Threats to the information society

Directorate for Science, Technology and Industry

The security of information systems is constantly being improved. Unfortunately, so are the skills of the hackers waiting to stage a “cyber attack”. 

Technological development may have greatly enhanced the security of the information system as a whole. But it has also given potential attackers the chance of far faster penetration into data systems (whether personal, corporate or government) and with wider and deeper effects. What’s more, new technology allows attackers to leave few traces behind, all of which makes the criminal investigators’ task difficult. Meanwhile, the international network enables almost anyone to get hold of the tools they need to attack systems.

Today’s heavier reliance on information systems makes the potential impact of "cyber" attack more significant than ever. And statistics from CERT, a leading centre of Internet security expertise operated by Carnegie Mellon University in the United States, show a rapid increase in reports of incidents affecting security.

Typical examples of 'modern' threats were seen in early 2000, when two kinds of threats to Internet security emerged. In May 2000, the I Love You e-mail virus seriously affected the world network of e-mail communication, wiping out some hard drives in the process. Earlier, in February 2000, there were the Distributed Denial of Service Attacks (DDoS attacks), which were aimed at a number of well-known electronic commerce web sites.

These DDoS attacks underlined the vulnerability of the present network system. The hacker takes control of a number of systems with weak security levels, mainly on sites that contain information requiring low levels of security, such as a server at a remote-sensing weather station. The hacker then covertly installs self-operating software (called Denial of Service agents) on these systems, which sends out a huge number of requests at once, saturating the targeted system’s resources.

When systems are interconnected through a network, the weakest systems that are connected to the network are generally the most vulnerable to attack. In effect, these weaker sites determine the overall strength of the network itself. But before jumping to the conclusion that the overall security level of a system has to be improved, a more detailed risk and cost analysis must be undertaken to decide whether such investments are justified. Issues that are related to increasing security in the network layer protocols, such as the proposed next generation of Internet Protocol, IPv6, should also be explored.

The I Love You virus was a lesson for everyone in how far and fast even a simple virus can spread via the Internet. It raised awareness levels at the time, but perhaps more could have been done to educate users in advance. Simple precautions by users (and basic rules set by managers) could have contained the spread of the virus; for example, teaching how to recognise risky file extensions. The I Love You virus was clever, in that recipients were fooled into opening the carrier e-mail because they recognised the name of the sender. This was because it only took one employee of a company or organisation to open an e-mail for the virus to enter his or her database of e-mail addresses. It was a grand exercise in deception. By the time managers and gatekeepers knew what was going on and alerted their staff, the virus had already spread around the world. Stopping the (innocent) early openers of the message is not that easy.

Another lesson from I Love You is how difficult it is for the criminal law system alone to address international cases, especially when the parties involved might include countries with immature legal systems that are not prepared to handle criminal actions related to electronic commerce. And, like the DDoS Attacks, it highlighted how difficult it is to track or trace international transmissions of viruses and agents.

What can governments do? 

OECD ministers have woken up to the problem, calling in a communiqué in June 2000 for more "confidence in authentication and privacy protection" to be built and for OECD to "engage with the private sector and other stakeholders to develop effective policy responses to urgent Internet security issues such as hacking and viruses". The OECD had already formulated, in 1997, Guidelines on Cryptography to enable safer data transmission and secure information storage at national and international levels.

Recent G8 and Council of Europe initiatives on cyber crimes have already placed a focus on imposing civil liability and criminal prosecution after security violations. Security in global electronic commerce by its nature highlights the importance of international protocols and procedures. A legal means may have to be found to make those who are responsible for providing security accountable, and to prosecute those who violate security. The international nature of the threat also requires private sector initiatives in applying global solutions in a uniform manner, so that more secure and reliable protocols and authentication systems may be widely used.

But the trouble is that the approaches so far have been reactive and do not help to prevent cyber crimes. Just as in traditional commerce, active prevention is more economical and efficient than reactive measures.

In other words, it is time to think hard about how to go beyond traditional governmental "police" efforts if trust in the security of information systems is to be strengthened. Prevention can be achieved mainly by constructing stronger, tighter systems that are relatively free of security holes. Until now, this has been an issue solely for the private sector, especially businesses which supply and use the systems. Governments cannot, of course, control the activities of business, but they may be able to help co-ordinate initiatives on their behalf, as well as for other stakeholders, such as consumers and international organisations. Even the exchange of information has a valuable role to play: information about cyber attacks (perhaps the stories we know are but the tip of the iceberg), known vulnerabilities and experiences of effective countermeasures.

The basic fact is that so far all approaches to global information security suffer from a sheer lack of interdisciplinary and international co-ordination. Any effort to improve matters would have to involve a range of players, from business people to leaders of international institutions, user groups, and security experts, including "ethical" hackers. The operative word of such coming together would be co-ordination, rather than control. The OECD, along with its outreach programmes to non-members, could act as a catalyst for enhancing discussions and information sharing, via its conferences, workshops and joint meetings.

One possible framework for building international co-operation on security is the 1992 OECD Guidelines for the Security of Information Systems, which were reviewed in 1997. A new review will be completed by 2002, but there is a question about whether this instrument will be sufficient to address today's security issues. That's how fast today's information world has evolved. We have to act fast and with determination. In the meantime, the advice is simple: think more than twice before you open those e-mails.

©OECD Observer No 224, January 2001 

NOTE: All signed articles in the OECD Observer express the opinions of the authors
and do not necessarily represent the official views of OECD member countries.