Elon University

Security concerns range from ID theft to out-and-out cyberterror and possible cyberwar

November 14, 2007
By Janna Quitney Anderson, Director of Imagining the Internet and Assistant Professor of Communications, Elon University

Rio Survey Taker IGF 2007Rio de Janeiro, Brazil – It can be a personal disaster. A virus can wipe your hard-drive clean, destroying years of work; spyware can steal your personal information and put you, your family or your finances in danger. We fight back with anti-virus software and e-mail filters to block the bugs and spam, but they just keep coming.

Even more of a threat is the likelihood that entire portions of the communications network – a network that handles the world’s finances, air-traffic control and many other vital operations – or the power grid that supports it can be taken down, halting activities and even threatening lives.

Some Internet problems are created by hackers, some by criminals and some are even created by robot programs running out of control.

PC World recently estimated that 80 percent of consumer PCs are infected with spyware. As many as two-thirds of computer users may have been hit by a virus at least once. A recent study by CIO magazine projected that by the year 2010, computer programmers will discover about 100,000 software vulnerabilities for hackers to exploit during the calendar year – that’s one new opportunity every five minutes … of every hour … of every day.

The stakes get higher when you consider such things as cyber terrorism and even the threat of cyber warfare.

These are some of the challenges being discussed by delegates here at the second annual Internet Governance Forum in Rio de Janeiro, Brazil. It is a forum facilitated by the United Nations and born out of the processes surrounding a couple of other previous events called the World Summit on the Information Society. These meetings bring stakeholders from all walks of life together to discuss the future of the Internet along with their expectations and concerns about this developing technology. For many of these people, one of the most urgent issues is security.

Can we respond effectively to security threats while we protect people’s rights to privacy and free expression? And how do you come up with rules and responses that cross national boundaries?

The challenges are immense.

It is estimated the cyber crime costs hundreds of billions of dollars annually worldwide. This includes acts of fraud, counterfeiting, intellectual-property theft and the exploitation of stolen passwords, credit card numbers and other private information. With the Internet’s global environment, criminals have found they can easily ply their trade while law-enforcement agencies in each country struggle through the red tape of tangled international laws and jurisdictions.

Some are calling it the Golden Age of Crime. The threat becomes scarier when the damages go beyond economic and move into the realm of cyberterrorism and cyberwarfare.

But it is difficult to stop the negatives without influencing the positives.

“If you start criminalizing hacking tools that a lot of system administrators need for testing the security of their networks,” explained political scientist and privacy researcher Ralf Bendrath during the main-room Security session at IGF, “then you might actually try to do something for security, but the unintended consequence is that you’re less secure in the end… We need to talk about protection against fraud, protection against things like cybercrimes and so on, but also about the protection of privacy. And we had a couple of very interesting discussions over the last few days on how with the latest technologies you can actually have better privacy and at the same time better security.”

In April 2007, the government of Estonia claimed Russia launched a three-week-long cyber warfare attack aimed at shutting down Estonian government offices, banks and newspapers – all of this a retaliation over Estonia’s decision to relocate a Russian war memorial statue. Estonia, which prides itself as having a “paperless” e-government, said at least six foreign and justice ministry Web sites were swamped by the attacks, and an Estonian defense ministry spokesman compared the attacks to those launched against the United States on 9-11.

The attack was started when overwhelmingly massive waves of data requests were sent into Estonia from Russia and from computers that had been co-opted by robots around the world. Estonia had no option but to cut its data ties to the outside world, halting commerce and damaging the country’s economy for several days.

Future wars will be fought in network attacks that can cripple a country’s infrastructure, shutting down power and water plants, disrupting communications and transportation systems, and even affecting military or defense systems.

The people attending IGF say the world must consider the implications of cyberterrorism and cyberwarfare. Bendrath mentioned what he called “arms control in cyberspace.”

“That could be one potential global public-policy issue that could be addressed in the future at the IGF or elsewhere,” he said. “As more nations are entering the virtual arms race and are setting up cyberattack units in their armies and so on there’s a need for arms control.”

A big problem with crime on the Internet stems from the fact that different countries have different laws. For instance, if a person wants to run an online gambling operation he can’t base it in the U.S. – that’s illegal – but there are plenty of other places he can take that business and still make it work.

Another borders concern is the issue of how to coordinate the effectiveness of various countries’ police forces and judicial systems. Because countries and cultures are so different, no one is willing to agree on a world Internet police force or judicial body, so savvy criminals can find ways to work the system.

“The difficulty we are facing is the fact that law enforcement agencies to need to cooperate and that is something that is lacking at the moment,” said Marco Gercke, a cybercrime researcher. “It does not help you if you have sufficient [criminal law] instruments in place if you cannot cooperate with other law-enforcement agencies quickly. We are still using traditional instruments that take weeks and months.” He urged that more governments agree to the Convention on Cybercrime, which was developed by the Council of Europe – it has been signed by leaders of 43 countries, most of them (including the U.S.) in the developed world.

It’s a real challenge to respond to security threats and provide intellectual property protection without dismantling freedom of expression and universal access, the very things that make the Internet so powerful. There’s danger in having too many laws, too much hard-set policy.

Alun Michael, a member of the UK parliament active in telecommunications issues, made an excellent point at the IGF’s main security session. “Whenever there’s a problem,” he said, “the public demand more laws, more regulation. And the problem is that laws rarely prevent what they forbid. So we must agree, mustn’t we, that we need a cleverer approach. Too often, security is an add-on, and that’s useless. Security and enterprise development must be developed together, but they have to do it in a partnership with civil society and government.”

Cristine Hoepers, a security analyst for the Computer Emergency Response Team, urged technology people to build security concerns into the development of software and hardware from the most basic level upward. “We need to prepare the next-generation professionals … think about security in the whole process,” she urged. “There will be someone interested in attacking. Ask, ‘Am I using good practice to implement [security]?’ If they are, since the beginning, being taught to be security-minded and about the security problems we may have, we can mitigate … we will have less problems and maybe we can deal with and manage better the problems we have.”

Can we have a more secure Internet and still protect the freedoms – the civil liberties that allow us to speak our minds as we choose, voice objections to our governments, be as creative as we want to be, write computer programs, do our business and conduct 21st century life? Or are we headed to a new world in which we must register to use the Internet, sign in with our government or on an international Internet personal identification system when we go online and have every online move we make tracked – all in the name of increased security?

When people at the Internet Governance Forum discuss security, they are also talking about:

  • Coming to an agreement on the definitions of security threats, cybercrime, cyberterrorism and cyberwarfare.
  • Cooperation across national borders, taking different legal policies into account.
  • Keeping primary internet resources secure.
  • The best way to assure authentication and ID online while maintaining people’s privacy.
  • The challenges to privacy in a security environment.
  • The best ways to assure security in the future for the wireless, mobile internet.

There is no expectation that governments or organizations around the world can magically come up with security solutions that lessen the threats of viruses, scams, cyberterrorism or cyberwarfare. But we can share our own solutions with others and we can come to an agreement on how to work together whenever possible. The way each nation executes its plan to provide some level of security can provide a model for people in other nations.

(Eryn Gradwell and Dan Anderson were contributing reporters for this article.)