Cyber-security. The vexed question of global rules

This report is made up of a survey of some 250 leading authorities worldwide and of interviews carried out in late 2011 and early 2012 with over 80 cyber security experts in government, companies, international organisations and academia.
It offers a global snapshot of current thinking about the cyber-threat and the measures that should be taken to defend against it, and assesses the way ahead. It is aimed at the influential layperson, and deliberately avoids specialised language.

The first part of this two-part report concentrates on the main issues that are slowing progress, starting with the absence of agreement on what we mean by terms like cyber-war or cyber-attack. It reflects sharp divisions over the rights of individuals and states in cyber-space. Most Western countries believe that freedom of access to the internet is a basic human right, and that the individual also has a right to privacy and security that should be protected by law. UNESCO argues that the right to assemble in cyberspace comes under Article 19 of the Declaration of Human Rights.
At the other end of the spectrum are those countries, like Russia and China, that favour a global treaty but nevertheless believe that access to the internet should be limited if it threatens regime stability, and that information can also be seen as a cyber-threat. For these countries, any state has the right to control content within its sovereign internet space.
Linked to the rights and responsibilities of states is the thorny issue of attribution. There are those countries that say that attribution to a specific attacker is impossible, and that the focus has to be defence from attacks. Others argue that attribution is possible, but requires international cooperation, sharing of information and assistance from local authorities.
Some states believe that cooperation is a threat to their sovereignty; others say they can’t be held responsible for the activities of individuals or private companies. And a number apparently fear openness because they don’t want to see restrictions on their political or military objectives.
Some clear themes emerge from the report, and they are issues that need fairly urgent resolution. Among these are how, and to what degree, a more proactive (some would say more bellicose) stance should be developed in both the military and private arenas; the need for much greater international cooperation; introducing a more solid security architecture to the internet; and establishing cyber-confidence building measures as an easier alternative to any global treaty, or at least as a gap-filler until a treaty is agreed.

The second part of this report consists of 21 country stress tests, complemented by findings from the global survey the SDA conducted in the autumn of 2011 among 250 top cyber-security specialists in 35 countries. They included government ministers, staff at international organisations, leading academics, think-tankers and IT specialists, and their views diverged widely on how to improve international cooperation in cyberspace, which over half of them now consider a global commons like the sea or space.
Everyone agrees that cyber-security presents a global rather than a national challenge. But how global should our attempts at a solution be? It would be my hope and that of the SDA that this report will help show where global thinking on cyber-security currently stands, and how to improve it.

The following recommendations are a step in that direction. They are not directed at specific bodies or institutions, but are intended as a checklist for achieving international solutions to global regulatory questions:
1. Build trust between industry and government stakeholders by setting up bodies to share information and best practices, like the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA).
2. Increase public awareness of how individuals can protect their own internet data, and promote cyber-security education and training.
3. New problems and opportunities created by smartphones and cloud computing must be examined. Cloud computing needs an appropriate architecture to achieve optimum security levels.
4. Prioritise information protection, knowing that no one size fits all. The three key goals that need to be achieved are confidentiality, integrity and availability, in different doses according to the situation.
5. Consider establishing cyber-confidence building measures as an alternative to a global treaty, or at least as a stopgap measure, knowing that many countries view a treaty as unverifiable, unenforceable and impractical.
6. Improve communication between the various communities, from policy-makers to technological experts to business leaders both at national and international levels.
7. Enhance attribution capabilities by investing in new technologies, and establishing rules and standards.
8. Follow the Dutch model of a third party cyber-exchange for improved private-public partnership on internet security.
9. Despite the many practical hurdles in the way of transparency, both for private companies and for governments, find ways of establishing assurance – or trust – through the use of security mechanisms and processes.
10. Move the ball forward and encourage integration of cyber into existing processes and structures. Make sure cyber considerations and investment are present at every level.

Read all the 108 pages of this really interesting document here:

Tuesday 31 January 2012
