[Infowarrior] - Batten down the cyber-hatches
Richard Forno
rforno at infowarrior.org
Sat May 2 00:58:16 UTC 2009
Batten down the cyber-hatches
Articles in English 01 May 2009 EE Online
Securing vulnerable networks across Europe
http://www.eesti.ca/?op=article&articleid=23611
Edward Lucas
Over the past ten years the European Union has failed to protect the
continent's energy security. Will it do any better when it comes to
cyber-security?
At an EU conference on that subject in Tallinn on April 27th,
participants wrestled with the need to act and the difficulty of
deciding what exactly to do. The location was a suitable one: Estonia
is the only EU member state to have suffered a full-scale
cyber-attack, in April 2007. Amid a furious row with Russia about the
relocation of a Soviet-era war memorial, a flood of bogus internet
traffic disabled the country's main websites, briefly shutting down
vital public services and crippling businesses such as online banking.
Yet two years later, the EU and its member states are still wrestling
with the issue. Knowing whether such attacks come from pranksters,
hooligans, terrorists, criminals or an unfriendly government is
difficult—sometimes impossible. But the potential damage is clear:
everything from water and electric power to financial industries and
retail distribution depends on the internet. The right combination of
malicious code, stolen or hacked passwords and a badly designed system
could mean catastrophe.
One temptation is to put lots of faith in expensive and gimmicky
technical fixes. But as Scott Borg, an American expert attending the
conference, pointed out, the starting point should be economics:
without knowing the cost of, say, a 24-hour power shutdown as opposed
to a six-hour one, it is hard to know what priority to give the means
necessary to prevent it.
A simple form of defence is sharing information. But that requires
trust. If news of a cyberstrike on a business leaks out, it can scare
customers and send share prices plummeting. The last thing that
business will want to do is announce that it has been attacked. Yet
pooling knowledge strengthens everyone's defences. Similarly, getting
businesses and bureaucrats to share information runs into cultural
barriers, as well as worries about confidentiality and legal liability.
So it is no surprise that countries with a high level of social trust
are way ahead of the rest. Sweden, for example, will be staging its
third bi-annual cyber-warfare exercise on May 6th and 7th, in which
officials and businesses will practise coping with simulated attacks,
some using live "ammunition", and work out how they would keep the
economy and public services going most effectively. Most EU member
states are nowhere near that level. Some have yet to set up a national
body, usually known as a computer emergency readiness team or CERT, to
coordinate cyber-defences.
That makes a provisional plan to hold EU-wide cyberwar exercises by
2010 look ambitious. So is placing great hopes on a common regulatory
framework to deal with cyber-security, for example setting clearer
rules about identity on the internet. It is hard to imagine the "black
hats" (the generic term for the bad guys) quaking at the thought of
yet another fat document emerging from the Brussels bureaucracy.
One contentious idea discussed at the conference was whether to make
internet service providers (ISPs) legally liable, at least to some
extent, for the damage caused by the data they transmit. That might
encourage them to police and protect their customers better. But given
the scale of the potential risk, it is hard to see how any ISP could
cope.
The best hope is that countries with the best cyber-defences keep
innovating and coordinating their efforts, and that over time more
states will join them. By most counts, they number roughly seven
European countries, including non-EU Norway. For everyone else, some
prudent supplies of bottled water, canned food and candles sounds
sensible.
(Europe.view column, April 30, 2009, Economist.com. Also posted on the
author’s blog)