Threats to the information society

Directorate for Science, Technology and Industry

The security of information systems is constantly being improved. Unfortunately, so are the skills of the hackers waiting to stage a “cyber attack”. 

Technological development may have greatly enhanced the security of the information system as a whole. But it has also given potential attackers the chance of far faster penetration into data systems (whether personal, corporate or government) and with wider and deeper effects. What’s more, new technology allows attackers to leave few traces behind, all of which makes the criminal investigators’ task difficult. Meanwhile, the international network enables almost anyone to get hold of the tools they need to attack systems.

Today’s heavier reliance on information systems makes the potential impact of "cyber" attack more significant than ever. And statistics from CERT, a leading centre of Internet security expertise operated by Carnegie Mellon University in the United States, show a rapid increase in reports of incidents affecting security.

Typical examples of 'modern' threats were seen in early 2000, when two kinds of threats to Internet security emerged. In May 2000, the I Love You e-mail virus seriously affected the world network of e-mail communication, wiping out some hard drives in the process. Earlier, in February 2000, there were the Distributed Denial of Service Attacks (DDoS attacks), which were aimed at a number of well-known electronic commerce web sites.

These DDoS attacks underlined the vulnerability of the present network system. The hacker takes control of a number of systems with weak security levels, mainly on sites that contain information requiring low levels of security, such as a server at a remote-sensing weather station. The hackers covertly install self-operating software (called Denial of Service agents), which sends out a huge number of requests at once, saturating the targeted system’s resources.

When systems are interconnected through a network, the weakest systems that are connected to the network are generally the most vulnerable to attack. In effect, these weaker sites determine the overall strength of the network itself. But before jumping to the conclusion that the overall security level of a system has to be improved, a more detailed risk and cost analysis must be undertaken to decide whether such investments are justified. Issues that are related to increasing security in the network layer protocols, such as the proposed next generation of Internet Protocol, IPv6, should also be explored.

The I Love You virus was a lesson for everyone in how far and fast even a simple virus can spread via the Internet. It raised awareness levels at the time, but perhaps more could have been done to educate users in advance. Simple precautions by users (and basic rules set by managers) could have contained the spread of the virus; for example, teaching how to recognise risky file extensions. The I Love You virus was clever, in that recipients were fooled into opening the carrier email because they recognised the name of the sender. This was because it only required one company or organisation employee to open an e-mail for the virus to enter his or her database of e-mail addresses. It was a grand exercise in deception. By the time managers and gatekeepers knew what was going on and alerted their staff, the virus had already spread around the world. How to stop (innocent) early openers of the message is not that easy.

Another lesson from I Love You is how difficult it is for the criminal law system alone to address international cases, especially when the parties involved might include countries with immature legal systems that are not prepared to handle criminal actions related to electronic commerce. And, like the DDoS Attacks, it highlighted how difficult it is to track or trace international transmissions of viruses and agents.

What can governments do? 

OECD ministers have woken up to the problem, calling in a communiqué in June 2000 for more "confidence in authentication and privacy protection" to be built and for OECD to "engage with the private sector and other stakeholders to develop effective policy responses to urgent Internet security issues such as hacking and viruses". The OECD had already formulated, in 1997, Guidelines on Cryptography to enable safer data transmission and secure information storage at national and international levels.

Already recent G8 and Council of Europe initiatives on cyber crimes have placed a focus on imposing civil liability and criminal prosecution after security violations. Security in global electronic commerce by its nature highlights the importance of international protocols and procedures. A legal means may have to be found to make those who are responsible for providing security accountable, and to prosecute those who violate security . The international nature of the threat also requires private sector initiatives in applying global solutions in a uniform manner, so that more secure and reliable protocols and authentication systems may be widely used.

But the trouble is that the approaches so far have been reactive and do not help to prevent cyber crimes. Just as in traditional commerce, active prevention is more economical and efficient than reactive measures.

In other words, it is time to think hard about how to go beyond traditional governmental "police" efforts if trust in the security of information systems is to be strengthened. Prevention can be achieved mainly by constructing stronger, tighter systems that are relatively free of security holes. Until now, this has been an issue solely for the private sector, especially businesses which supply and use the systems. Governments cannot, of course, control the activities of business, but they may be able to help co-ordinate initiatives on their behalf, as well as for other stakeholders, such as consumers and international organisations. Even information exchange has a valuable role to play, about cyber attacks (perhaps the stories we know are but the tip of the iceberg), known vulnerabilities and experiences of effective countermeasures.

The basic fact is that so far all approaches to global information security suffer from a sheer lack of interdisciplinary and international co-ordination. Any effort to improve matters would have to involve a range of players, from business people to leaders of international institutions, user groups, and security experts, including "ethical" hackers. The operative word of such coming together would be co-ordination, rather than control. The OECD, along with its outreach programmes to non-members, could act as a catalyst for enhancing discussions and information sharing, via its conferences, workshops and joint meetings.

One possible framework for building international co-operation on security is the 1992 OECD Guidelines for the Security of Information Systems, which were reviewed in 1997. A new review will be completed by 2002, but there is a question about whether this instrument will be sufficient to address today's security issues. That's how fast today's information world has evolved. We have to act fast and with determination. In the meantime, the advice is simple: think more than twice before you open those e-mails.

©OECD Observer No 224, January 2001 




Economic data

GDP growth: +0.6% Q4 2017 year-on-year
Consumer price inflation: 2.6% May 2018 annual
Trade: +2.7% exp, +3.0% imp, Q4 2017
Unemployment: 5.4% Mar 2018
Last update: 06 Jul 2018

E-Newsletter

Stay up-to-date with the latest news from the OECD by signing up for our e-newsletter :

Twitter feed

Suscribe now

<b>Subscribe now!</b>

To receive your exclusive paper editions delivered to you directly


Online edition
Previous editions

Don't miss

  • Watch the webcast of the final press conference of the OECD annual ministerial meeting 2018.
  • International co-operation, inclusive growth and digitalisation lead the themes of the 2018 OECD Forum in Paris on 29-30 May, under the banner of What brings us together www.oecd.org/forum. It is held alongside the annual OECD Ministerial Council Meeting on 30-31 May, chaired this year by France with a focus on multilateralism www.oecd.org/mcm.
  • Listen to the "Robots are coming for our jobs" episode of The Guardian's "Chips with Everything podcast", in which The Guardian’s economics editor, Larry Elliott, and Jeremy Wyatt, a professor of robotics and artificial intelligence at the University of Birmingham, and Jordan Erica Webber, freelance journalist, discuss the findings of the new OECD report "Automation, skills use and training". Listen here.
  • Do we really know the difference between right and wrong? Alison Taylor of BSR and Susan Hawley of Corruption Watch tell us why it matters to play by the rules. Watch the recording of our Facebook live interview here.
  • Has public decision-making been hijacked by a privileged few? Watch the recording of our Facebook live interview with Stav Shaffir, MK (Zionist Union) Chair of the Knesset Committee on Transparency here.
  • Can a nudge help us make more ethical decisions? Watch the recording of our Facebook live interview with Saugatto Datta, managing director at ideas42 here.
  • Ambassador Aleksander Surdej, Permanent Representative of Poland to the OECD, was a guest on France 24’s English-language show “The Debate”, where he discussed French President Emmanuel Macron’s speech at the World Economic Forum in Davos.
  • The fight against tax evasion is gaining further momentum as Barbados, Côte d’Ivoire, Jamaica, Malaysia, Panama and Tunisia signed the BEPS Multilateral Convention on 24 January, bringing the total number of signatories to 78. The Convention strengthens existing tax treaties and reduces opportunities for tax avoidance by multinational enterprises.
  • Rousseau
  • Do you trust your government? The OECD’s How's life 2017 report finds that only 38% of people in OECD countries trust their government. How can we improve our old "Social contract?" Read more.
  • Papers show “past coming back to haunt us”: OECD Secretary-General Angel Gurria tells Sky News that the so-called "Paradise Papers" show a past coming back to haunt us, but one which is now being dismantled. Please watch the video.
  • When someone asks me to describe an ideal girl, in my head, she is a person who is physically and mentally independent, brave to speak her mind, treated with respect just like she treats others, and inspiring to herself and others. But I know that the reality is still so much different. By Alda, 18, on International Day of the Girl. Read more.
  • Globalisation’s many benefits have been unequally shared, and public policy has struggled to keep up with a rapidly-shifting world. The OECD is working alongside governments and international organisations to help improve and harness the gains while tackling the root causes of inequality, and ensuring a level playing field globally. Please watch.
  • Read some of the insightful remarks made at OECD Forum 2017, held on 6-7 June. OECD Forum kick-started events with a focus on inclusive growth, digitalisation, and trust, under the overall theme of Bridging Divides.
  • Checking out the job situation with the OECD scoreboard of labour market performances: do you want to know how your country compares with neighbours and competitors on income levels or employment?
  • Trade is an important point of focus in today’s international economy. This video presents facts and statistics from OECD’s most recent publications on this topic.
  • The OECD Gender Initiative examines existing barriers to gender equality in education, employment, and entrepreneurship. The gender portal monitors the progress made by governments to promote gender equality in both OECD and non-OECD countries and provides good practices based on analytical tools and reliable data.
  • Interested in a career in Paris at the OECD? The OECD is a major international organisation, with a mission to build better policies for better lives. With our hub based in one of the world's global cities and offices across continents, find out more at www.oecd.org/careers .
  • Visit the OECD Gender Data Portal. Selected indicators shedding light on gender inequalities in education, employment and entrepreneurship.

Most Popular Articles

OECD Insights Blog

NOTE: All signed articles in the OECD Observer express the opinions of the authors
and do not necessarily represent the official views of OECD member countries.

All rights reserved. OECD 2018