The internet is a truly global resource which is part of what makes it so accessible and useful. The web joins us all together as one global community, making the world smaller and allowing nations to connect in new and constructive ways. However these unique characteristics also present challenges, most obviously around security. Traditional, national notions of legal governance are ill-equipped to deal with the challenges posed by the internet’s amorphous and international nature.
In short, tackling cyber-security is a global challenge which requires close collaboration between organisations and governments. This might sound like a fairly simple measure, but the reality is far from straightforward.
For a start, there are discrepancies between the levels of cyber-security that countries are perceived to have in place. According to a recent report commissioned by McAfee, from Brussels-based think tank Security & Defence Agenda, the UK is seen as lagging behind countries including Israel, Sweden and Finland in its preparation despite dedicating a $650m pot to cyber-security from its four-year budget. These differences can make it hard for government officials to trust one another as there are concerns around exposing public infrastructure and informational assets to potential threats. However, with just under half of respondents recognising cyber-security to be as important as border security, it is crucial to build up international relationships between governments.
While politicians work on addressing their differences and building common goals, there are some initial steps that can be taken to start developing a joint response to cyber-crime. If these can be met, the international community should be able to achieve the delicate balance of working as one, while maintaining their own public services on which citizens depend every day.
The use of cross-border services has significantly increased as a result of new technologies like cloud computing, and consequently the online world has become increasingly integrated. From a public services perspective, and specifically considering the UK’s ‘digital by default’ strategy, that means it is now more important than ever for the government to have faith in these systems. Wherever they are located, systems must be safe as well as functional as it is likely that the information they hold is sensitive and confidential. Moreover, it’s not just civil servants who need to have faith in information security. The success of upcoming government initiatives such as Universal Credit rely heavily on public trust in online services, and the belief that any data entered online is properly protected.
The information flow within governments, between governments and between governments and private sector partners mean that there are a number of touch points where data is at risk. With no single international body holding a cyber-security mandate; national and regional organisations need to improve their cooperation and information sharing. This is difficult due to the lack of trust between one government and another but is key to guaranteeing internet security.
With no chain stronger than its weakest link and information often following freely across borders, countries with an absence of cyber-focused legislation can provide a haven for criminals. At a macro level, the best way to help with this is to improve the economic situation as internet crime is closely linked to unemployment rates. At a micro level however, financial incentives can go a long way to improving practices within individual government offices. In the UK specifically, the pressure on project leaders to meet deadlines on time and in budget is a real focus and providing budget for doing things right, can be the way to ensuring no corners are cut.
Another incentive is the threat of penalties when an organisation falls short of expected standards. Debate is ongoing as to whether sanctions are appropriate for parties on the receiving end of successful cyber attacks. And who should bear the brunt of such penalties? A vulnerability in a particular piece of code would seem to be the software producer’s responsibility, were it not for the fact that producers absolve themselves of liability with contractual small print. The chain of responsibility is complex, and as a result it is unrealistic to pinpoint just one party as having ultimate liability.
Give power to global law enforcement
With network and content now separated by international borders, the laws governing copyright and territorial security are no longer straightforward. Google, for instance, hosts one third of its cloud services in Canada.
With this in mind, international collaboration on law enforcement is crucial with cyber-space now seen by many as the fifth dimension of warfare. Rulings need to be accepted across all countries in order to find a compromise between security and freedom, and the UK in particular has dedicated significant resource to this within its four-year budget.
The Cyber Defence Report acknowledges that cyber-crime is growing, and sets out three reasons for this trend: it’s profitable, low-risk and anonymous. There are no national boundaries in cyber-space, which presents difficulties around enforcing traditional legal powers. The cyber-criminal community on the other hand is supremely agile, has substantial funding streams and no barriers to information sharing. The contrast with national governments could barely be more stark, and yet these are the terms of combat.
There are a number of treaties and agreements already in place to guard against cyber-crime, the most promising of which is the Interpol framework, used to deal with cybercrime in countries which do not have a current legal ruling.
Develop international standards
Establishing best practices is a first step in ensuring that cyber-security is practical, low-cost and can be quickly implemented. It involves a holistic approach that accounts for legal, regulatory and technical considerations as well as providing an ethical code of conduct. An Integrated Supply Network to complement this should also ensure that similar procurement practices are followed around the world. Some standards are already in development however none have global support at this point. Those from ENISA, for example, only account for the 27 European member states.
But regulation alone is not a complete solution. Laws take a long time to draft, agree and implement, and fixed legislation can quickly become ineffective against cyber-threats which are in a constant state of flux. Most commentators agree that involving the private sector at an early stage in discussions around new legislation will help to counteract this problem. Guidance from businesses can help to prevent legislation being drafted with a short shelf-life, by informing legislators who may otherwise be too distant from industry to fully understand its challenges and concerns around cyber-security.
Secrecy concerns hamper the growth of trust between countries and can limit the success of conferences like the London Conference on Cyber-space. Fostering trust is the only way to develop agreements and standards internationally, otherwise the “good guys” are playing chess without half the pieces. One of the main reasons why cyber-criminals can prosper is their ability to share information quickly and without any regulation. This makes choreographing well-orchestrated attacks much more achievable.
One way to address distrust between governments is through the use of independent bodies like the Malaysia-based NGO, Impact. These types of organisations can give governments the confidence to share sensitive information, therefore alleviating concerns that any insight could be used to attack public services.
Certain industries have recognised that they are at heightened risk from cyber-attacks, and this realisation has acted as a catalyst for cooperation. The Night Dragon attacks launched in late 2009 targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive, with multibillion dollar deals at stake in what is an extremely competitive industry.
The oil and gas industries reacted by creating a global communication chain which became an industry group mirroring that set up by the US financial services industry – the Financial Services Information Sharing and Analysis Centre (FS-ISAC). These are both positive examples of competitors in an industry realising the need to share information in order to combat a bigger threat.
The internet was initially built on the basis of trust, but now with billions of pounds at stake and new global threats to infrastructure, that notion seems entirely outdated. Conversely the response to global cyber-crime now depends on such trust between national governments, and also private sector firms – which inevitably means working side-by-side with competitors.
Cyber-security also depends on the behaviour of government workers and public alike as hackers exploit social vulnerabilities. As a result, education is crucial as technology users need to understand how to behave responsibly. If nothing else, recent advancements in technology have permanently changed younger people’s conception of privacy; something that many policy makers are yet to fully comprehend.
Education should begin in schools, within school curricula, and be continued by companies teaching their employees. We are after all, in a new digital era and with government services increasingly moving online, it is more critical than ever that the right processes are put in place to ensure public sector security long term.