Technological development may have greatly enhanced the security of the information system as a whole. But it has also given potential attackers the chance of far faster penetration into data systems (whether personal, corporate or government) and with wider and deeper effects. What’s more, new technology allows attackers to leave few traces behind, all of which makes the criminal investigators’ task difficult. Meanwhile, the international network enables almost anyone to get hold of the tools they need to attack systems.
Today’s heavier reliance on information systems makes the potential impact of "cyber" attack more significant than ever. And statistics from CERT, a leading centre of Internet security expertise operated by Carnegie Mellon University in the United States, show a rapid increase in reports of incidents affecting security.
Typical examples of 'modern' threats were seen in early 2000, when two kinds of threats to Internet security emerged. In May 2000, the I Love You e-mail virus seriously affected the world network of e-mail communication, wiping out some hard drives in the process. Earlier, in February 2000, there were the Distributed Denial of Service Attacks (DDoS attacks), which were aimed at a number of well-known electronic commerce web sites.
These DDoS attacks underlined the vulnerability of the present network system. The hacker takes control of a number of systems with weak security levels, mainly on sites that contain information requiring low levels of security, such as a server at a remote-sensing weather station. The hackers covertly install self-operating software (called Denial of Service agents), which sends out a huge number of requests at once, saturating the targeted system’s resources.
When systems are interconnected through a network, the weakest systems that are connected to the network are generally the most vulnerable to attack. In effect, these weaker sites determine the overall strength of the network itself. But before jumping to the conclusion that the overall security level of a system has to be improved, a more detailed risk and cost analysis must be undertaken to decide whether such investments are justified. Issues that are related to increasing security in the network layer protocols, such as the proposed next generation of Internet Protocol, IPv6, should also be explored.
The I Love You virus was a lesson for everyone in how far and fast even a simple virus can spread via the Internet. It raised awareness levels at the time, but perhaps more could have been done to educate users in advance. Simple precautions by users (and basic rules set by managers) could have contained the spread of the virus, for example teaching people how to recognise risky file extensions. The I Love You virus was clever in that recipients were fooled into opening the carrier e-mail because they recognised the name of the sender: it only required one employee of a company or organisation to open the e-mail for the virus to enter his or her database of e-mail addresses and spread on from there. It was a grand exercise in deception. By the time managers and gatekeepers knew what was going on and alerted their staff, the virus had already spread around the world. Stopping (innocent) early openers of the message is not that easy.
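The "risky file extension" rule mentioned above, written out as a small attachment policy a mail gateway or a user-training sheet could apply. This is an added example, not code from the article or from any OECD project; the extension lists, the double-extension and space-padding tricks it checks for, and the sample attachment names are assumptions constructed for illustration.

```python
from typing import List, Tuple

# Extensions that run code when a recipient double-clicks the attachment.
# The selection is an assumption for this example, not a list from the article.
RISKY_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "exe", "scr", "pif",
                    "bat", "cmd", "com", "lnk"}

# Extensions that look like harmless documents to a recipient.
DOCUMENT_EXTENSIONS = {"txt", "doc", "rtf", "jpg", "gif", "pdf", "htm", "html"}


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Classify one attachment name as ('block' | 'allow', reason).

    The rule a user should learn: the *last* extension decides what the
    desktop does with the file, whatever document-looking extension sits
    in front of it.  Whitespace between extensions is ignored, because
    padding is one way a risky suffix is pushed out of view.
    """
    name = filename.strip().lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2:
        return "allow", "no extension"
    final = parts[-1]
    if final not in RISKY_EXTENSIONS:
        return "allow", "non-executable extension ." + final
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        # e.g. "report.txt.vbs": the .txt is a decoy; the .vbs is what runs
        return "block", "disguised double extension .%s.%s" % (parts[-2], final)
    return "block", "executable/script extension ." + final


def scan_attachments(names: List[str]) -> List[Tuple[str, str, str]]:
    """Run the policy over a batch and return (name, verdict, reason) rows."""
    return [(n,) + classify_attachment(n) for n in names]


# Constructed sample attachment names (not real filenames from the article).
SAMPLE_ATTACHMENTS = [
    "agenda.txt",
    "letter-for-you.txt.vbs",        # decoy .txt in front of a script
    "holiday-photo.jpg      .scr",   # space padding to hide the .scr
    "invoice.pdf",
    "setup.exe",
    "README",
]

if __name__ == "__main__":
    for name, verdict, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:5s}  {name!r:32}  {reason}")
```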
Another lesson from I Love You is how difficult it is for the criminal law system alone to address international cases, especially when the parties involved might include countries with immature legal systems that are not prepared to handle criminal actions related to electronic commerce. And, like the DDoS Attacks, it highlighted how difficult it is to track or trace international transmissions of viruses and agents.
What can governments do?
OECD ministers have woken up to the problem, calling in a communiqué in June 2000 for more "confidence in authentication and privacy protection" to be built and for OECD to "engage with the private sector and other stakeholders to develop effective policy responses to urgent Internet security issues such as hacking and viruses". The OECD had already formulated, in 1997, Guidelines on Cryptography to enable safer data transmission and secure information storage at national and international levels.
Recent G8 and Council of Europe initiatives on cyber crime have already focused on imposing civil liability and criminal prosecution after security violations. Security in global electronic commerce by its nature highlights the importance of international protocols and procedures. A legal means may have to be found to make those responsible for providing security accountable, and to prosecute those who violate it. The international nature of the threat also calls for private-sector initiatives that apply global solutions in a uniform manner, so that more secure and reliable protocols and authentication systems may be widely used.
But the trouble is that the approaches so far have been reactive and do not help to prevent cyber crimes. Just as in traditional commerce, active prevention is more economical and efficient than reactive measures.
In other words, it is time to think hard about how to go beyond traditional governmental "police" efforts if trust in the security of information systems is to be strengthened. Prevention can be achieved mainly by constructing stronger, tighter systems that are relatively free of security holes. Until now, this has been an issue solely for the private sector, especially businesses which supply and use the systems. Governments cannot, of course, control the activities of business, but they may be able to help co-ordinate initiatives on their behalf, as well as for other stakeholders, such as consumers and international organisations. Information exchange also has a valuable role to play: about cyber attacks (perhaps the stories we know are but the tip of the iceberg), known vulnerabilities and experiences of effective countermeasures.
The basic fact is that so far all approaches to global information security suffer from a sheer lack of interdisciplinary and international co-ordination. Any effort to improve matters would have to involve a range of players, from business people to leaders of international institutions, user groups, and security experts, including "ethical" hackers. The operative word for such a coming together would be co-ordination, rather than control. The OECD, along with its outreach programmes to non-members, could act as a catalyst for enhancing discussions and information sharing, via its conferences, workshops and joint meetings.
One possible framework for building international co-operation on security is the 1992 OECD Guidelines for the Security of Information Systems, which were reviewed in 1997. A new review will be completed by 2002, but there is a question about whether this instrument will be sufficient to address today's security issues. That's how fast today's information world has evolved. We have to act fast and with determination. In the meantime, the advice is simple: think more than twice before you open those e-mails.
©OECD Observer No 224, January 2001