It’s a sobering experience to read the Security and Defense Agenda’s (SDA) just-released report, Cybersecurity: The Vexed Question of Global Rules. The report, sponsored by McAfee, culls together interviews with 80 cyber-security experts in government, business, international organizations, and academia with a survey of 250 senior security practitioners, to get a handle on the cybersecurity challenges nations face today and the measures they must take to protect the Internet and its business, government, and other users tomorrow. The report also rates the cybersecurity preparedness of 21 countries, including the United States. The U.S. comes out very well, though behind Israel, Sweden, and Finland.
The conclusion is best summed up in this sentence, “For the moment, the “bad guys” have the upper hand … because the lack of international agreements allows them to operate swiftly and mostly with impunity.” And, the more you read the report, the more you conclude that “for the moment” really means for the foreseeable future.
Global cooperation and information sharing are the keys to managing this threat, according to the report, yet the parade of new technologies such as mobile devices and the cloud, competing interests, and lack of agreement on what that cooperation should look like are huge challenges that won’t be solved any time soon.
First, according to Patrick Pailloux, Director General of the French Network and Information Security Agency (ANSSI), individual users and much of corporate IT are essentially where doctors were before they started washing their hands and sterilizing equipment when it comes to cybersecurity.
Businesses are reluctant to share information for fear of harming customers and damaging their reputations and stock prices. Individuals are not willing to give up any aspect of Internet freedom. Nations have widely disparate perspectives and interests regarding cybersecurity: North American and European Countries aim to preserve privacy and freedom, while countries like Russia and China see that freedom as a threat to their regime stability. Most countries see cooperation as a potential threat to sovereignty. While regulations and accountability are a necessity, the anonymous nature of the Internet makes it almost impossible to prove who is really accountable for a cyberattack, and the need to encourage cooperation makes it a dicey proposition to punish any of the players if they’re perceived to break the rules.
The report also highlights a clash of interests among generations, with the younger generation feeling much less threatened by the loss of privacy than past generations. And finally, there’s a clash of expertise and comfort between tech-savvy users and IT and less tech-savvy politicians who make the laws and attempt to regulate cyberspace.
Protecting the SCADA systems that run critical infrastructure remains a tremendous challenge with very frightening implications. Even Israel, considered perhaps the most advanced country in terms of cybersecurity, confesses that its SCADA systems are still not protected and that “there is still a lot to do.” Many of those interviewed expressed the opinion that genuine cooperation will probably not happen until a cyber version of 911 occurs.
One gets the feeling that all aspects of this issue will require many more years of evolution. As a start the report recommends global trust building through information sharing bodies such as the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA). Perhaps another likely scenario for now is one similar to the shunning of money laundering safe havens by the larger global financial participants several years ago, which reduced the number of places where money could be hidden safely. The more cyber responsible nations may have to make life difficult for the nations perceived to be less responsible, a very risky proposition.
By Leon Erlanger