The sticky issue of web security

Internet filtering, whether by governments or companies, tends to create a host of unintended consequences.


The openness and freedom of the internet, one of its greatest strengths, has clashed with authority since the earliest days of online communication.

In letting people publish and read whatever they want, the potential for everything from lawbreaking and taboo challenging to plain old-fashioned troublemaking was enormous. So it was not long before governments, businesses and citizens began drawing lines on what was and was not acceptable. In 1990, the US Secret Service raided the office of a book publisher in Austin, Texas, on suspicion that he was in possession of a sensitive computer file that had been illegally copied from the offices of the BellSouth telephone company.

Computers were confiscated during the raid, including one machine that was used as an electronic bulletin board - the precursor to the modern internet - for the company's staff and readers of its publications. When the computers were returned, the company discovered that the Secret Service agents had viewed, copied and in some cases deleted private messages sent between users of the board, many of whom were not even employees of the company.

The raid and its fallout led to the formation of the Electronic Frontier Foundation (EFF), which remains the world's premier digital rights group to this day. The EFF launched a legal challenge against the Secret Service, and its victory in the case established the precedent - taken for granted in most countries today - that electronic communications such as e-mail are subject to the same protection as telephone calls.

The legal challenge was the first in a long line of cases, fought in courts all over the world, that questioned how traditional government approaches to investigating and preventing crime could be adapted to the borderless, free-flowing internet. A different set of questions confronted businesses. With internet access becoming a tool as essential to white-collar productivity as the telephone, companies had to work out quickly how to control the spread of confidential information, secure their systems from outside interference and ensure that their staff used business internet access for its intended purposes.

With the internet now integrated into almost every aspect of modern business, digital security is a major segment of the technology sector. Tareque Choudhury, who leads the security practice in the Middle East and Africa for the communications company, BT, said the position of chief security officer - practically unheard of a decade ago - is becoming commonplace. "The awareness is high and it goes beyond just the technical people," he said. "It is a business issue now, and it impacts a lot of different parts of the company."

But efforts to secure corporate networks and control internet usage by employees are subject to the same law of unintended consequences that governs any effort to change human behaviour from the top down. One simple example is internet filtering, a practice that Mr Choudhury says happens at 95 per cent of the world's big companies. The corporate objective behind filtering varies, but at the ground level, most filters ensure that staff do not view content that is inappropriate in the workplace.

But many go further, blocking access to websites that are not directly work-related. Research estimates the cost of lost productivity due to personal web surfing to be up to £50 billion (Dh366bn) in the UK alone, with employees estimated to spend upwards of one hour each working day on sites like Facebook. The response - blocking such sites - also comes at a cost, as companies are quickly discovering. Employees waste time in a new way - trying to find their way around the filtering system. More seriously, efforts by employees to circumvent the block can create major vulnerabilities in corporate networks.

Thanks to the availability of simple thumbstick-sized modems that connect computers to the internet via mobile phone networks, employees can now bring their own connection into the office. This bypasses corporate filtering, and simultaneously blows a gaping hole into the security of the company's networks, as a completely unsecured connection to the internet coexists alongside company servers and computers.

One corporate IT network administrator at a large construction company in Dubai said that in a recent building-wide scan, the technology department detected more than 10 unauthorised outside internet connections, with some being shared among multiple users who were also connected to corporate data servers. One employee even brought in a wireless router to share his mobile broadband connection with other staff on the floor. When confronted by the IT department, he said the connection was simply a way to let employees access sites he said were "vital" to their personal lives: Facebook and Google's Gmail.

In a recent survey of IT managers conducted by Secure Computing, the makers of the Smart Filter internet filtering software, 80 per cent said the greatest threat to the security of their systems came from insiders who often created unintentional vulnerabilities. Just 17 per cent thought outside threats from hackers were a more serious concern. With filtering having such unpredictable consequences on a company level, it is not surprising that even more serious problems can arise when governments try to filter access to the internet at a national level.

When Pakistan's government blocked access to the video sharing website, YouTube, in February, it inadvertently led to the site being unavailable across the world for almost five hours. Because of the trusting, interconnected way in which internet providers route traffic globally, Pakistan's redirection of YouTube traffic to a government "blocked" page ended up being spread to web servers all around the world.

The intention - to prevent its citizens from being exposed to a video deemed anti-Islamic - ended up exposing a major vulnerability in the internet addressing system and raising questions about the technical competence of Pakistan's government. According to the OpenNet Initiative, a US-based organisation that researches internet filtering around the world, the UAE is one of 14 countries that have substantial or pervasive internet filtering at a national level.

They are soon to be joined by Australia, where the newly elected Labor government has followed through on its election pledge to introduce mandatory internet filtering at the internet service provider level. The system will target sites containing pornography and violent or illegal content. Households and businesses can choose to opt out and receive an unfiltered connection, but by default all connections will be filtered.

In the UAE, web filtering is done using Smart Filter, the same software that blocks internet access in many companies. Produced by Secure Computing, Smart Filter is also believed to be used by the governments of Tunisia, Saudi Arabia and Iran, among others. Mr Choudhury said that in the past, one unexpected by-product of state-level filtering was a complacency among home and business users. This was driven in part by an assumption that filtering meant that everything on the internet had been guaranteed by the government. "They thought that the ISP was taking care of things," he said. "But as we all know, the filtering does not deal with spyware, viruses, malware - all sorts of things that can cause problems".

This complacency, combined with other factors like rapidly growing internet penetration, has led to the UAE becoming one of the major hot spots for electronic virus infections in the region. It underlines the essentially behavioural nature of most security challenges - and how facing these threats is as much a human challenge as it is a technical one.

tgara@thenational.ae