<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Law Enforcement</title>
	<atom:link href="http://www.halbheer.ch/security/category/government/law-enforcement/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Wed, 16 May 2012 18:03:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Council of Europe Octopus Conference- Some Thoughts</title>
		<link>http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/</link>
		<comments>http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 11:21:49 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/</guid>
		<description><![CDATA[<p>I am still sitting in the parliament room of the Council of Europe at the celebration event for the Budapest Convention. It was another very good event addressing the challenges of fighting Cybercrime. Let me try to summarize a few thoughts:</p> The Budapest Convention is probably the best convention out there allowing a wide adoption of <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/">Council of Europe Octopus Conference- Some Thoughts</a></span>]]></description>
			<content:encoded><![CDATA[<p>I am still sitting in the parliament room of the Council of Europe at the celebration event for the Budapest Convention. It was another very good event addressing the challenges of fighting Cybercrime. Let me try to summarize a few thoughts:</p>
<ul>
<li>The Budapest Convention is probably the best convention out there allowing a wide adoption of a harmonized legislation to fight Cybercrime internationally. </li>
<li>A lot of countries outside the Council have adopted or are in the process of adopting the convention </li>
<li>It balances the fight against criminals with the protection of Privacy and Human Rights. </li>
<li>The willingness and the activities to collaborate internationally increase </li>
<li>The idea of <a href="http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/">the Cybersecurity Agenda</a> as a mechanism to land and integrate Cybercrime and Cybersecurity resonated extremely well </li>
</ul>
<p>A lot of good signs. There are some caveats however:</p>
<ul>
<li>There are countries rejecting adoption mainly because the Council of Europe does not have a global mandate or because it is called the Budapest Convention. I guess the criminals like this approach </li>
<li>The economic challenges, especially in Europe, decrease the amount of money available for this. The call then was that the private sector has to do more. We are committed to continuing to support these activities, but typically if governments are financially challenged – well, they are our customers as well </li>
<li>Where is the private sector? I only meet a few companies at these events: some security vendors, some credit card companies and us. <strong><em>Where are the others? Where is Google? Where is Apple? What about IBM? Amazon? The big Telcos? Why do they not participate in addressing crime and helping governments to get better and carry the burden? Do they not care?</em></strong> </li>
</ul>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Cybersecurity&#8211;More than a good headline</title>
		<link>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/</link>
		<comments>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/#comments</comments>
		<pubDate>Thu, 27 Oct 2011 13:47:03 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity Agenda]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Policy Makers]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Situational Awareness]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/</guid>
		<description><![CDATA[<p>A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.</p> <p>This made us think about what <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/">Cybersecurity&#8211;More than a good headline</a></span>]]></description>
			<content:encoded><![CDATA[<p>A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.</p>
<p>This made us think about what is needed to run a successful Cybersecurity Agenda within a country: what themes ought to be addressed, and in which form?</p>
<p>We came up with a fairly simple model:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image4.png"><img style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" title="image" src="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image_thumb4.png" alt="image" width="644" height="363" border="0" /></a></p>
<p>To explain the model, we just published two papers about it:</p>
<ul>
<li><a href="http://download.microsoft.com/download/B/D/1/BD154F33-58E5-4034-89AB-F67E7FAB0AC6/MSPSCybersecurityAbstract.pdf">Cybersecurity white paper abstract</a> – a one pager with a high-level description</li>
<li><a href="http://download.microsoft.com/download/F/1/7/F176D7BF-AAD6-4295-A400-0C6DD8E4A8F4/MSPSCybersecurityWhitepaper.pdf">Cybersecurity: More than a good headline</a> – a few more pages going deeper into the discussion of the different subjects.</li>
</ul>
<p>In parallel we are working on a book about this, giving many more examples and background – so stay tuned.</p>
<p>The only thing I really know: When I do a presentation explaining Cybersecurity and at the end show the slide above, governments love it. Typically they approach me asking for the deck – if they are not politically correct they tell me that they just want to get this slide.</p>
<p>Comments are very welcome. If you need or want further information, get in touch with me. Happy to help.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>German&#8217;s Government-Created Trojan Vulnerable</title>
		<link>http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/</link>
		<comments>http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 08:42:27 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/</guid>
		<description><![CDATA[<p>It is not that rare for Law Enforcement to use software to spy in cases of severe accusations like terrorism. What is kind of surprising is the level of sophistication some of these Trojans seem to have – and not necessarily in a good way.</p> <p>The German Chaos Computer Club analyzed the Trojan <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/">German&#8217;s Government-Created Trojan Vulnerable</a></span>]]></description>
			<content:encoded><![CDATA[<p>It is not that rare for Law Enforcement to use software to spy in cases of severe accusations like terrorism. What is kind of surprising is the level of sophistication some of these Trojans seem to have – and not necessarily in a good way.</p>
<p>The German Chaos Computer Club analyzed the Trojan used by some state police force in Germany and found things like hard-coded keys, self-written encryption (well, they call it obfuscation at best) etc.</p>
<p>You can read the article on the CCC website: <a href="http://www.ccc.de/en/updates/2011/staatstrojaner">Chaos Computer Club analyzes government malware</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Security: The Road Ahead</title>
		<link>http://www.halbheer.ch/security/2011/04/14/cyber-security-the-road-ahead/</link>
		<comments>http://www.halbheer.ch/security/2011/04/14/cyber-security-the-road-ahead/#comments</comments>
		<pubDate>Thu, 14 Apr 2011 10:04:19 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Associations]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/04/14/cyber-security-the-road-ahead/</guid>
		<description><![CDATA[<p>This paper by the Geneva Centre for the Democratic Control of Armed Forces (DCAF) was just brought to my attention. A piece of work, which is definitely worth working through. It lays out the problem space and then does a deep dive into the different sections:</p> Governments Legislative Bodies The Armed Forces Law Enforcement Judges <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/04/14/cyber-security-the-road-ahead/">Cyber Security: The Road Ahead</a></span>]]></description>
			<content:encoded><![CDATA[<p>This paper by the Geneva Centre for the Democratic Control of Armed Forces (DCAF) was just brought to my attention. A piece of work, which is definitely worth working through. It lays out the problem space and then does a deep dive into the different sections:</p>
<ul>
<li>Governments</li>
<li>Legislative Bodies</li>
<li>The Armed Forces</li>
<li>Law Enforcement</li>
<li>Judges and Prosecutors</li>
<li>The End User</li>
<li>The Private Sector</li>
<li>The IT Sector</li>
<li>Banks and Financial Services</li>
<li>Critical National Infrastructure</li>
<li>WikiLeaks</li>
</ul>
<p>The interesting one is the last one – a whole chapter on WikiLeaks.</p>
<p>The paper is very well structured and always gives a structured view of the different challenges. If I had to pick a few of them, these would be my highlights:</p>
<p><strong>From a strategic challenge perspective:</strong></p>
<blockquote><ul>
<li>The threats to cyber security are the greatest national and economic security threats states face. Cyber security will evolve into a key challenge, economically, politically, socially, and militarily. Yet it remains the least understood and most underestimated threat.</li>
<li>The very complexity of the threat deters a full understanding of its implications and hinders a comprehensive debate on the strategic responses needed.</li>
</ul>
</blockquote>
<p>I recently had a discussion with a government and everybody was talking about “Cyber” and “Cybersecurity”. Have you ever dared to ask what Cyber means to them? It is the number one theme and the number one theme people do not understand. Especially for politicians it is far away from their world as the theme we are talking of is even hard to grasp for specialists.</p>
<p><strong>Challenges for governments:</strong></p>
<blockquote><p>Of particular concern, are the often meagre resources available in developing countries, least developed countries and failed states to establish and implement an effective cyber-security regime. Without the participation of all countries, the overall system remains vulnerable to attack. International cooperation is hampered by these large discrepancies between national cyber capabilities.</p>
<p>[…]</p>
<p>With few exceptions, governmental responses to the threats and risks of cyberspace have taken two tracks: legal and organisational. Neither has been very well unified or coherent, rather, they have been more organic in their development and, consequently, less cohesive than one would wish. A lack of leadership, organisational stability and expertise are the main factors limiting the capacity to respond.</p>
</blockquote>
<p>It sometimes really makes me feel sad, seeing different organizations within governments fighting each other for the leadership in Cyber. Even worse: We see this within international bodies as well. Guess who wins: The Criminals.</p>
<p>We simply do not have the resources nor the energies available to afford this. Microsoft wants to collaborate and support organizations which drive a cybersecurity agenda but we cannot afford (we simply do not have the people) to help a lot of organizations, which fight each other.</p>
<p><em>If you are out there from a government or an international organization, you should definitely think about this! This is <u>your</u> responsibility. Ours is to provide our help.</em></p>
<p><strong>Challenges for legislative bodies:</strong></p>
<blockquote><ul>
<li>The technical complexity of the issue, which surpasses the professional experience of most members of parliament and requires highly specialized staffers that few parliaments can afford. </li>
<li>The fact that cyber security is a cross-cutting issue, which cannot easily be fitted into existing committee structures. To put it simply: Who is in charge—the armed forces committee or the security committee? Justice, police, or the committee for homeland security? Telecommunications? Or all of them? And what role is there for Foreign Affairs?</li>
</ul>
</blockquote>
<p>Governments, have you read the point above? We need to fix this and we need to fix this now as…</p>
<blockquote><ul>
<li>Cyber security is addressed, fully or partially, by many countries through their military and/or intelligence structures—i.e. through agencies that are, by their very nature, more exclusive and nontransparent.</li>
</ul>
</blockquote>
<p>Another challenge, which goes in the same direction: A lot of governments fear the collaboration with the private sector. Sometimes I hear statements like “we cannot work with you too closely because it would be politically incorrect if Microsoft helps us too far with our Cybersecurity strategy” – these are statements from people who listened to us and understood the value we can bring to the table (not selling products, fixing problems). Still, this fear blocks creative solutions between the public and the private sector.</p>
<p>There are good examples where this works but unfortunately there are not too many because of this fear. Interestingly enough it often works better in developing countries rather than developed – and again there are exceptions to the rule.</p>
<p><strong>Challenges for the armed forces:</strong></p>
<p>That’s a hard one as Cyberwar completely changes the world of the armed forces. One challenge is:</p>
<blockquote><ul>
<li>The military has become completely dependent on cyberspace for its activities. Any threat in the cyber domain is of fundamental consequence for the armed forces.</li>
</ul>
</blockquote>
<p>They have to rely on the critical infrastructure but are often not part of the government’s CIP program.</p>
<blockquote><ul>
<li>The traditional conservatism of the military is a hindrance (historical examples include the difficulties that militaries have had with the introduction of the machine gun, the dreadnought, the tank, or aircraft carrier). There is some truth in the saying that the military always tends to prepare for the last war.</li>
</ul>
</blockquote>
<p>I am seeing good initiatives in some places from people who understand that they are challenged. This then comes back to the collaboration between the private and public sectors. Those of us in the private sector: let’s help these people move forward in their defensive capabilities. At least we will not engage in offense.</p>
<p>and finally:</p>
<blockquote><ul>
<li>Cyberspace presents the military with questions for which there are not only no answers, but for which we might not even have understood the questions yet.</li>
</ul>
</blockquote>
<p>Well and we did not touch on the Cloud yet as it is worse there…</p>
<p><strong>Challenges for law enforcement:</strong></p>
<p>This is kind of a pet theme for me, especially when it comes to international collaboration and international harmonization of laws. The paper raises similar challenges:</p>
<blockquote><ul>
<li>While Internet criminality is international in nature, cyber crime legislation varies from country to country.</li>
</ul>
<p>[…]</p>
<ul>
<li>A country is, under international law, not responsible for the cyber activities of its citizens, even if those activities constitute de facto the equivalent of an act of war against another country. The situation invites cyber ambitious countries to hide their own cyber activities behind the cover of allegedly anonymous hackers or hacktivists.</li>
</ul>
</blockquote>
<p>This is actually an interesting approach and could solve the attribution problem. If a country can be held accountable internationally for not reacting to an attack which originates from within its borders, this might significantly change the way governments treat such attacks, as nobody can hide behind an activity that is disguised as the work of a private activist group.</p>
<p><strong>Challenges for judges and prosecutors:</strong></p>
<p>In my experience, we have a significant knowledge problem with judges and prosecutors. Having digital evidence in court is in a lot of countries a real challenge as it always comes down to experts testifying.</p>
<blockquote><p>Judges, prosecutors and law enforcement agencies often lack sufficient knowledge to effectively bring cyber criminals to justice. More must be done in training and education to ensure that these officials have the knowledge, skills, and capacity to properly fight cyber crime and to make their charges stick.</p>
</blockquote>
<p><strong>Private Sector:</strong></p>
<p>The private sector is not much better, though:</p>
<blockquote><p>If the government response to cyber security can be characterized as ad hoc, the private sector response to cyber security can best be characterised as unstructured.</p>
</blockquote>
<p>And I do not think that they are wrong.</p>
<p><strong>The IT Sector</strong></p>
<blockquote><p>The quality of software also needs to improve. Much attention has been on operating system security, but the target has now moved to the application layer, which has had insufficient security focus. Beyond the application layer, lower level software such as firmware is poised to be the next target of attack. There has been little to no attention aimed at reducing the vulnerabilities in this space, which must change.</p>
</blockquote>
<p>There are different things we are working on but basically our Security Development Lifecycle is a sound, proven and I would even say auditable basis to go forward. The challenge here will be that you find many more application providers than operating system manufacturers.</p>
<p><strong>Banks and Financial Services</strong></p>
<p>What is interesting is that they are separating banks and the IT sector from the Critical Infrastructure, which in my opinion you cannot do. They/we are a key part of it – and especially the banks showed it during the crisis.</p>
<blockquote><ul>
<li>Due to the massive amount of money being transferred electronically around the globe every second, financially motivated cyber criminality is on the rise.</li>
<li>The situation is rendered even more attractive for criminals by the fact that banks, more often than not, do not report successful attacks.</li>
</ul>
</blockquote>
<p>The last point is a call I make often to the banks but at the end of the day to everybody: We have to start to report attacks to the police. Otherwise, it is the Wild West out there. The problem currently is that we have a legal system, which works, we have Law Enforcement in a lot of countries doing a great job fighting cybercrime – often focused on child porn, which is great – but attacks on our infrastructures are not followed through as they are not reported. A fairly safe bet for the criminals.</p>
<p><strong>Critical National Infrastructure</strong></p>
<p>That’s a really complex thing and a lot of governments struggle with this. In my opinion for different reasons:</p>
<ul>
<li>Constantly changing governments make it hard to build trust between the private and the public sector</li>
<li>Often the focus of governments is on providing the key infrastructure like roads, power, internet, but protection only comes once it is there</li>
<li>Partly this is a cultural thing as well, as it depends to a certain point on the way the government and the society are structured. How trustworthy is the government from a citizen perspective? How far is the government willing to work with the private sector in a trusted way, or how far is the government in the position to invest a lot of money to build the competency on its own? Even in Western Europe, where such initiatives have already grown fairly far, there are a lot of different models in place already and you see that societies with similar cultures (e.g. Switzerland and The Netherlands) come up with fairly similar approaches, whereas different cultures (Switzerland and Germany) come up with fundamentally different ways of tackling the challenge.</li>
</ul>
<p>What does the paper see as the big challenges? Here you go:</p>
<blockquote><ul>
<li>The protection of CNI, has been recognized by most countries, as a priority. This basic awareness alone does, however, not translate into effective mechanisms for actual protection.</li>
</ul>
<p>[…]</p>
<ul>
<li>To create a genuine private public partnership in protection of CNI, the private sector would have to perceive a clear-cut, measurable advantage in reporting to law enforcement agencies, and to subsequently develop together with them a coherent defensive system. Currently, it does not.</li>
</ul>
<p>[…]</p>
<ul>
<li>The problem is exacerbated by the fact that, as examples prove, cyber malware has already been planted into some of the world’s critical infrastructure systems. The corresponding need to develop intelligent systems able to check automatically and regularly for the presence of highly sophisticated malware, is only about to be understood. It will be a costly enterprise in the best of circumstances and likely to be unevenly applied, thus reducing the eventual positive effects of select countermeasures for the overall system of interlinked critical infrastructures.</li>
<li>Comprehensively coherent and harmonized national approaches are indispensable in this domain; without international coordination no progress will be possible.</li>
</ul>
</blockquote>
<p>It is so obvious but so hard to achieve: International cooperation is key (and this means e.g. outside the EU as well) and one cannot address CIP without the private sector (which kind of runs the critical infrastructure…)</p>
<p><strong>WikiLeaks</strong></p>
<p>The final chapter, which comes back to ethics and freedom of speech. My position is clear here: <a href="http://www.halbheer.ch/security/2010/10/04/freedom-of-speech-does-not-mean-you-can-say-everything/">“Freedom of speech” does not mean you can say everything!</a></p>
<hr />
<p>Finally, what I really like about this paper is that it gets to the point and states what the authors think the response could be:</p>
<p>Not surprisingly, they start with the <strong>Public Private Partnership</strong>. Now, I stopped using this term, simply because it is often loaded with formal contracts and MoUs etc. What I think we need is a collaboration/cooperation between the sectors, where the public sector has to learn as well that collaboration with governments should not be to the disadvantage of the companies doing it. E.g. if we spend a lot of time and money working with governments to pave the way for the industry, this is very good, but we bear the investment and the competition gets the benefit. At least a public acknowledgment of such a collaboration, which happens sometimes, helps.</p>
<p>Where is the challenge we need to overcome? Well….</p>
<blockquote><ul>
<li>The private sector is understandably reluctant to share sensitive proprietary information about intrusions, actual damage, theft and crime, as well as prevention practices, with either government agencies or competitors because information sharing is a risky proposition with less than clear benefits. No company wants information to surface that they have given in confidence, since such an event could jeopardize their market position, customer base or capital investments.</li>
<li>Nor would private companies risk voluntarily opening themselves up to costly and time-consuming litigation. Industry fears that breaches on innocent customers might inadvertently occur during investigations. Negative publicity or exposure as a result of reports of information infrastructure violations could lead to threats to investor and consumer confidence in a company’s products. Moreover, companies fear revealing trade secrets to competitors, and hence are reluctant to share proprietary information. They also fear that sharing this information with government may lead to increased regulation of the industry or of e-commerce in general. </li>
</ul>
<p>[…]</p>
<ul>
<li>On the other hand, many private sector mechanisms for information sharing already exist without the need for government intervention. For example, both the “white-hat hacker” and the security researcher community provide a valuable private sector service. They are active information sharers which head off a vast number of attacks and identify vulnerabilities before harm occurs. Particularly on the technical level, information sharing about vulnerabilities and remediation happens routinely in the private sector. This is not because of a mandate from government. Rather the impulse to share is based on a well-grounded exchange of network-protective information done by engineers of, for example, the major telecom companies. And if the government wants to join in the sharing, they would be welcome—that is, if they bring added value to the arrangement. </li>
<li>There is an urgent need for active, robust, and credible liaison of government with the private sector. Government agencies have to respect the confidentiality as well as the value of the information and secrets that the private sector may give them to do their job. In order to do the job on both sides, real-time feedback on information sharing is essential. All partners engaged in ensuring IT security will not share information unless they have a high degree of confidence that this information will be protected from disclosure. Hence, all partners must take steps to protect sensitive data as a precursor to information sharing. Only then will it be possible to form trusted relationships and begin data sharing. Similar principles apply to information sharing between governments and international organisations.</li>
</ul>
</blockquote>
<p>I think that governments have to learn in cyberspace that a partnership is not unilateral. It should work both ways. I often see governments talking about partnerships but meaning us sharing information. I want intelligence back – not about single cases but trends and maybe real-time intelligence as well, where our technology is concerned. However, more often than not it is a one-way street and the reason is trust again.</p>
<p>And the second way to approach the challenge is naturally <strong>International Cooperation</strong>. This comes naturally if you read the statement above but is absolutely key. There are a lot of intergovernmental organizations trying to address the issue but unfortunately I see them often competing rather than collaborating. We need solutions and we need them fast – not in 2020 but in 2012.</p>
<p>All in all, a very good read, which in my opinion lays out the problems extremely well and gives a few natural approaches to possible solutions. </p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/04/14/cyber-security-the-road-ahead/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Libya Violence Exploited by Scammers</title>
		<link>http://www.halbheer.ch/security/2011/02/28/libya-violence-exploited-by-scammers/</link>
		<comments>http://www.halbheer.ch/security/2011/02/28/libya-violence-exploited-by-scammers/#comments</comments>
		<pubDate>Mon, 28 Feb 2011 16:27:22 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Scammers]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/28/libya-violence-exploited-by-scammers/</guid>
		<description><![CDATA[<p>It is a repeating pattern but no less disgusting. Whenever bad things happen on the globe, the criminals are not far. This happened during hurricane Katrina, the tsunami in Indonesia, the earthquake in Haiti and now, not surprisingly, in Libya as you can read in this blog post by Sophos: Violence in Libya exploited <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/28/libya-violence-exploited-by-scammers/">Libya Violence Exploited by Scammers</a></span>]]></description>
			<content:encoded><![CDATA[<p>It is a repeating pattern but no less disgusting. Whenever bad things happen on the globe, the criminals are not far. This happened during hurricane Katrina, the tsunami in Indonesia, the earthquake in Haiti and now, not surprisingly, in Libya as you can read in this blog post by Sophos: <a href="http://nakedsecurity.sophos.com/2011/02/28/violence-libya-exploited-email-scammers/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29" target="_blank">Violence in Libya exploited by email scammers</a> </p>
<p>Exploiting the willingness of people to help is terrible. We should be able to get these people and then send them to jail for a loooooooooooooong time</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/28/libya-violence-exploited-by-scammers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fighting Crime and Protecting Privacy&#8211;a Contradiction?</title>
		<link>http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/</link>
		<comments>http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/#comments</comments>
		<pubDate>Wed, 02 Feb 2011 07:35:31 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Consumer]]></category>
		<category><![CDATA[ISP]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/</guid>
		<description><![CDATA[I often read two kinds of articles when it comes to ISPs and protecting privacy. One side asks for as much privacy as possible, the other one for transparency to fight cybercrime. What is our real goal? What is the role of ISPs in fighting crime? An interesting study by the OECD in comparison with an article I read today. <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/">Fighting Crime and Protecting Privacy&#8211;a Contradiction?</a></span>]]></description>
			<content:encoded><![CDATA[<p>I was reading an article today called <a href="http://www.techdirt.com/articles/20110130/00141512883/does-your-isp-care-about-protecting-your-privacy.shtml" target="_blank">Does Your ISP Care About Protecting Your Privacy?</a>. An interesting question. The ISPs in the article are even thinking of VPNing all the traffic to avoid the necessity for keeping the logs (or probably better, NATing the whole network). So it seems that the ISPs in this article are trying to do their best to protect your privacy.</p>
<p>Isn’t that great? Well, not really, as there is a second aspect to this: I was recently talking to Michel van Eeten from the Delft University of Technology in the Netherlands. Together with some other academics, he did a study for the OECD called <a href="http://www.oecd-ilibrary.org/science-and-technology/the-role-of-internet-service-providers-in-botnet-mitigation_5km4k7m9n3vj-en" target="_blank">The Role of Internet Service Providers in Botnet Mitigation</a> (based on spam data), which came to the conclusion that there are ISPs which do a good job and others which do not. If you look at this graph you will see that if we could reduce the spam from the top 50 ISPs (the worst ones) we would get rid of almost 50% of the spam worldwide:</p>
<p><a href="http://www.oecd-ilibrary.org/the-role-of-internet-service-providers-in-botnet-mitigation_5km4k7m9n3vj.pdf;jsessionid=ph35kf5am449.delta?contentType=/ns/WorkingPaper&amp;itemId=/content/workingpaper/5km4k7m9n3vj-en&amp;containerItemId=/content/workingpaperseries/18151965&amp;accessItemIds=&amp;mimeType=application/pdf"><img title="image" style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" src="http://www.halbheer.ch/security/wp-content/uploads/2011/02/image.png" border="0" alt="image" width="644" height="483" /></a></p>
<p>Additionally they found out that over the years (2006-2009) at least half of the ISPs (when it comes to the number of infected machines per subscriber) remained the same in the Top 50.</p>
<p><a href="http://www.oecd-ilibrary.org/the-role-of-internet-service-providers-in-botnet-mitigation_5km4k7m9n3vj.pdf;jsessionid=ph35kf5am449.delta?contentType=/ns/WorkingPaper&amp;itemId=/content/workingpaper/5km4k7m9n3vj-en&amp;containerItemId=/content/workingpaperseries/18151965&amp;accessItemIds=&amp;mimeType=application/pdf"><img title="image" style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" src="http://www.halbheer.ch/security/wp-content/uploads/2011/02/image1.png" border="0" alt="image" width="644" height="337" /></a></p>
<p>So, it seems that the ISPs stick to their practices – good or bad.</p>
<p>Which leads me back to my initial question: What do <span style="text-decoration: underline;">we</span> want? If an ISP encrypted the traffic to protect our privacy completely, it would not be possible to find the bots and help the consumer to clean up. If we want them to completely address the problem, they would most probably have to do at least a certain level of traffic inspection. So, what do we want? How far are we willing to give up a certain level of privacy to allow law enforcement to go after the bad guys?</p>
<p>I think we should come to the point, where we get a more balanced view on such issues. The biggest challenge, however, will be that the answer to the question will be different from culture to culture but the problem is global. So, we kind of need a culture-agnostic answer/solution, which will be very hard to achieve.</p>
<p>Oh, I think I owe you one thing. Based on the study there were a few simple things, which the best ISPs do. I quote the findings of the study:</p>
<blockquote><p>That ISPs (as opposed to other types of players, such as hosting providers or corporations operating a network with its ASN) play a central role in botnet activity was already discussed, as was the great variability among ISPs. In addition to these findings, our data indicate the following (see Asghari 2010 for a more detailed discussion):</p>
<ul>
<li>There is a widely held belief that larger ISPs show worse security performance, as they face much less peer pressure. For instance, Moore, Clayton, and Anderson (2009) state that “&#8230;very large ISPs are effectively exempt from peer pressure as others cannot afford to cut them off. Much of the world’s bad traffic comes from the networks of these ‘too big to block’ providers.” In contrast to this belief, our dataset indicates that, while larger ISPs emit more spam in absolute numbers, relative to size their performance is on average slightly better than that of smaller ISPs.</li>
<li>Another claim is that lower average revenue per user (ARPU) is a sign of higher financial pressure that might result in less attention to security. Our data suggests that ARPU and relative security performance are unrelated.</li>
<li>Given differences in networking technology and user base, one might hypothesise that cable service providers can enhance their security performance easier than DSL providers. Our data indicates an 8 % lower incidence of unique sources for cable companies. The volume of spam, however, is similar for both types of providers. This might reflect that cable subscriptions have higher average bandwidths than DSL subscriptions, that cable providers use more Network Address Translation technology, or that they more often block port 25.</li>
<li>Bivariate analysis indicates that ISPs in countries that have joined the London Action Plan (LAP) have, on average, fewer bot infections. Likewise, operating in a country that has signed the Council of Europe’s Convention on Cybercrime is negatively correlated with botnet infections. Neither of these initiatives targets botnets directly. However, one could argue that membership of LAP is a proxy for the activity of a country’s regulatory entities in the area of cybersecurity, whereas membership of the Convention on Cybercrime is a proxy for the activity of law enforcement institutions in a country. These memberships, we assume, are associated with a broader set of measures undertaken by the governments in those countries. Earlier research by Wang and Kim (2009) provided some evidence in support of this effect, though they presume a somewhat tenuous direct causal link between the Convention and cybercrime incidents, rather than interpreting membership of the Convention as a proxy variable. However, factors correlated with a country’s willingness to sign these agreements could also be at work both for the Convention as well as the LAP.</li>
</ul>
</blockquote>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conclusion on UNODC: Open Ended Expert Group on Cybercrime</title>
		<link>http://www.halbheer.ch/security/2011/01/20/conclusion-on-unodc-open-ended-expert-group-on-cybercrime/</link>
		<comments>http://www.halbheer.ch/security/2011/01/20/conclusion-on-unodc-open-ended-expert-group-on-cybercrime/#comments</comments>
		<pubDate>Thu, 20 Jan 2011 10:10:05 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Intergovernmental Organizations]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Cybersecurity Agenda]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/01/20/conclusion-on-unodc-open-ended-expert-group-on-cybercrime/</guid>
		<description><![CDATA[I blogged about my attendance at the above mentioned UNODC meeting. This is a short summary on how I perceived the meeting. <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/01/20/conclusion-on-unodc-open-ended-expert-group-on-cybercrime/">Conclusion on UNODC: Open Ended Expert Group on Cybercrime</a></span>]]></description>
			<content:encoded><![CDATA[<p>I told you that I will attend the <a href="http://www.halbheer.ch/security/2011/01/16/unodc-open-ended-expert-group-on-cybercrime/">UNODC: Open Ended Expert Group on Cybercrime</a>, which is now slowly coming to an end. Let me draw a few conclusions on the meeting. </p>
<p>It was not the first UN meeting I attended and – depending on the audience – the discussion can easily result in long political debates, which hardly lead to direct results. I guess that these debates are important and necessary to get people on board but I am neither a diplomat nor a politician <img class="wlEmoticon wlEmoticon-smile" style="border-style: none;" src="http://www.halbheer.ch/security/wp-content/uploads/2011/01/wlEmoticon-smile.png" alt="Smile" />.</p>
<p>The participants came from all across the different UN countries, academia, a few inter-governmental organizations like Council of Europe, OSCE, EU and the private sector – which leads me to the first real complaint: <em>I know that UNODC invited an extensive list of private sector companies but it seems that the interest to work with governments and the UN on constructive solutions does not really exist if no direct business is involved</em>. The private sector was represented only by Microsoft.</p>
<p>My key and high-level conclusions listening to the debates are:</p>
<ul>
<li>There was a great willingness expressed by the delegations to cooperate combating cybercrime</li>
<li>This collaboration is needed and is probably one of the most important and most pressing issues</li>
<li>The collaboration has to be not only between countries but between the public and the private sector as well</li>
<li>Legislation has to be harmonized at least on a level which allows this collaboration</li>
<li>Cybercrime has to be criminalized all across the whole chain</li>
</ul>
<p>And now my conclusion: We need pragmatic solutions, because if there is really the intent to either redesign the <a href="http://www.conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&amp;CM=8&amp;DF=&amp;CL=ENG" target="_blank">Budapest Convention</a> by the Council of Europe or even develop a new convention, this will simply take way too long (some people were talking of 2020). We cannot wait that long! It will only serve the criminals, and the private sector needs a certain level of stability and safety regarding how the law will be applied and that laws in different countries are not contradicting.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/01/20/conclusion-on-unodc-open-ended-expert-group-on-cybercrime/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>UNODC: Open Ended Expert Group on Cybercrime</title>
		<link>http://www.halbheer.ch/security/2011/01/16/unodc-open-ended-expert-group-on-cybercrime/</link>
		<comments>http://www.halbheer.ch/security/2011/01/16/unodc-open-ended-expert-group-on-cybercrime/#comments</comments>
		<pubDate>Sun, 16 Jan 2011 21:39:13 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[UN]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/01/16/unodc-open-ended-expert-group-on-cybercrime/</guid>
		<description><![CDATA[<p>From tomorrow on, UNODC invited for an Open Ended Expert Group on Cybercrime in Vienna. I am really interested in seeing how these discussions will go. If – by any chance – you are there as well, please ping me and we will have a chat.</p> <p>Otherwise, I will see what I can blog about. <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/01/16/unodc-open-ended-expert-group-on-cybercrime/">UNODC: Open Ended Expert Group on Cybercrime</a></span>]]></description>
			<content:encoded><![CDATA[<p>From tomorrow on, UNODC invited for an Open Ended Expert Group on Cybercrime in Vienna. I am really interested in seeing how these discussions will go. If – by any chance – you are there as well, please ping me and we will have a chat.</p>
<p>Otherwise, I will see what I can blog about. But at least it is a great and interesting “get together” of cybercrime experts from the public and private sector!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/01/16/unodc-open-ended-expert-group-on-cybercrime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybercrime as a Service&#8211;Our Future?</title>
		<link>http://www.halbheer.ch/security/2011/01/12/cybercrime-as-a-serviceour-future/</link>
		<comments>http://www.halbheer.ch/security/2011/01/12/cybercrime-as-a-serviceour-future/#comments</comments>
		<pubDate>Wed, 12 Jan 2011 09:01:31 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2011/01/12/cybercrime-as-a-serviceour-future</guid>
		<description><![CDATA[<p>It is not really surprising that the criminals will leverage the economy of Cloud Computing for their illegal purposes. Especially activities, which consume a lot of processor power will be moved to the Cloud – like any other business.</p> <p>Some way back, there were discussions on how to leverage GPUs to crack passwords: Graphics Cards <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/01/12/cybercrime-as-a-serviceour-future/">Cybercrime as a Service&#8211;Our Future?</a></span>]]></description>
			<content:encoded><![CDATA[<p>It is not really surprising that the criminals will leverage the economy of Cloud Computing for their illegal purposes. Especially activities, which consume a lot of processor power will be moved to the Cloud – like any other business.</p>
<p>Some way back, there were discussions on how to leverage GPUs to crack passwords: <a href="http://www.darknet.org.uk/2007/11/graphics-cards-the-next-big-thing-for-password-cracking/">Graphics Cards – The Next Big Thing for Password Cracking?</a> – that was back in 2007. Then in 2009 there were discussions on how to misuse Amazon EC2 to crack passwords: <a href="http://www.darknet.org.uk/2009/11/using-cloud-computing-to-crack-passwords-amazons-ec2/">Using Cloud Computing To Crack Passwords – Amazon’s EC2</a>. Now, there are announcements that it will become public knowledge how to use Amazon’s EC2 GPU to combine both – announced at BlackHat DC: <a href="http://www.darkreading.com/authentication/167901072/security/encryption/229000423/cloud-based-crypto-cracking-tool-to-be-unleashed-at-black-hat-dc.html">Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC</a>.</p>
<p>This development cannot be surprising. Crime is a business &#8211; illegal but following the same rules as any other business. If somebody is conducting illegal activities on a Cloud infrastructure, I expect every cloud provider to do their best to fight that. But it is close to impossible. Let’s assume you are a mathematician at a University doing crypto research. Part of your job is trying to understand how vulnerable the mathematical models for crypto are and how you can improve them. So, cracking crypto is a legitimate part of your job. Putting such work in the Cloud might make sense. How can you distinguish such use of a Cloud infrastructure from an illegal activity? Even worse: In Amazon EC2, you just rent an infrastructure, without Amazon knowing what is going on in the virtual machine. As a customer of Amazon, I would definitely not want them to look into my VMs – that’s my business.</p>
<p>How can we now make sure that the criminals are not misusing a Cloud infrastructure but still retain confidentiality? This will be a huge challenge.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/01/12/cybercrime-as-a-serviceour-future/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Targeted Attacks: The Biggest Risk in 2011?</title>
		<link>http://www.halbheer.ch/security/2011/01/03/targeted-attacks-the-biggest-risk-in-2011/</link>
		<comments>http://www.halbheer.ch/security/2011/01/03/targeted-attacks-the-biggest-risk-in-2011/#comments</comments>
		<pubDate>Mon, 03 Jan 2011 18:01:22 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2011/01/03/targeted-attacks-the-biggest-risk-in-2011</guid>
		<description><![CDATA[<p>For quite a while, I have been saying that targeted attacks are the risks which really keep me up at night.</p> <p>BBC just posted a similar article: Cyber-sabotage and espionage top 2011 security fears</p> <p>I think that this is a real issue and very hard to fight!</p> <p>Roger</p> ]]></description>
			<content:encoded><![CDATA[<p>For quite a while, I have been saying that targeted attacks are the risks which really keep me up at night.</p>
<p>BBC just posted a similar article: <a href="http://www.bbc.co.uk/news/technology-12056594">Cyber-sabotage and espionage top 2011 security fears</a></p>
<p>I think that this is a real issue and very hard to fight!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/01/03/targeted-attacks-the-biggest-risk-in-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

