Internet Security is a topic that has drawn a lot of attention over the past year. As awareness grows that cooperation in necessary, it dawns on people that there are many and very different stakeholders involved, stakeholders that may never have met before. Let alone have cooperated. An example of an approach is the National Cyber Security Council that was installed in The Netherlands on 30 June. This is a high level council that will give advice to public as well as private entities on how to be better secure themselves and society at large against cyber attacks and how to become more resilient. However, without the right approach it is doomed to become a talking shop. The aim must be to take down barriers, build trust and create the atmosphere in which new approaches are created and implemented. If this does not happen, not much will change and valuable time is lost. In short the difference between mopping and turning off.
Before I enter into this, I would like to present to you a few quotes from very various sources of the past few days (27 June – 1 July).
“Trust in ICT is threatened of being undermined. This is caused by a growing amount of digital attacks on governments and companies …”.
The total damage of spearphishing amounts to €89 billion, according to Cisco.
“Security and Trust in an open and free digital society are an important prerequisite for economic growth and innovation.
“…TDSS malware (a.k.a. TDL), a sophisticated malicious code family that includes a powerful rootkit component that compromises PCs below the operating system level, making it extremely challenging to detect and remove”. (Brian Krebs)
Brian Krebs: “The market for rogue pharmaceuticals could be squashed if banks and credit card companies paid closer attention to transactions destined for a handful of credit and debit card processors”.
Kaspersky Labs: “Once the genie is out of the bottle, everyone who isn’t up to date with the latest patches is vulnerable.”
Veni Markovski on CircleID: : “The key word is cooperation”.
Wout de Natris at the IGF in Vilnius on the Cyber Crime Working Party: “I… (came) back (from IGF Sharm el Sheikh, WdN) with the idea of the multistakeholder approach, and started to work on to create an environment to build trust”. (By comparison, this quote is from September 2010.)
Do you prefer mopping or turning off taps?
If something comes through from the various quotes it is that the world is, sort of, ready for cooperation to combat the multi-headed beast called cybercrime. There are two approaches:
1. Mopping spilled water
2. Turning the tap off.
Resilience, better security, patches, awareness and such all fall under mopping while the tap is turned on ever more and the water spills over the floor of the bathroom and eventually will run out into the street. Of course, this approach is important and necessary, but after a success the world can wait for an even more sophisticated attack, like the TDSS botnet Kaspersky Lab and Brian Krebs wrote on, a botnet that apparently borrowed it’s prowess from Stuxnet, implying how fast technology is copied through/on the Internet.
True security will come through international cooperation across many boundaries. Those who have read me before or heard me present will not be surprised by this claim. It implies discussing the (so far) undiscussable together, to build trust and to give the comfort that creates an atmosphere in which the topics that need to come unto the agenda are approached positively by “the multistakeholders”. An environment that truly addresses the individual concerns for what they are: concerns. And takes them away when possible. Only then will things take an alternate course. But, as I expressed in Vilnius: Do we know all the stakeholders? Are they present and what could or should be their role?
To step over your own shadow takes courage
All this implies topics that look at the flaws of the weaving in the digital world, the exchange of available information into the right hands, private-public cooperation, setting priorities that make it possible for law enforcement to make the necessary arrests and look into regulatory approaches. Together identify and go for the identified weak spots of cybercriminals. Hurt them where it hurts!
It takes courage to do this and the ability to step over one’s own direct personal interests in order to achieve a long term result. This should be of great interest to everyone concerned: a free and innovative Internet that is safe. As safe as is acceptable that is. Like “real” life.
So, is Internet security attainable through a multistakeholders’ approach? What would be good approaches? Interested? Come and talk with me on how to start this. You will find a willing ear, an inspired mind and ideas from experience.
Wout de Natris, De Natris Consult
Leiderdorp, 2 July 2011