Bright Stove

Reflecting information risk journey

Archive for April 2013

12th RAISE Forum Meeting at Jinan, Shandong

leave a comment »

Talking about Shandong in the previous blog (“Before the ashes turn cold“) yesterday, in fact, I just came back from our 12th RAISE Forum meeting which was held at Jinan, the capital city of Shandong province in China on March 27 and 28, 2013. The meeting was co-sponsored and jointly organized by Beijing Powertime (北京时代新威) and Timesure, supported by the Association of China Information Security Industry (ACISI), and co-sponsored by (ISC)2.

IMG_0269

Unlike previous gatherings, the 12th meeting started with a half-day public seminar participated by about 150 professionals mainly from Shandong, and a number of other cities in China. The keynotes of the seminar were given Mr Wu Yafei, Chair of the the ACISI (who is also Executive Director of the Information Security department of the State Information Center, SIC), and Professor Lv Shuwang (the inventor of the SMS4 cryptographic hashing algorithm).

 IMG_0274 IMG_0277

Prof Lv spoke about the nature of Internet and internet, and the importance of knowledge security. In accordance to Prof Lv, knowledge security is a natural progress from information security as we evolve from an information-based economy to knowledge-based economy. Knowledge security is critical not just to organization, or individuals, but also the issues of preserving the massive knowledge from a nation’s civilization and cultural heritage perspective. Knowledge security requires a secure Cyberspace, a Cyberspace that operates on network in which its growth, reliability, maintenance, and security are accorded with national level coordination and protection, as preserving knowledge of a nation’s culture and civilization is a national issue. Today’s Internet is however rooted in the US and not a true internet network where there’s mutual connection between a nation’s public (or citizen) network and US or other nation’s public networks. To have a truly internet network, China needs to have its own public network to begin with. Currently, China’s public Internet network (as well other many other countries’ public Internet) shares a portion of the global Internet, “like a tenant on a rental property”, says Prof Lv. As such, security problems on the Internet continues to proliferate and cannot be resolved effectively. This is not an ideal condition for China’s knowledge security. Prof Lv therefore asserts that “China doesn’t have Internet”. Nevertheless, expecting the global Internet to have its root removed and made completely open is also impractical, Prof Lv concluded.

At the public seminar, Mr Ning Jiajun, retired Chief Engineer of SIC, also shared his thoughts on the Information Security issues and challenges in China, and discussed on the need for a basic Information Security Law, or Ordinance. This is necessary to address the fundamental legal principles, and basic system requirements, in support of more comprehensive information security specialization laws for the security governance of each industry sector.

In the professional certification arena, Mr Wang Xinjie of Beijing Powertime shared the status of the new work item on Information Security (IS) Professional Certification in ISO, which is still in an extended Study Period (totaling 12 months now); the status of CISSP adoption in China (which has more than 600 certified professionals as of March 2013); and the development of a new Certified Information Security Auditor (CISP-Auditor) in China. The idea of the Information Security Auditor is focused on developing a community of professionals who will be skilled at auditing (or validating) the information security practice of organizations. The practice may be based on ISO/IEC 27001 ISMS standard, or other approaches adopted by the organization, or mandated by specific industry regulations.

In addition to the China’s experts’ presentations, representatives from RAISE Forum members also spoke in the public seminar. Mr Koji Nakao presented the status of security standardization at ISO/IEC JTC 1 SC 27 and ITU-T SG17, including the current work plan and the areas of focus in the near term. Prof Hueng Youl Youm of Soonchunhyang University, South Korea, presented the status of Personal Information Management Systems (PIMS) standardization in ISO/IEC JTC 1/SC 27 and also within Korea itself. I shared my thoughts on the Responsive Security approach for information security risk management (which I shall discuss in future blogs perhaps).

IMG_0265
  IMG_0275

The closed-door meeting of the RAISE Forum continues in the afternoon and whole day the next day at the Institute of Information and Communications Research (CIIIC). In person at the meeting were members from Japan, Singapore, South Korea, P.R. China, Thailand, and also representative of (ISC)2, while Malaysia and Chinese Taipei’s representatives joined the discussion and presentations via WebEx teleconference facility online. 

Besides the usual updates on ISO/IEC JTC 1/SC 27 and ITU-T SG 17 standards development activities, the meeting also discussed about some recent Cybersecurity development, such as the Obama’s Executive Order, Japan’s Cybersecurity strategy development, the very recent South Korea Cyber attack incident, and Thailand’s Cyber frauds incidents involving security of smartphone applications. The international standardization activities that are of interest includes the revision of the ISO/IEC 27001 and 27002 standards (both are currently at DIS stage, likely to be published before end of this year), cloud security standards, which includes ISO/IEC 27017, and 27036, and the new work item in WG 4 on the technology aspects), and PIMS related standards efforts. There were also much deliberation on the scope of a RAISE Forum project on “Information Security Audit Framework”, which is currently under development. The result of (ISC)2 2013 Workforce Study report, and the recent RAISE Forum initiated Information Security Management Practice survey results were also discussed. The latter will be shared in a separate update in a few weeks.

The meeting closed with the thanking of the organizers and sponsors, and also a short discussion on the 13th RAISE Forum meeting. This year is in fact the 10th year anniversary of the RAISE Forum, since its inauguration in Nov 2004. The 13th meeting is planned to be held before year-end, venue to be confirmed, and will be held as a 10th anniversary celebration event.

Written by mengchow

April 7, 2013 at 2:38 pm

Posted in Cybersecurity Collaboration, Risk Management, Security Standards

Tagged with , , , , , , , ,

Before the ashes turned cold

with one comment

Bruce Schneier wrote an interesting piece recently about the use of technology for political purposes and suggests that we need “more research into how to circumvent these technologies”: https://www.schneier.com/blog/archives/2013/04/it_for_oppressi.html

Technology is like a knife (in fact, a knife is also a technology). It is double-edged. It depends on the user more than the provider in terms of its application. If a user uses a knife to kill a human being, it is against the law, it is even considered barbaric, animal, etc. We know the danger, but that alone does not stop us from using. If we look at the history of technology, explosive was discovered in China many years ago. The emperor then was worried about its negative effects and forbid further research and use. But its utility is far beyond the fear of the imperial order or the negative effects of an explosion. In the hands of the inquisitive minded scientists and the powerful politicians, it has since evolved and today it is not just gunpowder explosive that we are worried about anymore. The killing power of nuclear had been experienced, and yet many countries continue to justify for its use.

Finding ways to circumvent technology would reveal weaknesses that help the provider to strengthen it. It may even create a market selling the idea of its “safe use”. Even if a technology provider decides to discard it, another may acquire or reinvent it, as long as there’s a demand.

Beneath technology is intellectual, knowledge, and information. Knowledge is power. Information flows.

In the Qin (秦) dynasty period, the first emperor of China understood that knowledge is power, and was therefore fearful of the potential threats of scholars and their teachings to his rule of the country. As a result, the Qin emperor ordered the burning of books in an attempt to contain peoples’ knowledge to only those aligned with the government’s policies. Nevertheless, the dynasty was overthrown by two rebels who were illiterates. A poet in the late Tang dynasty summarizes this elegantly, “坑灰未冷山东乱,刘项原来不读书”, which roughly translates, “Before the ashes (of the books) turned cold, Shandong had already rebelled; Liu Bang (刘邦) and Xian Yu (项羽), the two leaders of the rebels were both illiterate.” A few emperors in subsequent dynasties did the same thing and again failed badly.

Today, we thought that China and many others would have learned from history that censorship is not an effective tool for maintaining control of information and power (based on the historical lessons learnt). But they don’t. Control gives the perception of power. Power blinds one from seeing things clearly. Letting go (detachment), as we learn in Buddhism, is not a simple thing.

Written by mengchow

April 6, 2013 at 11:34 am

Posted in Misc, Policy