This week bank customers in The Netherlands were shocked when they realised that online banking may not be as safe as they thought. Perhaps some were surprised to learn that what they think of as money is nothing but digits, something that does not exist physically. Their money only exists because we all act as if it exists and accept transactions between each other, aided by software run by the banks (or by whoever they have outsourced that function to). These good people found out the hard way that when a few digits change, in this case involuntarily, their money simply disappears (and some briefly became millionaires without being able to access the money).
The next day new malfunctions of banks' websites were reported. For the first time it was openly admitted that the websites of all our banks and of the payment intermediary iDeal were down due to a DDoS attack, which made the respective banks' websites unreachable for regular traffic. The attackers also tried to log in.
This resulted in headlines, tweets, blogs and opening news items, the one on the 8 o'clock news on the public channel ending with: "in the USA this happens nearly every day". In what follows I'd like to look at a few related comments, including a tweet by a politician, before coming to some questions. The main one is the one in the title: "Who's responsible for cyber security?"
If anything, the chaos or perceived chaos in banking transactions led to angry or confused people, famously short fuses and loads of media attention. The cyber security world has been waiting for years for a major cyber incident, one causing great damage, in the hope that governments and companies will start moving in the right direction. Some experts are even totally resigned to this way of thinking. This is not that incident. Sure, it shocked end users and led to some reactions from politicians, but in the end nobody seems to have lost money, and there are so many other issues calling out for attention.
In the past week high-level tax evasion by multinationals, top executives, politicians, etc., let's say the top of society, was prominent in the news. A column in NRC Handelsblad concluded that this problem requires decisions at world level. (If I'm cynical: look at the list at the start of this section and ask yourself the following question: who decides on worldwide solutions?) What also struck me is that this is exactly the conclusion arrived at when talking about Internet governance, international cooperation against cyber crime, spam and malware enforcement, etc., etc. In short, what I recently heard someone call "the glass ceiling of Internet governance". Most discussions stop here. Another variant of this discussion is: "we need to break down silos!" Okay, but who is "we"? Has anyone been made responsible for breaking down these silos or ceilings? What are the right questions to ask here? Questions that lead to answers that could take the discussion forward and actually change the outcome? A topic for the upcoming IGF in Bali, I'd say.
The near future
The comment on the 8 o'clock news cited above caught my attention most: "This happens nearly every day in the US". I read somewhere that on 267 out of 365 days there were problems accessing major banks' websites. Is this, in other words, something we should expect here too? Are there contingency plans? Do governments accept that payments can't be made on (parts of) 267 days in the year? The economic impact is gigantic. Does it then matter whether the attacks stem from criminals, free speech advocates, "fun hackers" or state-to-state activities? I'd say not.
How can banks ever guarantee the safety of our money?...
...is the question Dutch parliamentarian Kees Verhoeven (D66) asked on Twitter. (This is the tweet: "Heftig. De storing blijkt nu een #DDoS aanval! De vraag is hoe banken de veiligheid van ons geld kunnen blijven garanderen. #cybersecurity", which translates as: "Intense. The outage now turns out to be a #DDoS attack! The question is how banks can continue to guarantee the safety of our money. #cybersecurity".) I responded to him that this was totally the wrong question to ask. There is nothing banks can do against DDoS attacks beyond preventive measures. The attackers, the tools they use, the infected PCs and other devices involved, and the command and control servers hosted anywhere in the world are all far beyond the control of banks. As long as banks run state-of-the-art security measures (and even if they don't), they are victims, not attackers. Perhaps the banks need support from other entities on and around the Internet to solve this problem.
The tools used are infected PCs of end users, companies, governments, industry, etc., and other devices such as smartphones, smart TVs, up to a hacked chip in your cat's collar (and this is no joke). There are a million reasons why these devices are infected: irresponsible use by end users, flawed software, a lack of security by design in anything with an "i" in front of it, negative incentives to deal with botnet mitigation or notice-and-takedown requests, a lack of understanding in general, right up to a lack of government regulation, enforcement or incentives. Over all of these measures, or rather the lack of them, banks have no influence at all. They have influence over the quality of the products they buy themselves in the future and over their internal policy and security measures, and perhaps they could reach out more and take an active part in the Internet governance discussion, which I advise them to do, but it stops there.
So, taking all this in, can banks guarantee the safety of our money? Answer this question yourself, and keep asking yourself who is responsible for cyber security. A veritable plethora of parties is involved; where to start? What I have to conclude is that almost every single decision is to be made in the private sphere, in a competitive world. Where does that leave governments? Where does this leave decisions consciously made with the common good in mind?
So, who’s responsible?
I'm not going to answer this question here. Those who follow me here, on CircleID or in Virus Bulletin know my points of view. What I'd like to ask you is to think about this question for one minute and share your thoughts with me, here or in any other context. It may just get a discussion going.
Wout de Natris, De Natris Consult
Haarlem, 7 April 2013