Horizon Scanning 2023
Overview of current issues relevant to the Wider Public Sector
Horizon Scanning Definition:
Horizon scanning is a technique for detecting early signs of potentially important developments through a systematic examination of potential threats and opportunities, with emphasis on new technology and its effects on the issue at hand.
Horizon Scanning is a proper, established method that is used within the commercial world and in the Government, Health, Military and Intelligence communities.
We saw a lot of this work during the COVID-19 pandemic in the Health sector, referenced above. It is a valid and useful model for planning and for understanding the world and its surrounding complexity.
There is an excellent, detailed handbook on Horizon Scanning which will help you if you wish to dive deeper into the subject.
You can't do horizon scanning within the constructs of a static system; it is a dynamic thing. It is a moving, fluid, events-driven paradigm and things change. So what does this mean on a day-to-day basis? It means monitoring what's on the news, the big global and macro issues:
The War in Ukraine
The Energy Crisis / Prices
Cost of Living Concerns
On-Going Cyber Threats & Scams
Tiger Economies in Asia, trade, and the global economies of China, Russia, the US and the Asia-Pacific countries.
There are also the issues raised by the Green Economy and new emergent ideas like Doughnut Economics.
These are all things which have nothing directly to do with Cyber Security and Resilience, but everything to do with the economy and the way criminals, hackers and hostile foreign states think. Foreign states, and even our own, are all driven by a “Doctrine”. This includes the UK Cyber Doctrine, which drives the military objectives, and on the civic side the work of the Cabinet Office National Cyber Security Programme and the NCSC. Make sure you've got a good source of rich knowledge: newsfeeds, blogs, push content (podcasts, blogs, news feeds), notes and qualitative research memos from conversations, things you come across, reports that get written, and just generally understanding your environment.
Horizon scanning takes account of major news events and things happening in the country and globally. Obviously you can't track everything, but you'll develop a set of “Lenses”, which we refer to as Contexts. A few big issues to consider that could affect Cyber Security are:
• global warming,
• pandemics,
• political elections,
• political takeovers in countries,
• civil unrest.
Then there are the things going on within the environment of your own organisation. Horizon scanning is about looking at asset and risk management, threats, facilities, vulnerabilities and exploits. Risk analysis, risk management and risk planning are all about understanding the current threats you're facing and your vulnerabilities. In a complex computer system there might be 50 vulnerabilities, but 49 of those vulnerabilities remain unexploited. The problem starts when more of those vulnerabilities begin to be exploited. We often refer to zero-day exploits: that means someone has taken a theoretical vulnerability and turned it into an actual exploit, and has been able to achieve the effect they were seeking in relation to that vulnerability. That's when you've got a problem, and that's when companies like Microsoft, Amazon and Google release patches against currently detected and reported vulnerabilities, hopefully before they become exploitable; but sometimes an exploit happens first and industry has to move quickly to patch that vulnerability.
This has happened recently, for instance with attacks on Citrix and VMware; it is these zero-day (unpatched) vulnerabilities that are dangerous. Sometimes known vulnerabilities are kept secret. These are known as “equities”, and they can be used by foreign state actors for cyber-attacks, surveillance and espionage.
We can change our world view when new information comes to light. In fact, refusing to change your world view for political or organisational reasons, in the light of new knowledge and information, can lead to real-world problems.
There is much to learn from Systems Theory and complex systems that can inform the horizon scanning process and approach.
We're constantly retraining, rechecking and reassessing everything that's going on. We often don't know how critical a vulnerability, or anything else, is. So what we do is use a five-by-five classification approach to help inform the process. The 5x5 intelligence classification system is widely used in the Police and Intelligence services.
These are sometimes known as intelligence assessments, or referred to as an Intelligence Estimate by our American colleagues. An output from the intelligence process becomes a product, which means it's gone through the whole assessment machinery.
Part of that assessment machinery is the horizon scanning and validation of facts. So using a five-by-five matrix gives a level of confidence, and these assessments are constantly changing as well. I hope that basic introduction to horizon scanning has been useful. We will now look at some of these areas in more detail.
Section One – Horizon Scanning Update January 2023
Horizon scanning means exploring weak signals: things which already exist, but whose relevance has changed or increased. What it is really trying to do is put the contextual single intelligence picture together. Situational awareness is everything in the intelligence world, along with context. Remove context and an assessment or product is useless, inaccurate and potentially dangerous. The objective here is to discuss a few topics and to drill down on them.
Cloud computing is a mature market, with Microsoft, Google and Amazon Web Services leading the way. Working with the cloud requires a slightly different skill set. It is important to remember that in the context of cloud computing you need to understand which type of service you have bought.
Think of a pyramid. At the top of the pyramid, with the least amount of work for you to do, is Software as a Service (SaaS); underneath that is Platform as a Service (PaaS); and underneath that is Infrastructure as a Service (IaaS).
If you buy Software as a Service (SaaS), that means everything is done for you: all the software patching, the operating system, the platform, everything is taken care of.
When you buy Platform as a Service (PaaS), you're buying the infrastructure and the server part with the operating system, and the patching gets done for you. You are responsible for the software you put on top of that, for keeping all that software patched and for maintaining it.
When you buy Infrastructure as a Service (IaaS), you're literally buying flat tin. That means you're responsible for putting the operating system on it, including the licensing, configuration and patching, and for patching the systems, the software and everything above it. So you need to understand all of that. Also bear in mind that what is really important is the configuration. The main thing to consider is all the configurations. If you deploy something on Amazon you just push a button and it does it for you; it's all there. But you need to really think that stuff through.
Software Defined Networks
Software Defined Networks (SDN) are based around the core concept of infrastructure as code. This comes up in many ways, because you've got the cloud infrastructure we were just talking about, but you've also got things like VMware. You're actually running software which is emulating hardware. This is becoming far more commonplace now with appliances that used to be physical “tin”, including firewalls.
You can have a completely software defined network within your virtual private cloud. The only real exceptions used to be the PKI encryption HSMs (the Hardware Security Modules used to calculate and run software encryption); even GCHQ has finally moved away from paper tape! Yes, paper tape for cryptographic encryption.
Cisco firewalls and the like have a Unix core in the middle. So you need to really think through how this is being deployed, who's checking the configurations and how it all fits together. Containerisation has been around for a few years, and you're going to hear an excellent presentation about it shortly. Once you get containers in place you're basically no longer worrying about the operating system, the patching or anything else, because it's all frozen: it's put in a container and deployed. But these containers are being continuously integrated with software development.
That's what's known as continuous integration, and above the container layer is the orchestration layer. The configuration files are what you need to be really aware of, especially around the assurance and configuration side. You mustn't forget about penetration testing the configuration and the system, and you mustn't forget about code reviews and Business Continuity Plans.
Zero Trust Networks
Zero Trust Networks have been around for some considerable time; it's not anything new. A zero trust network is one where potentially you don't mind who's floating around in your network, because they can't access anything. The biggest one we're all used to, without necessarily realising it, is the NHS network, because all of the access control to NHS services and systems is through their smart card. It's all controlled through their access and identity management.
So access and identity management is really important, and is something that's emergent. What the zero trust network ultimately does is take a nice fat, attractive attack surface and turn it into something that's a knife edge: a zero trust network has very little that you can attack. Whilst I won't be dwelling on it this afternoon, as and when details come out about the recent London Borough that was attacked, they are moving towards a zero trust network. The zero trust part of the infrastructure was not affected by the attack; the legacy part of their network was. The zero trust stuff they're putting in is very robust. This is a good point to mention network architecture: the NCSC Network Architecture Guidance is a good starting point, and we suggest that you implement Security Zones, which can really help to break a network up into the conceptual, logical and physical domains, as recommended by Zachman and the TOGAF and SABSA methodologies. Zero trust has a very thin attack surface, works on microservices and is far easier to control, but access control becomes very important when you're looking at zero trust networks.
Internet of Things (IOT)
The Internet of Things is the big emergent technology which is going to affect everybody. We've already got an awful lot of devices on our networks which are all, in some way, working around IoT. Whereas we've been used to dozens of servers, hundreds of connected end-user devices and thousands, indeed millions, of packets of information flying around the internet, IoT is potentially going to start bringing sensors and a whole range of different things into your core network. So what you need to do is think long and hard about network security architecture and about introducing multiple insecurities into your network.
Looking at cloud computing, building out software defined networks and putting zero trust security around it will get you to a point where you can deal with the Internet of Things. It's very much about internet zoning, also known as “Security Zones”; this is a security architectural approach advocated by the NCSC. You also need to understand, for all the devices you're going to connect, what the provenance of the device is: where has it come from, who has manufactured it, what code is in it? It is critically important that you understand these things and actually monitor what's going on. Supplier provenance will become another very important factor moving forward, as will supplier assurance. The MOD have done much leading work in this area and are developing a supplier product assurance scheme, which will be of great benefit and use moving forward.
Some of the work we've been doing with C-TAG and other groups through the WARPs, looking at things like LoRaWAN, is also very useful.
IoT is going to be here and it's going to come in in anger. This is especially relevant for things like adult social care and allowing people to live independently, which is really important as we move forward. But you do need to think about things differently with IoT.
You should ensure that you put security zones in place, and you do need to make the network harder to attack through segmentation, security domains and zones.
Artificial Intelligence (AI)
Artificial intelligence, machine learning and algorithms build on what I've just been talking about, because with both artificial intelligence and machine learning you're going to be doing things at scale. We'll start seeing things like CRM (Customer Resource Management) systems, which have been around for 25 years, where you've integrated telephony and web services for payment processing and customer service (the “press one for this, press two for that” kind of thing). We're going to start seeing chatbots more and more; some of you are using them already. You're going to see far more artificial intelligence engines behind applications. Automated workflow channels, called funnels, are already being used all over the web for marketing and sales.
There have been great advances in medical science around this, where hospital doctors and GPs have been using artificial intelligence, not instead of their own judgement but to help them with diagnosis, because by understanding certain things you can build up a massive body of knowledge, way beyond our own understanding. We can leverage that extra knowledge through the sorts of emergent technologies around the automated translation of voice and video files into text, which complements the existing text-to-speech technologies.
It's amazing what some of the software out there is capable of now, but you've got to remember that machine learning is collecting a lot of information that wasn't being collected before. It's all anonymised. For instance, Apple track finger movements on iPhone screens, so that when they're designing products and software they know how to make these things better, because they know which parts of the screen you touch most often, what sort of behavioural gestures you use, how you use applications together and how you're using workflow. All of this enhances and improves the user experience (UX) by improving the user interface (UI).
If I was starting my career now I'd be a data scientist, because data science is actually the future. I'm looking at all the work the NCSC are doing on Active Cyber Defence and all those sorts of products. We're now starting to see a lot more around log analysis as an emergent mainstream topic. The WARPs have been discussing log files and their relevance and use in cyber security for a long time.
Information and network asset management are newly emergent themes: gaining situational awareness of your network, the systems you're running and the infrastructure you're supporting, to provide accurate context for network defenders. There may be a dozen new Apple Mac vulnerabilities identified, but that is no use if you only run Windows; Palo Alto patches are useless to a Fortinet site. What matters is the types of equipment you're running, the versions you have and, critically, their patch levels. By having this detailed information we are then able to tailor solutions to particular problems.
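The asset-management point above (a dozen Mac vulnerabilities are noise to a Windows-only site; Palo Alto patches mean nothing to a Fortinet estate) can be made mechanical once you hold an inventory with vendor, product and version. The following is an added example, not code from the report or from any of the organisations it mentions: it matches a constructed advisory feed against a constructed inventory and reports only the advisories that apply, comparing versions numerically so that 7.0.10 sorts after 7.0.9. The hostnames, products, versions and advisory identifiers are all made up for the example.

```python
"""Added example, not part of the original report: filter vendor advisories
down to the ones that apply to the kit actually in the inventory.
All hosts, products, versions and advisory ids below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE or vendor id
    vendor: str
    product: str
    fixed_in: str      # first version that carries the fix
    summary: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.5' into (7, 0, 5) so comparison is numeric, not lexical
    ('7.0.10' must sort after '7.0.9')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected when vendor and product match and it runs a
    version older than the first fixed release."""
    if asset.vendor.lower() != adv.vendor.lower():
        return False
    if asset.product.lower() != adv.product.lower():
        return False
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def applicable_advisories(inventory: List[Asset],
                          advisories: List[Advisory]) -> List[Tuple[str, List[str]]]:
    """Return (advisory_id, [affected hostnames]) for advisories that touch
    at least one asset; everything else is noise for this estate."""
    results = []
    for adv in advisories:
        hosts = sorted(a.hostname for a in inventory if is_affected(a, adv))
        if hosts:
            results.append((adv.advisory_id, hosts))
    return results


# Constructed inventory: what this (fictional) site actually runs.
INVENTORY = [
    Asset("fw-edge-01", "Fortinet", "FortiOS", "7.0.5"),
    Asset("fw-edge-02", "Fortinet", "FortiOS", "7.0.9"),
    Asset("vpn-01", "Citrix", "ADC", "13.0.88"),
    Asset("ws-fin-07", "Microsoft", "Windows", "10.0.19044"),
]

# Constructed advisory feed: only some of these matter to the estate above.
ADVISORIES = [
    Advisory("ADV-0001", "Fortinet", "FortiOS", "7.0.8", "constructed summary"),
    Advisory("ADV-0002", "Palo Alto", "PAN-OS", "10.2.4", "constructed summary"),
    Advisory("ADV-0003", "Apple", "macOS", "13.1", "constructed summary"),
    Advisory("ADV-0004", "Citrix", "ADC", "13.0.90", "constructed summary"),
]


def main() -> None:
    for advisory_id, hosts in applicable_advisories(INVENTORY, ADVISORIES):
        print(f"{advisory_id}: patch {', '.join(hosts)}")


if __name__ == "__main__":
    main()
```

Run as written it reports only ADV-0001 (for fw-edge-01, which is below the fixed release) and ADV-0004 (for vpn-01); the Palo Alto and Apple advisories never reach the defender. The same structure extends to patch level rather than product version once the inventory records it.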
Artificial intelligence is growing into a very, very large thing. And it's becoming far more
Digital Ethics are something you might not consider, and might not have heard of, but they are really important. Why are ethics so important? Ultimately, ethics define the moral boundaries that we need to stay within, through policy and consideration of societal acceptability. We all know about Human Rights; well, that's what ethics are. My philosophy has always been “At what price?” That relates to how badly you want something and the lengths you're prepared to go to get it, and “at what cost” to friends, relationships and consequences. The law also reflects a set of societal norms, in terms of our criminal laws and the punishments we have for breaking them. There are many ethical concerns at this time around Covid-19: social distancing, lockdowns, the acceptable way to behave and of course the vaccines being developed, who gets them first, prioritisation and the order of events. These are all ethically driven decisions. That sets the context for ethics. As we turn to digital ethics, they are the rules and algorithms that drive machine learning and artificial intelligence. We are getting used to the idea of driverless autonomous cars and vehicles, and we hope they are programmed to do the right thing. Would we be as happy knowing a car had a peace mode and a war mode?
When cybernetics first started and robots were the stuff of science fiction, right back in the days of Norbert Wiener, a brilliant MIT student in the 1950s (we know that some of you might never have heard of him), he went on to do some of the founding work on cybernetics. It was always the intention to design machines that must not hurt their creator. So if you think about the Terminator films and the robots: not to destroy their creators. That's called non-maleficence: do no harm. Digital Ethics looks at how machine learning and artificial intelligence are actually helping to shape how these things work. With Tesla cars you don't own the software, you licence it. I'll talk about it more a bit later, but you're actually licensing the software. So when you get into a car and it's driving itself, it's being driven by algorithms. The algorithms get to make, we hope, ethical decisions all the time about what to do and what not to do. Is it a good thing, trusting our lives to hope? You really need to have an understanding of digital ethics.
Smart Cities. Again, this is something that's emerging and is bringing all the bits together, because if you look at the Internet of Things, that's given us far more contextual information. If you look at machine learning, artificial intelligence and algorithms, it then culminates in what we're doing with smart cities. They aren't anything new, but bringing them all together means we're getting far more integrated around our CCTV and transport networks. We've got travel cards; it's the Oyster card down in London, and there are lots of other travel cards. Now there's bike hire and scooter hire and all those fobs. Every time you get one of these hire bikes out, you “touch in” your smart token on an NFC device (such as your smart phone). You're then charged through your user account. But that token and account is tracking where you got the bike or scooter from, where you started your journey and at what time, where you checked the bike or scooter back in (your destination), the duration of your travel and, likely through geo-tracking technology in the bike or scooter, your route. This geo-temporal information is you leaving a deep, rich digital footprint everywhere you go. Your journeys are being tracked, so this is where ethics and privacy come into play, along with wifi, smart road signs and smart motorways. It's all really joining everything up: a person, event, location and time. The law enforcement, military and intelligence agency dream.
People will know where you are and what you're doing. Data protection, privacy, civil liberty and freedom: everything is going to go far beyond where we've been in the past. In the past it's all been about geo-temporal information, but in the future it's all about geospatial information as well. So the world is moving on at pace, and all of these disparate things are building up into a layered taxonomy: cloud, software defined networks, zero trust, the algorithms, digital ethics, and then it culminates in smart cities. Not just what building you were in, but the floor, desk and device locations too.
Good security network architectural design means understanding that there are workflows following the data, which we've always been doing with data protection and data privacy impact assessments. But you do need to understand your suppliers and your third parties, especially those processing your data, and that they are doing so in an ethical way.
You do need to understand your supply chain: what kit you're buying, where it comes from, and have they tested it? You do need to have dynamic business continuity. You need to start making staff aware of all this new technology and how it affects them. And you need to have really good, detailed documentation and really good, detailed diagrams and configuration; that's really important.
Section 2 - Emergent Threats – What we’re seeing on the radar
Emerging threats are, again, some familiar topics that are today coming to the forefront of the threats we are facing and seeing in our networks and on the Internet. Many of these you will know about; we aim to give you a better context. A quick recap on what we talk about as information assurance:
- Confidentiality – keeping information safe and secure, accessible only to those who are authorised.
- Integrity – Ensuring the Information is accurate and hasn’t been altered.
- Availability – The ability to ensure we can access these systems and services when we need to.
Virtualization issues haven't gone away. The technology has been with us for around forty years, going back to mainframes. VMware server is a great product, but if it isn't properly configured it can still be compromised. We need to make sure that the management layer is completely locked down and is being monitored, understanding who's got access to it and that all the different workloads are properly segmented and configured.
Having remote suppliers providing technical support via VPN connections into your network is fine, but do you monitor their activities and ensure their sessions are terminated and logged afterwards? This issue has been with us for the past fifty years, going back to the days of remote mainframe access via dial-up terminals and even teletypes, yet in this automated, digital, Internet and mobile device age it is still a current problem!
If they're looking after a server farm on your premises and keep using a VPN to gain access, especially when working from home, do you close that session down afterwards? For technical support with Remote Desktop Access enabled, are the remote access sessions monitored and recorded?
Containers as a technology have been used for a long time, but they're only just beginning to find their way into local government circles; they've certainly been in central government for the past eight years. With all the digital transformation work we're doing now, as you move towards cloud and everything else, containers are becoming very, very pervasive, but a badly configured Docker container is a very dangerous thing. You need to do code reviews and smoke tests; only then can you trust the container configuration for automated continuous integration and deployment.
I've been playing around with some security tools which are on GitHub, and downloading other people's Docker containers. If you're going to play with this stuff, make sure you trust the source code, use a sandbox machine and monitor what the containers are doing on your systems.
I was looking at some particular containers and at what was going on inside them, behind the scenes, via a command line terminal as they were spinning up. There were all sorts of erroneous bits of code being spun up in the background that weren't necessarily part of what the container was being used for. So when you start getting into these things, make sure you understand how they work, do code reviews and smoke testing, monitor the traffic, and know what data is going into the containers and what's coming out. Continuous integration is the orchestration layer I was talking about earlier: software like Jenkins and Chef, and lots of other new tools that are coming along.
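The “badly configured Docker container” warning above can be turned into a check you run before a downloaded container goes anywhere near a sandbox, let alone production. The following is an added example, not code from the report or from Docker, and it makes an assumption: the container specification is represented as a dictionary using docker-compose style keys (`image`, `privileged`, `network_mode`, `volumes`, `cap_add`, `user`, `read_only`). It audits a constructed weak specification of the “copied from GitHub and made to work” kind next to a hardened version of the same service, and reports the settings a reviewer would want removed before the container is trusted in a continuous-integration pipeline. The image names, the digest and the user id are placeholders.

```python
"""Added example, not part of the original report: a small audit of a
container run specification (docker-compose style keys) for the settings
that most often make a badly configured container dangerous, shown against
a hardened version of the same service. Both specs are constructed."""
from typing import Dict, List

# Capabilities that hand a container a large slice of host control.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def image_is_pinned(image: str) -> bool:
    """True when the image is pinned by digest or by a non-floating tag.
    A registry port (host:5000/tool) must not be mistaken for a tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return False          # no tag at all means an implicit ':latest'
    return last.rsplit(":", 1)[1] != "latest"


def audit_service(name: str, spec: Dict) -> List[str]:
    """Return one human-readable finding per risky setting in the spec."""
    findings = []
    image = spec.get("image", "")
    if not image_is_pinned(image):
        findings.append(f"{name}: image '{image}' is not pinned; builds are not reproducible")
    if spec.get("privileged"):
        findings.append(f"{name}: runs privileged (all capabilities, host devices)")
    if spec.get("network_mode") == "host":
        findings.append(f"{name}: shares the host network namespace")
    for vol in spec.get("volumes", []):
        if vol.split(":")[0].rstrip("/") == "/var/run/docker.sock":
            findings.append(f"{name}: mounts the Docker socket, equivalent to root on the host")
    for cap in spec.get("cap_add", []):
        if cap.upper() in RISKY_CAPS:
            findings.append(f"{name}: adds capability {cap}")
    if str(spec.get("user", "")) in ("", "0", "root", "0:0"):
        findings.append(f"{name}: runs as root (no non-root 'user' set)")
    if not spec.get("read_only"):
        findings.append(f"{name}: root filesystem is writable")
    return findings


# Constructed: the kind of spec you get by copying someone else's container
# and "just making it work".
WEAK_SPEC = {
    "image": "scanner-tool:latest",
    "privileged": True,
    "network_mode": "host",
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
    "cap_add": ["SYS_ADMIN"],
}

# Constructed: the same service after review. The digest is a placeholder.
HARDENED_SPEC = {
    "image": "registry.example/scanner-tool@sha256:" + "0" * 64,
    "user": "10001:10001",
    "read_only": True,
    "cap_drop": ["ALL"],
    "volumes": ["./work:/work:ro"],
}


def main() -> None:
    for name, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        findings = audit_service(name, spec)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

The weak specification produces seven findings and the hardened one none. A check like this belongs in the same pipeline stage as the code review and smoke test the report calls for, so that a container which fails it never reaches automated deployment; it does not replace watching what the running container actually does on the network, which the report also recommends.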
Virtualization: you really need to understand it. Quizzing your suppliers on the assurance side will not only show that you understand your supply chain security; it might also show you what's actually happening.
Phishing might seem like yesterday's news, but it isn't. At the moment it is the single biggest attack vector, and the problem with phishing is that it is getting more and more sophisticated, starting to introduce primary, secondary and tertiary types of attack vector. You may get an email; you might also get an SMS message; you might even get a voice call. An awful lot of financial fraud is happening as the criminals themselves go online because of the Covid restrictions and the change in opportunities.
For instance, in the banking sector, you're now getting it all followed up with a phone call. You're on the telephone to somebody and they're telling you about a problem with your bank account, or that they have remotely detected a virus on your computer. It's getting very, very sophisticated.
We're actually seeing SIM takeovers out there now, so that they can make their mobile phone look like yours to the bank, spoofing your number or that of your bank. So you can't even rely on the phone number to be truthful. There is fraud utilising the SIP protocol, spoofing messages and contact centre details. SIP is the Voice over IP protocol being used in some of this. The other thing that's starting to emerge with phishing attacks is the use of collaboration tools, so even Microsoft Teams is now becoming an attack vector. You need to bear in mind that these attackers are getting more and more sophisticated. Make sure you are talking to your staff and doing awareness raising, because awareness raising campaigns are the best line of defence.
Blended attacks are where, as I was just saying with phishing, you see attackers building things up. So the NCSC (National Cyber Security Centre) Active Cyber Defence (ACD) tools come in really useful. The public DNS service (PDNS) is available to all public sector bodies free of charge. The only issue with PDNS is if you're running things like Cisco Umbrella, because NCSC are aware of incompatibilities. But, as I was saying about security zoning and domains earlier on, you might even want to think about splitting up some of your IP ranges for different parts of what you're doing and using PDNS, which, once connected, immediately flags malicious activity.
You have to remember that the criminals now all start with their own pyramid of pain. A lot of the people deploying EMOTET are at the bottom of the pyramid; the bottom level of these attacks are script kiddies, low-value attackers and hackers. But the minute a machine beacons out after a successful takeover, phoning back to say “yep, I've got into that network”, they are then selling those credentials and those IP addresses to the next level of criminals up. Finally, that's when you get into a tight spot, with really serious people doing the malware attacks. There has been a massive prevalence of malware and ransomware as an attack vector, especially since we've experienced the Covid lockdown and are working from home. The criminals are sitting at home with plenty of time on their hands, and they follow the money.
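The two defensive signals in the passages above, a compromised machine “beaconing out” on a regular timer and a protective DNS service flagging lookups of known-bad names, can both be checked from the outbound-connection logs the report says defenders should be analysing. The following is an added example, not code from the report or from the NCSC's PDNS service. It assumes a simple one-line-per-connection log format (`timestamp host=… dst=…`) that is not any product's real format, and the hostnames, domains and blocklist are all constructed. The beacon check flags a host/destination pair when there are enough connections and the gaps between them are nearly constant (low coefficient of variation); the blocklist check stands in for what a protective DNS feed would match.

```python
"""Added example, not part of the original report: two defender-side checks
run over constructed outbound-connection log lines. The log format
(timestamp host=... dst=...) is an assumption for this example, not any
product's format; the hostnames, domains and blocklist are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Parse one log line into (timestamp, host, destination); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["dst"]


def find_beacons(lines: Iterable[str], min_events: int = 5,
                 max_jitter: float = 0.1) -> List[Dict]:
    """Flag (host, dst) pairs whose connection intervals are suspiciously
    regular: enough events and a low coefficient of variation of the gaps."""
    seen: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, dst = parsed
            seen[(host, dst)].append(ts)
    beacons = []
    for (host, dst), stamps in seen.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons.append({"host": host, "dst": dst,
                            "period_s": round(mean_gap), "jitter": round(jitter, 3)})
    return beacons


def blocklisted_lookups(lines: Iterable[str], blocklist: Set[str]) -> List[Tuple[str, str]]:
    """The PDNS-style check: which hosts talked to a known-bad destination."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in blocklist:
            hits.append((parsed[1], parsed[2]))
    return hits


# Constructed sample: ws-fin-07 calls one destination about every 300 s,
# mixed in with ordinary irregular traffic; ws-hr-02 makes one blocklisted lookup.
SAMPLE_LOG = """\
2023-01-10T09:00:00Z host=ws-fin-07 dst=beacon-placeholder.test
2023-01-10T09:01:10Z host=ws-fin-07 dst=mail.example.test
2023-01-10T09:02:30Z host=ws-hr-02 dst=cdn.example.test
2023-01-10T09:03:45Z host=ws-fin-07 dst=mail.example.test
2023-01-10T09:05:02Z host=ws-fin-07 dst=beacon-placeholder.test
2023-01-10T09:07:15Z host=ws-hr-02 dst=bad-domain-placeholder.test
2023-01-10T09:09:58Z host=ws-fin-07 dst=beacon-placeholder.test
2023-01-10T09:12:30Z host=ws-fin-07 dst=mail.example.test
2023-01-10T09:13:02Z host=ws-fin-07 dst=mail.example.test
2023-01-10T09:15:01Z host=ws-fin-07 dst=beacon-placeholder.test
2023-01-10T09:16:40Z host=ws-hr-02 dst=cdn.example.test
2023-01-10T09:19:40Z host=ws-fin-07 dst=mail.example.test
2023-01-10T09:20:00Z host=ws-fin-07 dst=beacon-placeholder.test
2023-01-10T09:24:59Z host=ws-fin-07 dst=beacon-placeholder.test
2023-01-10T09:27:05Z host=ws-hr-02 dst=cdn.example.test
this line is malformed and is skipped
""".splitlines()

# Constructed blocklist standing in for a protective DNS feed.
BLOCKLIST = {"bad-domain-placeholder.test"}


def main() -> None:
    for b in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {b['host']} -> {b['dst']} every ~{b['period_s']}s (jitter {b['jitter']})")
    for host, dst in blocklisted_lookups(SAMPLE_LOG, BLOCKLIST):
        print(f"blocklisted lookup: {host} -> {dst}")


if __name__ == "__main__":
    main()
```

On the constructed log this reports one possible beacon (ws-fin-07 to the placeholder domain, about every 300 seconds) and one blocklisted lookup from ws-hr-02; the irregular mail traffic from the same finance workstation is not flagged. The thresholds (`min_events`, `max_jitter`) are tuning knobs: real beacons often add deliberate jitter, so a practitioner would calibrate them against their own baseline rather than take these values as given.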
PROINT (Protected Information Intelligence)
A new province is Protected Information Intelligence. This is where criminals are trying to steal protected credential information, credit card information and your private identity information.
But apart from these identities, the other thing you've got to be aware of now is that location information is becoming valuable, because criminals know where you are: “I know you're not at home”. That is scary, and you need to think through where this is all going; biometric data as well, for example biometric facial recognition for mobile phone or laptop login. These are all new types of information and credentials that criminals are after.
So you need to think about all of it, from passwords to biometrics, personal information and privacy. You've got to remember that youngsters have a very different feel about privacy, and that sometimes convenience can override privacy; they don't necessarily have the same view about this as we do in our generation.
So bear that in mind: protected information is what people are after, because that's where the money is. Wearables, body networks, smartphones, Fitbits and so on are all collecting all sorts of information, and proximity networks as well. Cars now have wifi networks or their own Bluetooth. It's always on. It's a new world we're moving into, but it's really exciting stuff.
The core of this whole second part on emerging threats is that everything we do which gives us an opportunity also brings challenges and attack vectors. We've got augmented reality now (some will have seen the new EE mobile phone advert for the iPhone 12, which shows an augmented reality scene over the rooftops of the City of London).
It is as much about geospatial information: not just knowing where you are, but what floor you're on, what office you're in within a building, what shop you're in within a shopping centre; it's tracking these metrics. In time, as we get more into augmented reality, Facebook, Google and Apple are all working on new sets of super specs. The age of Joe 90 really is upon us.
A whole new world is going to be a very different place in the next couple of years: work and life boundaries are going to get blurred and working from home is going to be the new normal, so you need to think these issues through. Oculus has now been bought out by Facebook. You can't use the new Oculus Quest 2 devices unless you've got a Facebook account. I've started doing some research on all of this right now, and it's going to take me a while to synthesise it all. Believe me, sitting there with a virtual reality headset on and doing work, with all these computer screens from the physical world moving into that new augmented and virtual reality, is going to be the way we work if we're going to be working from home. Someone's going to have the bright idea of “oh, it won't be just about MS Teams, should we use the new Facebook Infinity Office that Facebook's working on right now?” If you haven't already, go and have a look. But that's where ethics come in: new personas. Will you have a different persona for work in virtual reality from your persona at work in the real world? You start to think about it, especially with data protection and the right to be forgotten. It's a new world of pain trying to manage multiple personas, because Facebook won't let you do that: you've got to use your real personal Facebook account with your real personal identity to use the virtual reality stuff. Interesting times ahead.
References: (All accessed November 2020)