[Nottingham] GCHQ proposes the Great Firewall of Britain

Duncan notlug at pendinas.org.uk
Wed Sep 21 22:44:24 UTC 2016

On 21/09/16 17:19, Martin via Nottingham wrote:
> On 15/09/16 21:02, Duncan via Nottingham wrote:
>> If you think about it from a "normal" IT security perspective, we are no
>> further forward than we were 15 years ago.  We are still shouting the
>> same old same old: "choose a good password", "don't click unknown links" etc
>> Blaming the end user when it goes wrong has not worked - it never worked.
>> When you stop blaming the user and consider the wider "system" you realise
>> that a phishing email landing in their inbox is the security failure.
>> Them succumbing to the phishing attack is a symptom of that earlier failure.
>> That is what is happening here. Government is recognising that despite what
>> shouty shouty sysadmins think the evidence is there that we are making
>> no meaningful headway on (cyber) security to the extent it is becoming
>> a serious national risk. ...
> Unfortunately very greatly so.
> Worse still, even mediocre 'security' is far too troublesome or scary
> for most normal people and various big businesses are all too happy to
> ignore the dangers other than to absolve themselves of all costs...
> There has to be a better way. That means NOT the way we do IT business
> at present.
> Phew! That's one for quite a talk in itself!!

That is part of the government "cyber essentials [plus]" drive.
By mandating a minimum level of security practice for companies that want to
take government contracts they are trying to encourage a change in attitude
to cyber security.  With billions being spent on government IT and more of
that earmarked for SMEs it could be a powerful lever.  Or, if done badly, an
expensive box-ticking exercise.  The intent, however, is there.

>> What the NCSC is proposing may not be the best option but government
>> mandated security measures, probably at the ISP level, are coming.
> It is an easy and convenient patch-over that will have an easy effect
> upon the unknowing most users...

Yes. It is, also, probably the most convenient (efficient ?) place in the
network (within jurisdiction) to knobble network based attacks like DDOS
or botnets.

> Also very easy to silently add an awful lot of mission creep for
> monetary and other purposes...

At least if they push it onto the ISP they are not creating a new monopoly
over and above them.  I can just imagine a future government privatizing
the "National Firewall".

> And better still, it is the ISPs and their customers that bear the costs...

I suspect there is still some argument to be had there.

>> onus is on us to engage with, shout at, argue with and review what is
>> proposed to make sure it is technically fit for purpose, we know who is
>> in control,  it has enough open scrutiny and the public have the power
>> to get things changed when (not if) they go wrong.
>> Have fun,
>> Duncan
>> [1] https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
> However, there is far too much 'fun' for normal people to keep up any
> sort of 'fight'...
> Is this where we need to sponsor some professional lobbying...?

People have their own priorities.  For some it is the environment, others helping the
homeless etc.  They are all important "fun".  Hopefully this will be enough "fun" for
some people to keep a candle burning.

Have fun,
