[Infowarrior] - Batten down the cyber-hatches

Richard Forno rforno at infowarrior.org
Sat May 2 00:58:16 UTC 2009 

Batten down the cyber-hatches
Articles in English 01 May 2009 EE Online
Trüki Trüki   E-post E-post
Securing vulnerable networks across Europe

http://www.eesti.ca/?op=article&articleid=23611

Edward Lucas

Over the past ten years the European Union has failed to protect the  
continent's energy security. Will it do any better when it comes to  
cyber-security?

At an EU conference on that subject in Tallinn on April 27th,  
participants wrestled with the need to act and the difficulty of  
deciding what exactly to do. The location was a suitable one: Estonia  
is the only EU member state to have suffered a full-scale cyber- 
attack, in April 2007. Amid a furious row with Russia about the  
relocation of a Soviet-era war memorial, a flood of bogus internet  
traffic disabled the country's main websites, briefly shutting down  
vital public services and crippling businesses such as online banking.

Yet two years later, the EU and its member states are still wrestling  
with the issue. Knowing whether such attacks come from pranksters,  
hooligans, terrorists, criminals or an unfriendly government is  
difficult—sometimes impossible. But the potential damage is clear:  
everything from water and electric power to financial industries and  
retail distribution depends on the internet. The right combination of  
malicious code, stolen or hacked passwords and a badly designed system  
could mean catastrophe.

One temptation is to put lots of faith in expensive and gimmicky  
technical fixes. But as Scott Borg, an American expert attending the  
conference, pointed out, the starting point should be economics:  
without knowing the cost of, say, a 24-hour power shutdown as opposed  
to a six-hour one, it is hard to know what priority to give the means  
necessary to prevent it.

A simple form of defence is sharing information. But that requires  
trust. If news of a cyberstrike on a business leaks out, it can scare  
customers and send share prices plummeting. The last thing that  
business will want to do is announce that it has been attacked. Yet  
pooling knowledge strengthens everyone's defences. Similarly, getting  
businesses and bureaucrats to share information runs into cultural  
barriers, as well as worries about confidentiality and legal liability.

So it is no surprise that countries with a high level of social trust  
are way ahead of the rest. Sweden, for example, will be staging its  
third bi-annual cyber-warfare exercise on May 6th and 7th, in which  
officials and businesses will practise coping with simulated attacks,  
some using live "ammunition", and work out how they would keep the  
economy and public services going most effectively. Most EU member  
states are nowhere near that level. Some have yet to set up a national  
body, usually known as a computer emergency readiness team or CERT, to  
coordinate cyber-defences.

That makes a provisional plan to hold EU-wide cyberwar exercises by  
2010 look ambitious. So is placing great hopes on a common regulatory  
framework to deal with cyber-security, for example setting clearer  
rules about identity on the internet. It is hard to imagine the "black  
hats" (the generic term for the bad guys) quaking at the thought of  
yet another fat document emerging from the Brussels bureaucracy.

One contentious idea discussed at the conference was whether to make  
internet service providers (ISPs) legally liable, at least to some  
extent, for the damage caused by the data they transmit. That might  
encourage them to police and protect their customers better. But given  
the scale of the potential risk, it is hard to see how any ISP could  
cope.

The best hope is that countries with the best cyber-defences keep  
innovating and coordinating their efforts, and that over time more  
states will join them. By most counts, they number roughly seven  
European countries, including non-EU Norway. For everyone else, some  
prudent supplies of bottled water, canned food and candles sounds  
sensible.

(Europe.view column, April 30, 2009, Economist.com. Also posted on the  
author’s blog)

More information about the Infowarrior mailing list