New Action Needed to Boost Cybersecurity in Changing Times

That the open Internet that was designed without security in mind is the major reason why cybercriminals feel so comfortable online, said CEO Eugene Kaspersky of Kaspersky Lab. The global Internet is fundamental to the global economy, though botnets can cause “serious, serious problems,” he said. He was so concerned when he heard that a botnet master would send new instructions to the 10 million computers under its control on April 1, he made sure he wasn’t flying.

Evidence points to rising financial losses and e- commerce breaches costing hundreds of billions of dollars, said Carlos Solari, vice president of central quality, security and reliability at Alcatel-Lucent. A security breach also costs in lost trust and confidence, Solari said. “Our dependence” on information and communications technology “continues to grow.”

The marketplace for security has to change, Solari said. Technology vendors have to bear the initial responsibility for spurring cybersecurity, he said, referring to “security by design,” or the problem will get worse with Web 2.0 and cloud computing. Cloud computing now has the same security as Windows OS in 1999, said Chihiro Sawada, vice president at NEC Corp.

Estonia’s e-services were rolled out before cybersecurity was seriously taken into account, said Juhan Parts, that country’s minister of economic affairs and communications, referring to the 2007 cyberattacks there. Governments have to do their part in cybersecurity, Parts said, though the Internet isn’t government-owned or run. Citizens also have responsibility to navigate safely, just as pedestrians and drivers do, he said, though the Internet is much more complicated. Government involvement could be compared to management of traffic in the airspace, he added.

Governments need to start considering certification rules and international treaties to allow various government and commercial networks to talk to each other, Wisekey’s Moreira said. Countries can’t overreact on security and defense, Parts said. The Internet will be the driving economic force in the coming decades, Parts said. “Adequate international cooperation” is needed, he said.

Governments have done a poor job trying to legislate cybersecurity, said Moreira, who stressed the punitive nature of dealing with cybercrime. Government and industry need to adopt the same security standards and apply them based on risk models, Solari said. Security should be embedded in network build outs, Sawada said. Authentication is needed for network and component elements across the board, Moreira said. The next generation network has authentication and controls for security functions at the network level, Sawada said.

Negligence is rapidly becoming an important driver, Moreira said. If money is lost because a bank hasn’t used proper security procedures, customers are resorting to legal action, Moreira said. Similar evolution occurred in the automotive and other industries where consumers accepted a higher rate of loss at first, he said. Developing countries keep “paying and paying and paying” to deal with viruses, with no end in sight, a Ugandan regulator said. “Security costs money,” Kaspersky said. But OS security is too expensive, he said. “Security should be for free,” Moreira said. The cost of information security can fall over time, Sawada said.

Kaspersky’s dream is to keep the huge global network in working order. An “Internet government” is needed, Kaspersky said, elaborating on the idea of designing the Internet from scratch. The “international organization” would have “control over all their Internet infrastructure,” he said. Everyone would also have an Internet ID like in Estonia, he said. Internet service providers would have to keep data for police investigations, Kaspersky said. His hope is for an Internet government that “has control and regulates all the Internet infrastructure.” Kaspersky is on the advisory board of the International Multilateral Partnership Against Cyber- Threats (WID May 27 p2).

“We should stop this paternalism model,” Moreira said. Innovation is now coming from developing countries, he said. Moreira was referring to the 2 billion people with mobile phones who have no bank account but who use mobile devices to transfer money. Europe and the U.S. are behind on mobile money, he said. -- Scott Billquist

ITU Telecom Notebook

The first commercial chips using global positioning to improve cellular network performance will be available in early 2010, inventor Yuri Gromakov, director general of Russia’s Intellect Telecom, told us. The combination allows locating the cellular customer to within 3 cm., he said, and aids cell network handoffs. Maybe most importantly, knowing exactly where the customer is allows automatically configuring the cellsite antenna to maximize efficiency, Gromakov said through a translator. The technology has already been successfully tested in Moscow and St. Petersburg, he said, and Qualcomm is making the chips. System development work is being done by ZTE, and Intellect has a memorandum of understanding with Nokia Siemens for additional work on it, he said.

----

Better disclosure and analysis are needed to measure the rising cost of cybersecurity, executives said at a ITU Telecom World forum. Many people don’t think cybercrime affects them, but someone must bear the costs, said Pirkka Palomaki, F-Secure’s CTO. Lack of disclosure gets in the way of understanding the costs, he said, and they snowball. Malware is a primary tool for cybercrime, Palomaki said, and it’s easy to write, inexpensive and low risk. The arrival of open smartphones could threaten 3G and 4G networks, he said. Effects on human rights, democracy and the rule of law must be included in cybersecurity costs, said Alexander Seger, the head of the Council of Europe’s economic crime unit. Cybersecurity may also adversely affect rights, he said. Government money must be committed to security, said CEO Raj Puri of Yaana Technologies, and not just to buy security features with whatever funds are left over. The real cost of vulnerability is that some people lose trust in the Internet for business or personal use, said Cristine Hoepers, general manager of Brazil’s CERT. Cybercriminals are exploiting software weaknesses and some users’ lack of skills, she said. Software now is as vulnerable as it was 20 years ago, Hoepers said. A smart botnet master will install virus protection on a computer so he doesn’t lose the machine to a competitor, said Prof. Ross Anderson of Cambridge University. Users and networks need to be secure by design, Hoepers said. Universities should try to change their programs to promote built-in security, she said. - SB

----

The Internet Society (ISOC) launched a next generation leaders program for the Internet, the society’s Bill Graham said. The aim is to spur involvement in an academic program, introduce technical people to policy issues and vice versa, he said. Non-profit DiploFoundation is helping build an e- learning component, he said. ISOC is funding fellowships to the Internet Engineering Task Force and Internet Governance Forum meetings, Graham said. The society also wants to bring future leaders into Organization for Economic Co-operation and Development and World Bank meetings. ISOC is also working with partners “to try and make sure there’s a succession plan for the Internet organizations,” Graham said. - SB

----

The World Bank will back a $215 million project for an Internet backbone, the organization said at ITU Telecom World. The aim is to boost availability of high-speed Internet access, lower prices and harmonize laws and regulations to spur private sector investment and competition. About $26 million will initially be invested in Cameroon, Chad and the Central African Republic, the World Bank said. The project will extend 1,000 kilometers of dark fiber with another 2,000 kilometers of new fiber in neighboring countries, said Yann Burtin, the program’s project manager. The remaining funds will be invested over 10 years, possibly in Congo, Equatorial Guinea, the Democratic Republic of Congo, Gabon, Niger, Nigeria, Sao Tome and Principe, and Sudan. The program aims to get another $98 million from the private sector, the World Bank said. The International Development Bank may provide another $200 million, Burtin said. - SB

----

National digital identity cards could be used to boost international cybersecurity, but the practice could spark heated opposition, speakers said at an ITU Telecom World forum. The same rules for passports could be applied internationally to the Internet, CEO Carlos Moreira of Wisekey said. The concept could apply to digital identification, he said. Regional interoperability” programs in EU and North American Free Trade Agreement countries are starting, Moreira said. Estonia has a national ID card now valid for other countries, Moreira said. An international user ID card with a special unique code “is something very important,” said Juhan Parts, Estonia’s minister of economic affairs and communications. The national ID card is a “very good trend” toward avoiding repeating the same cybersecurity problems, Moreira said. There is “no greater lightning rod” in the U.S. than an internationally compatible ID card, said Carlos Solari, vice president of central quality, security and reliability at Alcatel-Lucent. - SB

----

Correction: Participants in an ITU-T study group, not the HomeGrid Forum, will consider a home networking recommendation called G.hn for final approval Friday (CD Oct 6 p16).