[Nottingham] GCHQ proposes the Great Firewall of Britain

Duncan notlug at pendinas.org.uk
Thu Sep 15 20:02:46 UTC 2016


On 15/09/16 17:17, Jason Irwin via Nottingham wrote:
> On 15/09/16 14:21, Duncan via Nottingham wrote:
>> Because you are wilfully ignorant?
> Of what? If I've grabbed the wrong end of the stick, I'm happy to be put straight.
> 

As a country we have an ever increasing social, economic and even just
delivery of basic services dependence on the internet and our "cyber"
infrastructure.

The government is responsible for national defence. Today that very much
includes "cyber" threats.  Our government would be found wanting if it were
not giving serious thought to how to protect the network(s) as an essential
national infrastructure and the services that use them from threats.
Especially after very publicly visible cyberattacks like Stuxnet and
the one that took down the Ukrainian power grid[1].

If hostile combatants parachuted into Nottingham you would expect a
defensive response.  If someone used network vulnerabilities to shut down
the sewerage system (yes, really) it would soon create a stink if there
were no defensive response.

Getting uppity about this because GCHQ got caught with its pants down is
like saying the MOD should give up on defence because we f*cked up in Iraq.
It isn't going to happen and nor should it.

In fact it is laughable to think they would publicly announce
"just a front to deepen their spying and privacy invasion".  They didn't
announce the last one, so why on earth would they announce a new one?


If you think about it from a "normal" IT security perspective, we are no
further forward than we were 15 years ago.  We are still shouting the
same old same old: "choose a good password", "don't click unknown links", etc.
Blaming the end user when it goes wrong has not worked - it never worked.
When you stop blaming the user and consider the wider "system", you realise
that a phishing email landing in their inbox is the security failure.
Them succumbing to the phishing attack is a symptom of that earlier failure.

That is what is happening here. Government is recognising that, despite what
shouty shouty sysadmins think, the evidence is there that we are making
no meaningful headway on (cyber) security, to the extent that it is becoming
a serious national risk. The loss of significant information from companies
both in the US and UK to (almost certainly) state-run industrial espionage
is one part of it, but another is the fact that in a few years' time we are going
to have people (society) depending on millions of unpatchable IoT devices.

Government is being forced to take a step back and ask how, where and when
we can better protect the country in the "cyber" realm, because we need it.

What the NCSC is proposing may not be the best option, but government-
mandated security measures, probably at the ISP level, are coming.  The
onus is on us to engage with, shout at, argue with and review what is
proposed to make sure it is technically fit for purpose, we know who is
in control, it has enough open scrutiny and the public have the power
to get things changed when (not if) they go wrong.

Have fun,
Duncan

[1] https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/



More information about the Nottingham mailing list