Threats to the information society

Directorate for Science, Technology and Industry

The security of information systems is constantly being improved. Unfortunately, so are the skills of the hackers waiting to stage a “cyber attack”. 

Technological development may have greatly enhanced the security of the information system as a whole. But it has also given potential attackers the chance of far faster penetration into data systems (whether personal, corporate or government) and with wider and deeper effects. What’s more, new technology allows attackers to leave few traces behind, all of which makes the criminal investigators’ task difficult. Meanwhile, the international network enables almost anyone to get hold of the tools they need to attack systems.

Today’s heavier reliance on information systems makes the potential impact of "cyber" attack more significant than ever. And statistics from CERT, a leading centre of Internet security expertise operated by Carnegie Mellon University in the United States, show a rapid increase in reports of incidents affecting security.

Typical examples of 'modern' threats were seen in early 2000, when two kinds of threats to Internet security emerged. In May 2000, the I Love You e-mail virus seriously affected the world network of e-mail communication, wiping out some hard drives in the process. Earlier, in February 2000, there were the Distributed Denial of Service Attacks (DDoS attacks), which were aimed at a number of well-known electronic commerce web sites.

These DDoS attacks underlined the vulnerability of the present network system. The hacker takes control of a number of systems with weak security levels, mainly on sites that contain information requiring low levels of security, such as a server at a remote-sensing weather station. The hackers covertly install self-operating software (called Denial of Service agents), which sends out a huge number of requests at once, saturating the targeted system’s resources.

When systems are interconnected through a network, the weakest systems that are connected to the network are generally the most vulnerable to attack. In effect, these weaker sites determine the overall strength of the network itself. But before jumping to the conclusion that the overall security level of a system has to be improved, a more detailed risk and cost analysis must be undertaken to decide whether such investments are justified. Issues that are related to increasing security in the network layer protocols, such as the proposed next generation of Internet Protocol, IPv6, should also be explored.

The I Love You virus was a lesson for everyone in how far and fast even a simple virus can spread via the Internet. It raised awareness levels at the time, but perhaps more could have been done to educate users in advance. Simple precautions by users (and basic rules set by managers) could have contained the spread of the virus; for example, teaching users how to recognise risky file extensions. The I Love You virus was clever, in that recipients were fooled into opening the carrier e-mail because they recognised the name of the sender. This was because it required only one employee of a company or organisation to open an e-mail for the virus to enter his or her database of e-mail addresses. It was a grand exercise in deception. By the time managers and gatekeepers knew what was going on and alerted their staff, the virus had already spread around the world. Stopping the (innocent) early openers of the message is not that easy.
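One way a mail gateway could automate the file-extension precaution described above, as an added example that is not part of the original article. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy lists for this sketch; a real gateway maintains its own.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".scr", ".pif",
               ".bat", ".cmd", ".exe", ".com", ".hta", ".lnk"}
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".xls"}

def classify_filename(name):
    """Return 'allow', 'block' or 'block-double-extension' for one attachment name."""
    # Trailing dots/spaces are ignored by Windows, so drop them before judging.
    cleaned = name.strip().rstrip(". ").lower()
    # Strip each component so padding such as "a.txt      .vbs" hides nothing.
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 2 or "." + parts[-1] not in SCRIPT_EXTS:
        return "allow"
    # A harmless-looking extension just before the real one is a deception signal.
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
        return "block-double-extension"
    return "block"

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and list (filename, verdict) for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2231/2047 encoded names
        if filename:
            verdict = classify_filename(filename)
            if verdict != "allow":
                findings.append((filename, verdict))
    return findings

def build_sample():
    """Constructed sample message; attachment bodies are inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"   # a sender the recipient recognises
    msg["To"] = "user@example.org"
    msg["Subject"] = "Quarterly note"
    msg.set_content("Please see the attached files.")
    for name in ("minutes.txt", "report.TXT.vbs", "photo.jpg", "update.scr"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict}: {filename}")
```

The check keys on the attachment name rather than the sender, since in this kind of outbreak the sender is someone the recipient already knows.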

Another lesson from I Love You is how difficult it is for the criminal law system alone to address international cases, especially when the parties involved might include countries with immature legal systems that are not prepared to handle criminal actions related to electronic commerce. And, like the DDoS Attacks, it highlighted how difficult it is to track or trace international transmissions of viruses and agents.

What can governments do? 

OECD ministers have woken up to the problem, calling in a communiqué in June 2000 for more "confidence in authentication and privacy protection" to be built and for OECD to "engage with the private sector and other stakeholders to develop effective policy responses to urgent Internet security issues such as hacking and viruses". The OECD had already formulated, in 1997, Guidelines on Cryptography to enable safer data transmission and secure information storage at national and international levels.

Recent G8 and Council of Europe initiatives on cyber crimes have already placed a focus on imposing civil liability and criminal prosecution after security violations. Security in global electronic commerce by its nature highlights the importance of international protocols and procedures. A legal means may have to be found to make those who are responsible for providing security accountable, and to prosecute those who violate security. The international nature of the threat also requires private sector initiatives in applying global solutions in a uniform manner, so that more secure and reliable protocols and authentication systems may be widely used.

But the trouble is that the approaches so far have been reactive and do not help to prevent cyber crimes. Just as in traditional commerce, active prevention is more economical and efficient than reactive measures.

In other words, it is time to think hard about how to go beyond traditional governmental "police" efforts if trust in the security of information systems is to be strengthened. Prevention can be achieved mainly by constructing stronger, tighter systems that are relatively free of security holes. Until now, this has been an issue solely for the private sector, especially businesses which supply and use the systems. Governments cannot, of course, control the activities of business, but they may be able to help co-ordinate initiatives on their behalf, as well as for other stakeholders, such as consumers and international organisations. Even the exchange of information has a valuable role to play: information about cyber attacks (perhaps the stories we know are but the tip of the iceberg), about known vulnerabilities and about experiences of effective countermeasures.

The basic fact is that so far all approaches to global information security suffer from a sheer lack of interdisciplinary and international co-ordination. Any effort to improve matters would have to involve a range of players, from business people to leaders of international institutions, user groups, and security experts, including "ethical" hackers. The operative word of such coming together would be co-ordination, rather than control. The OECD, along with its outreach programmes to non-members, could act as a catalyst for enhancing discussions and information sharing, via its conferences, workshops and joint meetings.

One possible framework for building international co-operation on security is the 1992 OECD Guidelines for the Security of Information Systems, which were reviewed in 1997. A new review will be completed by 2002, but there is a question about whether this instrument will be sufficient to address today's security issues. That's how fast today's information world has evolved. We have to act fast and with determination. In the meantime, the advice is simple: think more than twice before you open those e-mails.

©OECD Observer No 224, January 2001 


NOTE: All signed articles in the OECD Observer express the opinions of the authors
and do not necessarily represent the official views of OECD member countries.
