Yesterday, in my post on three new threats in one day (click here), I raised the question of whether regulation is needed to set a minimum standard of cyber security for devices that connect to the Internet. I am having second thoughts, which I explain below, but I also try to sketch a way forward and ask you to engage.
IGF 2012, Workshop 87
In this workshop on international cooperation and critical (Internet) infrastructure the debate also turned to standards. There was a very clear call not to regulate security standards, for two reasons. The first is that a minimum standard becomes the level everyone settles for, whereas at present the industry tries to better itself each and every day.
“If you have a treaty or regulation that sets a bar, typically what businesses will do is think: as long as I hit that regulation, I’m fine. Whereas right now, you have people constantly striving to be better and have higher and higher bars…”.
Everyone on the panel, despite their very different backgrounds, seemed to agree with this quote.
This may be true for companies like Google and SIDN, for anti-virus vendors, for CERTs, etc. On the other hand, it is quite clear that for companies more on the fringes of the Internet, cyber security does not seem to be a priority, at least where the product delivered to the end user is concerned. Whether this has a financial background, stems from ignorance, or from naiveté towards the Internet, I do not know. Probably a combination. It does not really matter; what matters is that this behaviour has to change. How to go about this?
First I look at an example of minimum regulation and its effect on the Dutch National Railways (NS), which made me doubt regulation.
Minimum standards. A good thing?
The inspiration for this post I found last night while reading NRC Handelsblad. The Dutch Safety Board (Onderzoeksraad voor Veiligheid) released a report on a train accident that caused 1 death, 24 severe injuries and 165 injuries in total. The story is telling on two accounts which, I think, map directly onto Internet security, as you will see.
Before giving the facts of this story I have to explain the following. Since the liberalisation of the railways the national company has been split into several companies, including transport (NS) and rail infrastructure (ProRail). This complicates the story a little, but let’s pretend it is still one company, as that does not change the insight I have gained. Note also that the Dutch word “veiligheid” covers both safety and security, which is why a railway safety report translates so readily to a security discussion. The report delivers the following facts on the NS:
– new trains meet only the bare minimum of technical standards;
– the fittings inside the train were not checked for safety;
– seats are made to be cleaned easily but are dangerous for passengers;
– tables are too thin and caused the death and the serious injuries;
– the safety system is still largely based on 1950s technology;
– during construction work the network is over-used;
– around 150 times a year a red signal is passed, in many cases with no automatic emergency brake in place.
In short, the NS has cut the budget for securing its network properly for years, backed, I suppose, by budgets set at government level. Perhaps the discussion of whether one major accident a year is acceptable is at work here. The other set of examples concerns the interior of the trains: cleanliness over safety, fittings that may not have been tested properly, endangering the passengers/customers. The NS has not fulfilled its duty of care towards its customers, one conclusion reads.
The main question, however, is whether the NS would have performed better without regulation, without a minimum standard for technical safety. At present it seems to stick to the minimum requirements, with the present results for the safety of passengers inside the carriages. That looks like a point for Google in this discussion.
Let’s go back to the Internet world.
How to engage industry?
More and more devices will connect to the Internet over the next few years: “the Internet of Things”. From coffee machines to refrigerators, TVs, air conditioners, perhaps even the dog’s leash. Who knows? Every single device will need built-in security, protecting the end user from harm. Let me give some examples of threats I can think of here.
Expensive TV programmes ordered through a hack, at high cost to the unsuspecting end user? Fridges that order new stock to other addresses? Garage doors opened through a hack? Cars that could do …? Game consoles that spy on the use of other devices in the home? I am only extrapolating here from past examples: SMS scams, autodialers, spying webcams, etc.
I often suspect that the technical ability to do something leads to implementation, while cyber security is only thought of afterwards. Money was saved, processes automated, remote access granted, etc., leading to high costs to mend things later. We are on this road again, towards the Internet of Things. How can we avoid making the same mistakes? How can high-tech device and appliance companies be engaged in discussions on security before the product is unleashed on a totally unaware public?
What about engaging these companies through an organisation like MAAWG? Awareness raising, training, the exchange of useful knowledge that is already available in the Internet industry to prevent further harm? Determining the current best practices together and implementing them? It sounds like a plan. But who will make themselves available to do the outreach, the invitations, the programme building? Still, these are steps that need to be taken to secure the Internet of the future.
Would it be an idea to impose a duty of care towards the customer for (all) Internet-related products? Not a regulation of minimum standards, but a duty to deliver secure products at ever-improving, competitive standards? And who regulates negligent companies: consumer authorities, judges?
What is the way forward?
This is just an idea. There may be other ways. What are your ideas? Let’s try to put them together and discuss them. Something needs to happen soon, and where cyber security is concerned every day lost is a day wasted. I am looking forward to hearing your ideas.
Wout de Natris, De Natris Consult
13 December 2012, Leiderdorp