
Recommendations for Computer Security

In document 16-00707 (pages 96-101)


11.3 Recommendations for Computer Security

The recommendations we make with regard to computer security are intended to mitigate the threat of both logical theft and sabotage, as well as logical espionage.

As a general rule and a way to ensure the most impenetrable computer security regime possible, our recommendation is to follow the guidelines set forth by the Norwegian National Security Authority (NSM) [70]. Our view is that the routines of best practice laid out here must be in place. There are four main guidelines and six additional ones. These stipulate: make sure that all hardware and software is state of the art; update new security software as fast as possible; never distribute administrator rights to end-users; and block any and all running of unauthorised programmes.

According to NSM, studies show that these four measures stop about 80-90 % of all internet-related attacks [70]. The additional six guidelines stipulate: activate code protection against unknown vulnerabilities; harden applications; utilise firewalls on client interfaces; use secure booting and hard disk cryptography; use antivirus and anti-malware; and never utilise more applications and functions than strictly necessary.

Chapter 9 pointed to a minor flaw in the Piql IT system regarding the physical connectivity between the Piql (reception) computer and the Piql I/O (production) computer. One of the scenarios in the scenario analysis describes how a threat actor can utilise this connectivity to create a logical connection between the two computers and as a result alter the information being written onto the piqlFilm. To mitigate the effects of this, constant monitoring is required.

Another option is to create a true air gap between the two computers' CPUs, i.e. use a USB memory stick or the like to transfer the files between the computers. Although this will not stop the threat actor from gaining access to the Piql IT system, it will make it impossible to alter the received client data undetected. However, such a measure is an unlikely feature of a production process, as it would make the production too inefficient, but it is food for thought.

Verification of the integrity of the digital file upon receiving it from the client and after it has been prepared for printing is key. Piql AS already has this measure included in their security setup, and the recommendation is to always ensure that it is state of the art.
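The two verification points described above can be sketched as follows. This is an added example, not Piql AS's implementation: the function names, the manifest layout and the HMAC key shared out of band between the reception and production computers are all assumptions, and the sample files are constructed.

```python
import hashlib
import hmac
import json

def build_manifest(files: dict, key: bytes) -> dict:
    """Reception side: record a SHA-256 digest per file and authenticate the set."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(files: dict, manifest: dict, key: bytes) -> dict:
    """Production side: re-check the files immediately before they are written."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    report = {"manifest_ok": hmac.compare_digest(expected, manifest["tag"]),
              "modified": [], "missing": []}
    for name, digest in manifest["digests"].items():
        if name not in files:
            report["missing"].append(name)
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            report["modified"].append(name)
    # Files that appear on the production side without a manifest entry.
    report["unexpected"] = sorted(set(files) - set(manifest["digests"]))
    report["ok"] = report["manifest_ok"] and not (
        report["modified"] or report["missing"] or report["unexpected"])
    return report

# Constructed sample data (hypothetical key and file contents).
KEY = b"constructed-demo-key"
RECEIVED = {"deed.pdf": b"%PDF-1.7 original client deed", "index.xml": b"<index/>"}

def demo():
    manifest = build_manifest(RECEIVED, KEY)
    clean = verify_manifest(dict(RECEIVED), manifest, KEY)
    # Case 1: a file changed after reception, manifest untouched.
    altered = dict(RECEIVED, **{"deed.pdf": b"%PDF-1.7 altered deed"})
    tampered = verify_manifest(altered, manifest, KEY)
    # Case 2: the digests were rewritten to match, but without the key
    # the tag no longer authenticates the manifest.
    rewritten = {"digests": {n: hashlib.sha256(d).hexdigest() for n, d in altered.items()},
                 "tag": manifest["tag"]}
    forged = verify_manifest(altered, rewritten, KEY)
    return clean, tampered, forged

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The keyed tag is what distinguishes this from a plain checksum list: a change made anywhere between the two computers is reported even if the digests are rewritten to match.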

The last recommendation we make to Piql AS and to the Piql partners is regarding cryptography, a recommendation we also elaborated upon in chapter 9. Our view is that any computer security architecture which does not offer cryptographic methods is an unnecessarily weak one. Though it would compromise Piql AS' vision of the Piql Preservation Services as self-contained, whether this feature should be intact or not should be up to the individual user to decide. Measures should be implemented to protect the information also after it enters the Piql IT system, not only at the Front-End Service before it enters. Piql AS should therefore offer this solution to its users, though not all will want to utilise it. A caveat is, however, appropriate to issue here. Though FFI recommends cryptography to be part of the service which Piql AS offers its users to enhance security, we have no way of knowing how secure cryptographic methods will be considered in the future, i.e. how easy it would be to break the cryptographic code.

Nevertheless, for the present this is the keenest recommendation we can make to ensure the confidentiality of the information stored using the Piql Preservation Services.

12 Conclusions

FFI's assignment in the PreservIA project has been to identify vulnerabilities and security challenges faced by the Piql Preservation Services today and in the next 500 years. As it is difficult to analyse something we cannot observe, we have had to base our assessment on risks and threats present in the foreseeable future. We have, however, tried to include a longer timeline by including scenarios which account for a high degree of uncertainty, such as terrorism, armed conflict and nuclear war.

The vulnerabilities and security challenges which were identified in the scenario analysis may seem numerous, and, as such, paint a bleak picture. However, the outlook is not so grave. We have deliberately chosen to include descriptions of worst case scenarios in the assessment, and many of the vulnerabilities identified will only materialise under the worst of circumstances.

Often there is also an easy solution to the problem. Our aim for presenting the vulnerabilities in this fashion is simply to emphasise that the event which so negatively affected the Piql Preservation Services can be a risk, so that Piql AS and Piql partners supplying the service are aware of the dangers and are consequently motivated to plan for them.

Our scenario analysis identified several vulnerabilities: some severe, such as fire, chemical compounds and the threat of the insider in theft and sabotage; some not so severe, such as the effect of electromagnetic pulses and nuclear radiation; and some which simply require more testing before we can say anything definitive about their effects and consequences for the information stored with the Piql Preservation Services, such as the effects of water, smoke and physical pressure. Additionally, the PreservIA Consortium will conduct more tests regarding the effects of oxidative chemicals, such as ozone, which will enhance our understanding of how the piqlFilm reacts when exposed to chemical compounds.

The main finding of the assessment with regards to identifying vulnerabilities is that the gelatine emulsion layer on the piqlFilm is the weakest link. As this is where the information is written, this vulnerability can have grave consequences for the security of the information stored.

Though it does not stand to affect the confidentiality of the information, it highly influences the integrity and thus availability of the information. It should be noted, however, that the gelatine silver print method – preserving information using silver halides in gelatine on a base – is a technique that has been in use since 1874 to preserve photographs and later moving images [71].

Despite imperfect environmental conditions, such images still exist today, implying that this technology has withstood the test of time and proven its basic robustness.

Nevertheless, the Piql Preservation Services has many strengths. For instance, though it seems like the gelatine emulsion layer is very vulnerable to external influences, the choice of material for the rest of the Piql components – the plastic of the piqlFilm, piqlBox and piqlBin – can serve to increase the security of the information stored. Especially the properties of the PP of the piqlBox and the PET of the piqlFilm seem to be able to withstand a great deal of external influence, and their longevity is proven [3].

Another choice made by Piql AS that has enhanced the security and safety of the Piql Preservation Services – a subject we have touched upon in some sections of the report already – is the choice of an automated storage system: the modified piqlVault storage system. This does seem like a very robust choice of storage system which may eliminate many risks. Firstly, the design of the piqlVault system grid seems quite stable and cannot easily be tilted or overturned. This stability is strengthened by the tight stacking of the piqlBins within the grid. In this way, the piqlFilms are better protected from falling to the floor and being damaged as a result than if they were stacked on shelves. Secondly, it seems more difficult for an outsider to simply grab a piqlFilm reel and run. Should a threat actor be able to break through the security regime and gain access to the storage room, the piqlVault system will serve as an extra obstacle, as one also needs to be able to work the system in order to extract anything from it. And thirdly, the system seems better protected against human error. The risk of human error causing damage to the piqlFilms decreases with an automated system, as the piqlFilms are exposed to potentially dangerous situations less often when handled by machines than if personnel were the main way of handling the piqlFilms.

An additional, and perhaps the most significant, strength of the Piql Preservation Services is being offline. As with most other digital storage media, where the digital data is written onto a physical medium stored separated from online networks, there is limited opportunity for a threat actor to attempt to steal or otherwise harm the information stored on the piqlFilm by logical means. What sets the Piql Preservation Services apart, however, is the prolonged period of time in which it is offline, i.e. the fact that there is no need for the migration of the digital data onto a new "healthy" medium every few years. Such frequent migration requires more regular connection to online networks, as well as more parties involved with the management of the data. With the elimination of this need for migration, the content data stored on the piqlFilms has to be connected to online networks only once, and only a handful of people must ever be involved in the process of managing the data. The number of potential risk sources eliminated by the offline properties of the Piql Preservation Services is therefore great.

Another strength of the Piql Preservation Services which is tied to this topic is the relative solidity of the Piql IT system security architecture. Even when the content data is connected to online networks, the computer security mechanisms put in place by Piql AS are relatively strong – relatively in the sense that complete protection from all logical attacks of some kind is very difficult to achieve. In consequence, the client data is kept relatively protected throughout its journey with the Piql Preservation Services, at least with regards to computer security.

When it comes to physical security, there are some issues, but these are often a result of, and an inherent part of, being part of a larger context where external forces outside of your control – be it forces of nature or threat actors with malicious intent – can somehow affect you. Taking necessary precautions and constantly being alert and aware of potential risks should be sufficient. The risks to the Piql Preservation Services may be made to be even lower with time if alterations are made to the Piql components in later work packages of the PreservIA project as a result of this assessment. Risks may also be reduced if users apply our general recommendations of increased safety and security – adjusted to their needs and circumstances, of course.

Ultimately, the decision to store information using the Piql Preservation Services, or in any other manner, is a matter of risk acceptance. There will always be risks involved with every storage system when valuable information is involved; it is simply a matter of placing the risk at a level which is acceptable to the user and implementing measures accordingly. This would, of course, also be very different between users.