Did you know that August 2003 was reportedly the worst month in history for virus attacks? With the “Win32.Blaster” worm rapidly spreading worldwide and several other disruptive worms following in quick succession, the total damage has been estimated by one source at some US$2 billion (see references). At the same time, the number of reported security incidents is constantly rising: the CERT Coordination Center at the Carnegie Mellon Software Engineering Institute reports 114,855 incidents for the first three quarters of 2003 alone, compared with 82,094 for the whole of 2002.
The message is straightforward: insecurity is expensive. Security risks hamper economic potential and severely affect day-to-day activity in companies and institutions. The more economies become reliant on technology, the more they become vulnerable.
How did we get here? One main reason is that the nature of our electronic environment has changed. Since the early 1990s information technology has evolved from modest use of mainly stand-alone systems in closed networks – basically, office computers and home game machines – to the development of the Internet and other networks connecting businesses, governments, consumers and any “wired” individual or organisation. And beyond computer networks connecting end-users, important business sectors, from energy and transport to international banking, use intelligent networks. Access devices have multiplied and diversified to include a variety of portable and wireless devices. The Internet increasingly plays a major part in shaping the way the world works. The trouble is, the pervasiveness of information technology and related networks has raised new and quite complex security challenges for society.
There is no question that wide access to information systems has the potential to greatly assist economic and social development, not just through e-commerce, but through other innovations, like e-medicine and e-learning. However, this same interconnected openness demands new practices to ensure proper functioning and resistance to internal and external threats and vulnerabilities. And security is critical to local, national and global communications, to essential infrastructures such as power generation and distribution, financial markets or transportation, and to economic welfare.
There is no easy or perfect solution, no “silver bullet” to eliminate the security risks. Threats and vulnerabilities are constantly evolving. Moreover, a network is as weak as its weakest point: if one component is compromised, whether deliberately or by accident, everyone connected to the network is potentially exposed. This is an occupational hazard of interdependency.
What can be done? An obvious answer is to invest in more technology. And indeed, such investments have been in constant growth in recent years. As regards investments by business users, respondents to the Deloitte Touche Tohmatsu 2003 Global Security Survey said they were spending on average about 6% of their total IT budgets on security.
Perhaps we are getting used to such sums. After all, in the now almost forgotten Y2K episode, an estimated US$200 billion was spent worldwide to prevent computer date-reading problems from occurring in 2000. But business investment is not the only cost: spending on designing security technology is rising too. And virus attacks have not diminished, suggesting that a technology-only route would be a long battle and so can only be part of the answer. What is needed is nothing less than a general cultural change in the way society perceives information technology security. Nor is this being too ambitious. Just as in air travel, where people now accept that mobile phones must be switched off before takeoff and landing, a public attitude that understands risks and, as importantly, responsibilities can and must be cultivated. Such a change is the best possible way to reach real user trust in the online environment.
To help initiate such a sea change, in 2002 the OECD developed new Guidelines for the Security of Information Systems and Networks. Building on the 1992 OECD Security Guidelines, the revised version responds to the ever-changing security environment and calls for a “culture of security”. Since their adoption in July 2002, the OECD Guidelines have served as the basis for a United Nations General Assembly resolution for the “Creation of a Global Culture of Cyber Security” in December 2002 and for the European Council “Resolution on a European Approach towards a Culture of Network and Information Security” (February 2003), and have been recognised by the Asia Pacific Economic Co-operation (APEC) forum. Apart from raising awareness about the risk to information systems and networks, the new guidelines offer advice on the policies, practices, measures and procedures available to address those risks, while addressing the need for their adoption and implementation. In short, the aim is to foster greater confidence among all participants in information systems and networks and in the way in which they are delivered and used.
However, there is much work to be done before a culture of security well and truly takes hold. A survey conducted by IDC/Bull in 2002 with the IT Divisions of 250 European companies showed that security was not yet a strategic consideration for two out of three companies. A more recent survey from September 2003 conducted by Watchfire and IBM Global Services shows that 66% of companies surveyed used at least one web form that collected sensitive personal information without any protective encryption.
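The Watchfire/IBM finding above, a web form collecting sensitive personal information without encryption, is the kind of condition that can be checked mechanically. The following is an added example, not code from the article or from either survey: it parses a page's HTML with the Python standard library, finds forms that contain a sensitive-looking field (approximated by a heuristic list of field names and the `password` input type, both assumptions) and reports those whose resolved submission URL is not `https`. The survey's own test method is not described on this page; the sample HTML and the `example.test` addresses are constructed for the demonstration.

```python
"""Flag HTML forms that collect sensitive fields but submit over plain HTTP.

Added example, not part of the OECD article. Approximates "sensitive form
without protective encryption" as: a form with a sensitive-looking field whose
action URL, resolved against the page URL, does not use the https scheme.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic substrings that suggest sensitive personal data (an assumption;
# extend to taste for a real scan).
SENSITIVE_HINTS = ("password", "passwd", "card", "ccnum", "cvv", "ssn",
                   "social", "account", "dob", "birth")


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = (a.get("name") or "").lower()
            typ = (a.get("type") or "text").lower()
            self._current["fields"].append((name, typ))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(name, typ):
    """Password inputs, or any field whose name matches a heuristic hint."""
    return typ == "password" or any(h in name for h in SENSITIVE_HINTS)


def find_unencrypted_sensitive_forms(html, page_url):
    """Return [(resolved_action_url, [sensitive field names])] for each form
    that collects a sensitive field but would submit it over a non-https URL.

    A missing or relative action is resolved against page_url, since a form
    with no action posts back to the page it was served from.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        sensitive = [n for n, t in form["fields"] if is_sensitive(n, t)]
        if not sensitive:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append((target, sensitive))
    return findings


# Constructed sample page (not a real site): a login form posting over plain
# HTTP, a payment form posting over HTTPS, and a harmless search form.
SAMPLE_HTML = """
<html><body>
<form action="http://www.example.test/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
<form action="https://secure.example.test/pay" method="post">
  <input name="cardnumber"><input name="cvv">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, fields in find_unencrypted_sensitive_forms(SAMPLE_HTML, "http://www.example.test/"):
        print(f"unencrypted sensitive form -> {url}: {', '.join(fields)}")
```

Run against the constructed page, only the login form is reported: the payment form collects card data but submits over HTTPS, and the search form collects nothing sensitive. A real scan would also need to consider forms built by scripts after page load and whether the page itself was served over HTTPS, neither of which a static parse can see.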
Still, try we must. Already, in January 2003, OECD countries agreed on an implementation plan for co-ordinated national online security policies and a survey of progress is now under way. Then in October 2003, at a global forum on information security and networks hosted by the Norwegian government in Oslo, governments and civil society participants explained how they are implementing the online security guidelines and educating their citizens, customers and the general public about best practice online, including campaigns aimed at parents and children. These are not talk shops, but a vital way of identifying problems and developing the culture of online security real people need.
The OECD has launched a Global Culture of Security web site as a resource to help users everywhere learn how to follow online security practices. The best defence against information system viruses, hackers and other online risks is to strengthen the network through improving behaviour. That means spreading good practices around.
Computer Economics, Inc. (2003), “April 2003 – Worst Virus Season Ever?”, www.computereconomics.com/article.cfm?id=867
CERT Coordination Center at the Carnegie Mellon Software Engineering Institute (2003), CERT/CC Statistics 1988-2003, www.cert.org/stats/cert_stats.html
Deloitte Touche Tohmatsu (2003), 2003 Global Security Survey, www.deloitte.com/dtt/cda/doc/content/2003%20Global%20Security%20Survey.pdf
Getzinger, L. (2000), “Y2K Investments Were Sound, Industry Spokesmen Say”, Washington File, Office of International Information Programs, U.S. Department of State, http://usembassy-australia.state.gov/hyper/2000/0112/epf308.htm
OECD (2002), OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, www.oecd.org/dataoecd/16/22/15582260.pdf
OECD (2003), Implementation Plan for the OECD Guidelines for the Security of Information Systems and Networks, www.olis.oecd.org/olis/2002doc.nsf/LinkTo/dsti-iccp-reg(2002)6-final
Watchfire and IBM (2003), The State of Online Financial Services, www.watchfire.com
©OECD Observer No 240/241, December 2003