At the first-ever WIRED Security conference in London, Neon Century MD Cameron Colquhoun reveals the strange new world of weaponised open source data.
Neon Century's Managing Director, Cameron Colquhoun, featured in this month's edition of WIRED, alongside the head of MI6, Palantir Technologies and Ripjar. The article focuses on the intelligence analysts of tomorrow, open source intelligence and the data revolution across the intelligence sector.
You can read the article here:
Wired Magazine - May 2016 http://www.wired.co.uk/magazine/archive/2016/05/features/spies-data-mi6-cia-gordon-corera
*Images courtesy of Condé Nast Britain and R Kikuo Johnson.
I have a question for you. In the last 24 hours, how often did you use the Internet?
A couple of times? Several hours? Every waking minute?! You may or may not be surprised to know that most of us now use the internet religiously to buy, share, sell, market, catch up, watch, listen, work, complain, ask or quite simply to fill in time. So many businesses today, like mine, would not exist were it not for the internet.
It underpins everything we do. In the UK, by next year, the internet economy will make up 12.4% of GDP. Cue supporting graph:
Given the phenomenal economic value of the internet economy, I find it amazing that we (or any Western country, for that matter) do not have a Government Department dedicated to the Internet. You may care to look at this list - 24 UK Ministries, 22 non-Ministerial departments and 349 Government agencies - not one of them contains the word 'Internet'. We have the Forestry Commission, the Rural Payments Commission, the Coal Authority and many more; it's amazing that in 2015 (let alone 2005) we don't have a sole Government body responsible for the Internet.
Imagine for a second if we did not have the Department for Transport - holding rail companies to account, managing airport expansion and motorway growth. Unthinkable isn't it?
The sad truth - and I'm sorry to be so blunt - is that most of our Government are digital dinosaurs. Most receive everything in paper form. Take the Defence Secretary, Philip Hammond, responsible for cyber-warfare as well as many other technical aspects of the military. I have it on good authority that he does not use or own a computer, period. Even a man who nearly became US President, John McCain, admitted in 2008 that he did not know how to use a computer.
This is in equal measures frightening and hilarious. Can you imagine our Energy Minister living in a tent in the woods, or our Education minister home-schooling his own children? That's the equivalent. There are plenty of successful businessmen in Parliament and the House of Lords, but none of them are what you would call tech entrepreneurs, and all come from the analogue era.
In the same way other Departments ensure we all have power and that our roads, rail and airspace all function smoothly, here we are, in space year 2015, without a coherent executive body ensuring that the Internet is there for everyone to use.
What could be achieved with a Department for the Internet is an interesting question. Sure, it would not create online nirvana. But it could ensure high-speed internet access for all, advise citizens on cyber and hacking threats (a bit like the FCO does for terrorism), expand 3/4G coverage across the UK, set data security standards, take a stand against the internet giants' privacy grabs, and so forth.
Here's hoping it won't be long before our Government starts thinking more like a successful tech company and dares to think differently.
* Open Source Intel shows Al-Qa'ida was usurped by the Islamic State in online popularity during 2014
* The Charlie Hebdo terrorists told passers-by, before the attack, that they belonged to "Al-Qa'ida in Yemen"
* Will the Charlie Hebdo attack lead to more competition between jihadist groups?
It seems funny to say this but most of my adult life has been shaped by al-Qa'ida. On 15th September 2001 I started a degree in International Relations. It was four days after 9/11. On the first day of lectures, our professor threw out the entire first week's curriculum, in favour of discussing a completely new world taking shape before our very eyes.
The event was still so raw; just the night before, I hung an American flag out of my dormitory window.
Four years later there was another reminder. My Graduation ceremony took place on 6th July, 2005. The next morning, I woke to find that London had been attacked and more than 50 people had been killed. I then spent the next few years in a professional capacity looking at the threat from groups like al-Qa'ida. It was fascinating and frightening in equal measure.
Since 2001, and until this year really, it felt like al-Qa'ida was everywhere. In the movies, on TV, and for me, a chunk of my working life. It was a truly global brand. Discussing these issues with colleagues one afternoon, I nudged them to think about life after al-Qa'ida: "If you think of al-Qa'ida as a global brand like Coca-Cola, what happens when Pepsi comes along? What will that group look like?"
Pepsi did arrive.
June 10th, 2014 was the day Mosul, a city in northern Iraq, fell to IS, and suddenly the group was catapulted to the centre of global media coverage, where it has remained since. Using Open Source Intel techniques, we can definitively say that June 10th was the day that IS overtook al-Qa'ida in terms of internet popularity, searches and coverage.
How is it possible to be so specific? Let's have a look at their global search results, by numbers:
[Chart: Al-Qa'ida vs Islamic State: Search Engine Queries (2014). Blue is al-Qa'ida, red is Islamic State. Results include associated naming conventions, e.g. ISIS, Al-Qaeda.]
Al-Qa'ida's decline was endemic for years, as the next graph shows.
[Chart: Al-Qa'ida vs Islamic State: Search Engine Queries (2004-Present)]
[Chart: Al-Qa'ida vs Islamic State: Search Engine Queries (9 Dec 2014 - 9 Jan 2015)]
During the Charlie Hebdo attack, the attackers wanted the world to know al-Qa'ida was behind the attack - taking time, before the bullets started flying, to tell a passer-by who was responsible. Perhaps the terrorists had predicted that the media would initially point the finger at the Islamic State, and they wanted to be sure al-Qa'ida, and not IS, got the credit.
What can we learn from al-Qa'ida's seeming decline for several years, and its sudden reappearance on the world stage?
1. Long periods of inactivity or relative quiet do not mean that a group has died or the threat has decreased. As you'll note from chart two, the Islamic State group was around in 2004. That's right, it is ten years old - despite its appearance as a modern phenomenon.
2. The Islamic State had (temporarily?) overtaken al-Qa'ida as the world's number one terrorist group. It is highly likely that al-Qa'ida did not take kindly to this. Despite being jihadists, each group has a different view on how to fight the enemy. Highlighting these divisions, one al-Qa'ida group denounced the Islamic State's Caliphate in a recent press release.
3. Branding is as important for terrorists as it is for corporations. For years al-Qa'ida leaders sought to replicate successful commercial models to manage their own global network of operations and to manage their image and brand name carefully.
Sadly, it looks like they are also aware of the principle of market share.
- Too often, major companies fail to imagine how a cyber attack could unfold on their network
- The cyber-security sector can learn a lot from the principles of intelligence analysis; forewarning and forecasting future threats
- An internal exercise to imagine all of the potential cyber threats to your business is a smart, cost-free and diligent way to understand and mitigate cyber risks
- Understanding the threat is key - thinking through the range of actors that might want your data and how they may get it will reduce the likelihood of a surprise attack
The best things in life are free.
Many organisations are rightly concerned about their network security, the storage of their data and resilience plans in the event of a crippling cyber attack. Many spend huge sums of money on cyber security, but all too often attacks are successful because decision makers (including board members) fail to imagine who might hack their system and how they might do it.
Consumer brands are often the most naive: whether it be Domino's or Dairy Queen, it often comes as a surprise to companies that they have been targeted. I've consulted for a few brands who cannot see how they would be the target of cyber-criminals and opportunist hacktivists. The first step to rectify this state of mind is to assume the worst.
Even for companies that take cyber-security seriously, as [US Drugstore giant] Target did, installing a multimillion-dollar IT security system is not a guarantee of security. Target suffered one of the worst cyber attacks in history; the CEO was fired and Target spent over $60m rectifying the hack. One post mortem suggested the computer systems spotted the attack but Target's IT security professionals failed to see the attack coming.
There's a lot that can be applied from the Intelligence world to this problem. After all, cyber security is about threats and risk, and Intelligence is about forewarning and imagination: asking questions such as What might happen next? Will Country X attack Country Y? Which terrorist group will threaten us most next year?
Sony Pictures recently learned this lesson the hard way. As Lt General Clarence E. McKnight comments, "Sony is a great example of how this sort of thing happens even though they had been warned about it before."
So what kind of questions would you need to ask to understand the threat your company faces from cyber attacks? Here's my top 5:
- Who would want to launch a cyber attack on my organisation? [ACTOR]
- What would their motivations be for doing so? [MOTIVATION]
- Once inside my network, what would they want to do? [INTENT]
- Is our data of value to other people and who would want it? [UTILITY]
- Are other businesses in our sector being targeted? [CONTEXT]
If the much-criticised IT employees at Target had conducted the above exercise, perhaps Target would have implemented the right kinds of cyber-security measures and thought about who might want their data, why, how they might go about acquiring it, and what the warning signs of that activity might be.
Conducting this type of exercise early on is critical for your business - thinking in this way will open up a whole series of second-order discussions about the security of your data and the threat you face. It'll save you money, it will reduce the likelihood of surprise, and who knows, it might even be fun.