. And we elaborated the reactions into solutions: make the cyber-physical space fully visible and / or disappear completely.

“See the cyber-physical space”

We developed “cyobs”, a cyber radar system that makes all vulnerabilities and dependencies of one’s own cyber-physical space fully visible, measurable, and thus controllable. Only what is known can be protected. cyobs serves as a command information system that makes it possible to manage information security over wide expanses and to the edge of it. At government level, cyobs helps armed forces and security services to protect points of access and territories against cyber threats and cyberwarfare.

“Hide the cyber-physical space”

To protect your own cyberspace, the only thing you need to do is make it invisible. Because you cannot attack what you cannot see. You cannot destroy what you cannot find. You cannot steal what you cannot catch. Instead of preventing intrusion into a static network, the network becomes a proactive, dynamic system of moving targets. This is what our innovation, _cyel equilibrium, is all about. Users are no longer directly visible to the outside world. All data traffic is encrypted. Any intruder moving laterally will inherently be spotted. Moving target security writes the new rules of cybersecurity. It re-establishes full control to the network owner. _equilibrium is delivered as an easy overlay network, a software defined network that is retrofit-compatible, leveraging existing networks as a transport but building atop them dynamic flow control and inspection, stochastic network obfuscation with random topology mutations, and cryptography to ensure that you are not just protecting the message, but the messenger too.

About the Author

Nicolas Mayencourt has 20 years of professional experience in Information Technology. He is a Cyber Defense specialist of the 1st generation. As a member of the board of ISECOM he defined today’s security standards. Dreamlab Group is an internationally operating think tank, lab, and network, focussed on cutting-edge security. Part of the Group are cyobs, the world’s first Cyber-Radar System, _cyel, the moving target security pioneer, and Kolab, the world’s only secure communication and groupware. Furthermore, Dreamlab developed tools for advanced cyber forensics. For over 20 years, Dreamlab has been securing its customers’ data and infrastructures, and fighting cybercrime – worldwide.



Cyber Security

Your mum & IoT security

By Morry Morgan, IoT & Technology Correspondent

On October 21, 2016 the USA suffered one of the largest cyber attacks of its kind. But this wasn’t the Russians. The culprits were much more terrifying. Thanks to the boom in Internet of Things (IoT) devices and poorly configured innate security features, the culprits were ordinary and naïve mums and dads spread across 164 countries. To be more precise, it was their 500,000-plus unsecured routers, digital video recorders (DVRs), security cameras, and even refrigerators that caused the outage – turned into ‘zombies’ by a botnet called Mirai. These mundane appliances, albeit with Internet connectivity, were one minute keeping vegetables fresh or recording an episode of Game of Thrones, and the next sending lookup requests with a combined volume of 1,100 gigabits per second, all to a single IP address. Had the victim been a lone website, as was the case on December 31, 2015 when the BBC was hit by a Distributed Denial of Service (DDoS) attack from ‘New World Hacking’, only a small number of users would have been inconvenienced. But the Mirai botnet was more strategic. It attacked the Domain Name Service (DNS) provider Dyn, based in New Hampshire, and in doing so made the websites of Amazon.com, AirBnB, Netflix, and over 70 other significant companies invisible for six hours. The IoT had successfully been used for evil, at a cost to companies of roughly $110 million in potential lost revenue. Mirai represents a new type of threat for the interconnected world. By its very nature, IoT creates the conditions for rapid proliferation of botnets that often have, as was the case for Mirai, scanning programs that automatically search the Internet for unsecured devices. They then infect, replicate and then hibernate, until a command is given to awaken and unleash cyber chaos. Worse still, IoT DDoS attacks originate from thousands or even hundreds of thousands of devices worldwide, whose owners are completely ignorant that they are accomplices in a crime. And even if they did know, many IoT devices have no simple patch, update, or virus scanning functionality, meaning the IoT device will be part of the problem until it is replaced. That could be years or decades. In the meantime, the exponential growth of IoT devices is estimated to reach 20 billion by 2020.

One solution lies with the regulation of manufacturers. Frank Zeichner, the CEO of IoT Alliance Australia (IoTAA), says that modems in Australia that are “behaving badly” are visible to Internet Service Providers (ISPs) and that these ISPs are responsible for sharing this information with the Australian Communications and Media Authority (ACMA). But while vulnerabilities are being reported, “currently in Australia they are not being acted upon. There are no teeth in responding to this threat.” Zeichner believes that it’s just as important to get information out to consumers regarding the vulnerability of their routers, cameras and IoT-enabled white goods. But he adds that this education will take time and investment. “If Harvey Norman sales people don’t know about the vulnerabilities, then their customers aren’t likely to know either.” This is made more challenging by the eagerness of many manufacturers to release ‘smart’ products without a complete understanding of the repercussions of lax security. Evidence of this is last week’s warning that an IoT dishwasher, produced by German white goods giant Miele, was ‘prone to a directory traversal attack’. These types of attacks let hackers access directories and data, such as sensitive configuration files, and potentially hijack the machine and infect it with malware or a botnet like Mirai. In a worst-case scenario, the Miele dishwasher would still give you spotless plates, but could simultaneously crash your favourite shopping website.

Zeichner hopes that the ACMA can encourage IoT manufacturers to follow a code of conduct on security, with a kind of ‘Heart Foundation Tick of Approval’ for those abiding by the rules. Failing that, he believes that “badly behaved manufacturers should be made public and suffer the consequences to their reputation.” And he hopes that as the IoTAA grows, from its membership of 140 companies and 450 individuals, as well as observers from both State and Federal governments, its recommendations become full-blown legislation. At which point, the second solution becomes available – legal action. In the United States, where IoT regulation is slightly ahead of Australia, the Federal Trade Commission (FTC) has filed a complaint against the Taiwan-based computer networking equipment manufacturer D-Link Corporation and its US subsidiary. The claim, submitted in January, states that the company “failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras.” This is despite the company stating on its website that the hardware was “easy to secure” and had “advanced network security.” This was clearly not the case; D-Link was a favourite target of the Mirai botnet. Further, the company’s inadequacies in security have been documented as far back as 2009. The hardware-hacking site, Hackaday.com, has its own section on D-Link, with step-by-step guides on how they’ve hacked the company’s many routers over the years.

The FTC’s action is a warning shot across the bow of the IoT industry, although it will be a while before the outcome is known. In the meantime, the agency is also trying to be part of the solution by launching the ‘IoT Home Inspector Challenge’ – a kind of ‘bug bounty’ for freelancers, with a grand prize of US$25,000 for the best tool that helps “protect consumers from security vulnerabilities caused by out-of-date software”. The FTC hopes to employ the collective skillset of the IT community, which has been a model used by the likes of Facebook, Google, and the original ‘bug bounty’ pioneer, Netscape. Some companies have also profited from this outsourcing trend, developing a solid business model of rallying ready-for-hire ‘white hat’ hackers. HackerOne, one such bug bounty coordinator, has over 100,000 registered freelancers and boasts that 75% of companies that sign up to the service receive a bug report in less than 24 hours. That efficiency will be necessary with the exponential growth of IoT products, combined with the ignorance and too often callous behaviour of manufacturers.

Of course, there is one other possible solution to ensuring IoT security, although Zeichner is quick to add that the consequences could be damaging to the entire industry. “Cyber-security insurance in the United States currently sits at about 3%, and there’s an indication that this will grow. And since insurance companies don’t like paying up, they will look to sue the culprits of the security breach.” Their targets are not necessarily going to be the hacker, or the manufacturers who have skimped on security. It’s also possible that they will ignore the distributors and wholesalers, who have ‘aided and abetted’ in distributing susceptible IoT devices. The most terrifying scenario is that these insurance companies, in their goal to recoup losses, could target those harbouring the infected routers, DVRs or Miele dishwashers. They could be coming for your mum and dad.
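The directory traversal weakness the article attributes to the Miele dishwasher is a general class of defect: a device’s web interface builds a filesystem path from a request without checking that the result stays under the directory it was meant to serve. The Python below is an added example written for this page; it is not code from the article, from Miele, from D-Link or from any product named above. It contrasts a naive path resolver with a hardened one, adds a string-only helper for flagging traversal patterns in access logs, and goes a little beyond the article’s case by also confining absolute paths, rejecting NUL bytes and catching symlinks that point outside the root. The function names and the throwaway web-root layout are assumptions for illustration, and the sample directory it creates is constructed data.

```python
"""Path containment for an embedded web interface.

Added example for this page (not the article's code and not from Miele,
D-Link or any other vendor). Function names and the web-root layout are
assumptions for illustration.
"""
import os
import shutil
import tempfile


def naive_resolve(web_root: str, requested: str) -> str:
    """Naive resolver: joins the request path as given and normalises it.
    A request such as "../../etc/passwd" climbs out of web_root, which is
    the directory traversal pattern the article describes."""
    return os.path.normpath(os.path.join(web_root, requested))


def safe_resolve(web_root: str, requested: str):
    """Hardened resolver: returns the absolute path for `requested` under
    `web_root`, or None if serving it would escape the root.

    Assumes `requested` has already been URL-decoded by the server; the
    check must see the same path string the filesystem will see."""
    if "\x00" in requested:  # a NUL byte would truncate the path in C libraries
        return None
    root = os.path.realpath(web_root)
    # Strip leading separators so os.path.join cannot discard `root`
    # when the client sends an absolute path such as "/etc/passwd".
    relative = requested.lstrip("/\\")
    # realpath collapses "..", "." and symlinks, so a symlink inside the
    # root that points outside is caught by the same containment check.
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def is_traversal_attempt(requested: str) -> bool:
    """Log-review helper: True when the request path climbs above its
    starting directory at any point. Works on the string alone, so it can
    run over access logs without touching a filesystem."""
    depth = 0
    for part in requested.replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def demo() -> dict:
    """Build a throwaway web root (constructed sample data) and exercise
    both resolvers; returns named boolean outcomes."""
    root = tempfile.mkdtemp(prefix="iot-webroot-")
    try:
        os.makedirs(os.path.join(root, "static"))
        index = os.path.join(root, "static", "index.html")
        with open(index, "w") as fh:
            fh.write("<html>ok</html>")
        real_root = os.path.realpath(root)

        def inside(path) -> bool:
            return path is not None and path.startswith(real_root + os.sep)

        return {
            # the naive join lets ".." escape the root entirely
            "naive_escapes": not naive_resolve(root, "../../../../etc/passwd").startswith(root),
            "benign_served": safe_resolve(root, "static/index.html") == os.path.realpath(index),
            "dotdot_rejected": safe_resolve(root, "../../etc/passwd") is None,
            "absolute_confined": inside(safe_resolve(root, "/etc/passwd")),
            "nul_rejected": safe_resolve(root, "static/index.html\x00.png") is None,
            "log_flag_dotdot": is_traversal_attempt("../../etc/passwd"),
            "log_flag_benign": is_traversal_attempt("static/../static/index.html"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The containment check is deliberately done on the resolved path rather than by searching the request for `..`, because encoded or doubled separators can hide the pattern from a string match while still reaching the filesystem; the string-based helper is only for triage of logs, not for enforcement. Where a device only ever serves a handful of fixed files, an allowlist of those names is a stronger control still.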



Cyber Security

Cyber Insurance: Is it time to start the conversation?

By Meera Wahi

Businesses are investing in security to manage cyber risk. They wish to safeguard the digital boundaries of their enterprises to prevent external agents from finding a way through their cyber defences. External agents, on the other hand, are continuously trying to access the digital networks, assets and transactions of businesses for malicious gains. Such attempts, classified as cyber incidents, are unauthorised, uninvited, unlawful and frequently successful. Businesses embrace digital technologies for their increased efficiency over dated alternatives, as well as to provide greater value propositions for their customers. However, despite these benefits, acceptance of the risks and liabilities that come with operating in the digital world is necessary, and is only taking place now. In this process, general security measures are implemented, usually starting with firewalls, anti-virus software, cloud and email security, data encryption, and cloud storage. Additionally, there are the NIST framework and compliance, PCI compliance, penetration testing, patch management practices, regular password management, and staff training. The approaches above lend themselves to operational resilience and, in conjunction with the implementation of business continuity planning and incident response, the enterprise believes it has fulfilled the criteria of fiduciary responsibility and self-sustainability.

Privacy

With the digital world comes customer data, big data and analytics. In implementing digital strategies to target and understand these data subsets, businesses continue to collect large amounts of third-party data from multiple sources. The gain is insight into customer behaviour, and behavioural data to help corporations serve consumers more effectively. Data comes with obligations to protect the privacy of personal data and consumer identity, as well as the privacy of digital storage, sharing and/or disclosure of data. If said obligations are not met, businesses can be held liable for privacy breaches, with the consequence of regulatory fines.

Risk Management

Having summarised current concerns of operating in the digital world, let us visit cyber risk. Cyber risk, like others, must be measured and managed. Risk can be managed either through elimination, mitigation, transfer – or by acceptance. How are businesses managing cyber risk? Due to increased investment, cyber security controls are becoming more sophisticated. However, cybercrime and other cyber incidents are increasing as well. Cyber risk cannot be eliminated entirely, yet ongoing investment in security is necessary. However, investment is justifiable only until incremental returns on the security expenses no longer produce equal mitigation of risk, at which point it incurs diminishing returns. Risk transfer is possible through outsourcing data, yet general law does not allow outsourcing of liability or ownership of data. Furthermore, risk transfer is also possible through insurance. Insurers accept risk on behalf of the insured, for a premium and certain pre-defined conditions. If an event occurs that causes loss to the insured, then a claim can be made to the insurer. In my conversations with security consultants and vendors, I commonly heard, “insurance works against what security vendors or consultants do. If they do their job well, then their clients would never need insurance.” So when is the right time to speak about insurance? The process of risk management starts with a business listing all cyber risks as part of a risk register, which rates and defines risks according to their impact and probability. Each risk then corresponds with a specific strategy, aimed at providing proper solutions, whether that be elimination, mitigation, acceptance or transfer. The conversation at this stage concerns implementing security controls and relates to elimination and mitigation of cyber risk, as well as to risk transfer through insurance. A risk strategy must explore all options available and must be driven by ROI principles. Cyber risk brings financial, compliance, reputational and operational risk. A straightforward investment in security may miss out on the impact of such risks. Businesses, after having achieved a risk register, must then offer an insurance register for all risks. This register must be paired with a specific insurance policy for every risk scenario that the business feels is appropriate. Thus, a conversation on insurance cannot be ignored in any cyber risk management situation, as it is an intrinsic part of the total strategy. An insurance broker is as much a part of cyber risk consulting as a security vendor or consultant.

Coverage & Benefits

Insurances for business are covers for indemnity or liability. A business may wish to offset costs where a damage or loss has occurred on which the business needs to spend money. Costs associated with restoring a business to full operation are covered by indemnity insurance. Liability cover is provided for incidents where a business may be in breach of legislation and may incur legal action, payouts or regulatory fines. Businesses in their operating environment must abide by legislation. Cyber insurance is an insurance of indemnity and liability expenses related to cyber incidents. It also pays for crisis response expenses, such as forensic testing, public relations and mandatory notification expenses. With the passing of a mandatory disclosure bill in parliament, crisis response became a necessity of cyber insurance and a must-have for businesses covered by the Privacy Act. Cyber insurance comes with an expert panel of legal, forensic, IT and PR experts. They are made available to the business within twenty-four hours of an incident report. All expenses related to the claim are borne by the insurer, and any out-of-pocket expense can be claimed. Insurance saves a business time, money and expensive payouts in managing a data breach. A business, depending on its size and risk profile, can get one million dollars in coverage for ten thousand dollars, delivering a high return on investment.

Conclusion

Recognising that cyber risk has to be managed through all components of a risk management strategy would lead to a robust discussion on cyber resilience. Businesses must include all available options whilst continuously investing in security.

About the Author

Meena Wahi is the Director of Cyber Data-Risk Managers, a specialist insurance broker for cyber insurance, data breach, intellectual property and reputational loss insurance. Meena has been engaging with stakeholders in the evolving cyber risk space since 2011. She has an MBA from Monash University.



Cover Feature

We must do more in the digital war against Islamic State

By Anoosh Mushtaq, Chair and founder of The Raqīb Taskforce

Cyberspace is now officially a war zone, and Islamic State (IS) has the capability to dominate the virtual front line. Abu Bakr al-Baghdadi, the leader of IS, has it all figured out. His slick social media campaign has put the terrorist group out in front in this critical future battleground. Now, IS can have a devastating impact worldwide, regardless of the physical territory they capture or hold. Rather than relying on territorial gains on the ground, IS can covertly and successfully operate in cyberspace – recruiting members and inspiring lone-wolf attacks as they go.

Compared to other terrorist organisations, IS boasts a uniquely sustained success with its digital strategies. Al-Baghdadi recognises that social media is a valuable and powerful way to disseminate messages quickly. The use of social media by terrorist organisations is not a new phenomenon: AQAP and al-Shabaab have maintained Twitter accounts since 2010. However, under al-Baghdadi’s leadership, IS has become distinctly effective at the ‘social media blitz’ – using techniques to spread messages rapidly to an audience that is beyond their immediate reach. Since many IS Twitter accounts have reportedly been shut down, IS has been forced to look elsewhere to maintain a powerful online presence for propaganda and recruitment. This is why encrypted applications have become hugely important to the group. It was reported in January 2016 that IS built their own Android messaging application called Alrawi to ensure that communications within the group stay secure. However, reporting from multiple sources as recently as December 2016 suggests that Alrawi isn’t actually used. Instead, WhatsApp and Telegram are the mobile messaging applications currently favoured by jihadists because of their security features. Telegram offers the ability to destroy messages with a timer feature, and protects messages from hacker attacks. WhatsApp provides end-to-end encryption and the assurance that calls are secure.

In general, embracing mobile messaging applications with encryption capability is an intelligent shift in IS operations that regularly makes it difficult for counter-terrorism agencies to detect the group’s movements. This presents IS with a covert way to orchestrate terror attacks. French jihadist Rachid Kassim, who is behind several terror plots in Europe, used his now-defunct Telegram channel Sabre de Lumière (Sword of Light) to call for the assassination of journalists, political figures and religious scholars, as well as lone-wolf attacks in European countries. His call didn’t go unanswered: he’s been linked via Telegram to jihadists who have either plotted or carried out these kinds of atrocities in Europe.

According to Prime Minister Malcolm Turnbull, our cyber operations against IS ‘are making a difference to the military battle’, but it’s unclear as to whether we have sufficient plans to counter IS’s digital strategies – including their use of social media and encrypted mobile messaging applications. Online operations do have security flaws, but we can’t rely on always being able to exploit these flaws in order to gain new intelligence. IS is already well aware that their communication mediums have security implications, and to counter this, they strategically use Qur’anic verses and Arabic coded language when they communicate. This makes it difficult for westerners and non-Muslims to know what they are really saying, which gives them the upper hand – especially in the planning of terror attacks. For the sake of our national security, we need to be able to proactively decode IS messages. Who better to do that than educated Australian Muslims? It would be beneficial for us to recruit and train people in the areas of cybersecurity and social intelligence whose technical skillset is complemented by a rich, lifelong understanding of Islam. These people would operate in the ‘back end’, interpreting the coded messages spread in cyberspace by IS, using their own fluency in Arabic and the Islamic faith. In a sense, we could fight fire with fire and adopt a recruitment strategy similar to that of IS. The terrorist group is known to target educated, multilingual young people – even from Oxford and Cambridge colleges – who are not yet known to security organisations. These recruits, who often specialise in cybersecurity or engineering, allow IS to enhance their technical capabilities and expand their sphere of influence.

A more overt approach to countering IS’s digital strategies would complement our covert one. We need well-informed Australian Muslims to become more active across social media, debunking the myths spread by groups like IS. Jihadists cherry-pick verses from the Qur’an to inspire support and justify their cause, and often these verses are rooted in the descriptions of historical battles that aren’t relevant to current times. Cyberspace has no doubt complicated the war scene, and IS has turned it to their advantage. Empowering Australian Muslims by giving them an important role in the fight against radical Islamic terrorism would make us a more informed, more unified force in this new digital war.



Cover Feature

Is the criminal law on terrorism financing too tough?

By Stephen Dametto, Detective Superintendent, AFP, founder of Australia’s Counter Terrorism Financing Investigations Unit and UNSW Researcher in law

The global community must maintain a tough legislative stance to contain the influence of terrorists who use their contributions to humanitarian activities to win over the hearts and minds of local communities. The Independent Reviewer of Terrorism Legislation in the UK, David Anderson QC, in his fourth report on terrorism financing legislation highlighted the negative impact that counter-terrorism financing legislation is having on overseas aid. He drew attention to the constraints placed by the counter-terrorism laws of various western countries on the activities of NGOs and contributors who seek to provide aid to territories which are under de facto control of proscribed terrorist groups or in which such groups are active on the ground. He highlighted a real risk of a ‘chilling effect’ on UK NGOs’ activities overseas at a time when their efforts are possibly more critical than ever before. Anderson is not the only one with these views; in fact a great number of States and humanitarian organisations have expressed similar concerns. Such laws are perceived as overly harsh and have the effect that people – concerned about doing the wrong thing – stop giving money to legitimate charities. Also, as the penalties attached to such laws are seen as excessive, they can lead to grievance and alienation in the community, hindering cooperation with Police and intelligence agencies and potentially assisting recruitment to the terrorist cause. The argument follows that tough laws effectively criminalise legitimate humanitarian action by neutral and independent actors (like, for example, the International Committee of the Red Cross), potentially impeding their work and aggravating human suffering in war. Further, not all the activities of organisations regarded as terrorist organisations are related to the commission of terrorist activities. An example is when the Tamil Tigers controlled the northern part of Sri Lanka and, in reality, the only means of making humanitarian donations to people within this region was to funnel the money through them. The Tamil Tigers not only engaged in terrorist acts against the Sri Lankan government, but also operated a de facto government, including the provision of civilian services, within this region.

The question is then: how do we balance and manage the seemingly competing interests of the need for humanitarian aid and stopping funds going to terrorist organisations? One solution often proposed is to have an exemption in the law for providing or collecting funds for a terrorist organisation where the purpose is to spend the funds on humanitarian activities. Similar laws exist in New Zealand, and Australian law already has a statutory exemption for the offences of ‘association’ with proscribed organisations where “the association is only for the purpose of providing aid of a humanitarian nature”. The rationale is that an offence that punishes an organisation or a person providing funding to a ‘terrorist organisation’ – regardless of how the funds are used – represents a disproportionate response to the threat of terrorism. Instead, the focus should be upon fund transfers that are related to preparing for, assisting with, or the commission of a terrorist act (and not simply to any financial involvement with a terrorist organisation). Should a similar exemption exist in providing funds?

Firstly, the sheer scale and catastrophic harm to life and property, together with the intent to terrorise the population, to challenge the sovereignty of the state and, in some cases, to secure specific political ends, place terrorist atrocities beyond the scope of even the most serious offences. Therefore there is a greater imperative for prevention, as the risk of prosecuting and punishing the completed offence comes too late. Secondly, it is very difficult to draw a distinction between funds provided for bombs and funds hopefully provided for hospitals or orphanages. The often opaque organisational structure of terrorist organisations substantially inhibits certainty in ascertaining the real and ultimate destination of funds. There is a real risk that exempting funding for humanitarian work of terrorist groups could cloak more sinister use of those funds. As the Independent National Security Legislation Monitor in Australia, Bret Walker SC, stated in his 2013 report on terrorism financing laws, it should properly be an offence to fund hospitals and orphanages run by terrorist organisations, despite how counter-intuitive this appears to be. Humanitarian activities conducted by terrorist organisations are also a pivotal component of their “hearts and minds” campaign which, any political campaigner will tell you, is key to recruiting new members and gaining support in communities. The sheer complexity and fluidity of contemporary global financial processes, coupled with the small amounts of money which can facilitate terrorist acts, means that the stated purpose of the funding cannot and should not be an overriding factor on the illegality of the transfer of funds. Instead, the answer lies in the proscription process – that is, where an organisation is described as a terrorist organisation under Australian law. Once an organisation is proscribed, any funds to that organisation, regardless of the reason or how they are spent, are illegal and punished by criminal sanction. This is where the consideration must be given and the emphasis placed. If it emerges at trial that the funds were in fact used for humanitarian purposes, then this should influence the penalty received – but not the guilt of the party itself. Law makers and legislators must be guided by the big picture issue – terrorism is more dangerous and detrimental than any other offence, prevention is the key, and therefore it must be treated and acted on differently.



Cover Feature

Children of war: The rise of a nation of young Jihadists

By Anoosh Mushtaq. Anooshe Mushtaq is Chair and founder of The Raqīb Taskforce. She is a Canberra-based advisor on Counter Terrorism & Countering Violent Extremism.

Thousands of Syrian children affected by trauma, unwanted by the international community, and courted by Islamic extremists may be cornered into jihadism. According to the NGO Save the Children, at least a quarter of a million Syrian children are living ‘under brutal siege’. Their homes ‘have effectively been turned into open-air prisons’ where they endure ‘enormous suffering and injustice’. What’s in store for these children who’ll grow to shape the Syria of the future? Right now, evidence suggests that they’re on a path to long-term psychological issues – and radicalisation. To date, the civil war has claimed at least 200,000 lives and displaced approximately 8 million inside Syria. Close to 650,000 people are living in areas under regime besiegement, completely cut off from humanitarian access. 12 million Syrians inside the country are in need of humanitarian assistance (Abboud, S, 2016). The numbers are staggering. The conflict has created 4 million refugees and yet, as the violence and desperation worsen, many among the international community tighten their borders and reject the desperate appeals for refugee status, out of fear of exposing their states to Islamic extremism. Jordan accepted Syrian refugees, but after a suicide car attack that killed Jordanian soldiers in June 2016, the country restricted all access to refugees – even to the UN and other aid agencies that would deliver food, water and medical care.

Save the Children’s recent report details how Syrian children are faring in the conflict. They’re becoming more aggressive, withdrawn, depressed, and isolated and are losing hope for their future. Malnourished, they’ve resorted to eating animal feed and leaves, which has led to an increase in juvenile petty crimes. Military groups have recruited children with the promise of receiving one meal a day. Traditional social structures have disappeared with the physical breakdown of family units. There’s an increase in child marriage in an effort to reduce the burden on families of feeding and housing all their children. Devastating reports describe parents being killed in search of food and medicine, leaving orphans as young as two years old, crying and distraught, wandering the dangerous streets lined with snipers. According to UNICEF, the children of Syria will represent a ‘lost generation’, since they’ve had little to no education for at least five years. Schools have become the targets of shelling and many education workers have fled or been killed. This has effectively collapsed the education system in most parts of Syria and forced approximately 40% of children out of school. We may hope that it can’t get any worse, but in reality, it will.

Children are the most vulnerable to the aftershock of war. They’re more likely to show long-term effects than adults when exposed to unrelenting, sustained violence. They can be susceptible to relapse if exposed to subsequent stress later in life. In studies of states that have been exposed to war, it’s clear that, later in life, survivors are likely to have PTSD and a propensity to violence. Their mental health issues include: psychosomatic symptoms; disturbed play; behavioural and emotional issues; sleep problems and nightmares; and anxiety. In many cases, children have been used as suicide bombers or brainwashed into becoming child soldiers – all forms of abuse that shape their futures. Since the end of the civil war in 1992, El Salvador has faced a growing problem of youth street gangs. It’s argued that the country’s current high level of violence and crime is mainly caused by civil war-related poverty, social exclusion, access to illicit guns, organised crime, weak institutions, and corruption. A 2002 study of internally displaced children from the war in Bosnia showed that 94% had features of PTSD. Further to this, over 90% of the children interviewed expressed the fear of dying in the conflict, and over 80% felt that they could not cope with daily demands and that life was not worth living. There’s evidence that the Taliban and Northern Alliance soldiers are products of traumatic and violent childhoods – children of war. Their narrow and radical views of the world have been formed by a mix of ignorance, isolation and extreme exposure to violence. Today, Syrian children suffer this same mix, which makes them susceptible to the recruitment efforts of Islamic extremists.

A sense of belonging to the international community could prevent radicalisation, but surely Syrian children won’t forget the international community’s response to their plight: rejection. It’s likely that they’ll seek revenge rather than acceptance in the future. We can still help these children to heal and to build resilience against the manipulation of Islamic extremists. At the very least, we must provide clear opportunities and compassion to those fleeing the Syrian conflict. If we don’t work to end inhumane religious and political wars, we’ll experience the uncontrollable rise of terrorism. When we ask what’s in store for the children of Syria, we’re asking what’s in store for all of us in the years to come.




ASIA TELECOMS INNOVATION SUMMIT & AWARDS
A Review & Celebration of Global Telecommunications Projects
19 September 2017, Swissotel Merchant Court, Singapore

The Asia Telecoms Innovation Summit and Awards celebrate and recognise the industry’s most innovative & successful project partnerships between operators and vendors over the last 12 months and showcase the very best projects from every corner of the industry.

AWARDS CATEGORIES:
• Infrastructure Innovation
• Consumer Service Innovation
• Software & Applications Innovation
• Wholesale Service Innovation
• Enterprise Service Innovation

SUBMIT YOUR ENTRY NOW!

www.gtbsummits.com | gtbevents@euromoneyplc.com | +44 (0)20 7779 7227




Available online! See our website for details.

1 YEAR SUBSCRIPTION TO THE AUSTRALIAN SECURITY MAGAZINE
Get each print issue per year for only $88.00

SUBSCRIBE TODAY... DON’T MISS AN ISSUE
Yes! I wish to subscribe to the Australian Security Magazine (1 year). ☐
AUSTRALIA: A$88.00 (inc GST), 1 YEAR
INTERNATIONAL: A$158.00 (inc GST), 1 YEAR
Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Don't miss an issue!

Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059

Email subscriptions@mysecurity.com.au

GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056



EDITOR'S REPORT REVIEW

BOMB SAFETY AND SECURITY: A Manager's Guide. How to prepare for and respond to: Bombings, Bomb Threats, Unattended Items and Post Blast. Available at www.asrc.com.au/publications/books/bomb-safety-andsecurity-the-managers-guide/

As a police officer between 1990 and 2005, it is ominously easy for me to draw on my own recollection of bombing incidents, be it the 1986 car bomb outside Police Headquarters in Russell Street, Melbourne, killing a policewoman, the 1994 NCA bombing in Adelaide that killed a WA colleague, Detective Sergeant Geoffrey Bowen, or the 2001 car bomb in Perth killing former WA CIB chief Don Hancock and his friend Lou Lewis. Any bombing attack will be framed around a motive, access to the materials, knowledge and understanding of those materials, and the opportunity to execute a plan. These essential elements of a successful bombing are critical to understand the moment a bomb threat is received or should a bomb incident suddenly occur. Don Williams CPP has a passion for, and wide industry recognition in, this field and sets out to share this understanding and appreciation of the fundamentals of bomb safety and security. This text provides the necessary insight and structured information to develop an important knowledge base when applying bomb security management principles and knowing how to plan, prepare and respond. Whether it's in the form of a bomb threat or post an explosion, "experience and statistical analysis show that bombings are still the preferred weapons of terrorists as well as being a common tool for criminals."

Therefore, this book is an important contribution "designed for government and corporate managers whose primary consideration is how to protect life and the organisation while minimising unnecessary disruption." The fundamentals for managing bomb incidents are:

• An understanding of bombs, their effects and why they are used;
• An understanding of the different types of bomb incidents;
• The application of basic security practices to prevent bomb incidents, as far as is possible;
• Consideration of the factors related to bomb incidents in relation to the organisation;
• Application of the principles for determining if a hazard may exist and for selecting the most appropriate response;
• Drafting, implementing, practising and ongoing reviewing of a Bomb Incident Management Plan; and
• Integration of Risk Management, Emergency Management, Business Continuity/Resilience, Human Resources, training and other management disciplines to provide sound bomb incident management capability.

Chapter 4 deals with preparing for and responding to bomb threats, with the best practice approach of appointing a Threat Evaluation Team, including one for each site, to draw on different areas of knowledge; however, the final decision should still rest with a single person in their role as threat coordinator. The five phases of threat evaluation are known as the 5 R's: receipt, record, report, review, respond. Importantly, the threat evaluation time calculation is discussed, as is responding to unattended items and hazardous mail, including white powder incidents, through to search techniques. Modelling blast effects and blast calculations are discussed in Chapter 13, which could have been expanded with computer modelling examples. Threats from social media channels, and response using social media, receive somewhat limited discussion. Despite these points, this is indeed an important and needed guide to be had on the bookshelf or within reach of any manager with security, emergency or facility management responsibilities. The use of chapter checklists and a list of fifteen bomb incident examples also provides a degree of immediate application and enhanced readiness should an incident occur. If you don't have a bomb response plan, or are not even aware of the relevant text to have at your fingertips, here's your opportunity: have it on the shelf! Well done Don!

Chris Cubbage CPP, RSecP
Executive Editor

Have you recently published a security related book? Or have you just read a new, great security book? Please email us at editor@australiansecuritymagazine.com.au


LAUNCHING IN 2017


