Testing, testing, testing for a more secure (internet) world

If there’s one analogy between the Covid-19 crisis and cyber security, it is the lack of testing in many places across the globe. In both cases, to truly know how safe and secure we are, testing needs to be stepped up considerably. As this is a blog about cyber security, let’s put our focus there.

Over the past days and weeks more and more organisations have switched to digital products and services to sustain working from home, to keep productivity up and to stay connected. Our dependency on the internet has become even larger, with perhaps one large difference: more people are now actively aware of that dependency, rather than taking it for granted without thinking about it. Let’s not forget that by far most people have slipped into the digital age without comprehending the implications, let alone how it works. With this newly found realisation, this is the time to act where cyber security improvements are concerned. First let me give a few examples of how we slipped into the digital age.

How we moved to the internet
Over the past years we have all started to use products and services we do not truly understand, nor do we have an overview of the implications that come with using them. This goes for apps that transgress every basic rule of privacy without any hindrance, but also for government organisations using cloud services in the U.S. We use Google, Facebook, Whatsapp, etc. multiple times daily without being aware that we are the product, “the user”, of these companies. Energy companies connect a nuclear reactor to the internet, because running maintenance from home when necessary is so easy. Or a machine in a factory is directly connected to the manufacturer for maintenance without built-in security. And what about all those connected devices entering our homes without basic security installed? Etc., etc., etc. All were decisions with large implications, usually made without security in mind: not offered, not asked for, not (fully) understood. Let’s make it more tangible.

Secure/insecure?
On Wednesday 31 March Boris Johnson, U.K. prime minister, posted a photo online showing his cabinet’s video conference, giving away a load of data about his workplace, his gear and even his unique username for the Zoom application the U.K. cabinet used for the conference. Twitter sort of exploded because of it, and yes, the lack of understanding in the PM’s office is extremely disconcerting, but part of the Twitter explosion focused on the program used. Zoom is an application that is used all over the world for video conferencing, one of many. What was pointed out yesterday, at a time when almost every organisation depends on video conferencing, is that Zoom is not as secure as it advertises. Many people pointed out that Zoom blatantly lies about the level of security it offers.

And here is where I come to my point that we need to test, test, test. An important question ought to be: why did some people only bother to test the service now and not last year or the year before? Can you tell me whether any of the other services are better? I can’t.

Responsibility for a secure internet
The world fully depends on ICT products and services, something that today is clearer than ever. It also means that these products and services need to become more secure. 100% security is something no one can offer. Avoidable mistakes, though, should no longer be acceptable when a product or service enters the marketplace. Not in a product connecting to the internet, not in software and not in online services and hosting. If the current crisis shows us anything, it is the responsibility the internet market has where the world’s security is concerned.

Making the internet more secure
This can easily be improved if, during the production phase, testing becomes a prerequisite. For everything already on the market, it is quite clear that the status quo is that a company awaits an alert or a breach before taking action to amend the flaw in its product, if even then. To become safer, there are three ways forward:

1) New products are made by new rules assuring a higher level of quality and security;
2) Testing;
3) Attribution.

White hat testing
I would like to focus on the last two. Mark Goodman proposed in his book ‘Future Crimes’ to create a worldwide pool of white hat hackers who test products and alert a company or a central agency to discovered flaws, which are then repaired and updated. One thing is certain: the “bad guys” test products 24/7 in search of flaws and use them for their own nefarious purposes. So why don’t the “good guys” do this in an organised way? Yes, this is a challenge to organise, but the white hat hackers already exist. So why not pool them and make use of their energy? Finding flaws before the bad guys do saves everybody money, time, losses, hurt, bankruptcy, etc. Yes, it is a burden on the manufacturers, but then they are the source of the flaws. Not the consumers. In fact not even the “bad guys” are the source; they are just using what is on offer in a bad way.

A related example is the city of The Hague, which organises a yearly hacking contest against its own systems. Something more companies and organisations should do.

Consumer organisation testing
A second way of testing is through consumer organisations. From now on, products and services with online components need to be tested on their cyber security aspects. Are certain internet standards deployed? Are passwords in place? Are patches guaranteed? Is data protected? Etc., etc. This way pressure is applied to manufacturers and service providers to up their game, and consumers can compare products. The test of webshop websites in The Netherlands and of privacy adherence in an app in Belgium are good examples of this.

Attribution of breaches
When hacks or other digital breaches occur, one way forward is to collectively learn from the cause(s), for example by making it known that the breach was caused by a lack of security in product X or service Y. This puts pressure on manufacturers who currently produce sub-optimal or even less safe products. No manufacturer wants its product associated with negative news, so most likely all will progress because of it.

A milder form is to mention the cause without the name, but with explicit mention of costs and losses, in combination with suggested questions consumers can ask their vendors or demands they can make for a more secure product. This creates awareness on the customer side and puts pressure on the manufacturer.

Is this bad for innovation? All other products in the world show that rules or regulations do not stop progress. So why would the internet be different?

Security investments come with costs
More than ever before the world has become dependent on the internet. It is time that the internet business takes responsibility for this dependency. This comes at a cost. Yes, there is another side to this debate: it has to become normal to pay for internet security. It is only fair that money is made on the investment industry has to make to provide cyber security.

Conclusion: start testing!
Just as at this point in the Covid-19 crisis a lot of people do not know whether they have contracted the disease and recovered, because they have not been tested, many internet services and products can get onto the market, even with false claims, without testing. It is time for change. Societies have to start testing.

In a recent report published on the website of the Internet Governance Forum I have identified 25 pressure points in society that can aid in making the internet more secure. If you are interested in learning more, you can download it here:

https://www.intgovforum.org/multilingual/index.php?q=filedepot_download/9615/2023

About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blog’s name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions.
This entry was posted in Cyber awareness, Cyber crime, Cyber security, Internet standards.