Despite testy relations among countries, international cyber security standards offer the promise of cooperation, Alan Earls reports.
Efforts to develop standards for cyber protection that are internationally applicable, if not actually internationally mandated, have been underway for years. Some, for example, focus on helping compare security practices among organization. Others are sponsored by particular industries. However, with nation-states snarling at each other over spying charges, at least some of the enthusiasm for cooperation has grown muted. It's as if a family feud erupted in the middle of a home invasion.
Still, there is a widespread recognition of common interests and many opportunities to strengthen cooperation and build on what's been accomplished – with existing standards as a useful underpinning. So, today, standards serve as a vital touch point in an unsettled and troubling environment.
According to Michel Kabay, professor of computer information systems at Norwich University, a military college located in Northfield, Vt., an overarching challenge is the lack of a coherent framework of consistent cyber law. “Because of international requirements for ‘dual criminality,' extradition for computer crimes is impossible unless both the country where the damage was done and the country where the criminal currently resides have defined the infraction with equal severity,” he explains. Thus, if the United States defines computer trespass as a felony under the Computer Fraud and Abuse Act, a country which defines the same behavior as a misdemeanor will never agree to extradition, he notes.
The second problem, for which standards offer no direct answer is the radical differences in the degree to which countries exercise effective rule of law. “In many jurisdictions, ‘law' is merely a veneer of propaganda covering the otherwise untrammeled exercise of political and physical power,” Kabay says. For example, in the case of China, authorities barely bother to pretend to have impartial justice and intellectual property law doesn't exist – much to the detriment of their native software industries, he says. Similarly, he adds, computer criminals are often employees of the state employed in systematic industrial espionage for the benefit of an increasingly rich and powerful political and economic elite in the country.
Until we solve the problem of the inherent vulnerability of both people and software, we can't really have universal standards for cyber security, says John Pescatore, research director for network security at the SANS Institute. “What you do have are some accepted norms, which are sometimes called frameworks. Broadly, what we are trying to do internationally is to get everyone to the same common level of security hygiene.”
Still, even granting that cyber crime has safe harbor in many jurisdictions, there has been gradual progress. Standards comprise some pieces of the puzzle, according to Gene Fredriksen (left), global information security officer at PSCU, a financial institution based in Tampa/St. Petersburg, Fla. serving the credit union industry. “Standards are similar to a recipe. They prescribe the ingredients that the meal needs. But, like any recipe, the experience of the chef and how the ingredients are blended and presented to the consumer makes the difference between a masterpiece and just another meal,” he says. “How we tie [standards] to the business risks and needs is truly the secret sauce.”
Kabay agrees. Standards, he says, are important – including a wide range that relate to certification of individuals. In aggregate, standards promote consistent security end-to-end, as well as across different public and private domains and computing environments.
Still, warns Richard Stiennon, founder and chief research analyst at industry analyst firm IT-Harvest, a critical component of internationalism – cooperation – has come under threat over the last year.
Prior to the revelation of what he terms the massive U.S. surveillance state, the international community was focused on cyber crime. In general, cooperation seemed to be increasing, says Stiennon.
However, there has been an elephant in the room since June 2012, when U.S. complicity in creating the Stuxnet virus was revealed. “That was a sovereign nation doing physical damage to another nation's nuclear capability,” he says.
Given that the U.S. believe it has an edge in this tool for projecting power, it has shown no interest in participating in any dialogue that would lead to limits on this kind of activity, he explains. And, while most nations engage in spying and surveillance, the scale and scope of these activities revealed by former NSA contractor Edward Snowden – and the wide publicity the information has received – have further eroded interest in global cooperation.
Still, notes Stiennon, most of those concerned about cyber crime know there is ultimately no alternative to cooperation and, once some of the sturm und drang has dissipated regarding the NSA and other American cyber activities, business as usual should return.
Anup Ghosh (left), CEO and founder of Invincea, a Fairfax, Va.-based developer of secure virtual containers for malware detection and cyber threat forensic intelligence, agrees. Beyond the political level there are a lot of reasons for cooperation, he says.
“In too many areas of international interactions, we are talking an impressive line and walking a ragged line,” Kabay says. “To achieve long-term results will require reducing the power of entrenched elites who interfere with long-term planning that can benefit all of humanity.” But, in the meantime, short-term thinking interferes with effective long-term planning, he says.
Those long-term challenges are everywhere. Steve Santorelli, manager of outreach at Team Cymru, a security research company based in Lake Mary, Fla., and a former Scotland Yard detective sergeant, says a major challenge is that 18th century methods of police work are proving inadequate to deal with 21st century crime. That's particularly true when it comes to working across borders. Traditionally, he says, about the only time a police department might have to talk to the police in another country was when there was a murder involving a foreign national.
Unfortunately, even though a great many crimes now involve international connections, he says he can't just pick up the phone and call someone in another jurisdiction. For example, at Scotland Yard, a request to connect with the FBI would typically have to go up the chain of command and then to the U.K.'s Home Office, the Foreign & Commonwealth Office and eventually through diplomatic channels to the U.S. State Department – and from there to the FBI and a particular branch or agent. “It takes six months, even when you push hard,” says Santorelli.
Further, he says work needs to be done to align standards of evidence so that it becomes realistic to prosecute across national boundaries. “Right now, evidence gathered in many countries simply won't stand up in a U.S. court of law,” he says.
In short, standards aren't going to emerge to cure cyber crime, but standards – current and future – will need to be part of the solution.