Asia Pacific Security Magazine, Mar/April 2018 by MySecurity Marketplace

THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com March / April 2018

Cybersecurity Trends of 2018

Smart Phones as Access Control Credentials

The state of malicious cryptomining

Trends in the technology industry – opportunity, scale & China

Alternative payments powered by Blockchain

Creating an Intelligent World

Dark Web, Tor & Anonymity

The Rise of Autonomous Vehicles

CYBERSECURITY TRENDS $8.95 INC. GST

of 2018

PLUS

Women in Security | Techtime

Cyber Security

25 – 27 JULY 2018

SECURING INNOVATION The 2018 Security Exhibition + Conference: Powered by ingenuity and invention, showcasing the latest technology and cutting edge thinking. From physical and electronic solutions, to biometrics and cyber security. Australia’s largest security event offers three days of business networking and intelligence sharing. Take a first-hand look at what’s next for the security environment including intelligence on managing threats and identifying risks.

MELBOURNE CONVENTION + EXHIBITION CENTRE EXHIBITION IS FREE REGISTER NOW securityexpo.com.au

#security2018

2 | Asia Pacific Security Magazine

RD BI LE Y B RL ILA EA VA ED A IT ES M S LI A S P Cyber Security

THE ASIAL SECURITY 2018 CONFERENCE

INTELLIGENCE AND APPLICATIONS TO MITIGATE RISK AND VULNERABILITY

The ASIAL Security Conference hosts a compelling program of renowned local and international experts and academics with case study evidence on how to protect your business, brand reputation and vital assets along with mitigating risk and vulnerability. It is your annual opportunity to receive fundamental updates from the organisations shaping today’s security landscape in a program carefully curated by the industry’s peak body. The format and content has been updated to reflect critical industry updates on the first day, followed by your choice of streamed sessions on the second and third day of the program. Learn proven strategies to tackle your security challenges with crucial intelligence on the ever-changing landscape.

HEADLINE SPEAKERS

SEAN DUCA

CAROLINE SAPRIEL

DANNY BAADE

Regional Chief Security Officer, Asia Pacific Palo Alto Networks

Managing Director, CS & A International

Head of Security, Gold Coast 2018 Commonwealth Games Corporation

COMMANDER GEOFFREY SMITH Commander, Tasmania Police

DAVE BROOKS

ARYE KASTEN

DAVID CROMPTON-GUARD

DR LISA WARREN

Post Graduate Course Co-coordinator, Security Science, Edith Cowan University

Chief Executive Officer, M.I.P Security

Business Continuity Manager, Safety, Security & Resilience, Metro Trains

Clinical/Forensic Psychologist and Founder, Code Black Threat

SECURITYEXPO.COM.AU FOR FULL SESSION DETAILS Book now to take advantage of this discount and avoid disappointment as the 2016 and 2017 programs sold out.

Lead Industry Partner

EXHIBITION HOURS

CONFERENCE HOURS

Wed 25 July 9:30am-5:00pm

Wed 25 July 9:00am-5:00pm

Thurs 26 July 9:30am-5:00pm

Thurs 26 July 9:00am-3:30pm

Fri 27 July 9:30am-3:30pm

Fri 27 July 9:00am-3:30pm Asia Pacific Security Magazine | 3

Weâ&#x20AC;&#x2122;re TRANSFORMING Join us as we embark on the next phase of our journey

- visit our new online store at hills.com.au -

HCORP0011-Jan18-v1

For more information on these and other best-in-class solutions from Hills call us on 1300 HILLS1 (445 571) or visit hills.com.au

facebook.com/HillsLtd/ CONNECT

E N T E RTA I N

SECURE

Contents Editor's Desk 5 Cyber Security Cybersecurity trends of 2018 Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij Correspondents Sarosh Bana Jane Lo

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@mysecuritymedia.com SUBSCRIPTIONS

asiapacificsecuritymagazine.com Copyright ÂŠ 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: editor@australiansecuritymagazine.com.au

The state of malicious cryptomining

Dark Web, Tor and Anonymity

The growing popularity of smart phones as Access control credentials

Closing the CyberSecurity Skills Gap

Taking the right risks and reaping the rewards

Trends in the technology industry

Creating an intelligence world â&#x20AC;&#x201C; Milestone Systems MIPS 2018

Women in Security : Personal inspiration to deliver security

Rise of autonomous vehicles

Why NDB compliance starts with the security basics

Page 8 - Cyber Security Trends

2018

Digital forensics

Alternative payments powered by blockchain

TechTime - the latest news and products

Book review

Page 10 - The state of malicious

cryptomining

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US

Page 24 - Closing the

CyberSecurity Skills Gap

www.facebook.com/apsmagazine

OUR NETWORK

www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

www.australiancybersecuritymagazine.com.au

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors Page 40 - Rise of Autonomous

Vehicles www.australiansecuritymagazine.com.au

www.aseantechsec.com

Jane Lo

Keith Suter

Erin Dunne

Alan Zeichick

Also with www.drasticnews.com

Jenny Yang Rebecca Vogel Alex Manea Scott Lindley

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

www.cctvbuyersguide.com

6 | Asia Pacific Security Magazine

Daniela Fernandez Michael Bosnar

Page 46 - Digital Forensics

Editor's Desk

"All the damage that would come from a war would be worth it in terms of long-term stability and national security…I'm completely convinced that President Trump and his team reject the policy of containment… they've drawn a red line here and it is to never let North Korea build a nuclear-tipped missile to hit America" - Republican Senator Lindsey Graham during a CNN interview, March 3, 2018

t is a challenge to maintain even an umbrella view of global manoeuvres at play in 2018. With a proxy Middle Eastern regional war in Syria, it would be understandable that the USA, China and North Korea, would like to avoid an additional regional conflict on the Korean Peninsula, or worse, across the South China Sea. President Trump, in his own, incredibly unique and unorthodox way, keeps analysts, economists and geo-political strategists uncertain on how exactly he intends to reach his end-game – ‘ Making the USA great again’. At least his intention is clear but the somewhat appearance of an ad-hoc, step by step transaction process, seems to have limited foresight into the future, in particular if a miscalculation is made. National security was the basis of Trump imposing a US trade tariff of 25 per cent for steel and 10 per cent for aluminium, with exemptions only considered for close security and trading allies. The basis of the decision is that current terms undermine the US’s ability to source the steel and aluminium it needs to build military equipment such as tanks and warships, as well as the nation’s broader economic security. The US trigger for a potential trade war, came just days after China increased its military spending further to 8.1% of GDP alongside a move to end presidential term limits, enabling Xi Jinping now to remain in office indefinitely. The limit of two five-year presidential terms was written into China’s constitution after Mao Zedong’s death in 1976 by Deng Xiaoping. Russia has also latched on to the apparent wave of technological advances or, as Vladimir Putin stated, “risk drowning in that wave”. Speaking at a nationally televised address, Putin declared Russia’s development and testing of nuclear-powered cruise missiles, underwater

drones and other weapons, in response to the US policy change and Trump’s announcement to expand the US nuclear capabilities. At the time of the announcement, Russia’s Foreign Ministry made clear Russia was very disappointed by the ‘confrontational feel and anti-Russian orientation’ of the document. The geo-politics is being backed up with military action, though not just in Syria. The U.S. carrier strike group, led by the USS Carl Vinson sailed, uneventfully, through the South China Sea and docked in Da Nang, Vietnam, the first such US visit since the end of the Vietnam War. The U.K. Defense Ministry has also announced that a British frigate, the HMS Sutherland, will traverse the South China Sea, again under the flag of asserting the right of freedom of navigation. These naval manoeuvres are obviously designed to demonstrate US and allied force capabilities, reassure the Indo-Pacific region by signalling a shift of intent to more active confrontation with the Chinese. Though arguably, sailing through the South China Sea will not address the longerterm concerns in either Vietnam or Philippines. It is hard to disagree with Phillip Orchard of Geopolitical Futures who wrote, “Neither Chinese man-made islands nor Chinese drilling threaten the U.S. position in the region directly. And as Chinese maritime capabilities develop, the cost to the U.S. of wading into the disputes will only increase. This reality plays into the Chinese narrative that Southeast Asian states would be wise to accept its ascension as regional hegemon. And it’s a reality that routine deployments of U.S. warships to the South China Sea cannot change.” And in an extraordinary development, the US president has confirmed that he would sit down with the North Korean leader 'by May', which, if it goes ahead, would be the first time a sitting

US president has met a North Korea leader. Yet despite the surprise announcement of a meeting between Donald Trump and Kim Jong Un, the United Nations reportedly has evidence that North Korea has been shipping chemical weapon supplies to the Syrian government, in addition to North Korean missile technicians sighted at chemical facilities inside Syria. This includes at least two North Korean shipments to Syria intercepted in 2017. Bringing North Korea into having a role in the Syrian conflict makes it potentially much larger than just a middle eastern war. On a side note, a chemical incident is under investigation in Salisbury, UK involving a former Russian spy and his daughter – should it be an assassination it will be consistent with a number of others of a similar nature, including Kim Jong Un’s brother at the Kuala Lumpur International Airport. In this issue, we include insights into key technology trends, as well as, the cybersecurity trends, with 2018 anticipated to be the worst year to date for cyber-attacks. The Dark Web, Tor and Anonymity is discussed by our Singapore Correspondent Jane Lo along, with the state of malicious cryptomining also covered. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor

Asia Pacific Security Magazine | 7

National

Cybersecurity trends of 2018 By Alex Manea CSO BlackBerry

s BlackBerry’s Chief Security Officer, Alex Manea regularly speaks to Fortune 500 C-Suites and leaders representing the world’s top global brands, listening and learning about what security concerns keep them up at night. Alex also tries to spend just as much time speaking with security researchers – ethical hackers devoted to discovering security flaws and vulnerabilities. Based on countless conversations over the past 12 months with customers, partners, government officials, Blackberry’s internal cybersecurity experts, and leaders from both the security and research communities, below are Alex’s trends for 2018. #1: 2018 will be the worst year to date for cyberattacks With 2017 being the worst year ever for cyberattacks, it is tempting to think that we have hit rock bottom, but what we have seen so far is just the tip of the iceberg. The fundamental issues that have caused the majority of recent cyberbreaches have not been resolved. IT departments are being tasked to manage increasingly complex networks, support new types of endpoints, and protect more and more sensitive data. Legacy systems are still rampant throughout most industries and cannot be easily upgraded or replaced. These systems often contain publicly known software

8 | Asia Pacific Security Magazine

vulnerabilities which can be exploited to penetrate the corporate network. At the same time, attackers are getting increasingly sophisticated and have more incentives than ever to mount cyberattacks. From building ransomware or mounting DDoS attacks and demanding bitcoin payments, to working with organised crime and even national governments, malicious hackers have numerous ways to monetise their skills and to protect themselves.Governments and enterprises are recognising these new threats and deploying modern security solutions, but it will take years to decommission all of the legacy systems. 2018 will be yet another year where the shortcuts of the past come back to haunt us. More importantly, we need to start planning for the future by addressing the new threats posed by the Internet of Things (IoT), which go well beyond anything that we see in today’s cyberattacks. #2: Cyberattacks will cause physical harm Securing the Internet of Things is even more important than securing traditional IT networks for one simple reason: IoT attacks threaten public safety. A hacked computer or mobile device typically cannot cause direct physical harm. While it is certainly frustrating to have our personal information stolen, it doesn’t compare to the impact of being involved in

National

'While hackers are often depicted as technical geniuses using complex algorithms to break advanced cryptography, the reality is that simpler techniques can be just as effective. Criminal hackers are not seeking style points; they are simply looking to breach the system as efficiently as possible. ' Alex has a simple advice to all CIOs and CISOs: go hack yourself. You can spend all of your time building and buying systems that you believe will stop intruders in their tracks, but until you bring professional ethical hackers and let them simulate a real-world cyberattack (including phishing and other social engineering techniques), you would not ever know if you are truly secure. Blackberry’s cybersecurity services team recently gained access to a customer’s network by simply getting T-shirts made with their company logo on it and stating that they were “with IT.” If your employees do not know how to use the technology you put in place, or realise that they all play a critical role in keeping your company secure, everything a CIO/CISO does is for not. #4: Insurance and cybersecurity products will go hand and hand a car accident or having your infusion pump or pacemaker compromised. IoT security will literally become a matter of life and death, and we cannot simply wait for that to happen. There is a need for stronger IoT security standards, especially as we continue to move towards smart cites. With the growing ubiquity of IoT and lack of focus on security, it is only a matter of time until malicious hackers breach critical connected infrastructure and devices and cause direct physical harm to individuals and innocent bystanders. #3: Hackers will target employees as they become a growing cybersecurity vulnerability IT departments typically focus their spending on preventing external attacks, but the reality is that most data breaches start internally – either by sharing documents through unsecure, consumer applications or clicking on increasingly sophisticated phishing attacks. While hackers are often depicted as technical geniuses using complex algorithms to break advanced cryptography, the reality is that simpler techniques can be just as effective. Criminal hackers are not seeking style points; they are simply looking to breach the system as efficiently as possible. As our technical defenses continue to improve, employees will become the weakest link, increasingly targeted by attackers as part of their overall strategy.

In 2018, it would not matter which system or employee proves to be the weakest link, major corporate data breaches will happen and insurance companies are taking notice. They are taking notice because attacks to their clients could be as harmful as it could be helpful to their bottom line. This year we will see firms not only add more cyber policy holders to their roster, but also seek out two strategic avenues to help manage risk for them and their customers: products and experts. Just like Progressive’s Snapshot plug-in device which helps the insurer provide personalised rates based on your actual driving, insurance companies will start selling products to help track their client’s security posture. They will even partner with security experts to appropriately evaluate a company’s ability to protect against a cyberattack. Scorecards will be given and companies that perform the best will be rewarded with a lower policy amount. Next Steps While many other things will impact the cybersecurity industry this year, Alex believes these are some of the biggest trends for 2018. Though these trends may seem bleak to some, they too present many opportunities and possibilities if we are well prepared.

Asia Pacific Security Magazine | 9

Cyber Security

The state of malicious cryptomining

hile cryptocurrencies have been around for a long time and used for legitimate purposes, online criminals have certainly tarnished their reputation. Unfortunately, the same benefits offered by these decentralised and somewhat anonymous digital currencies were quickly abused to extort money, as was the case during the various ransomware outbreaks we’ve witnessed in the last few years. As the value of cryptocurrencies—driven by the phenomenal rise of Bitcoin—has increased significantly, a new kind of threat has become mainstream, and some might say has even surpassed all other cybercrime. Indeed, cryptocurrency mining is such a lucrative business that malware creators and distributors the world over are drawn to it like moths to a flame. The emergence of a multitude of new cryptocurrencies that can be mined by average computers has also contributed to the widespread abuse we are witnessing. Malwarebytes has been blocking coin miners via its multiple protection modules, including its real-time scanner and web protection technology. Ever since September 2017, malicious cryptomining has been our top detection overall. Cryptomining malware To maximise their profits, threat actors are leveraging the computing power of as many devices as they can. But first,

10 | Asia Pacific Security Magazine

Figure 1: Worm scanning random IP addresses on port 445

they must find ways to deliver the malicious coin miners on a large enough scale. While the Wannacry ransomware was highly publicised for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least two different groups used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue. Other vulnerabilities, such as a flaw with Oracle’s WebLogic Server (CVE-2017-10271) was also used to deliver miners onto servers from universities and research institutions. While Oracle released a patch in October 2017, many did not apply it in a timely fashion, and a PoC only facilitated widespread abuse. As it turns out, servers happen to be a favorite among criminals because they offer the most horse power—or to use the proper term —the highest hash rate to crunch through and

Cyber Security

solve the mathematical operations required by cryptomining. In recent news, we saw individuals who, against their better judgement, took this to the next level by using supercomputers in various critical infrastructure environments. Spam and exploit kits campaigns Even malware authors have caught the cryptocurrency bug. Existing malware families like Trickbot, distributed via malicious spam attachments, temporarily added in a coin miner module. Interestingly, the Trickbot authors had already expanded their banking Trojan to steal credentials from Coinbase users as they logged into their electronic wallet. The modular nature of their malware is certainly making it easier for them to experiment with new schemes to make money. Several exploit kits, and RIG EK in particular, have been distributing miners, usually via the intermediary of the SmokeLoader malware. In fact, cryptominers are one of the most commonly served payloads in drive-by download attacks.

Figure 2: Document containing macro that downloads the TrickBot malware

Mobile and Mac cryptominers Mobile users are not immune to cryptomining either, as Trojanised apps laced with mining code are also common place, especially for the Android platform. Similarly to Windows malware, malicious APKs tend to have modules for specific functionalities, such as SMS spam and of course miners. Legitimate mining pools such as Minergate are often used by those Android miners, and the same is true for Mac cryptominers. The same advice on sticking to official websites to download applications applies but is not always enough, especially when trusted applications get hacked. ~/Library/Apple/Dock -user sarahmayergo1990@gmail. com@gmail.com -xmr Drive-by cryptomining In mid-September 2017, a mysterious entity called Coinhive launched a new service that was about to create chaos on the web, as it introduced an API to mine the Monero currency directly within the browser. While in-browser miners have really taken off because of Coinhive’s popularity, they had already been tested a few years ago, mostly as proof-of-concepts that did not develop much further beyond that. There is, however, the legal precedent of a group of students at MIT who got sued by the state of New Jersey for their coin mining attempt—called Tidbit— proposed as an alternative to traditional display advertising.

Figure 3: An iframe redirection to RIG EK followed by a noticeable coin miner infection

Figure 4: Source code for the mining component within an Android APK

No opt-in by default Within weeks, the Coinhive API, void of any safeguards, was abused in drive-by cryptomining attacks. Similar to driveby downloads, drive-by mining is an automated, silent, and platform agnostic technique that forces visitors to a website to mine for cryptocurrency. We witnessed an interesting campaign that was specifically designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretense

of recouping server costs. Even though mobile devices aren’t as powerful as Desktops, let alone servers, this event showed that no one was really immune to drive-by mining. Malvertising was once again a major factor in spreading coin miners to a large audience, as we saw with the YouTube case that involved malicious ads via DoubleClick. Another

Asia Pacific Security Magazine | 11

Cyber Security

that Coinhive put forward to defend its stance against ad blockers and antivirus products. While only Coinhive themselves would have accurate statistics, according to our own telemetry the opt-in version of their API was barely used (40K/day) in comparison to the silent one (3M/day), as pictured in the below histograms during the period of January 10 to February 6. Moreover, even sites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case with popular American news website Salon[.]com.

Figure 5: Malicious Mac application launching a Monero miner

Copycats Several copycats emerged in the wake of Coinhive’s immediate success. According to our stats, coin-have[.]com is the second most popular service, followed by crypto-loot[.]com. While Coinhive takes a 30 percent commission on all mining earnings, Coin Have advertises the lowest commission rates in the market at 20 percent, although CryptoLoot itself claims to pay out 88 percent of mined commissions. In additions to bigger payouts, other “attractive” features pushed by newcomers are low payment thresholds and the ability to bypass ad blockers, which they often view as their number one threat. Browsers and technologies abused

Figure 6: An in-browser miner for Chrome on Android

Figure 7: Usage statistics for the opt-in version of Coinhive

Figure 8: Usage statistics for the silent version of Coinhive

interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous. A company called Texthelp had one of their plugins compromised and injected with a Coinhive script, leading to hundreds of government websites in the UK unwillingly participating in malicious cryptomining activity. To fend off criticism, Coinhive introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed. The idea was that considerate site owners would use this more “ethical” API instead, so that their visitors can knowingly opt-in or out before engaging in cryptomining. This was also an argument

12 | Asia Pacific Security Magazine

Contrary to malware-based coin miners, drive-by cryptomining does not require infecting a machine. This is both a strength and weakness in the sense that it can potentially reach a much wider audience but is also more ephemeral in nature. For example, if a user navigates away from the site they are on or closes the offending tab, that will cause the mining activity to stop, which is a major drawback. However, we observed that some miners have developed sneaky ways of making drive-by mining persistent, thanks to the use of popunders, a practice well-known in the ad fraud business. To add insult to injury, the malicious pop-under tab containing the mining code would get placed right underneath the taskbar, rendering it virtually invisible to the end user. Thanks to this trick, the mining can carry on until the user actually restarts their computer. Another way to mine for long and uninterrupted periods of time is by using a booby-trapped browser extension that will inject code in each web session. This is what happened to the Archive Poster extension because one of their developers had his Google account credentials compromised. It is worth noting that JavaScript is not the only way to mine for coins within the browser. Indeed, we have observed WebAssembly, a newer format available in modern browsers, being used more and more. WebAssembly modules have the advantage of running at near native speed, making them a lot faster and more efficient than JavaScript. | payload = - [ ExportSection | count = 27 | entries = - [ ExportEntry | field_len = 9

Cyber Security

| | | - [ | | | |

Figure 9: Two of the most popular Coinhive copycats Figure 10: The compromised extension with a rogue JavaScript for Coinhive

field_str = "stackSave" kind = 0x0 index = 71 ExportEntry field_len = 17 field_str = "_cryptonight_hash" kind = 0x0 index = 70

While drive-by mining typically happens via the standard HTTP protocolâ&#x20AC;&#x201D;either via HTTP or HTTPS connectionsâ&#x20AC;&#x201D;we have witnessed more and more examples of miners communicating via WebSockets instead. A WebSocket is another communication protocol that allows streams of data to be exchanged. There is an initial handshake request and response with a remote server followed by the actual data streams. Coin mining code wrapped within a secure (wss) WebSocket is more difficult to identify and block. Conclusion As the threat landscape continues to evolve, its connections to real-world trends become more and more obvious. Malware authors are not only enjoying the relative anonymity provided by digital currencies, but also want to amass them. Cryptomining malware provides a good use case for leveraging the size and power of a botnet in order to perform CPU-intensive mining tasks without having to bear the costs incurred in the process. In some aspect, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly temporary. While malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be undermined. Indeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down. Under the disguise of a financially-motivated attack, this could be the perfect alibi for advanced threat actors. Malwarebytes users, regardless of their platform, are protected against unwanted cryptomining, whether it is done via malware or the web.

Asia Pacific Security Magazine | 13

Cyber Security National

Dark Web, Tor and Anonymity

W By Jane Lo Correspondent

14 | Asia Pacific Security Magazine

hen the United States government took down Silk Road in May 2013 and arrested the founder, it asserted that: “the defendant, deliberately set out to establish an onlxine marketplace outside the reach of law enforcement or governmental regulation. Ulbricht has sought to achieve this end by anonymizing activity on Silk Road in two ways. First, Ulbricht has operated Silk Road on what is known as “The Onion Router” or “Tor” network, a special network on the Internet designed to make it practically impossible to physically locate the computers hosting or accessing websites on the network. Second, Ulbricht has required all transactions on Silk Road to be paid with “Bitcoins,” an electronic currency designed to be as anonymous as cash”. Four years later, the United States government took down another Dark Web site - AlphaBay, which it charged: “was designed to facilitate the illicit commerce hosted on the site by providing anonymity to its users in two primary ways. First, the AlphaBay hidden website operated on the dark web accessible only through The Onion Router (“ToR”) network, a special network of computers on the Internet designed to conceal the true IP addresses of the computers on the network. Second, AlphaBay required its users to transact in cryptocurrencies, also referred to as digital currencies, such as Bitoin, Monero and Ethereum”. With these high profile take-downs of “Dark Markets”, and the drama that followed - Silk Road’s founder losing

his life sentence appeal in May 2017, and the suicide of AlphaBay’s alleged founder in a Thailand prison in July 2017, Dark Web gained an unshakable reputation as a murky and mysterious place in the internet where criminals gather to conduct illicit activities. Anonymity – a privacy principle that protects individuals but also the criminals, Tor - the anonymizing technology, and digital means of payment (or cryptocurrencies) - BitCoin, Monero, Ethereum, also got caught up in this maelstrom of allegations and corruptions, illegal goods and services, organized crime and cyber underground. And swept alongside mentions of “Dark Web” were also references to the digital world of “Deep Web”. What is the Deep Web, Dark Web? “Deep Web” is widely pictured as the underwater portion of an Iceberg, where the tip represents the internet “searchable” pages crawled by traditional search engines - the “Surface Web”. Scientific calculations placed the below-surface portion of a real Iceberg at 90%. This figure is consistent with estimates of “Deep Web” making up 90% of the overall web, but other approximations have put it at as low as 5-10%. In contrast, the size of the searchable “Surface Web” is more transparent - extrapolation and inspection of TCP/IP of responses give circa 1.3 billion websites. First coined in 2001, “Deep Web” are sites not easily

Cyber Security

"Most people on the internet are doing benign and good things," Director of the Information Innovation Office at DARPA said when the agency’s Dark Web crawler was opensourced. "But there are parasites that live on there, and we take away their ability to use the internet against us-- and make the world a better place." underpinning the cryptocurrencies, routing technology for anonymizing digital addresses, the associative indexing of the web crawlers) combined with take-downs spark a renewed interest in how it operates in the modern internet, and the place it occupies in the sub-world of the Deep Web. Tor, The Onion Router, the beginnings and growth

accessed by traditional search engines and indexed. They are pages where information is “buried far down on dynamically generated sites” (not static or linked to other pages). They are also digital information such as those managed behind firewalls, or accessible via authenticated web front ends or protected by passwords, or stored on local PCs in peer-topeer networks. Examples are enterprise protected services on Cloud, Facebook with privacy settings, private photo galleries, HTTP servers that blacklist certain web crawlers. Within the “Deep Web” is a collection of sites running on an encrypted network. This is the “Dark Web” – though it leverages of off the internet infrastructure, not only is it inaccessible via traditional search engines, it also cannot be visited via traditional browsers. Dark Markets operate in this part of the net. Results from attempts to measure the magnitude of Dark Web – particularly the portion that hosts legal content - despite the access constraints and its transient nature test widely held perceptions: A year-end Tor Project study indicated 50,000 sites (significantly less than 1% of the overall internet sites); a 2016 private-sector research concluded that “the dark web is host to primarily legal, even mundane content” ; another reported 52% of “onion services” is crime related. Online trading of illegal goods was around before Dark Web came into existence. What is different this time is the technological advances (BlockChain technology

While the take-downs may cause many to focus on Tor’s role in providing criminals the arena to conduct illegal activities, law enforcement acknowledges its legitimate uses. In fact, there were military origins of this technology, as a means of intelligence gathering. Both the US ONR (Office of Naval Research) and DARPA (Defense Advanced Research Projects Agency) supported the research into “an infrastructure for private communication over a public network” or “The Onion Routing”, which came to be known as Tor. Patented by the US Navy in 2001, evolving demands for anonymous communications led to alternate designs. Two well-known ones are Freenet (a peer-to-peer distributed anonymous information storage and retrieval system) and I2P (“The Invisible Internet Project”, which like Tor, allows anonymous access to online content, using a peer-to-peer-like routing structure and layered encryption). Early stage adoption saw one of the first hosting services operating on the Tor network (Freedom Hosting); the launch of the first Dark Market (Farmer’s market). Silk Road went live 2 years later, and became Dark Market’s standard modus operandi with its business model of offering escrow arrangement and Bitcoin as payment means –itself also a relatively recent existence after the mining of the Genesis block. During this period, there were early signs of legitimate activities - the attack on Freedom Hosting and take down of Farmer’s market were examples of early law enforcement and white hat activities on the Tor network. Further adoption came with users including Edward Snowden who used a Tor application called Tails (The Amnesic Incognito Live System), and Securebox users for communicating securely and anonymously with media organsiations, and with law enforcement for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations. Specifically, in April 2015, DARPA launched and opensourced the Memex program, which, explained by Chris

Asia Pacific Security Magazine | 15

Cyber Security

trade and sex trafficking.” In parallel, on the back of BlockChain development, Ethereum and Monero were also launched – cryptocurrencies that were also adopted by Dark Markets traders in their basket of standard payment means. The take-down of Silk Road in 2013 did not deter Dark Market traders from launching their sites on the network. In fact, the FBI noted, when shutting down Silk Road 2.0, “It’s been more than a year since the FBI made an arrest of the administrator of the black-market bazaar, Silk Road, and here we stand again, announcing the arrest of the creator and operator of Silk Road 2.0. Following a very close business model to the first, as alleged, Blake Benthall ran a website on the Tor network facilitating supposedly anonymous deals of drugs and illegal services.” Double-Edged Sword?

White (Memex program manager), could revolutionize law enforcement investigations: “By some estimates Google, Microsoft Bing, and Yahoo only give us access to around 5% of the content on the Web. That leaves a lot of room for bad actors to operate freely in the shadows. By going far beyond the realm of traditional search engines, Memex gives law enforcement a powerful new tool to search the "dark web," where criminals buy, sell, and advertise in the illegal weapons

16 | Asia Pacific Security Magazine

That a hacking collective “Anonymous,” who notwithstanding its vigilante actions (e.g. taking down child pornography sites), is also linked to attacks on government websites and said to be targeting central banks, add to the unfavourable perception of anonymity. Neither do the references of Tor associating it with hosting “hidden services” (later renamed as “onion services - perhaps recognising the negative connotation this term is loaded with). For the wider community of everyday users, the bombardment of internet adverts triggers the desire for anonymity: to be shielded from online surveillance (the tracking of behaviour and interests) - or "traffic analysis." Sometimes the reason is personal: to exchange information in chat rooms on socially sensitive topics such as certain health questions. In some ways, Tor’s emphasis on legitimate use could be seen from its seemingly lack of misinformation controversies, compared to other platforms that offer anonymity features. One example is 4Chan. Famous for birthing Anonymous, with a heavy visitor daily traffic of 23 million, it had been accused of spreading false information, hoaxes and rumours. The disclosures of Panama Papers and Paradise Papers, which gave insights into illegal financial arrangements (as well as legal ones), were possible with anonymous communication systems or anonymity systems (in addition to encryption). While anonymity supports privacy and safety, the frequency of Dark Market launches point to abuses by Cyber criminals of the technology. Indeed, in his book “Data and Goliath”, one of the world’s leading security experts, Bruce Schneier noted, “Our infrastructure can be used for both good and bad purposes. Bank robbers drive on highways, use electricity, shop at hardware stores, and eat at all-night restaurants, just like honest people. Innocents and criminals alike use cellphones, e-mail, and Dropbox. It rains on the just and the unjust. Despite this, society continues to function, because the honest, positive, and beneficial uses of our infrastructure far outweigh the dishonest, negative, and harmful ones. The percentage of the drivers on our highways who are bank robbers is negligible, as is the percentage of e-mail users who

Cyber Security

are criminals.” One example is ShadowBroker’s release into a Dark forum, tools and exploits allegedly stolen from NSA, which were instrumental injecting the WannaCry virus into the global computer networks. Ironically, leveraging on the anonymity afforded to the users of the Tor technology and cryptocurrencies, the Cyber criminals also performed a few high profile exit scams – where the site creators disappeared with the cryptocurrencies held in the escrow (e.g. Evolution, Agora). During these exit-scams by the Cyber criminals on their fellow “compatriots” and high profile take-downs of the Dark Markets, there was an observed dip in the number of Tor relays and bridges. So, then, what is next - what are the indications of the future direction of the Tor network? Will “the most popular websites in the dark web” still be “acting as catalysts for dark web expansion by providing necessary knowledgebase, support and services to build Tor hidden services and onion websites”, as noted in a 2016 academic study? What is next for Tor and anonymity technologies? One aspect is how well the network guard Tor user’s anonymity. On-going research that identify and evaluate vulnerabilities help lay the ground for building protection, as we see from the debates following the MIT/Qatar’s 2015 paper on potential de-anonymizing attacks on Tor network which could identify site’s servers and operators. Another is how the roles that governments take on, will shape our understanding and adoption of anonymity concepts. Law enforcement actions on the illegal activities in the Dark Web will enhance understanding and safer legitimate uses. "Most people on the internet are doing benign and good things," Director of the Information Innovation Office at DARPA said when the agency’s Dark Web crawler was open-sourced. "But there are parasites that live on there, and we take away their ability to use the internet against us-- and make the world a better place." Regulations are also able to adapt to advances in technologies as we see from ground-breaking cases such as Steve Jackson Games, Inc. v. United States Secret Service (in which the court held that e-mail deserves as much protection as telephone calls) , and Bernstein v. U.S. Dept. of Justice (in which the ruling that restrictions on encryption as a United States Munitions “weapon to be regulated for national security purposes” violated First Amendment rights led to relaxation of export regulations). By codifying Privacy-by-Design and Privacy-by-Default principles (among others) in the final text of General Data Protection Regulation (GDPR) for application in EU Member States from 25 May 2018, GDPR is the biggest shake up to European privacy laws for 20 years. Measures such as pseudonymisation and requirements such as data minimisation, terms which sound relatively sophisticated to many of us today, may yet become commonly known. And, certainly how we come to view the part anonymity plays in our lives will also drive its development. “Each

person’s requirements for anonymity differ – do you need to protect your passwords and keep private documents away from your co-workers? Do you need to hide from a fan who is stalking you?” Kevin Mitnick, one of the world’s most famed hackers, challenged us in “The Art of Invisibility”. Final words As with other technologies, operational security or OpSec, is critical for users who desire absolute privacy. Mr Chester Wisniewski, Principal Research Scientist, Sophos says: “If you cross pollinate any part of your real identity with your "private" identity it is often possible to link the two together. Never use a real name or nickname that has ever been associated with you before. Always create unique email addresses and other identifiers and only create them from within the context of your privacy shielding network like I2p or Tor. Always censor any screenshots or photos taken of content from your private identity to shield it from being publicly discovered. Never use voice or video services over hidden networks. Don't log into accounts or websites associated with your patterns in the open world. Always use a unique machine with a operating system designed to protect and make it harder to accidentally reveal your identity, like TAILS”.

Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

LAW ENFORCEMENT

REGULATION

BUSINESS

ACADEMIA

BANKING & FINANCE

INTEGRITY COMMISSIONS

As the peak professional body for intelligence professionals, AIPIO is committed to: Connecting members across intelligence communities and encouraging cross-domain collaboration Sharing cutting edge and emerging global intelligence practices and enabling technologies Supporting and representing intelligence professionals throughout their career lifetime Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au

Asia Pacific Security Magazine | 17

Cyber Security

The growing popularity of smart phones as Access control credentials By Scott Lindley, General Manager, Farpointe Data

18 | Asia Pacific Security Magazine

martphones fulfill many needs, including telephone, camera, navigation, music, video, clock, news, calculator, email, Internet, gaming, contacts, and more. Security professionals creating access control systems need to be aware that 95+ percent of all adults 18-44 years own smart phones. Plus, 69 percent of the entire population already uses smart phones. That's babies through seniors. And, the average smart phone user touches their device 2,617 times a day ((Dscout Research)! Thus, practically anyone using an access control system already carries a smart phone. Another way to look at it is that every smart phone user, or almost everybody, could now easily download an access control credential. Mobile credentials are smart phone-based versions of traditional RFID cards and tags. Mobile credentials make it possible for smartphones, such as the Apple iPhone® and the range of Google Android® devices, to be used as an electronic access control credential. No longer will people need various physical credentials to move throughout a facility. Instead, a person's iPhone or Android smart phone, which they carry with them wherever they go, will have the credentials they need to enter into any authorized access system. In fact, such a system can reach beyond the facility

into their homes, their automobiles or at the gym. “Mobile has already disrupted so much in both our personal lives and the enterprise, but we are still tapping an old school badge on a door access reader,” David Anthony Mahdi, research director at Gartner Research says. “It’s a dichotomy. On one side we are doing all these amazing things with our phones but then we are still using 20-plus year old technology to get into our buildings.” Referred to as mobile or soft, smart phone based access control credentials are another version of traditional RFID cards and tags, joining proximity and smart card credentials to support a user as she moves about a secured facility. Gartner suggests that by 2020, 20 percent of organizations will use mobile credentials for physical access in place of traditional ID cards. Soft credentials provide several advantages over hard credentials. They are more convenient, less expensive and more secure. This is true for both end users and installers. They are more convenient because the user already has his credentials and already carries it with him wherever he goes. Credentials can be delivered to the end user in either paper or electronic form, such as via email or text. The dealer has nothing to inventory and nothing to ship. Likewise, the user sponsor has nothing to store, nothing to lose and faces no physical replacement hassles. Cost are lowered as nobody

Cyber Security

mobile access systems. One additional concern held back some buyers. What if the baby boomers at our facility don't have a smart phone? Problem solved. Just be sure that your soft credential reader can also use a smart card. Technical Stuff Quickly Explained Just like hard credentials, soft credentials can support the 26-bit Wiegand format along with custom Wiegand, ABA Track II magnetic stripe and serial data formats. They can be ordered with specific facility codes and ID numbers. They are delivered in the exact number sequence ordered with no gaps and no under- or over-runs. Two technologies are used - Bluetooth and NFC (Near Field Communication). Bluetooth readers are less expensive because almost every smart phone already has Bluetooth. Not even 50 percent of all smart phones yet have NFC. Bluetooth's other big advantage is read range, up to 30 feet. Plus, installers can provide adjustable read ranges and differ them for various applications. For instance, they could be six inches at the computer access control reader but 24 inches at the front door. When entering the facility gate, a still longer read range, perhaps six feet, can be provided so users don't have to open their car window to reach the reader. NFC readers only operate with a read range of a few inches, that of a proximity card, eliminating any possibilities of simply leaving the smart phone in the pocket or purse and still get reads. Secure!

“Mobile has already disrupted so much in both our personal lives and the enterprise, but we are still tapping an old school badge on a door access reader,” must undertake "1sy-2sy" replacement orders. Original soft access control systems are already being used by innovators, approximately five percent of users, according to Gartner. There were the typical drawbacks with a new technology. Before they switched to soft credentials, the next wave of users have requested smart phone solutions that eliminate many of the frustrations that they discovered with their original smart phone apps and hardware, the main one being complicated implementation practices. The newer solutions provide an easier way to distribute credentials with features that allow the user to register only once and need no other portal accounts or activation features. By removing these additional information disclosures, vendors eliminated privacy concerns that have been slowing down acceptance of

Many companies still perceive that they are safer with a card, Gartner’s Mahdi notes, but if done correctly, the mobile can be a far more secure option with many more features to be leveraged. Handsets deliver biometric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC, he adds Bottom line - both Bluetooth and NFC credentials are safer than hard credentials. Read range difference yields a very practical result from a security aspect. A Bluetooth reader can be installed on the secure side of the door while NFC must be mounted on the unsecured side. As far as security goes, the soft credential, by definition, is already a multi-factor solution. Mobile credentials remain protected behind a smart phone's security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification - what you know and what you have or what you have and a second form of what you have. To emphasize, one cannot have access to the credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential works just like any other app on the phone. The phone must be “on.” Leading readers additionally use AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks. With the U.S. Federal

Asia Pacific Security Magazine | 19

Cyber Security

Trade Commission (FTC), among others, now holding the business community responsible for implementing good cybersecurity practices, such security has become an increasingly important consideration. If the new system leverages the Security Industry Association's (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices. Likewise, check if the new soft system requires the disclosure of any sensitive end-user personal data. All that should be needed to activate newer systems is the phone number of the smart phone. Lastly, once a mobile credential is installed on a smartphone, it cannot be re-installed on another smart phone. Think of a soft credential as being securely linked to a smart phone. If a smart phone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software - with a new credential issued as a replacement. Installing Soft Credentials Is So Much Easier Smart phone credentials are sold in the same manner as traditional 125-kHz proximity or 13.56-MHz smart cards from the existing OEM to the dealer to the end users. For the dealer, smart phone credentials will be more convenient, less expensive and more secure. They can be delivered in person or electronically. They are quicker to bill with nothing to inventory or to be stolen. Also, in most cases, soft credentials can be integrated into an existing access control system. Distribution can also be via independent access control software. There are two types of software. First is the Wallet Application, a free software that is downloadable from the Apple App Store or the Google Play Store. Its purpose is to hold the access control credentials. Typically, the Mobile Wallet App will store as many credentials as you will want, all at one time. The Mobile Access Credentials are the individual credentials needed to gain access. Each credential can be programmed to work with a specific access control system. This means that, yes, a single smart phone, holding multiple access credentials, can be used to gain access on multiple access systems. No longer will users be required to carry individual multiple hard credentials. The employee just carries her smart phone which has them all within it. Smart phone credentials deploy so much faster than hard credentials. To install a mobile credential, a user needs to first have the Wallet App installed on a supported smart phone. Next, you launch the App and select the “Add” button, indicating that you would like to load a new credential. A Registration Key Certificate is provided for each credential ordered. Now, enter the unique 16-character Key from the Certificate and tap “Submit.” Once successfully registered, the new mobile credential will appear in the Wallet App ready for use. From that point on, the user simply holds their smart phone up to reader when they approach it.

20 | Asia Pacific Security Magazine

Why Multiple Credentials Are Emphasized with Smart Phone Access Control The simple reason is that this is the future. Already, we've discussed access control at the front door, the parking gate and for the data system. But, at lunch, soft credential would also be available at the cafeteria or the vending machines. Students could check out books while machinists select the tools they need. They become a photo ID at the club. All are separate applications with their own access control systems. Thus, a Mobile Wallet App will normally store many credentials on a smart phone at one time. The actual quantity is dynamic and is related to the memory specifications and internal storage space available on each individual smart phone. And, more opportunities are on the way. How about using your smart phone as an intelligent key for your car? Want to know where your child is driving, how fast or if he added gas or oil? How about using it to access your gym, automatically synch to a piece of equipment or analyze the effectiveness of your workout? Forget all those other tags and cards. Your smart phone will become the passport to all aspects of your life from work to home to avocations. At a fraction of the investment you have in hard credentials, secure soft, digital credentials are all you need. The Hard Fact about Soft Credentials Soft, mobile, smart phone based access control credentials are inevitable. Every security professional needs to get on board. About the Author: Scott Lindley is a 25+ year veteran of the contactless card access control industry. He is general manager of Farpointe Data, the leading OEM for cards and readers. He can be contacted at Scott.Lindley@farpointedata.com.

Cyber Security

26 - 28 June 2018 Marina Bay Sands, Singapore www.NXTasiaExpo.com

TRANSFORM THE FUTURE Get involved in transforming the future at NXTAsia – Asia’s new exciting platform showcasing the latest in digital enterprise solutions and technologies. Attendees will be able to gain insights and witness emerging technologies and enterprise solutions. A part of ConnecTechAsia, NXTAsia’s first edition will present an exciting and fresh new way for end-users to experience the latest technologies and form valuable partnerships. Find out how to apply these technologies in your business.

IoT / Smart Cities

Cloud / Big Data / Data Centre

Cyber-security / Security

AI (Artificial Intelligence) / Machine Learning / Robotics

VR / AR / MR

Skip the Queue! Pre-register your visit now at www.NXTasiaExpo.com/pre-registration

A part of:

Held alongside:

Organised by:

Held in:

Asia Pacific Security Magazine | 21

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 4, 2018

Protect your reputation after a breach

Breach notification isnâ&#x20AC;&#x2122;t just about breach notification

Cryptocurrency Insecurity

Spectre and Meltdown

MORE TO COME!

! N O O S T

U O 4 # E

U S S I

DATA BREACH M EM B ER F OC U S E D 22 | Asia Pacific Security Magazine

Advocacy. Community. Integrity.

Cyber Security

Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

LAW ENFORCEMENT

REGULATION

BUSINESS

ACADEMIA

BANKING & FINANCE

INTEGRITY COMMISSIONS

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au

Asia Pacific Security Magazine | 23

National

Closing the cybersecurity skills gap By Rebecca Vogel Intelligence Lecturer Department of Security Studies and Criminology *For the full article and references contact the Editor.

he approaching “fourth industrial revolution” was the theme for the 2016 World Economic Forum, and a global report entitled, Amplifying Human Potential was released at the Forum. The report discussed the digital technologies young workers will need to navigate and the skills they will need. The report reiterated the importance of education—that “through education, there is an unassailable opportunity to prepare everyone for such a change (Infosys, 2016).” The education system, both at a secondary level and the tertiary level, needs to be directly involved in programs to enhance cybersecurity skills. While the tertiary level appears to be moving in the right direction, in 2014, 64% of high school students America did not have access to computer science classes or other classes that would help prepare them for a career in cybersecurity (Raytheon, 2014). Industry experts consider that even if schools place a much stronger emphasis on cyber security, it may take up to twenty years for the skills gap to close (L. Morgan, 2014). Increased Workforce Capability In October 2012, the FBI launched its Next Generation Cyber Initiative, which was aimed at enhancing the Bureau’s ability to deal with cybersecurity issues. To do this, the FBI sought to hire more computer scientists. While the FBI has made some progress toward this goal, recruitment and retention of qualified candidates is reported to remain a challenge; this is because there are higher salaries offered in private industry (Dunsmuir, 2015). Tellingly, a 2015 audit of the Next Generation Cyber Initiative showed the FBI

24 | Asia Pacific Security Magazine

'The US Bureau of Labor Statistics releases a biennial report on the fastestgrowing occupations. Its 2013 report indicated that the information-security profession, including cybersecurity professionals, is expected to grow 36.5% by 2022.' was not able to hire 52 of the 134 computer scientists it was authorised to recruit, presumably because of the lower wages the Bureau offered (Office of the Inspector General, 2015). In Australia, the 2013 Australian National Plan to Combat Cybercrime identified two key priorities that were intended to strengthen its response to the cybersecurity skills shortage: 1) Improving the capacity and capabilities of agencies to address cybercrime, and 2) Partnering with industry to tackle the shared problem of cybercrime. The imperative for cyber capacity and capability was explained in the report, saying, “…law enforcement agencies need to keep pace with evolving technologies if police

National

are to perform their duties in the digital environment (Commonwealth of Australia, 2013). Similarly, the Australian Crime Commission (ACC), Australia’s national criminal intelligence agency, in its National Organised Crime Response Plan 2015–18, cited the need to: 1) progress the priorities set out in the 2013 Australian National Plan to Combat Cybercrime, specifically, … improving the capacity and capability of government agencies, particularly law enforcement, to address cybercrime; and 2) develop a technical capability community of interest, comprising a national forum for relevant agencies and organisations to discover and understand the technical capability challenges facing law enforcement agencies nationally that impede investigations into cybercrime and technology-enabled crime, to identify mechanisms to mitigate or address these capability challenges. (Australian Crime Commission, 2015a). In 2014, the Pentagon announced an initiative that it intended to create a 6,000 strong cyber workforce to defend against threats to American computer networks, citing a challenge to train a cyber workforce, which is expected to run through 2016 (Bottalico, 2014). The US Senate also passed the Cybersecurity Skills Shortage Bill in September 2014, granting authority to hire and retain qualified cybersecurity professionals in an expedited manner, pay recruits more competitive salaries, and provide more attractive benefits and incentives (Chabrow, 2014). Later, in November, 2015, the UK government announced its National Cybersecurity Plan (previously known as the National Cybersecurity Programme) (NCSP) to bolster Britain’s next generation of cyber security professionals. The plan involved an increase in spending on cybersecurity to £1.9 billion by 2020, recruiting 1,900 new staff across the three intelligence agencies. The first National Cyber Centre will be established, which will house the UK’s first dedicated cyber force. A £20 million competition will be run to open a new Institute of Coding to train cybersecurity students in high-level digital and computer science skills. In quite an innovative move, the plan targets the most talented 14 to 17 year olds, providing them with expert mentors, challenging projects, and summer school to identify and train potential future employees (UK Government, 2015). Emerging employment trends The US Bureau of Labor Statistics releases a biennial report on the fastest-growing occupations. Its 2013 report indicated that the information-security profession, including cybersecurity professionals, is expected to grow 36.5% by 2022. This profession is one of only twenty occupations with the highest expected percentage change of employment between 2012 and 2020 (Bureau of Labor Statistics, 2014). Results of research conducted by KPMG are also indicative of the trend toward “upskilling” within the private sector to protect itself against cyber breaches. In 2014, KPMG surveyed 300 senior IT and HR professionals in the UK within organisations of between 500–10,000 staff and found that companies are “increasingly desperate” to in their quest to hire the right cyber people, with 70% admitting their company lacks

the ability to assess incoming threats (KPMG, 2014). There are positive trends being seen in bridging the gap in cybersecurity skills and reasons for optimism. The 2015 ISACA report showed enterprises are beginning to look at cybersecurity as an issue for the business itself, and not just for the security manager. Security Operations Centres (SOCs) are being implemented, budgets are increasing, and executive support for security programs is more apparent, helping to elevate cybersecurity programs (ISACA, 2015). Another emerging trend in employment practice is to use Cyber Challenge competitions as a means to vet the cybersecurity skills and know-how of prospective employees. The US Cyber Challenge, in partnership with private industry, is creating “mini-challenges” to be piloted in late2016, which will allow job applicants to demonstrate their cybersecurity abilities and potential employers to evaluate their skills in real-time (Chabrow, 2016). Employment challenges There are challenges surrounding developing and maintaining a robust cybersecurity workforce within the national security community, encapsulated in a 2015 article from The Times of London: Technological skills are at a premium, and the Confederation of British Industry calculates that in three years there will be 600,000 vacant slots for able technological graduates. People who work at GCHQ are on government pay; many could earn far more outside. ‘Cheltenham is not much like San Francisco. If you’re a techie, this might not be the first place you would want to come,’ the head of personnel says (MacIntyre, 2015). Across the Atlantic, US report (2016) reiterated similar challenges seen in the Federal Cybersecurity Workforce, namely: 1) demand outstripping supply for cybersecurity professionals, 2) skills gap in cybersecurity positions, and 3) agency strategic workforce plans that do not specifically address cybersecurity workforce needs (Francis & Ginsberg, 2016). Compounding the challenges faced by the cybersecurity skills shortage are those of enticing and retaining the information security experts needed within the National Security space and public sector space more broadly. The 2014 KPMG survey mentioned earlier indicates a higher “churn” rate for cyber professionals than for IT professionals, and 52% of those IT and HR professionals surveyed agreed there is aggressive headhunting in this field (KPMG, 2014). This presents an obvious challenge to the public sector, as the public sector, with its historically lower salaries, will surely struggle to retain cyber-skilled individuals who can and will be easily headhunted by the private sector, with its much more robust capability to offer attractive pay packages. Private sector entities, including the large Professional Services, Technology and Financial Services firms, will no doubt increase salaries and compensation packages offered to public sector cybersecurity specialists, effectively cherry picking many of the best potential employees. A 2015 report by the US Department of Justice highlighted the struggle facing the FBI in attracting computer science recruits, mainly due to low pay (Dunsmuir, 2015). The FBI, responding to the report, said “the cyber workforce

Asia Pacific Security Magazine | 25

National

challenge runs through the federal government” and that it was necessary to develop “aggressive and innovative recruitment and retention strategies” (Dunsmuir, 2015). An encouraging move to address the pay gap issue was the introduction of US legislation (S.1,691—Border Patrol Agent Pay Reform Act of 2014), which incorporated the Department of Homeland Security’s Workforce Recruitment and Retention Act), aimed at mitigating the significant problems of successful retention and recruitment, which was passed in December 2014, enabling qualified recruits to be paid more competitive salaries, benefits and incentives. Implications for practice The global cybersecurity skills gap has important implications for the private and public sectors. There is a critical need to address the talent shortage by increasing the number of individuals who have cybersecurity skills. While problematic, this situation presents a unique window of opportunity for those individuals looking to work in the national security community. Current IT professionals, university students and others interested in the cyber domain have abundant opportunities to upskill in cybersecurity areas such as forensic computing, social media exploitation or threat intelligence reporting, and move into this dynamic, growing field. Numerous government initiatives are in place to address the cyber skills shortage, as well as legislation which will provide the means for the public service to become more competitive in attracting and retaining the best and brightest individuals. The public service, facing challenges of competition from

26 | Asia Pacific Security Magazine

the private sector in recruitment and personnel retention, will need to innovate and respond in a much more agile way to market forces in order to attract and keep the best cyber personnel. Given the challenges in competing on remuneration, organisations that offer additional benefits on the job, such as ongoing training and professional development, a clear career path within the cybersecurity field, ongoing engagement with outside stakeholders, vendors and academia, to inform their employees’ cybersecurity expertise, will likely have a stronger case for retaining their cybersecurity professionals. These aspects of a strategic workforce planning and retention program will ensure that the next generation of cybersecurity professionals remain engaged in the national security sector to combat the cyber threats of the future. The implications of the ongoing and growing threat posed by criminal and foreign adversaries are clear for cybersecurity operations and intelligence practice. The gap between the need for individuals highly skilled in cyber and the numbers of cyber-trained intelligence analysts within the National Security and Law Enforcement communities provides a challenge, but also numerous opportunities. Reskilling and upskilling in cyber expertise within the national security community will be important in dealing with the dynamic, technically savvy cyber opponents. Creating an agile, skilled cybersecurity workforce is the current challenge. The bottom line is that national security communities will need to invest in their workforce, to improve the cybersecurity capability and capacity of their people through further education and training.

Taking the ‘right’ risks and reaping the rewards By Jenny Yang Security Architect, Versent

here is a common perception of the stereotypical security professional who always says ‘no’. However, there are a growing number of security consultants who have come to approach new projects and clients with the response ‘yes - if….’. The role of the security consultant is to ensure they have assurances over what the business is doing, and to do that it’s not as clean cut as a yes or no answer. Security has never been about holding anyone back, but rather to protect the business by enabling senior leaders to take the right risks, in order to reap the rewards. To do this, the security consultant needs to have a transparent view of the business. Then it’s about taking a layered approach, and layering your recommendations with context. Real-time visibility of security posture To better understand the business and its challenges, it’s critical to know what your security posture is. Without knowing where you currently are, how do you know where you are meant to go? The traditional approach is to hire an external consultancy to compare the current security maturity to external standards such as ISO27001 or PCI-DSS. The findings will be analysed based on a time-boxed set of interviews and subset of documents, rather than what is actually in the environment. The response and analysis to which can be shaped by what the auditor perceives. This is not to discount the role of an external auditor, however in this changing climate, these audit controls need to be automated and assessments cannot wait until the next time there is funding for an external consultancy and a maturity assessment. General controls are typically assessed from two aspects: design effectiveness and operational effectiveness. The guardrails built into your CI/CD pipeline form your design effectiveness. The operational effectiveness is where monitoring and security orchestration tools come into play. The benefit of going to cloud service providers is that there are ‘plug and play’ products that can give visibility. Stax is a perfect example of this. Executives expect quarterly cybersecurity reports and managers spend at least a few days every month generating governance risk and compliance reports; however, this can

now be reduced to an automated task that can be produced in real-time. Automate security auditing Security consultants are designed to be advisors, not auditors. With the shortage in cybersecurity resources, time is better spent on automating controls, not on ticking check boxes and spending countless hours generating monthly compliance and executive security reports. Migrating to the cloud was considered to be a significant risk 10 years ago. It’s important to remember, just because you migrate to cloud platforms like AWS, does not automatically grant you all the certifications that come with AWS. It does however, give security professionals the optimal opportunity to leverage new and improved tools, build in the automated security controls and enhance visibility of their own resources. Build in the controls, then trust and verify Trust that your developers know what they are doing but still verify to check against human error. A good developer will want to share their learnings, learn from others and build continuous improvement into the pipeline. Your developers know the ‘ins and outs’ of the application and where it could be improved which enables the company to fine-tune their policies. Greater visibility of how to improve the code and the technology with static code analysis and runtime vulnerability management scanning, will ultimately educate the developer community. The trusted advisor Managers and executives need to change their expectations around what the security team is providing, moving beyond monthly reports, to see the security consultant as a ‘trusted advisor’ to inform the business of its risk, rather than simply providing a yes or no answer. And once the security consultant has a better understanding of the business, and its challenges, only then can they enable a business to take the ‘right risks’.

Asia Pacific Security Magazine | 27

E TUN IN ! NOW

www.australiancybersecuritymagazine.com.au 28 | Asia Pacific Security Magazine

PODCAST HIGHLIGHT EPISODES

Episode 28 – Australia’s eSafety Commissioner, Julie Inman-Grant discussing online safety, cyber bullying and child exploitation

Episode 15 – Protecting media & journalists in hostile environments – Shannon Sedgwick, CEO of GM Risk Group

Julie Inman-Grant, the Australian eSafety Commissioner at the Office of the eSafety Commissioner, speaks with Chris Cubbage at the Women in Cyber Mentoring Event in Sydney. Julie discusses her role and her focus on online safety, preventing cyber bullying, and child exploitation, and how her 17 years formerly at Microsoft, as well as Adobe, and Twitter, assist her in her role as the Commissioner of eSafety.

In this interview, Chris Cubbage interviews Shannon Sedgwick, CEO of GM Risk Group, a consulting firm specialising in protecting media staff, both in terms of physical and cyber security, as they travel in hostile environments.

Chris and Julie also discuss the three pillars within eSafety of safety, security, and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Shannon has personally provided protective services to media companies and has travelled to over 30 countries this year, including the Congo, Afghanistan, and Iraq. Shannon discusses the services that GM Risk Group provide, how to mitigate risk, and the increased focus of media companies on duty of care and overall safety for journalists. If you, or members of your team work in regions of the world, where data or physical safety are at risk, then you’ll enjoy this interview with Chris Cubbage and Shannon Sedgwick.

Episode 25 – ECU Cooperative Research Centre & Dr Peter Hannay’s research into historical location data within digital devices In this interview, Dr Peter Hannay of Edith Cowan University (ECU) provides insight into the recent completion of his doctoral research which focused on historical location data that can be gathered from small and embedded devices. This research was used by WA Police to assist in homicide cases, for tracking a suspect’s movements, as well as providing a credible alibi. Peter also talks about ECU’s Cooperative Research Centre, a $130 million-dollar project, as well as leading research in cyber security, particularly IoT. If you’re interested in cyber security research, and true crime, then you’ll enjoy this interview with Chris Cubbage and Dr Peter Hannay.

Episode 8 – Meet Renowned Autonomous Vehicle Security Architects & “White Hat” Hackers, Dr. Charlie Miller and Chris Valasek, GM’s Cruise Automation You’ll love this interview with Charlie Miller and Chris Valasek. As the sixth interview at #AISACON17 in Sydney, we met these celebrity ‘security architects’, who first hacked two non-connected, commercially available cars using a diagnostic port. While some consideration was made to security in the original software, Chris and Charlie highlighted that with a little problem solving, and a lot of patience, control systems, effecting steering, brakes and lights could be manipulated. Later, the dynamic duo set their sights on ‘remotely’ hacking a Jeep SUV. In this interview, we’ll learn how they were able to bridge the gap between the ‘head unit’ or radio, and the control systems, and take control. All while the driver was travelling at over 100 km per hour. Enjoy the discussion!and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Episode 17 – Tackling online extremism through inclusion and tolerance: The Raqib Taskforce In this interview, Chris Cubbage interviews Anooshe Mushtaq, Chair and Founder of The Raqīb Taskforce, an organisation that promotes social inclusion and cohesiveness for Australia’s Muslim community, particularly the youth. Anooshe shares how her grassroots organisation is helping to debunk hate speech, remove division, and promote the voice of young Muslims, to counter extremism both within and outside the Muslim community. This involves a host of online and social media strategies. Ultimately, the Raqib Taskforce aims to build a tolerant and cohesive society, through better understanding of all sides. Please Note: This interview was arranged and conducted by MySecurity Media independently of the Risk Management Institute’s National Conference. Recorded November 16, 2017, Canberra.

Episode 9 – Cyber Threat Alliance (CTA) President Michael Daniel in Sydney #AISACON17 Our seventh interview at #AISACON17 in Sydney in October, is with the President of the Cyber Threat Alliance, Mr Michael Daniel. In this interview, Michael Daniel talks about his new role at the Cyber Threat Alliance, or CTA, and how his organisation and the 12 member companies are sharing threat intelligence at speed and scale. In particular, you’ll hear about the CTA’s ‘sharing rule’, that ensures collaboration, and improves all members’ products and services. And this sharing is quick. Michael highlights that the time from detection by one member company to deployment by another member company can be as short as only 54 minutes. In this interview you’ll hear cyber security vendors working together to collectively, systemically disrupting the ‘bad guys’.

www.australiancybersecuritymagazine.com.au Asia Pacific Security Magazine | 29

International

Trends in the technology industry â&#x20AC;&#x201C; opportunity, scale & China

Insights from the Canalys APAC Channels Forum, December 2017, PERTH

T By Chris Cubbage Executive Editor

30 | Asia Pacific Security Magazine

he opportunities for the technology industry and channel providers are moving fast and in some parts of the globe, the technology strides are leaping ahead. It will be the Technology Channel eco-system who will sell, support, configure, secure and maintain these interconnected networks, systems, robots, drones and autonomous vehicles. The market opportunity is looking explosive. As 2018 gets underway, every sector will continue to increasingly experience a digitalisation and automation transformation. In manufacturing, or what is termed Manufacturing 4.0 is being seen in China, Japan and South Korea, with the value chain moving faster than ever through the application of 3D printing, robotics, analytics, virtual reality, augmented reality and the concept of digital twins, where a real product and a digital copy of that product is created to manage and track the entire life cycle, including the intricacies of the farm and factory.

Driving Transformation: Cloud Environments & Ecosystems The cloud environment will support these evolving and innovative applications but with the use of edge computing, local processing and storage will still be necessary. The ability to process multiple data sources at high speeds, close to the source of the data will continue to rise sharply. There will be a need for speed and overcoming the latency of cloud environments. As a result, there is an emergence of microsolutions, combined sensors, analytics, machine learning that are rugged, heat resistant, water resistant and portable. This will be a new form of computing. It is being driven by increases in CPU and GPU processing capability and solid-state drives are exploding in terms of capacity, currently available in 32TB. These micro-clouds will exchange data with the public cloud and the Technology Channel partner network sees enormous opportunity around the integration

International

driven and centred around cloud infrastructure and it is now who partners with who, for providing cloud services. These partnerships bring together the operational technology and IT technology companies, such as HPE partnering with APG, announced in Madrid in October, 2017. In Microsoft’s case they’re working with HPE, DellEMC, Lenovo, and Cisco Azure stack for edge computing. AWS is working closely with VMware for cloud architectures. Google is behind but catching up and Cisco and Google have released products for providing hybrid cloud environments, capturing Salesforce as a preferred cloud provider. It is not just the USA cloud providers. China’s Alibaba and TenCent are also growing fast in South East Asia and will continue to expand globally. The scale of capital investment is enormous, with massive purchases for server and storage capacity by the super seven cloud builders, Amazon, Microsoft, Google, Facebook, Alibaba, TenCent and Baidu. Microsoft and AWS are spending US$2 to US$3 billion dollars a quarter each, on building datacentres. These companies are buying more servers per quarter than either HPE or DellEMC sells per quarter. The component suppliers are responding and there is a need to take cost out of datacentres and some are building their own custom silicon in order to reduce costs and accelerate deployment. The super seven will ultimately face a huge capital expenditure challenge on maintaining current investments and whilst dealing with legacy technology. As technology continues to develop, these datacentres will ultimately require upgrading, as faster and more efficient processing and storage becomes available. What is the outcome of these investments? The race is on to capture as much of the cloud infrastructure market as possible, as technology continues to reach into every aspect of an individual human’s life, a product’s life and the way the two interface with each other from here on in. The human and machine have become inseparable. That is the opportunity and scale. Facial Recognition Delivers Service Automation

'...In China, more than 20 airports are using facial recognition to check who is traveling through the airport and in Singapore.' and management of these environments. Many of the technology solutions will still need to be delivered locally to comply with industry regulations and ensuring the delivery of faster performance. The cloud will evolve and big cloud providers, mainly in China and the USA, will start to move to other countries as part of the next trend, being a need to build ‘city’ clouds that sit closer to the data. The entire technology industry is increasingly being

In China, Kentucky Fried Chicken (KFC) is taking payments from people’s smiles, with no device or card required. The system confirms it is a real person through voice and movement verification and then verifies the customer’s smile using facial recognition, initiated through an annual service sign-up. Facial recognition, with the launch of the iPhone 10 will be a major driver of new technology solutions over the next two to three years, as it becomes mainstream and better accepted. In Singapore, retailer Challenger Technologies is using facial recognition to monitor the number of visits a person makes to the store, noting the sex, race, age and product interest of each customer and each of their visits. A convenience store called Cheers, also in Singapore, has no staff – you go in, select your items and the items are automatically self-checked out as you leave, with facial recognition being one, among of a range of integrated technologies applied, during the shopping process. These stores will increasingly become common place, with ‘process automation’ replacing the need for human capital. But despite

Asia Pacific Security Magazine | 31

International

"...JD.com has invested heavily in drones, building 185 drone ports for delivery services to the rural areas of China, providing 24 hour delivery across the country. These drones fly 100 kilometres per hour and can deliver packages up to 15 kilograms"

the human service roles being replaced ‘front of house’, what the store still requires is to manage the system analytics and maintain the store’s software. People will be moved from the ‘front office’ to the ‘back office’. In China, more than 20 airports are using facial recognition to check who is traveling through the airport and in Singapore, Terminal 4 is now open, as one of the most advanced terminals in the world, providing self-service check-in, automated bag drop and immigration clearance and boarding, with passengers only needing to show their passport once. In addition, with 3D scanning, electronic devices and laptop computers no longer need to be removed from baggage to speed up the security screening and boarding process. City Surveillance capabilities are being demonstrated in China and facial recognition is being increasingly used widely for searching against criminal profiles. With a need to cover expansive geography, China is seeing network cameras deployed on a massive scale, with video analytics increasingly applied for extracting facial recognition. It is now a requirement in China for tender documents to have facial recognition as standard for all City Surveillance applications. Robotics, drones & displays

Cheryl Cook, Senior Vice President Global Channel Marketing, DellEMC Steve Brazier, CEO, Canalys

L-R: Cheryl Cook, Senior Vice President Global Channel Marketing, Joyce Mullen, Senior Vice President and General Manager for the Global OEM and IoT Solutions, & Tian Beng Ng, Vice President and General Manager Channels, Asia Pacific & Japan, DellEMC

32 | Asia Pacific Security Magazine

In Japan, Heather Hotels have launched the first robot-based hotel, with 140 robots and only seven human staff. The hotel includes two novelty dinosaur robots that speak five languages and in the bedrooms, a communication device called TAPIA, which works much like Amazon’s ALEXA, allows guests to instruct what they want – ‘please turn the lights on, please turn the TV on, please order room service.” Another food chain in Singapore, Koufu, is using robots to collect the dishes and will move around the restaurant, detecting if there’s an obstacle in the way. In the Guizhou province of China, a new Virtual Reality (VR) theme park opened in November 2017 offering 35 virtual reality attractions, from shoot-‘em-up games and virtual rollercoasters to tours with interstellar aliens amongst the region’s most scenic locations. The Made-in-China 2025 initiative has the goal of exporting 100,000 industrial and commercial robots, per year. JD.com has invested heavily in drones, building 185 drone ports for delivery services to the rural areas of China, providing 24 hour delivery across the country. These drones fly 100 kilometres per hour and can deliver packages up to 15 kilograms. In transportation, it is expected that fully autonomous cars will start to appear on roads within the next three years. It will be a race on who achieves it first, with Singapore and Seoul anticipated to be the first to allow autonomous vehicles on main roads. In Hong Kong, Minh Phung, a supply chain company, is using 3D design software to create its product samples, rather than what has been a traditional approach of sending customer’s physical samples, they now build, model and send in 3D. Though still not the same as a touch and feel experience, what previously took days and weeks is now just hours and sent to customers instantaneously, as well as provided in multiple sample forms. The factories are also being transformed with sensor filled factories in China, India and Bangladesh monitoring productivity, the progress of work

International

and the components and capacity of each factory. The same approaches are being made in other sectors such as agriculture or healthcare to measure and monitor the efficiencies across farms and hospitals. Likewise, in schools and on campuses, with the threat of active shooters, a sad but common threat in the USA, technology is addressing how it is applied in defending staff and students. Active shooter scenarios are now planned for with automatic locking systems on all the doors and panic buttons, with sections of the school or campus able to be locked down to prevent offenders from accessing areas and to provide valuable time to allow students and staff to escape to safety. Digital signage is another major growth area. A pizzeria in Norway is using a digital sign which is measuring when people look at the advert, how long they look and which aspect of the advert they look at. High resolution signage is rapidly gaining in quality, where the difference between a sign and a window may not be clear. This will allow digital signage to be more readily applied elsewhere, such as in homes, hotels or office rooms without windows. Commercially this is applicable to cheaper apartments or hotel rooms with a need to provide a sense of greater space, views and promotions. Even in aviation, aeroplane windows could be replaced with digital signs, displaying what the passenger prefers, including the replication of a window.

Steve Brazier, CEO, Canalys

Financial Systems Finance is rapidly being transformed by technology. The ability to deploy blockchain for auditing and inventory purposes will be increasingly important. The bigger trend is in countries now rushing to become cashless. Already in China, small micro payments are now cashless and has allowed even the homeless to go digital and receive street donations through QR codes and direct to their accounts. In India, de-monetisation has accelerated online adoption and online payment systems, growing over 20 times in 2016/2017 alone. With a population of 1.32 billion people, around 1.17 billion now have Aadhaar biometric identity cards and these are now linked to personal bank accounts. Once the link is established, payments can be facilitated using Aadhaar cards and will revolutionise Indian banking. Singapore too is introducing a cashless society with the government working with seven local banks to implement a pay-now system, which allows citizens to transfer money between each other using their phone numbers, without the need for their banking account number system. Government Surveillance Government will also play a role in driving a digital agenda. China is rolling out a social credit score system, which involves rating their 1.37 billion citizens based on their digital activity and use of their smart phones. For example, if you play games on your phone for eight hours a day then your social credit rating will go down because the system will detect you being lazy. However, if your purchase habits include buying nappies, your rating will go up, because youâ&#x20AC;&#x2122;ll be considered a responsible citizen by being a good parent and contributing

to society. If you chat with one of your friends who is an antigovernment activist, then your rating will go down, as you will be flagged as being connected to them. But despite the loss of privacy, some of the benefits will include quicker identification, such as checking-in at hotels, access to credit loans and getting travel visas. Today, the system is voluntary but by 2020 the system will be mandatory. If your social credit score falls to below a certain level, you may be blocked from the use of certain services or social inclusion, such as being blocked from using online dating sites or social media channels. And despite this concept being pursued by only China, it would be naĂŻve to think that other countries will not look to adopt a similar system in the future. DellEMC: Announces Dedicated Iot Business Unit The DellEMC briefing, provided by Joyce Mullen, Senior Vice President and General Manager for the Global OEM and IoT Solutions and Cheryl Cook, Senior Vice President Global Channel Marketing outlined the companyâ&#x20AC;&#x2122;s recent

Asia Pacific Security Magazine | 33

International

"The Infrastructure Solutions Group (Dell EMC) experienced growth of 2 per cent quarter over quarter, with third quarter revenue of $7.5 billion and operating income of $678 million. Servers and networking revenue was $3.9 billion"

commitment of US$1 billion into an IoT Business Division and touched on their dedicated Smart Cities team. With positive Q3 results, Dell Technologies has launched a dedicated Internet of Things (IoT) division aimed at coordinating development of IoT products and services across all of their businesses. This approach includes IoT-specific products, labs, partner programs and consumption models to help customers speed the implementation of their IoT solutions. Joyce confirmed, “We’re pretty happy about where we are in the market and in the industry and with our progress against our own internal goals. We’re very much focused on our infrastructure capability and has helped solidify where we partner and where we put our R&D. IoT is right on the cusp of taking off. I’m not sure if it’s a year, two years or three years but its going to take off at some point.” The Infrastructure Solutions Group (Dell EMC) experienced growth of 2 per cent quarter over quarter, with third quarter revenue of $7.5 billion and operating income of $678 million. Servers and networking revenue was $3.9 billion, which was an increase of 32 per cent year over year and three per cent quarter over quarter. Storage revenue remained flat at $3.7 billion quarter over quarter. For the first time, Dell EMC became the worldwide leader in server units and revenue share and maintained its global x86 server leadership for the fourth quarter in a row, with 18.8% unit share. Additionally, Dell EMC’s x86 revenue share increased 37.9% year over year. Subsequent to the end of the quarter, Dell EMC announced the expansion of its midrange storage portfolio with two new SC All-Flash data storage arrays, along with key software updates to Dell EMC Unity designed to boost efficiency and cost savings for mixed block and file workloads. Lenovo: High Performance Computing A Major Focus There are four key segments Lenovo is focused on: Cloud,

34 | Asia Pacific Security Magazine

Private Cloud, Analytics and Data Centre Infrastructure. In hyper-scale, Lenovo provides data centre infrastructure to four of the seven largest cloud providers. Software defined data centres are driving the cloud environment into software defined storage and hybrid cloud environments, such as Azure stack. “The third focus is High Performance Computing (HPC) and Artificial Intelligence (AI). Lenovo is a top two HPC provider and the fastest growing super computer company in the world”, confirmed Sumir Bhatia, President of Lenovo’s Asia Pacific Data Centre Group, “The objective is to be number one by 2020.” Lenovo has achieved some of the world’s best installations, including in June 2017 completing the delivery and implementation of the world’s largest, next-generation Intel-based Supercomputer at the Barcelona Supercomputing Centre at the Polytechnic University of Catalonia, Spain. The 11.1 petaFLOP Supercomputer called MareNostrum 4, is being used to power human genome research, bioinformatics, biomechanics, weather forecasting and atmospheric composition. The system is powered by more than 3,400 nodes of Lenovo’s next-generation servers, featuring Intel Xeon scalable processors, interconnected with more than 60 kilometers of high-speed, Intel Omni-Path Technology 100 Gb/s network cabling. It is the third leading-edge HPC system that Lenovo has installed at the Partnership for Advanced Computing in Europe (PRACE), making Lenovo Europe’s largest provider of leading-edge HPC systems. The next focus is AI with over a billion dollars investment going into Lenovo’s AI lab, with three labs around the world: Raleigh, North Carolina, Stuttghart, Germany and Beijing, China. These innovation centres are building an ecosystem around two key brands, Think System and Think Agile. Think System encompasses next gen servers, storage and network switches and in August, 2017 Lenovo announced the ThinkAgile VX Series, a preconfigured hyperconverged infrastructure appliance for software defined data centre capability. Sumir Bhatia highlighted, “With the new offerings

International

around the Think System and Think Agile, we have a total of 88 new world record benchmarks and 46 of these are on the new Purley platforms – more than any of our competitors.” When coming to market in the Asia Pacific region, Lenovo spreads the region out to Australia & New Zealand (ANZ), ASEAN, India, HTK (Hong Kong, Taiwan & Korea) and Japan, with a General Manager in each of these sub-regions to manage the four business units. For ANZ there is 65 people under the leadership of General Manager, Rob Makin, with coverage in all states supported with customer facing solution consultants and a separate channel team looking after the managed partners and distributors. Success in the ANZ has been achieved with the largest super computer sold in 2016 to the National Computational Infrastructure (NCI), based at the Australian National University and, since April 2017 is signing two to three HPC customers a week in Australia, having just experienced the sixth straight quarter on quarter growth. For Rob Makin, Lenovo is winning in the SDN space because of the quality of engineering in the products and the integral depth of partnership with the software providers. “This is not a standard server and some software”, Makin said, “this is an engineered appliance. What is very important is that when you put software on a server or engineered appliance you need to make sure that server is optimised for the best performance from that software. The second angle is when you put electricity through anything, at some point it is going to break. Statistically, we’re the most reliable by a factor of 10 against some of our competition. You need to have the support mechanism in order to fix these systems.” “If you take our pedigree with SAP, where for over 10 years we have over 50 per cent market share in the SAP HANA Appliance. This system consists of some server hardware and firmware, the SAP HANA platform and then a storage layer, which happens to be IBM Spectrum. We don’t have to attach a SAN to any of our appliances and it comes with RedHat software. All of this has to talk and function and when SAP decide the customer has to go to a new service pack, everything has to be configured.” The analogy Makin uses is it’s like running a Formula 1 real time analytics system. Rob said, “If that Formula 1 system is out of kilter you have to understand how to work with the software partners at Level 3 engineering in order to get things fixed, as well as design ahead of the curve. This is all an important message for the customer. If you deliver this technology that gives that cloud functionality to the business, whilst meeting the cost and data sovereignty point of view, all of a sudden, you’re relevant again.” Extreme Networks: Securing Network Growth Founded in 1996 with release of 1GB and 10GB switches, Extreme Networks came under new management in 2014, immediately acquired a range of high density wi-fi solutions and in 2016 acquired what was the Motorola wi-fi product line from Zebra Technologies. Now with two ranges of wi-fi solutions, Extreme Networks highlights itself as the official supplier to the NFL, including Official Wi-Fi Analytics Provider of the Super Bowl for the fifth year in a row and with a growing portfolio of major USA stadiums using

their network switches and multiple kilometres of fibre. In Australia, the company has gained Cricket Tasmania, installing a new network in Hobart. In July 2017 the company acquired the IP Networking division of Avaya, and in November 2017 they acquired the datacenter networking assets of Brocade. These acquisitions have built a suite of technologies able to service enterprise solutions at the network edge. The major markets are in hospitality, hotels, stadiums, logistics, healthcare and education, and increasingly to the broader enterprise sector. Importantly, security is built into the platform with network access control (NAC) provided by AirDefence, a Wi-Fi intrusion prevention system. “Despite many companies spending money on firewalls and network security”, said Simon Naylor, Vice President for the APJ Region, “they often don’t invest in securing the perimeter of their Wi-Fi networks. AirDefence spots rogue IPs, produces heatmaps, provides network assurance and we’re finding a lot of companies now looking at their networks in more detail.” Deploying Wireless Next Generation provides a triple radio access point, with two of the radios for data at 2.4 or 5GHz, providing traditional Wi-Fi and then the third radio can be used as a sensor to monitor for illegal access, attacks or activity. The solution is a mix of software and hardware and access point radios can also be used as sensors to secure the perimeter. Simon Naylor confirmed the company has the largest Café chain in China, with every single store installed with the Extreme locator providing location-based services. This allows customers to provide a first time log on, but once that device is registered, then the system will retain the customer’s details, preferences and when you enter another store in the chain it will auto-detect the device and offer, by name, preferred items and services. The same services are provided in Singapore for 16 shopping malls for Capital Land and in Australia, David Jones and HealthScope are major clients running their department store and healthcare networks. An attractive aspect offered by the Extreme Networks product range is a compliance platform which can create different policies specific to the industry network requirements, as well as network auditing configurations. In Australia and New Zealand, Managing Director Chris Georgellis is seeing market maturity growing rapidly, confirming, “companies are increasingly recognising the network as an asset and in the last 12 months the customers are seeing the business benefits on offer. People are opting into network and location-based services, with a new App, both Bluetooth and network location identification can be provided which tracks where people are in a department store, how long they spend there and then you can start to target people with offers and this will start to be integrated with digital signage and advertising.” Extreme Networks appears to be on an exciting growth phase, having leapt to the number three networking vendor globally, from number 13, through both organic growth and acquisitions. As a 100 per cent channel business, partners are critical, along with the likes of Hills and NEC in Australia, Extreme Networks is clearly focused on best of breed endto-end networking solutions to help manage, protect, analyse and monitor networks.

Asia Pacific Security Magazine | 35

National Security

Creating an intelligent world Introduction to the Milestone Systems MIPS 2018, Hanoi, Vietnam APAC Leading The Surveillance World

By Chris Cubbage Executive Editor

36 | Asia Pacific Security Magazine

s of 2016, the global video surveillance market was valued at $15.4 billion and mostly driven by the China market with 42% market share, exceeding $6.4B. Across the world, eight countries have higher growth rates than the global average, with five in the APAC region, being China, Indonesia, Vietnam, India and Thailand. The remaining three are Mexico, Brazil and Argentina. The APAC region will be the gravitational pull for continued growth of the video surveillance segment and its dominance in the physical security sector. Globally, physical securityâ&#x20AC;&#x2122;s convergence with ICT infrastructure will drive growth in video and system analytics, hybrid deployment from Artificial Intelligence (AI) edge to AI cloud infrastructure and most importantly, will need to be increasingly supported by cybersecurity to protect privacy, accuracy and capability. By 2021 the APAC market forecast for video management systems (VMS) is to double to $663M, with China demonstrating a much larger video channel concentration, with 250 and over channels and 1000 and over channels

representing over a third of the total VMS license revenue. In opening the MIPS2018 Conference for Milestone Systems, January 23-26, 2018 in Hanoi, Vietnam, Monica Wang, senior analyst with IHS Markit provided an overview of the physical security market, with a focus on the major trends in video surveillance. The physical security sector is separated into security equipment and security services, with consumer video surveillance and video analytics showing clear growth trends. Indeed, the fastest growing sector in security equipment is the consumer video surveillance segment and in security services, video analytics is showing the greatest potential for continued growth. For the APAC region, enterprise storage and video surveillance are two of the fastest growing segments. Analytics & Ai - Market Drivers In Video Surveillance The key market trends driving growth is the continued transition from analogue to digital cameras and this trend will continue with the advent of network cameras, representing 71% of the market by 2021. The next transition for digital

National Security

cameras is moving to higher resolution cameras. As camera resolution improves there is corresponding growth in video analytics, which has forecast triple digit growth rates with capability to automate the video monitoring process. Growth is being supported with the advent of a new generation of video analytics that is building market confidence with its accuracy. By 2022, the number of cameras with inbuilt video analytics will grow by a factor of 4 and for video recorders with inbuilt video analytics, it is expected to grow by a factor of 5. Why is there a growing market demand for deep learning video analytics? Digital video streams can create big data pools and with cloud computing and better deep learning algorithms, the benefits of rapid image processing across cloud platforms will allow the algorithms to focus on accuracy and have a capability to improve the efficiency of the video analytics solution, processing video images in a fraction of the time and in much higher volumes. For the market segment verticals, in particular for transportation, government and retail, this capability creates new opportunities and will see the strongest growth. City Surveillance capabilities are being demonstrated in China. With a need to cover expansive geography, China is

seeing network cameras deployed on a massive scale with video analytics increasingly applied for extracting facial recognition. It is now a requirement in China for tender documents to have facial recognition as standard for all City Surveillance applications. The additional major trend is the deployment of Artificial Intelligence (AI) technology in video surveillance, using a mix of technologies at the AI edge and integrated to the AI cloud. AI at the edge saves on bandwidth and relieves on computing capacity at the headend with object detection, crowd monitoring and feature extraction done by the camera before image transmission. As new chip vendors enter the market, AI camera prices will also continue to decline and video surveillance will continue to converge with ICT equipment, bringing significantly improved capability for feature extractions of humans and vehicles, object searching and data mining. The final trend is in cybersecurity and the key challenge to overcome before video surveillance becomes a major aspect of the IoT revolution. Video surveillance and cybersecurity will become critical in terms of privacy and the path to cybersecurity for video surveillance includes connectivity, data

Asia Pacific Security Magazine | 37

Stephen Bose, Business Development for Icetana briefing APAC MIPS in Hanoi, Vietnam

surveillance market is a key area where these capabilities will be demonstrated. By 2025 it is forecast there will be a billion AI cameras deployed in world cities. With this level of intelligence and video analytics operating across these cities, this will bring a far greater understanding and insight into city activity, with the capability to drill down to the individual and specific objects. With a billion security cameras operating at 30 frames a second, this creates over 30 billion frames a second every day. The human ability to process and understand these images will not match the capability of AI. Currently, a human can understand about 5 frames a second, where the Tesla V100 system can handle 900 frames a second. The 8x Tesla can do 7,000 frames per second with less cost and greater accuracy. Over a short time, with machine learning, the systems will become faster and more accurate in applying biometric and movement algorithms for people and object matching on a scale never seen before, let alone imagined. Milestone Systems Transformation

"By 2025 there will be a 1000x GPU-computing improvement in performance over the current CPU. The integration of big data, neural networks and AI platforms will see massive increase in capability and the video surveillance market is a key area where these capabilities will be demonstrated." collection, data computation and the creation of biometrics, such as face, gate, movement, behaviour, as well as object and people correlations. Cybersecurity has become a major cornerstone of the video surveillance sector and includes the need to have pre-defined processes in dealing with and responding to identified vulnerabilities, effective vulnerability notifications and software patch delivery, best practices in standards for vendors and camera product features relating to camera encryption of images and certification by third parties. Era of Ai The era of AI is changing every environment, including in web services, intelligent machines, healthcare, security and finance. By 2025 there will be a 1000x GPU-computing improvement in performance over the current CPU. The integration of big data, neural networks and AI platforms will see massive increase in capability and the video

38 | Asia Pacific Security Magazine

"It is inevitable that all devices will be connected," states Milestone CTO BjĂ¸rn Skou Eilertsen. As an industry leader, Milestone Systems is focusing on the three key trends of aggregation, automation and augmentation, with aggregation of devices, automation of systems and augmentation with humans. Milestone is transforming the way it thinks about its solutions, products and platforms. With 22 solution partners, the company is maintaining its attention on the customer requirements with the Milestone video technology platform consisting of the presentation interface, device hardware, video services interface and cybersecurity. Each segment sets out to meet the corresponding key trend, with how devices are aggregated, with automation occurring in the video service interface and the augmentation provided via the presentation interface. One of the key investments for Milestone has been on expanding the driver framework into the IoT framework and to aggregate all of the sensor information with the video services interface, through building greater video processing services at the GPU level and improving compute capacity exponentially better and faster, with more innovations coming to market in 2019. One such innovation will be in the Mobile market, with a Mobile SDK to allow customers to adapt mobile applications to their own requirements. And in cybersecurity Milestone will be certified in data privacy and security to create more confidence in its approach to security by design, security by default and security by deployment.

Women in Security Cyber Security

Personal Inspiration to deliver Security: Daniela Fernandez With Chris Cubbage Executive Editor

rowing up in Colombia, one of the most beautiful countries in South America, Daniela Fernandez also faced her home country’s complicated daily reality, often involving violence and corruption. Now the Senior Manager Group Cyber Analytics and Reporting at the Commonwealth Bank in Sydney, Daniela took inspiration from tragedy, explaining, “Whilst studying in the first year of my Computer Science and Software Engineering bachelor’s degree, my mother was the victim of Colombian urban violent crime. She was leaving a bank in Cali when a criminal tried to rob her, she received five gunshot wounds in the process, but survived. This experience obviously affected me deeply in many ways, one of which was to develop a drive and a strong interest in security. I now wanted to shape my existing career to assist with crime prevention.” On completing her bachelor’s degree, Daniela moved to Australia to complete a Masters of IT in System Security and seek out opportunities to use her professional experience in Analytics and Software Development, but applied to the security domain. “Initially I worked in protective security services, looking after physical security, such as analysis of bomb threats, gas attacks and ATM skimming attacks, then I moved into an intelligence team and focussed on combating fraud. Later, I joined the cyber security team at the Commonwealth Bank, where I was hired to build the reporting and analytics capabilities for the team.” “Two of the key challenges,” Daniela highlights, “are the skills shortage and the need to raise security awareness. Lack of professionals with the right skills to work in cyber

security is still a global challenge across organisations. Women in leadership roles have a key role to play here – by becoming role models they inspire other women who may have considered a career in security, but have been put off due to stereotypes, or an existing lack of diversity. We need new and better techniques to raise cyber awareness that can easily be understood by non-tech savvy people. Female leaders bring new perspectives and fresh ideas to design innovative techniques that can help raise awareness and encourage safer interactions with technology and information.” Daniela contributes with leadership roles. “I currently have two mentees, a female student who wants to get into the cyber security industry and who is seeking advice for a potential career path, and a male who works in data analytics and is looking to overcome challenges faced to progress his career when English is not his first language. I also have a female mentor who has helped me with the progress of my leadership related goals. Mentoring has been great to gain useful advice and learn about others’ experiences. However, it’s also important to have good sponsors that can advocate for you and help you connect with the right people to get to the next step of your career. Women are being increasingly recognised in the industry, but more needs to be done. Diversity targets of gender and ethnicity have been achieved in some organisations for entry and mid-senior levels, but getting the right balance at the C-level is an ongoing challenge. In addition, due to minority of female leaders in the industry, when things don’t go the way they should, and the accountability falls on a woman, the negative impact is huge for the rest of the females in the industry.” Where Daniela sees the industry heading is a continued focus on collaboration between governments and private sector to strengthen security. “We have witnessed how well cybercriminals work together to achieve successful attacks, and from an industry perspective our collaboration against these threats has been fruitful, but there’s still a lot of work to do in this space. I believe that more sophisticated Artificial Intelligence or Machine Learning techniques will be implemented to prevent cyber-attacks and data breaches. These techniques will not only be focused on analysis and profile of previous attacks, but also on supporting activities related to threat assessment, intrusion detection and prevention, incident response and recovery. Finally, I also think that there will be a strong focus on compliance and getting the basics right with the introduction of security legislation, like the mandatory data breach notification scheme in Australia and the General Data Protection Regulation (GDPR) in Europe.” Daniela is someone who remains passionate about using technology to simplify and secure lives. “I’ve always found ways to do this within my career” she said. “For example, in addition to my day-to-day work I get the opportunity to participate in volunteering activities that have a positive impact in the community, such as the ‘ThinkUKnow’ program that the Commonwealth Bank runs in partnership with the Australian Federal Police and other organisations, that seeks to raise awareness about cyber safety with kids and parents.” An initiative which clearly reaches back to her inspiration whilst in her first year studying computer science.

Asia Australian Pacific Security Magazine | 39

Cyber Security

The rise of Autonomous vehicles

T By Jane Lo ASM Correspondent

40 | Asia Pacific Security Magazine

he first known death caused by a self-driving car occurred last year in May when a Tesla driver put his Model S into an autopilot mode. The car’s sensors, failing to distinguish a white 18-wheel tractor trailer crossing the highway, crashed full speed into it. Nearly ten months later, an accident involving an Uber self-driving car prompted Uber to suspend its program for driverless cars pending further investigations. Even more recently, Google added to our doubts about the safety of self-driving cars when they disclosed drivers testing their driverless car Waymo(s), equipped with advanced driver-assistance, fell asleep at the wheel while moving at highway speed; some even put on makeup or hunting for cables and the like in the 2013 experiments. These incidents do not quieten the sense of unease when it comes to self-driving cars. A lot of the fear stems from the idea that the algorithms driving these cars are not able to make the split second “right” decisions and reactions that human drivers are (deemed) capable of.

Despite these misgivings, automation is on the rise in the transportation sector (and much more). Waymo, Uber, Tesla are not the only game in town. Automobile industry giants Ford, General Motors have also poured millions in this area. The pace of innovation has not sat idle. In the last quarter of 2017, AI-Asia Show at the Art Science Musesum Singapore, and the Singapore International Robo Expo (SIRE) held conferences and discussions to explore the trends, infrastructure and talents in Autonomous Vehicles (AV), among other aspects of automation and robotics. Singapore’s case for Autonomous Vehicles (AV) At the SIRE’s session on “Requirements to Faciliate Autnonomous Vehicle Deployment in Singapore”, Mr Titus Seah (Minstry of Trasnport, Singapore), elaborating on “MOT’s Vision of AV in Singapore” said: "Self-driving vehicles can radically transform land transportation in Singapore to address our two key constraints - land and manpower”.

Cyber Security

AV holds the promise of addressing these challenges through transforming the public transportation into one is only convenient but also comfortable, and thereby reducing the demand for private car ownership, and freeing us from the drudgery task of driving to focus on more interesting activities. Moreover, it also presents an opporunity to “shape the design of our cities”, he said. Examples include “reduction of carparks, and and narrower car lanes”. Singapore’s AV vision is realised through a few stages: town deployment in the next decade, and full operational deployment island-wide after. Trials prior to deployment are conducted in a phases, with the initial phase running in a controlled enivornment ciruit, before progressing to a small scale testbed with safety driver and full control. Final phase is tested in a complex environment, with or without safety driver with limited control. “The trials will help us shape the mobility concepts which can meet Singapore's needs, and also gain valuable insights into how we can design our towns of the future to take advantage of this technology”, Mr Seah explained.

'The trials will help us shape the mobility concepts which can meet Singapore's needs, and also gain valuable insights into how we can design our towns of the future to take advantage of this technology '

AV technologies in Singapore Mr Colin Lim (Managing Director, SMRT Services), at AI Asia Show’s ”The Inevitable Future of Transportation” panel, said, “unlike autonomous vehicle trials elsewhere, Singapore's focus was to employ the technology for public transport such as buses, shuttles, taxis, which is important to reducing demand for private transport and congestion”. Trialling AV in Singapore is ideal - neither wintry conditions nor heavy monsoon floods, clearly marked roads well-planned traffic system, and drivers who tend to obey highway code. With a government that has set out a clear AV vision, and who cultivates the art of the possible, Singapore has seen a few successful trials. AV in Singapore went public in 2015 within an enclosed ground with the 10-seater Auto Riders that shuttled visitors around Gardens-by-the-Bay. During the same year, testing began in the 2.5-squaremile business and residential district "One-North", for the first trialling of AVs on public roads alongside human drivers. Another important milestone was achieved in August 2016, when nuTonomy kicked off a pilot scheme offering the first ever self-driving taxis available to the public. While companies including Google had been testing self-driving cars on public roads for several years, nuTonomy, a spin-off of the MIT / SMART (Singapore-MIT Alliance for Research and Technology), said it was the first to offer rides to the public. It even beat Uber by a few weeks. Each nuTonomy car — modified Renault Zoe electric vehicles — is fitted with a variety of sensors (LIDAR, cameras, and radar) used to detect obstacles and traffic lights. Data collected as part of its trials in One-North - on vehicle performance, routing efficiency, vehicle booking process, and passenger experience – is used to continually improve the company's software. The company aims to roll out a fullyautonomous mobility service in Singapore in 2018. Dr Eng You Hong (Postdoctoral Associate, Singapore – MIT Alliance for Research and Technology, Singapore), elaborated on “Experiences in Conducting the AV Trial at

Asia Pacific Security Magazine | 41

Cyber Security

One-North”, and challenged us to imagine “an integrated autonomous train, car and shuttle system; providing mbility on demand, for both passsents and goods, which is completely adpaitve to how the landscape of any city changes.” Based on a research *, it was predicted that with Singaore’s 2011 population of 5 million, only 300,000 autonomous mobility-on-demand shared vehicles are needed, representing a significant reduction of the approximately 1million vehicles on the roads of 2011. *K Spieser, K Treleaven, R Zhang, E Frazzoli, D. Morton, and M. Pavone. Towards a systematic approaach to the design and evaluation of automated mobility-on-demand systems: a case study in Singapore. In S Beikr, editor, Road Vehicle Automation Lecture Notes in Mobilitiy. Springers, 2014. Doug Parker (nuTonomy's Chief Operating Officer), said at AI-Show Asia 2017, that "when you are able to take that many cars off the road, it creates a lot of possibilities. You can create smaller roads, you can create much smaller car parks." He added "I think it will change how people interact with the city going forward." Running concurrently with the One-North trial is the 2-year mobility-on-demand autonomous (MODA) shuttle trials at Sentosa. Offering the real-world challenges of a mixed-use transport system within the confines of a closed environment, Sentosa is a unique test bed. Integrated into its existing network of on-island bus, tram and monorail infrastructure, the shuttle, a 15-seater Navya Arma minibus, was showcased by ST Kinetics (title sponsor of SIRE 2017). Insights gained from the trial, such as technical and infrastructural features, and commuter behaviour and mindsets, are used for evaluating the deployment of AV in other areas of Singapore. ST Kinetics’s AV technologies are also being developed for larger 40-seater electric MODA buses equipped with GPS, sensors, detection radars and sonars, and more complex navigation functions such as increasing speed capabilities under heavier rain conditions. In addition to public transportation, AV is also trialling for industry applications, with Asia's first launched by the Belgian logistics company, Katoen Natie, at an ExxonMobil plant in Singapore's chemical industry hub. Developed by Katoen Natie in co-operation with Dutch manufacturer VDL Groep, the driverless truck’s transponders communicate with road sensors within the plant, to transport bags of polymer from a packaging center to a storage facility 3-4km away, with the aim to expand the pilot with 11 additional GPS-enabled driverless trucks in the near future. Other commercial pilots include the 30 electric-powered dollies that move containers at the terminals of PSA International, the government-owned port operator, and its "truck platooning" project where three driverless trucks tag via wireless communication a manned-truck on a 10km public road stretch between two port terminals. Most recently, to further catalyse Singapore to become a global player in urban mobility solutions, a 1.5km test circuit that replicates various elements of Singapore roads, such as common traffic schemes and rules, was launched. Jointly developed by the government and the Nanyang Technological University, the 2ha facility also has a rain simulator and flood zone to put AVs' navigational abilities to the test under these conditions.

42 | Asia Pacific Security Magazine

Cyber Security

'Autonomous vehicles are still in trial phase, hence sufficient realistic field data may not be available in next few years. An integrated simulator can prove highly useful in bridging that gap' What are AV’s enablers? By integrating processes with GPS and digital data culled from phone apps to optimsie pick-ups and drop-offs, the Fleet Management System (FMS) enables the control of fleet operations including energy and speed management. Explaining that simulation plays an important in the FMS design, Justin Dauwels (Deputy Director, ST Engineering –NTU Corporate Lab) at SIRE2017 said: “Autonomous vehicles are still in trial phase, hence sufficient realistic field data may not be available in next few years. An integrated simulator can prove highly useful in bridging that gap”. Further, simulations become more critical as the technology matures to handle multi-traponsportation system, customer demand modelling, and integration of real-time traffic data. AV deployment is not possible without the ecosystem of engineering skills coupled with certifications standards and framework for validating safety, security and performance functional safety. This was hlighted by Dr Martin Saebeck (Principal Technology Conultat, TUV SUD) at SIRE 2017, “as the pace of technology advancement surpass legislations adnd standard bodies, stakeholders in technnology development and adoption carry the responsibility to mitigate the risks for scalable and dependable automation technology”. Ethics, Law and Anthropomorphization In Saudi Arabia, Sophia, the robot made headlines when it was granted citizenship. “I am very honored and proud for this unique distinction. This is historical to be the first robot in the world to be recognized with a citizenship”, she (it) said. How her claim holds up in court will not only set a legal precedent, but also pave way for how we think about how robotics and automation impact various aspects of our lives. AV is exciting because of the benefits it brings. Aside from freeing us to perform more value-added tasks while we are intransit, there is plenty to look forward to: imagine that we no longer have to worry about drink-and-drive, or falling asleep at the wheel, or be embarrassed about poor parking skills. But, many questions remain. Some are software (are there robust data sets for different regions or climates); some are security related (how easily is the AV hacked), or legal (who is responsible if an AV crash). And some require business model changes (what does an AV insurance cover). Matt Pollins (Partner, Head of Comemrical and Technology – Media and Telecommunications, CMS Singapore), at the AI-Asia Show, speaking on “Legal Issues in Artificial Intelligence: Who regulates the machines?”,

questioned “What happens if Intelligent machines commit crimes? Who owns IP generated by AI?” Amongst concerns such as privacy, biased algorithms, cybersecurity, perhaps how the AV will arrive at an answer to a moral dilemma occupies us most. Dr. Ian Kerr (Canada Research Chair in Ethics, Law & Technology, and Full Professor Faculty of Law, University of Ottawa), on his talk “Predicting AI: The Past, Present and Future Promise of Artificial Intelligence“ (as part of the High Commission of Canada’s Speaker Series to mark Canada’s 150th Anniversary) presented the classic thought experiment in ethics: the “Trolley Problem”: There is a railway-trolley barreling down towards a group of five people strapped onto the tracks. We are standing some distance off next to a lever, faced with two choices: (1) pull the lever which diverts the trolley onto the side track – though this will kill the one person who tied up on this other track or (2) do nothing and the trolley kills the five people on the main track. He explained that our expectations towards non-humans tend to be “anthropomorphised”. Projecting our humanity onto AV, we expect the AV to embody similar human traits, emotions, intentions and react like us. So in the Trolley problem, we will probably program the “right” answer given by an individual or a group into the AV. However, he catuioned that by default, artificial intelligence is “unpredictable by design” and it is “impossible to recognise all scnearios”. Moreover, as “machine autonomy increase, human controls decreases”. The “foresseability problem” – that “AI can be autonomous and operate in ways that are unforeseeable by the original programmers, giving rise a potential laibility gap”, * was highlighted by Mr Matt Pollins. * Regulating Aritifical intelligence systems: Risks, Challenges, Competencies, and Stragies., Havard Journal of Law and Technology, Vol. 29, No. 2, Spring 2016, by Matthew U. Scherer Whether we talk about Narrow AI (which operates in ways that are no longer under the control of those who are legally responsible for it), or General AI (which eludes the control of all human beings), we undoubtedly conjure up science-fi images of Terminators and where lethal autonomous robots are weaponized and kill-decisions are delegated to the machine. What can we do? Dr Kerr suggested an international norms be agreed under a United Nations framework, so that AI is for the good of humanity. Danit Gal (IEEE, Chair of Outreach Committee), speaking on “The Ethics of Artificial Intellignece in Asia”, emhapised the need for a “kill swtich” and “to fail safely”. When will atuonomous vehicles arrive? Mr Koh Poh Koon (Senior Minister of State for Trade and Industry), opened the Singapore International Robo Expo, noting “we are at the cusp of the next phase of industrial revolution, where traditional business models are being disrupted by technological advances in areas such as the Internet of Things, Artificial Intelligence, Data Analytics, and Robotics”.

Asia Pacific Security Magazine | 43

Cyber Security

SAE International’s J3016 “International’s Levels of Driving Automation for On-Road Vehicles” Six Levels of Driving Automation Photo Credit: SAE International and J3016

From driverless cabs to commerical trucks, from tests in closed environments to trialling in public roads, Singapore has demonstrated that automated driving is coming; yet, many of us are still convinced that we are no closer to experiencing driverless cars in our everyday lives. How do we make sense of what is really possible in this brave new world of self-driving vehicles? One way: standardise the definitions and expectations of what we mean by “self-driving”. SAE International’s J3016 (formerly the Society of Automotive Engineers) “International’s Levels of Driving Automation for On-Road Vehicles” (issued January 2014) sets out a common taxonomy and definitions, for six levels of driving automation that spans from no automation to full automation. • The first three levels rely on humans to perform the dynamic driving task. This task includes the operational (steering, braking, accelerating, monitoring the vehicle and roadway) and tactical (responding to events, determining when to change lanes, turn, use signals) * • The next three levels delegate the entire dynamic driving task to the automated driving system with varying degrees of human back-up intervention under increasingly complex environments. The idea is that we can be totally free to read a book or finish up an article while the software worries about the driving. • The last 6th level is the fully automated car. In likelihood, level six is what we have in mind when we think of a driverless car. While most believe that is probably

44 | Asia Pacific Security Magazine

decades away, we humans simply have poor track record when it comes to forecasting technological breakthroughs. That within half a century of Thomas Watson’s prediction that "I think there is a world market for maybe five computers," – whose company IBM went onto develop Watson famed for its Jeopardy matches against human players and in whose home country witnessed the proliferation of PC in nearly every home – proves that the potential of bleeding edge technology does sometimes surpass our capacity to imagine the impossible.

Why NDB compliance starts with the “essential” security basics

I By By Michael Bosnar VP, ANZ at Ivanti

t almost goes without saying that data breaches have become a headline making daily occurrence. Locally there have been numerous high profile data breaches in the past few months, with both public sector and private sector organisations being targeted. Just to name a few: the Department of Finance, the Australian Electoral Commission, the National Disability Insurance Agency, the Department of Defence, Medicare, AMP, UGL, the Australian Red Cross, Dominos and most recently Uber have all suffered breaches of Australian customer data over the last couple of months. It’s alarming that even Uber, a company commonly regarded as a major digital disrupter, seemingly forgot the cyber security basics and failed to provide proper governance. Moreover, what most of the breaches mentioned above have in common is that the hackers got in through security vulnerabilities that could have been avoided by following basic “cyber hygiene” procedures. For instance, the recent hacking of an Adelaide defense industry contractor in which commercial details of military aircrafts were stolen, revealed that hackers had gained access by exploiting a 12-month-old vulnerability in the company’s IT helpdesk portal. The ASD also found the contractor had not changed its default passwords on its internet facing services. In just a few months no doubt it will be made known just how prevalent data breaches are, with the federal government’s Notifiable Data Breaches Act (NDB) taking effect on 22 February. This will require organisations with an annual turnover of more than $AUD3 million to notify affected customers and report the theft of personal information to the Office of the Australian Information Commissioner (OAIC). Organisations that fail to meet the requirements will face fines that could reach more than $AUD1 million. “Doing an Uber” will be unlawful so organisations need to be working even harder to get their technology, people and processes ready for compliance. Getting the basics right Most cyber attacks are successful because companies struggle with the security basics. Many organisations are

focusing disproportionately on reactive tactics rather than preventative strategies outlined by the Australian Signals Directorate’s “Essential 8” cyber security strategies, which help organisations achieve a baseline cybersecurity posture. The eight recommendations are divided into two groups. Four intend to prevent malware from running and the other four intend to limit the extent of incidents and recover data. A key recommendations is for organisations to be patching their operating systems and apps regularly. They also need to be implementing application control. For instance, the WannaCry ransomware attack could have been remediated against using application control and wouldn’t have spread if the relevant vulnerability was patched. In addition, all unnecessary admin privileges need to be removed. Such steps have been mandated by organisations like the Australian Signals Directorate (ASD) as key in preventing ransomware. In fact, according to the ASD, application whitelisting, application and operating system patching and administrative privilege restriction could mitigate 85 percent or more of cybersecurity threats. Penetration tests should also be carried out regularly; it’s even worth getting friendly hackers to expose – and then patch up – any existing vulnerabilities. There are other layers to your cyber security defences to consider. User education is vital to preventing phishing emails from getting in, which are often the gateway to cases of online fraud. It is also important to continuously back up data to avoid the risk of data loss and to correctly configure Windows firewalls, to help to stop the spread of ransomware. However, patching and application control should be first on the list for all organisations looking to fortify their organisation against attack - and can go a long way toward reducing your attack surface. If the “back to basics” approach is to succeed, organisations need to start viewing their security programmes proactively as opposed to reactively, to ensure that the necessary precautions are in place from the bottom up. Only then will we be on course to derail cybercrime in its tracks. Ultimately, when it comes to security and IT, it’s vital to get the basics right first - otherwise your technological innovations will be built on incredibly weak foundations.

Asia Pacific Security Magazine | 45

Digital Fore Cyber Security

Digital ForensicS T By Jane Lo Singapore Correspondent

46 | Asia Pacific Security Magazine

he eagerly anticipated iPhone X launch at the Orchard Road Apple Store in Singapore drew massive crowds to its doors on 3rd Nov. Amongst the die-hard fans who had been queueing before 8am, an opening time that was two hours earlier than standard, were some who had flown in from neighbouring countries or even camped overnight. The enthusiastic response was further proof that each iPhone’s release had not failed to disappoint since Steve Job’s introduction in 2007. From a million units sold in 70 days, to more than 10 million in a weekend 10 years later, the evolution of iPhone, in its first astonishing decade, had seen a string of innovations that came with each upgrade. Packed with horsepower, imaging and voice-enabled technologies, iPhone spawned the age of “Smart Phones” with touchscreen features for us to navigate our news feeds and our geo-locations, and “apps” that entertain us and manage our daily lives. Not only did these spark the development of competing Android devices, “Smart Phones” also contributed to the exponential growth of other “Smart” devices - “Smart TVs”, “Smart Cars”, amongst others. This rapid pace of “Smart” innovations presents significant challenges to digital forensic practitioners. Each new feature, hardware, operating systems and

applications requires the development of new tools and techniques as part of evidence preservation. Additionally, each step of these new processes to extract and prepare data for evidence examination is set out to necessarily comply with the relevant Criminal Procedure and Investigations Code. Other technological advancements such as “Big Data” – where data are stored in multi-media, unstructured format – also makes it time consuming to isolate vital digital evidence. And most of all, the rising sophistication of Cyber Criminals also means digital forensic practitioners are more often than not, playing catch-up. At the DiCyFor Security Summit (7th, 8th Nov 2017), two digital forensic specialists, Mr. Christopher Church (Senior Mobile Forensics Specialists, Innovation Centre, Interpol) and Mr. Mohd Zabri Adil B Talib (Head of Digital Forensic Department – Cyber Security Malaysia) elaborated on the challenges and what are needed. Law Enforcement Investigations in the New Digital Era - Interpol With 192 member countries, Interpol spans a wide network to assist law enforcement agencies around the world in combating transnational crime and terrorism.

ensic

Cyber Security

November 2010: INTERPOL Secretary General, Ronald K. Noble (centre left), and Singapore Minister for Home Affairs and for Law, The Hon. Kasiviswanathan Shanmugam (centre right), sign a Headquarters Agreement, in the presence of INTERPOL President, Khoo Boon Hui, and Commissioner of Singapore Police, Ng Joo Hee (far left and far right respectively). Photo Credit: Interpol

Christopher Church (Senior Mobile Forensics Specialists, Interpol) on “Law Enforcement Investigations in the New Digital Era”. Photo Credit: DiCyFor Security Summit.

Supported by facilities such as Digital Forensics Laboratory (focuses on extracting digital evidence from electronic devices), Cyber Fusion Centre (brings together law enforcement and industry, in sharing and consolidating Cyber Incident information and best practices), The Interpol Global Complex for Innovation (IGCI), located in Singapore had successfully coordinated a few Interpol-led operations. Some success stories One was the April 2015 take-down of Simda (a network of malware infected computers in US, UK, Russia, Canada and Turkey). The global operation was coordinated by the IGCI, with collaborations from the private sector (Kaspersky Lab, Microsoft, Trend Micro), Japan’s Cyber Defense Institute, and law enforcement agencies, including the Dutch National High Tech Crime Unit, FBI, the Russian Ministry of the Interior’s Cybercrime Department “K”. Another (with participating countries Cambodia, Korea, Philippines, Thailand and Vietnam), was the June/July 2015 Operation Aces, which led to the arrest of 48 suspects, seizure of 100 pieces of electronic evidence, and shut down of illegal gambling offices and call centre-type operations running online scams.

Success stories notwithstanding, Chris Church emphasized that law enforcement has to change and adapt as more crime is transferring from the real world to online, and that law enforcement cannot fight Cyber Crime on its own. Criminals constantly evolving “Criminals are constantly evolving, adapting their tools and methods in an attempt to stay ahead of police. This is especially true when it comes to cybercrime. Law enforcement must therefore keep pace with innovations in technology and embrace the latest crime-fighting developments”, he said. Law enforcement have struggled due to various challenges, some which are not dissimilar in the private sector such as inadequate investments or knowledge, others such as criminals’ ability to rapidly adapting to law enforcement intrusions, or, lack of consistent standards in digital forensics. Digital Innovations – double edged sword Chris Church added that the proliferation of cloud where a “user’s life is replicated on the cloud – such as pictures, videos, audio flights, hotels, concert bookings, purchase histories

Asia Pacific Security Magazine | 47

from online / offline instant messages, behavioural analytics”, that “the Cloud is becoming more essential as technology moves ever onwards”, with more powerful processing and larger storage capabilities. “Cloud brings a world of opportunity not seen before”, such as more “Virtual Reality, Immersion Gaming (Pokémon GO) and advanced processing power and utilisation of Artificial Intelligence and machine learning.” Add to this, is the “IoT integration” - mobile phones, laptops, SmartTV, Smart Watch, Tablets, Motor Car and such connected to a vast Cyber Space network - we are living in an era where “everything is always on and always communicating and collecting data around the user and their habits." The ubiquity of digital devices means that digital evidence is present in almost every crime. While this offers new opportunities for police investigations, it also means collecting evidence from a wide diversity of devices which have varying degrees of technological complexities, and which, not uncommonly, cross jurisdictional boundaries. Complication Digital Forensics - Encryption Adding to these complexities is the debate over encryption and access to secured devices and communication. Common situations where crucial evidence such as text messages or photos in the suspect’s device exist but are inaccessible due to a PIN key, court-order for vendor’s assistance to unlock a device could be hampered by regulations / concerns on data privacy and protection. The pitting of security against privacy considerations - as witnessed in the San Bernardino’s shooter’s case – to arrive at the “right approach is both a legal and social challenge. Forensic tools not catching up with increasing sophistication “The digital technology is becoming too varied and complex for traditional forensic tools to access, examine, process, visualize, compare and analyze data. And Cyber Criminals are becoming advanced and organized at large scale. Another challenge is the increasing of zero day attacks like Ransomware and APT”, said Mohd Zabri Adil B Talib. These challenges, the volume of data stored on the devices requiring significant time spent isolating relevant evidence, on top of those posed by rapid technological advancements are “leading to slow results and massive case backlogs” and “digital forensics field needs new techniques and methods to cope with big scale of data evidence and complexity of APT attack”, he added. What’s being done Chris Church said “to promote best practice guidelines in dealing with digital evidence, in the UK, all digital forensic practitioners working for the Criminal Justice System need to be accredited to ISO 17025 for most of their work”. Further work remains to bridge the gap between digital forensics and these codes of practice and conduct associated with the accreditation, such as analyst competence, the validation of

48 | Asia Pacific Security Magazine

methods, and the handling and storage of test items which tend to focus on physical forensics. Mohd Zabri Adil B Talib said, “due to the complexity of the technological issue, CyberSecurity Malaysia introduced CyberDEF service in 2015”. CyberDEF is combination of a standard CSIRT (Cyber Security Incident Response Team) and element of forensic science which focuses on Detection and Eradication, and Forensics. This formalisation ensures that forensic science is an integral part of Cyber Defense, the next level of Cyber Security which “to analyse the attacks, and to prevent future attacks, at the same time adding the ability to bring Cyber Criminals to justice”, he elaborated. The battle continues Cyber Crime can be labelled as too difficult to prosecute on the basis that Digital Forensics is too complex and evidence is elusive. But there are also other reasons. In the Interpol-coordinated operation targeting sextortion around the world: Operation Strikeback in April/ May 2014, which resulted in the arrest of 58 suspects and seizure of 250 pieces of electronic evidence, some suspects were bailed and yet to face criminal charges. Prosecutors in many countries, often have anti-corruption laws to charge those caught taking bribes in exchange for favours or influential decisions. But when sex is involved, prosecution is harder because sextortion as a legal matter (often) does not exist, and prosecutors have to lean on existing law. And with victims often shying away from coming forward, it is one of the hardest-to-prove crimes. Even when Cyber Crime prosecution is successful, there could be a sentencing gap between what is perceived to be fair and proportionate to the crime committed, versus the actual penalty handed down by the judge. In the excerpt from Australian Broadcasting Corporation program “Four Corners: Transcript - Fear in the Fast Lane”, Andrew Fowler the investigative journalist, interviewed the law enforcement officers involved in catching the Cyber Criminal selling 50,000 credit cards (equivalent to $110 million) for sale on the net. That the accused got off with a $2,000 good behaviour bond and a one year suspended prison sentence, plus $150 in court costs, “left many gobsmacked”. In yet another example of the complexity law enforcement faces is the translational nature of Cyber Crime. Though the criminals are identified, taking them into custody may not be possible due to lack of jurisdiction over them. Recently, The Prague High Court ruled that Russian citizen Yevgeniy Nikulin, accused of hacking social networks including LinkedIn, who was arrested in Prague, can be extradited to the United States. Russia also accuses him of a small cyber theft and both countries have requested his extradition, leaving him in a tug-of-war between Washington and Moscow. These are just some of the challenges in combating CyberCrime. To keep their enterprises alive, Cyber Criminals share their experiences and learn from the past. Law Enforcement around the world must do the same to keep up.

STRATEGY, TECHNOLOGY AND INNOVATION FOR SMARTER CITIES AND COMMUNITIES

20 - 22 March 2018 I Pullman Melbourne Albert Park I Australia

FEATURING LEADING INDUSTRY EXPERTS: JARMO ESKELINEN Chief Innovation & Technology Ofﬁcer Future Cities Catapult, UK

CLAYTON BANKS Chief Executive Ofﬁcer Silicon Harlem, USA CHARLES CASUSCELLI Chief Executive Ofﬁcer Western Sydney Regional Organisation of Councils

BENEFITS OF ATTENDING  Leverage technology within cities for social good, sustainability, resilience and equity  Examine what’s happening in the foundational sectors of smart cities - from mobility and transportation to health, infrastructure, energy and ﬁnance  Connect together silos within city administration to make smart city decisions  Understand how data and analytics are enabling insights into city operations to tackle urban challenges

DECLAN CLAUSEN Deputy Lord Mayor The City of Newcastle

 Develop procurement strategies to support the partnerships needed for collaboration  Integrate people, networks, analytics tools and platforms at the start of your smart city journey to ensure success  Benchmark and identify smart city projects that you can model

POST CONFERENCE CYBERSECURITY FOR CITIES 4.0 DAY

SEPARATELY BOOKABLE

Held as part of the Cities 4.0 Summit it will focus on security and privacy aspects of smart cities that are relevant to areas like Internet of Things (IoT), Smart Buildings, Smart Grid Systems, Critical Infrastructure Networks and Intelligent Transportation Systems. More information here: www.cities4pointzero.com.au/agenda/day-three Supported by:

JULIE WAGNER Non-resident Senior Fellow & Co-Director Brookings Institute, Switzerland PROFESSOR MARK BURRY Founding Director, Smart Cities Research Institute & Professor of Urban Futures Swinburne University of Technology CLAIRE HOWLETT A/First Assistant Secretary Department of the Prime Minister & Cabinet KEVIN MACK Mayor, Albury City Council & Chair Evocities

Media partners:

Organised by:

TOBY KENT Chief Resilience Ofﬁcer Resilient Melbourne To see the full list of speakers visit http://www.cities4pointzero.com.au/speakers

Cyber Security

Alternative Payments powered by BlockChain By Jane Lo, Singapore Correspondent

he stratospheric rise of BitCoin, from its humble beginning when 10,000 bought a developer 2 pizzas, to breaking through several resistant levels to trade as high as USD19,000, set off a series of skepticisms amidst a flurry of responses from regulators. Banking titans, Jamie Dimon of JPMorgan famously said he would "fire in a second" any JPMorgan trader who was trading BitCoin, noting: "It's against our rules and they are stupid"; and Lloyd Blankfein of Goldman Sacs said “something that moves 20% [overnight] does not feel like a currency. It is a vehicle to perpetrate fraud”. Chief Information Officer of the largest lender in Southeast Asia, DBS, claimed, “We see BitCoin as a bit of a Ponzi scheme,” describing transaction fees as “incredibly expensive,” and “hidden through the cryptomechanisms.” Some countries in the Americas (Bolivia, Ecuador) or Asia (Kyrgystan, Bangladesh, Nepal) have outright banned BitCoin trading. Some see it as a solution to its struggling economy, such as Venezuela which launched an oil-reserves backed Crypto, or North

50 | Asia Pacific Security Magazine

Korea who could be mining digital currency to generate income. Some have officially recognised BitCoin as an instrument of payment, such as Zug Switzerland since last year; or Japan which moved on from the collapse of its Tokyo crypto exchange Mt. Cox and granted BitCoin the official status in April 2017. Regulatory actions by some larger economies have been less clear-cut. China, while demanding the closure of the domestic cryptocurrencies exchanges and outlawing ICOs, has not explicitly banned private citizens’ trading of BitCoin. Russia issued a draft bill to ban cryptocurrencies three years ago but had yet to follow through. In the US, the SEC (Securities and Exchange Commission) declared that ICOs may need registration, but its exchanges CME, CBOE (Chicago Merchantile Exchange, Chicago Board of Exchange) are cleared to offer trading exposure to cryptocurrencies. Others embrace the innovation by experimenting with BitCoin’s underlying BlockChain and DLT (distributed ledger technology), such as Canada’s Project

Jasper or Singapore’s Project Ubin – a DLT payment system prototype for interbank currency exchange, developed by a consortium of Singapore-based banks and R3, with the support of MAS (Monetary Authority of Singapore). Gibraltar is launching GBX (Gibraltar BlockChain Exchange) a new crypto exchange and token sales platform. The interest in BitCoin has clearly outgrown its geeks and devoted user community. Cautionary remarks, deep suspicions, speculative fervour, optimism and enthusiasm - these myriad reactions are perhaps the clearest evidence yet, of the immense potential of the BlockChain technology underpinning BitCoin, that allows exchange of value in a tamper-proof and transparent way with pseudo anonymous counterparties. With its low barrier of entry (you just need digital connection and software), BitCoin’s sprawling ecosystem spawned offshoots such as Ethereum Smart Contracts and other derivatives including ICOs. While a host of challenges such as mis-information, volatility, association with criminality, or

Cyber Security

"But many of these are technological challenges that could be addressed over time” and so “it may not be wise to dismiss virtual currencies,"

Nick Cowan, CEO and Managing Director of the Gibraltar Stock Exchange (GSX) took to the stage at BlockAsia Show 2017and elaborated on token sales best practices, something that the Gibraltar Blockchain Exchange (GBX), a new crypto exchange and token sales platform, a subsidiary of the GSX, is implementing to bring stability and standards to the industry. Photo Credit: GBX

Singapore (ACCESS), Monetary Authority of Singapore, speakers at the Singapore FinTech Festival 2017, and the Asia BlockShow 2017.

#1 Money Laundering One of the most cited reason for disparaging BitCoin is its role in facilitating criminal activities. This is not surprising given that ransomware, illegal drugs, or stolen plastic demand payments in BitCoin. The seizure of 110,00 + BitCoin from the takedown of SilkRoad further linked BitCoin to illicit activities. But … Aside from the inconvenience of laundering BitCoin (BitCoin obscured and layered by using mixers/tumblers expose the launderers to the trustworthiness of these service providers), BitCoin really is nowhere near as anonymous and untraceable as purported. It is pseudonymous - the 26-35 alphanumeric address to send or receive BitCoin can be tied to a user. With each BitCoin transaction recorded on the public ledger of BlockChain, visible to everyone, it is not impossible to find out who is doing what. In the case of SilkRoad, law enforcement first uncovered the suspect’s BitCoin addresses (by seizing the laptop he was actively using at the moment of his arrest), thereby tracing his transactions from marketplaces to his personal wallets.

#2 Price Swings

government crackdown may undermine the nascent ecosystem and ultimately shrink the network, “for now, virtual currencies such as BitCoin pose little or no challenge to the existing order of fiat currencies and central banks. Why? Because they are too volatile, too risky, too energy intensive, and because the underlying technologies are not yet scalable. Many are too opaque for regulators; and some have been hacked,” said Christine

Lagarde, IMF Managing Director at the Bank of England conference, London September 29, 2017. “But many of these are technological challenges that could be addressed over time” and so “it may not be wise to dismiss virtual currencies,” she elaborated. We find out more about the ongoing discussions from Association of Cryptocurrency Enterprises and Start-ups

Unsurprisingly, the roller-coaster ride of BitCoin marked it as a vehicle for speculation, not a reliable store of value. Regulatory crackdown, technological challenges, or just old-fashioned profit taking drive down prices; relief rallies on regulatory approvals or ‘successful forks’ contribute to price spikes. BitCoin started 2017 at ~$1,000. By June it hit $3,000 before losing $1,000 a month later, as uncertainties surrounded an impending fork which produced an alternate “BitCoin Cash”. Fears over the fork subsided but were quickly replaced by surprises over the Chinese government crack-down on ICOs and cryptocurrency exchanges, and unanswered questions about the fates of the Chinese mining companies, among the world’s largest. BitCoin plunged by $1,000 in mid-September, after opening the month at ~$5,000. Market resiliency supported its recovery to $4,000 as peer-

Asia Pacific Security Magazine | 51

Cyber Security

to-peer exchanges replaced the closure of centralized exchanges. But … While this volatility makes it hard for merchants to price their goods in BitCoin, it is an inevitable symptom of innovations. Just witness the Apple share price volatility tracking its iPhone launches or Tesla with each of its electric car upgrades.

#3 Power Consumption The last few months had seen heated debates on high power consumption of the BitCoin network, ranking it on par with that of countries such as Macedonia, Ireland, most countries in Africa, or an average U.S. household. Sceptics focus on the vulnerability of the network due to the high power requirements. Critics point out that the usage diverts from more useful economic activities. But … The mining difficulty level can be adjusted downwards, to lower energy consumption if energy cost starts to eat into mining profits. Security professionals argue that high power consumption ironically ensures the stability of the BitCoin – that is, a 51% attack is an expensive power requirement to maintain network disruption. Some maintain that there is still lacking a meaningful comparison between Crypto and Fiat in power requirements.

#4 Cyber Security BitCoin is more secure than alternatives: a larger network not only means it costs more to attack, but also develops a rich ecosystem to be focus of study by cryptographers. But as its value increases, so does its appeal to potential Cyber attackers.

Just last year, more than $60m worth of BitCoin was stolen from one of the world's largest digital currency exchanges, Bitfinex, the biggest since its predecessor, Mt Gox, lost BTC worth $350m at the time of heist and ultimately had to shut down. A network of Ethereum, had also been a victim of a Cyber break-in, forcing a “hard fork” that sparked rebellion splitting it into two versions – one in which the losses were fully reflected and recorded, and the other in which as if the theft never happened. These Cyber thefts exposed vulnerabilities despite having delivered security improvements such as segregated client accounts, two-factor authentication and multi-signatures protocols. But … To be clear, while the exchanges had been hacked, only one major vulnerability of the underlying BitCoin was found in its implementation and exploited. Nevertheless, for this new technology to survive and gain wider adoption, some say it is time for formal standardization of the security requirements.

#5 Overall Crypto Reputation Aside from being labelled as a “criminal” currency, BitCoin also suffers from “guilty by association” as its spin-off, ICOs, come under increasing scrutiny. Recent disputes surrounding the two highest profiles ICOs, Tezos and Bancor underscore the extent to which investors are willing to fund ICO, based on the release of white papers and the involvement of high profile venture capitalists, without demanding working prototypes, or implementation of best practices such as a robust governance framework. Due diligence ... At the BlockShow

Asia Crypto Funds panel, Prof David Lee stressed the need to complete due diligence with the same depth as with a traditional investment on aspects (such as the management team, milestones, and financial discipline). To assess if an ICO would be truly sustainable, he cautioned against viewing the Crypto world through Fiat lens, and instead suggested assessing the business on its ability to follow a 3-pillar model referencing - 3Cs (Community, Compassion, Creativity), LASIC (Low Margin, Asset Light, Scalable, Innovative, Compliance Easy), and 5Ds: digitalisation, disintermediation, democratisation, decentralisation, and disappearance.

#6 Speed and Scalability It is often said that Blockchain technology is today not ready for commercial use cases. Today, the BitCoin network sustains ~7 transactions per second (“tps”). Validation takes a further ten minutes, and longer when the system is congested. Compare this to Visa, which handles an average 2,000 tps (a fraction of their said capacity of 56,000); and Facebook and Google at ~52,000 and 40,000 respectively. On-going improvements … Enter EOS which is implementing asynchronous communication and parallelization whereby multiple transactions are processed simultaneously, enabling horizontal scalability of the network. Additionally, by adopting the Graphene technology (proven to achieve 10,000 - 100,000 tps), EOS can achieve 300,000 tps. In fact, the road map is to scale to process 1 million tps.

BlockShow Asia 2017. From Left: Simon Dixon (BnkToTheFuture.com); Crystal Rose (Sensay); Igor Pesin(Sreda); Remington Ong (Fenbushi Capital); David Lee Kuo Chuen (Professor, Left Coast)

52 | Asia Pacific Security Magazine

Cyber Security

BlockShow Asia 2017. From Left: Benjamin Bliski Founder & Executive Director at The Naga Group AG, Floyd DCosta Management Consultant – Cloud, Blockchain Technology, Shaun Djie Co-founder at DigixGlobal , Toby Hoenisch Cofounder & CEO at TenX, Dmitry Gorilovsky Founder and CEO of Moeco.ioBrendan Blumer Founder and CEO of block.one

#7 Acceptability For a new technology to become mainstream, it must find a fan base beyond the technically-minded. Brock Pierce (Chairman, BitCoin Foundation) at the BlockShow Asia 2017 “BlockChain & The Token Economy” panel suggested “going back to basics” of money: as a medium of Exchange, it should be portable, durable, divisible, fungible and a store of value. There is potential for BitCoin to fulfil these requirements, and also promote financial inclusion thereby reducing poverty, he said. Its characteristics of transparency and decentralization can also help discourage corruption. Some responses … Turning these views into actions is The World Bank, who launched a BlockChain lab a few months ago, as part of a bid to pilot projects that can improve governance and social outcomes in the developing world. But, as Simon Dixon pointed out at the BlockShow Asia 2017 “BlockChain Investments Agenda”, for the USD 300 billion ecosystem to become a self-sustaining economy, we must accept that we each have our own views of what we want BitCoin to be, and overlay our own wants and desires onto the protocol.

Singapore FinTech Festival 2017, panel “Harnessing the Power of the Ledger”. From Left to Right: David Rutter, Founder & CEO, R3 Lab, Joseph Lubin, Founder, Ethereum , V. Laxmikanth (VLK), Managing Director, Broadridge Financial Solutions , Greg Li, Head of Asia, BitFury

Singapore FinTech Festival 2017, panel “Harnessing the Power of the Ledger”. From Left to Right: Chonchol Gupta, Chief Business Officer, IOT Word Labs (Moderator), Brad Garlinghouse, Chief Executive Officer, Ripple Taavet Hinrikus, Co-founder & Chief Executive Officer, Transferwise , Tim Grant, Founder & Chief Executive Officer, DrumG Financial Technologies

In Summary … The enthusiasm surrounding BitCoin is partially rooted in the promises of BlockChain technology. Greg Li (Head of Asia, BitFury) at the Singapore FinTech Festival 2017 panel “Harnessing the Power of the Ledger” said that BlockChain is not about reducing costs, “but the significant value creation through

a boost in efficiency and velocity to trade assets, reducing human errors, and having the transparency for easier audit. We are talking about time, people and resources savings which can be put into other areas.”

But, its application to everyday practicalities may be limited – for now. At the “Alternative Payments: Beyond Hype” panel, Brad Garlinghouse (CEO, Ripple), believed that alternative payments would reduce the

Asia Pacific Security Magazine | 53

Cyber Security accounts and identities.” “The best response by central bankers is to continue running effective monetary policy, while being open to fresh ideas and new demands, as economies evolve”, she added. Initiatives in Singapore

MAS (Monetary Authority of Singapore) and ABS (The Association of Banks in Singapore) lead the project, involving 11 financial institutions and five technology companies in Phase 2 of Project Ubin. Phase 1 of the project implements the concept whereby banks receive their Digital SGD transfers from the Central Bank, allowing them to make transfers to each other or back to the Central Bank. The exchange of Digital SGD on the distributed ledger are transfers of a binding claim on the Central Bank’s currency; participants are not exposed to credit risk.

cross-border transfer friction (time, cost) but he did not believe that society can move away entirely from a cash-based system into a cashless society. Taavet Hinrikus (CEO, Transferwise) agreed, and referring to coffee, he explained “it is currently not possible for anyone to purchase coffee using BitCoin, but they can surely do so using cash”. On the other hand, Christine Lagarde proposed, at her Bank of England speech that virtual currencies “may one day be easier and safer than obtaining paper bills,

54 | Asia Pacific Security Magazine

especially in remote regions. And because virtual currencies could actually become more stable.” For “new payment services in countries where the shared, decentralized service economy is taking off … rooted in peer-topeer transactions, in frequent, small-value payments, often across borders”, she said virtual currencies “potentially offer the same cost and convenience as cash—no settlement risks, no clearing delays, no central registration, no intermediary to check

Amongst the regulators who have taken a proactive and forward-looking approach is the Monetary Authority of Singapore (MAS). With Project Ubin, Singapore has demonstrated its commitment to “FinTech” and promoting innovation within the Financial Services sector. “Project Ubin is a collaborative project with the industry where we introduced a digital representation of the SGD to explore the use of DLT in interbank payments and settlement. It’s not for retail payments,” clarifies Jacqueline Loh, MAS Deputy Managing Director, monetary policy & investment/development & international/ fintech & innovation. “We believe that central banks like MAS can play a bigger role beyond just providing research funding. Collaborative projects such as Project Ubin support the creation of open intellectual property and foster collaboration between industry players,” she says. On Cryptocurrencies regulations, it has also clarified its stance. Singapore doesn't plan to regulate cryptocurrencies such as bitcoin, but will remain alert to money laundering and other potential risks stemming from their use, Monetary Authority of Singapore (MAS) Managing Director, Ravi Menon, said in an interview with Bloomberg News in October. MAS’s focus is to "look at the activities surrounding the cryptocurrency and asking ourselves what kinds of risks they pose, which risks would require a regulatory response, and then proceed from there," he added. Further, in the wake of an increase in the number of ICOs in Singapore as a means of raising funds, it clarified in August that the offer or issue of digital tokens in Singapore will be regulated if the digital tokens constitute products regulated under the Securities and Futures Act (Cap. 289) (SFA). MAS is also working on a new payment services regulatory framework, known as the Payment Services Bill. The Bill will streamline the regulation of payment services under a single legislation, expand the scope of regulated payment activities to include virtual currency services and other innovations, and calibrate regulation according to the risks posed by these activities.

Available online!

000032

Post

ed PP1

Approv

See our website for details

ATE

w | w

u w.a

sec

urity

THE

COU

NTR Y’S

gazi

ne.c

.au

arch

Feb/M

2017

t a jus it trali Aus ’t hack n ca

URIT

SEC

AND

ENT

VER

R RPO

E AZIN

n ralia

LEAD

ING

| w ww.a us

tralia

Post

DIN

LEA

o m Com s single state

INC.

e.co

May 20

Te fundinrrorism g law s Digit aga al War Islam inst the ic Sta te

gy holo a Psyc rviving u for s nt attack viole

Get each print issue per year for only $88.00

2017 orld ol W ecurity Interp Cyber s s | view nect and re t ven Con nal e ines Regio| Philipp re gapo

Sin ek in

r we

Cybe

GST

1 YEAR SUBSCRIPTION TO THE AUSTRALIAN SECURITY MAGAZINE

ed unifi your : Three ring s Secu nication erations id mu com key cons

GST

INC.

03227

m.au

April/

T hoekr uch m m gy – RecCByobnolo

d lia? fe an A sa re Austra secu

$8.95

PP1000

f war

o rity: gnition & Facial secu r Video en in Senio Wom habab, rcher, Analytics b hin S esea Nous ecurity R ersky La S Kasp

INC. GST

$8.95

azin

urity r sec e US Cybe ets in th PL s ra s a of nected e &A, Drone con ick TQearr d r u Q te s, n o...rism in rity ime, evcieuw ore re S eTcehcT

VIEW L -RE els ECcIAuss Ctrhaalinann u rSitPy fo s ac’ a ly u u a c A e n rity ltCha & - M G’s s COA onwea Fourtu‘smecu COU

$8.95

mag

ren o

RNM

g the akin n 61: T o DATA n’s lead h o Nati r researc cybe

urity

Child

ep 20

Y’S NTR

nsec

000032

d PP1

Approve

Aug/S

THE

roved

E GOV

Post App

GOVE

NMEN T AN RSA D CO ps RPO U Edito Conferen l sRteATE SEaC CO tica g U ce 20 r's R THE eview Prac buildin ient RITY MAGAZIN 1 r E - PAR 7 il o T 2 f ber res prise Cybe y r ks: c r c e c t In a n t suran e Time at traffi le c to e– sta conv Vehicminute t ersati rt the on Ten loymen ya ivac dep Is pr t cause s lo C ri sis NY ese eist - Com Manage H Chin - Use municati ment Foc The k Cyber us r Driv o .au Ban role en Plan com ine. The yber nning agaz uritym nsec of c nce alia ustr .a w sura ww e E | the IT in to b Modern AZIN re kes ating MAG Secu isCin ITY Rg avig the futu it ta ity y N t ri o E U S a u ty f E r Wh art c eo ORAT Strate ORP gy scap DC a sm T AN land ING

EAD

L Y’S NTR

SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐

AUSTRALIA

88.00

(inc GST)

1 YEAR

☐

INTERNATIONAL

158.00

(inc GST)

1 YEAR

Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to

www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059

Email subscriptions@mysecurity.com.au

GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056

Asia Pacific Security Magazine | 55

TechTime - latest news and products

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au