Despite testy relations among countries, international cyber security standards offer the promise of cooperation, Alan Earls reports.
Efforts to develop standards for cyber protection that are internationally applicable, if not actually internationally mandated, have been underway for years. Some, for example, focus on helping compare security practices among organizations. Others are sponsored by particular industries. However, with nation-states snarling at each other over spying charges, at least some of the enthusiasm for cooperation has grown muted. It's as if a family feud erupted in the middle of a home invasion.
Still, there is a widespread recognition of common interests and many opportunities to strengthen cooperation and build on what's been accomplished – with existing standards as a useful underpinning. So, today, standards serve as a vital touch point in an unsettled and troubling environment.
According to Michel Kabay, professor of computer information systems at Norwich University, a military college located in Northfield, Vt., an overarching challenge is the lack of a coherent framework of consistent cyber law. “Because of international requirements for ‘dual criminality,’ extradition for computer crimes is impossible unless both the country where the damage was done and the country where the criminal currently resides have defined the infraction with equal severity,” he explains. Thus, if the United States defines computer trespass as a felony under the Computer Fraud and Abuse Act, a country which defines the same behavior as a misdemeanor will never agree to extradition, he notes.
The second problem, for which standards offer no direct answer, is the radical difference in the degree to which countries exercise effective rule of law. “In many jurisdictions, ‘law’ is merely a veneer of propaganda covering the otherwise untrammeled exercise of political and physical power,” Kabay says. For example, in the case of China, authorities barely bother to pretend to have impartial justice, and intellectual property law doesn't exist – much to the detriment of their native software industries, he says. Similarly, he adds, computer criminals are often employees of the state engaged in systematic industrial espionage for the benefit of an increasingly rich and powerful political and economic elite in the country.
Until we solve the problem of the inherent vulnerability of both people and software, we can't really have universal standards for cyber security, says John Pescatore, research director for network security at the SANS Institute. “What you do have are some accepted norms, which are sometimes called frameworks. Broadly, what we are trying to do internationally is to get everyone to the same common level of security hygiene.”
Still, even granting that cyber crime has safe harbor in many jurisdictions, there has been gradual progress. Standards comprise some pieces of the puzzle, according to Gene Fredriksen, global information security officer at PSCU, a financial institution based in Tampa/St. Petersburg, Fla., serving the credit union industry. “Standards are similar to a recipe. They prescribe the ingredients that the meal needs. But, like any recipe, the experience of the chef and how the ingredients are blended and presented to the consumer makes the difference between a masterpiece and just another meal,” he says. “How we tie [standards] to the business risks and needs is truly the secret sauce.”
Kabay agrees. Standards, he says, are important – including a wide range that relate to certification of individuals. In aggregate, standards promote consistent security end-to-end, as well as across different public and private domains and computing environments.
Still, warns Richard Stiennon, founder and chief research analyst at industry analyst firm IT-Harvest, a critical component of internationalism – cooperation – has come under threat over the last year.