2013-02-04
Abstract
The topic of cybersecurity and international cooperation usually involves difficult discussions about cross border jurisdiction issues, the need for cooperation between very different actors, and privacy. Wout de Natris considers the issues and asks: are there first-mover advantages when it comes to cooperation in cybersecurity? Can a collective action make a difference, and if so what could the first actions be?
Copyright © 2013 Virus Bulletin
Several news items that appeared in the first two weeks of December 2012 prompted me to start thinking in more depth about cybersecurity and international cooperation. This topic usually involves difficult discussions about cross border jurisdiction issues, the need for cooperation between very different actors, and privacy. The term ‘public-private cooperation’ is often used, swiftly followed by ‘we have to break down barriers’. If barriers need to be broken down, we should be asking: by whom, and what for? It may not be as easy to move forward as it seems. There may be conflicting interests among key players. Organizations may not be (fully) equipped to work outside of their primary remit. These issues are well known and I will not go into them, but what I do want to ask is: are there first-mover advantages when it comes to cooperation in cybersecurity? Can a collective action make a difference, and if so what could the first actions be? I will also discuss the concept of the Internet as a modern version of 'the commons'.
Over the course of a single day in December I read three news articles on the subject of cybersecurity. The first reported the news that Internet-connected smart TVs had been hacked for the first time (the first TV botnet is predicted to appear in 2013). The second story was about false QR codes in the public domain that led to malicious websites. The third was about Bluetooth-enabled skimming devices that were being used at gas stations in the US [1], [2]. In a matter of days, this was followed by news of built-in software that allowed for the skimming of card payment devices in stores, and news of a new Android botnet using the lure of free games to spread.
In a matter of days, there had been five new developments demonstrating the resourcefulness of criminals in taking advantage of flaws in network and standard security. This was on top of the near daily news about incidents that suggest that lessons are not being learned by those responsible for the security of networks, SCADA systems, new products that go online, etc.
When the Internet of things really starts happening, all sorts of devices will be connected to the Internet: refrigerators, coffee machines, car ports and who knows what else – maybe even the collars of our pet cats and dogs. Game consoles, TVs, air conditioners, printers, etc. are already connected to the Internet. Just imagine the possibilities for doing harm, from simple fraud to more malicious attacks. Are the industries that manufacture these appliances prepared for the security issues surrounding Internet connectivity?
The evidence so far seems to suggest not. The list of products that have been introduced to the market without basic protection against malicious activities is long. What is more concerning is that there does not seem to have been any progress in the form of lessons learned. The same mistakes are made over and over again, as demonstrated by the recent case of smart TVs being sold to consumers without basic protection. Meanwhile, in the mobile phone world, lessons learned the hard way by fixed line and ISP colleagues were not heeded at the switch from mobile operator to mobile ISP.
If more appliances are to come online in the (near) future, there is one link in the Internet chain that should be hoping for well secured appliances: the Internet Service Provider. Why?
Recently, a representative of an Australian ISP walked out of official talks on anti-piracy, crying in outrage: ‘We are not the Internet police!’ [3]. This is just one example of the discussions ISPs get involved in. The ISP is seen more and more as a gatekeeper of the Internet: customers pay the ISP and receive Internet access in exchange. This puts the ISP in an awkward position as the only spot on the Internet where any end-user can easily be monitored and protected. Only, this is not the primary purpose of the ISP – like all businesses, its goal is to make a profit.
Governments increasingly turn to ISPs in their quest for greater security. For the ISPs, it is only the protection of their respective end-users (e.g. by filtering spam and malware or offering anti-virus products, etc.) that makes sense from the point of view of their business strategy. All other activities are costly, and as more and more duties are requested or made legal requirements by governments (e.g. botnet mitigation, monitoring, data retention, duty of care, reporting of incidents, etc.), ISPs may record a loss of profit. This puts them in a position in which they may want to influence certain discussions on Internet governance or reach out to certain parties in order to influence current developments. ISPs are not alone in this position of unused influence.
We can see from the daily news that organizations are under constant digital attack: DDoS attacks, extortion, hacks, website infections, theft of vital business and customer data, industrial espionage, etc.
As far as I can ascertain, cybersecurity discussions among large organizations are mainly aimed at improving internal security. Organizations may work together as part of a financial or energy ISAC (Information Sharing and Analysis Centre), e.g. through a common early warning system and lessons-learned programme, but the focus for action is aimed at the individual companies. Of course such steps need to be taken, but are these the only ones possible for them to take in order to become part of a safer environment?
All companies, whether large or small, have a vested interest in a safer, more secure Internet. Yet, I do not see much evidence of participation by industry in vital talks surrounding the Internet and its security. What would the influence of large companies and institutions be, if they were to discuss and demand security on and around the Internet from their suppliers and others? What could the influence of ISPs be if they joined the discussion?
The Internet and the industry around it are extremely diverse. Making matters more complex is the fact that interests are also diverse, and even conflicting if we discuss Internet security in a general sense. (I’m not talking politics here, just economics.) For all commercial participants maximizing profits is key, but the maximization efforts of one party may infringe on the maximization of profits for another. For example, a company registering as many domain names as possible may infringe on the maximization of profit for an ISP, while, for example, partaking in measures to introduce a higher level of vetting prior to registration of a domain name does the same for the registrar (especially if he is the only one amongst his competitors to do so). To be a first mover is not an advantage in any of these cases, as it may impact business negatively. In some cases there may even be perverse incentives not to act, as money can be made as a by-product of cybercrime – for example, autodialling, SMS text fraud, direct messaging, registration of domain names for malicious intent and hosting the servers of spammers all bring in revenues. In each case, a switch to an alternative provider can easily be made. A company that strives to be scrupulous not only has no first-mover advantage, but may lose business.
On the regulatory side, the situation is not much different. A study conducted by my consultancy [4] showed that it is hard for an organization to act beyond its primary task. Establishing national and international cooperation is not a primary task for enforcement agencies, CERTs, national centres on online threats, etc., and in times of budget restraint intensive cooperation is one of the first items to be dropped. It may also be abandoned if efforts at better cooperation are tangled in legal red tape, privacy issues, or if there is insufficient knowledge or will on the other side. Here too, first movers go unrewarded.
Collective action theory is about an individual making choices about whether to join a common cause. When does he participate, why, and are there rational reasons for not participating? When is it better to let someone else do something? Or no one? [5]. Go to almost any international meeting about Internet governance and you will hear ‘We have to break down barriers!’ But it is more interesting to ask: who is to break down barriers? Which barriers? What for? What should the outcome be? Where should we start? Do ‘we’ make anyone responsible for doing so?
Talking about an issue is the first step, but as I’ve tried to show above, there are conflicting interests between the potential participants, and no incentives or profits to reap for those that are willing to make the first move.
However, there are several examples in the Internet world where collective action has been taken. Organizations like ICANN, the Regional Internet Registries, IETF, IGF, M3AAWG, FIRST, etc., bring people together to discuss and work on specific topics. Some may participate because their bosses tell them to, others because they believe in the cause, others perhaps only because of the funded trips to appealing locations, but experience shows that there are people willing to put in extra work on committees that prepare discussions, guidelines, standards and (self-)regulations from which we all benefit.
There are also examples where organizations try to break down barriers through projects. For example, ENISA brings together police law enforcement agencies and CERTs on a regular basis to discuss (the challenges of) cooperation, with the specific aim of breaking down barriers. What role could the new European Cyber Crime Centre (EC3) play in the future? How is the Dutch National Cyber Security Centre doing having been in place for a year? What is the experience of MELANI in Switzerland, FICORA in Finland and Botfrei in Germany?
It’s no longer just about work within one’s own community. In the end, everyone profits from a safer Internet, as this leads to more trust and thus more development, innovations and business for all involved.
The analogy I would like to make is with ‘the commons’: the pieces of land for common use in the form of free grazing and foraging for wood, etc. in the Middle Ages, or the sea where fishing is concerned. No one owns the land, so no one feels responsible. The Internet seems like a modern form of the commons. (This concept is not new, although I have not found references to the link with cybersecurity.) Although the consumer has to pay an entrance fee, after that he is in a limitless virtual environment, seemingly owned by no one, and no one on the consumers’ side feels responsible. Just as over-grazing led to the end of the commons, abuse of the Internet will be the end of the Internet as we know it. Could a commonly felt responsibility for the Internet change the attitude of players on and around it?
I am aware that the word ‘regulation’ causes many Internet veterans to stand up and protest strongly. Still I want to debate it here. It is important to focus on what can be done to maintain the Internet as we know it, while at the same time making it safer and more robust.
If we look at the commons analogy, Shepsle and Bonchek [5] quote from Elinor Ostrom’s book Governing the Commons. Overuse of the commons led either to a barren state that was of no use to anyone, or to a collective action in the form of self-regulation and severe self-restraint with (applied) sanctions and oversight. Times have changed since the commons of old, but Ostrom’s studies may be an inspiration for discussions. In other, more modern examples, Shepsle and Bonchek look into how a government became involved and set up regulation. In the case of overfishing this led to the involvement of the United Nations [5]. So what could the Internet world do, and how could governments be involved?
If regulating the Internet is not deemed acceptable, then self-regulation must be undertaken, even when there are conflicting interests. An example of a potential success story is the botnet mitigation centres or national centres on online threats. If all parties involved are willing to participate and act upon the warnings issued by these centres, self-regulation could become the accepted norm.
As long as the national (botnet) centre involved is neutral and issues warnings one-on-one, the centre is a trustworthy party for all concerned. It accepts, analyses and shares data in a neutral and non-discriminatory way among partners and non-partners alike. By taking action, participants close down the windows of opportunity that are available to attackers.
Within these centres, industry and law enforcement can cooperate as well. Data available through the centres may help to track cybercriminals and achieve convictions.
For those that fail to cooperate or fail to act upon warnings from the national centres, regulatory steps may be necessary. But how about assisting self-regulation without stifling progress?
Even if the Internet industry, CERTs and enforcement agencies can break down the barriers between them through cooperation in national centres, this does not take care of the industries that manufacture products around the Internet. Software companies, appliance manufacturers, the gaming industry, banks, app stores, new digital payment systems, etc., must all be involved in the discussion about a safer Internet. Industry still delivers insecure products and companies buy insecure or insufficiently secured products, while at the same time being under attack from criminals, hackers, spammers, etc. – perhaps even through their own insecure products. This costs them large amounts of money. Could this not fuel the argument to get such companies involved in discussions surrounding a safer Internet? This will take time and patience, of course.
If governments do not wish to wait for this to happen, what could be an effective measure? Taking into account the fact that the Internet industry does not want regulation, it is necessary to look at more general measures. Specific regulation stifles all initiative, as one panellist at NLIGF’s workshop at the last Internet Governance Forum stated: ‘If you have a treaty or regulation that sets a bar, typically what businesses will do is to think “as long as I hit that regulation, I’m fine”. Whereas, right now, you have people constantly striving to be better and have higher and higher bars.’ [6].
At present, there is a continuous drive by companies like Google, Microsoft, anti-virus and commercial security vendors, etc. to come up with better security measures. However, this is not the case in a general sense. New products are insecure almost as a standard. I would like to see a general duty of care regulation imposed: a best practice regime in combination with the obligation to respond to incidents as well as notify a national agency (e.g. the Govcert) about them. In this way, the manufacturer learns from the incident and improves the practice, which becomes the new standard. Cybersecurity is a national priority these days, so why not impose a regulation that allows for best practices to be developed, employed and bettered within the Internet(-related) industry? Do you want to connect your product? Be sure to be secure! This way the prime initiative lies with industry, not the government, which can hold back, with a regulatory stick at hand when all else fails. The same should go for governmental and industry functions for the public good, like the security of SCADA systems, websites, databases and privacy protection, etc.
If we add to this the notion that certain functions on and around the Internet are public, or at least very much in the public interest, but in private hands, the concept of responsible action, even in a highly competitive market, should not come as a surprise to those involved. Some measure of self-restraint may be called upon by society in a quest for a higher level of safety and security. And if this costs money, then we should all pay for the heightened security.
It seems that actions like these could be a middle ground for (preferably) self-regulation in favour of a more secure and free-flowing Internet that allows free speech, innovation and economic growth. A duty of care for Internet safety and security puts a non-discriminatory responsibility on all involved: those that provide access, host, distribute IP resources, manufacture software and hardware, deliver services on the Internet, connect to the Internet, etc. It could bring the Internet(-related) world, larger corporations and the public sector to the negotiating table, as they are invited to look at cybersecurity as a common challenge.
It will be of interest to see whether there is a vanguard of interested parties that are willing to lead in these discussions. People who are leaders in their respective communities and can take issues, discussions and actions back to their communities to discuss them further and assist in getting them implemented. Our world is changing quickly, and there are some in the Internet security community who are afraid that they will never catch up if cooperation and data sharing do not take place soon, and quickly [6]. The Internet is a great gift to society, industry and consumers alike. It is time to find a way to protect it, without losing its finer qualities.
In this article I have touched upon issues that at present prevent the very different entities involved in establishing a safer Internet from ‘breaking down barriers’. Undoubtedly there is enough here to fill an academic study or two. By looking at the Internet as the modern commons, we can see that collective action is vital to protect it from abuse and crime. Industry needs to step beyond the inner security debate and start to reach out to and influence other players. It can, for example, play a role by setting up rules for itself and self-regulating through active and responsive participation in national initiatives. For industry as a whole, there are enough incentives to participate in activities that make the Internet more secure, but it is necessary to approach the topic from more than one angle. The same goes for governments, institutions and (privatized) public functions.
Governments can play the role of last resort should self-regulation fail, and can coax industry, should it be necessary, to use more self-restraint or self-regulation. A general duty of care regulation imposed upon industry, government and public functions alike could do a lot to establish a level playing field which would create an environment in which there are first-mover advantages.
Inspiration on collective action theory was provided by Joes de Natris.
[1] De Natris, W. One day, three new threats noted. International cooperation on cyber crime. The bridgebuilder’s blog. http://woutdenatris.wordpress.com/2012/12/12/one-day-three-new-threats-noted/.
[2] De Natris, W. Cyber security. A duty to care? International cooperation on cyber crime. The bridgebuilder’s blog. http://woutdenatris.wordpress.com/2012/12/13/cyber-security-a-duty-to-care/.
[3] ISP Walks Out of Piracy Talks: “We’re Not The Internet Police”. Torrent Freak. http://torrentfreak.com/isp-walks-out-of-piracy-talks-were-not-the-internet-police-121217/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Torrentfreak+%28Torrentfreak%29.
[4] De Natris Consult report on (inter)national cooperation. http://woutdenatris.wordpress.com/2012/09/17/581/.
[5] Shepsle, K.A.; Bonchek, M.S. Analyzing Politics: Rationality, Behavior, and Institutions. W.W. Norton (1997).
[6] Internet Governance Forum (IGF). IGF Baku transcripts (Workshop 87). http://www.intgovforum.org/cms/2012-igfbaku/transcripts.