All societies are vulnerable in cyberspace due to the growing interconnection of networks, of people through emails and social media, etc., and increasingly of ‘things’ such as machines, sensors and consumer goods, through the Internet using cables, Ultra Wideband (UWB) and other wireless technologies.
The vulnerabilities exist at all levels. For analysis it is useful to think of three levels: high-level attacks on critical information infrastructure (CII) which can bring parts of a country to a standstill and are likely to come from a terrorist assault or political cyber-warfare; cybercrime which can range from industrial scale espionage of state or commercial secrets, to massive financial theft and fraud, and to so-called ‘white-collar’ crimes such as tax evasion moving online from offline; and third, crimes against persons such as child abuse, cyber-bullying, online defamation, etc.
3.8.1 Security of Critical Information Infrastructure
At the highest level, the first recorded cyber-assault on a country’s entire infrastructure was in Estonia in April 2007 when websites of Parliament, ministries, newspapers, banks and others were brought to a standstill in distributed denial-of-service (DDOS) attacks. Even more insidious is the malicious use of web robots or ‘bots’. They are very useful in search engines for tasks such as web spidering, but they can also be used to take remote control of websites without the owners knowing it, read the files and implant malicious code. Like the rogue computer Hal in the movie ‘2001’ that takes control of the spaceship, this is a very power weapon in the wrong hands. Public utilities such as a telecoms and energy networks could be hijacked, traffic diverted, energy supplies cut off, causing untold economic loss and loss of life.
CERTS and CTBEX
Although it is not possible to assign precise levels of risk to cyber-security in terms of exact times and places, with sufficient data is it possible to assign degrees of risk to different areas of strategic importance and to possible timescales. Using past data on attacks and a strategic view of network vulnerabilities, some planning and preparation is possible, but success is entirely dependent upon good detection work based upon intelligence and information sharing between agencies. It is important, for example, that telecom operators and Internet service providers notify the regulator or cybercrime agencies of suspected or actual cyber-attacks.
It is equally important for these agencies to work in close collaboration and exchange of information, first at the national level, and second at the regional and international levels. To this end, the ITU has been involved in an initiative on cyber-security for telecom networks through the Cybersecurity Information Exchange Framework or CTBEX.* It consists of a set of protocols and standards and a general framework which integrates different security domains, such as measures for protection, detection, remedies and legal as illustrated in the figure 3.13 below.FIGURE 3.13Agreement on a cybersecurity model: information sharing dependencies
Ministries and regulators need to be part of a national cyber strategy planning process. For example, the Ministry of Information and Communications in Mauritius with support from the African Development Bank has developed a holistic approach to cyber-security with a National Strategic Plan that was created for 2007-2011 and has been revised for 2011-2014.* This follows the creation of Police Cybercrime Unit in 2000 and a Computer Emergency Response Team (CERT-mu) in 2008. The Plan transparently identifies areas of cyber-security that need strengthening, which is the first step towards reducing risk. It also outlines the coordinating mechanisms required between agencies.
The creation of CERT-mu is an important step and follows best practice for many countries; for example, US-CERT is the 24x7 operational arm of the Department of Homeland Security.* In East Africa, the Cybersecurity Taskforce of the East African Communications Organizations (EACO) covering Burundi, Kenya, Rwanda, Tanzania and Uganda was formed in 2008. It tasked with setting up national CERTS in each member state. National expertise in cybercrime issues may reside in several different departments and law enforcement agencies and in private IT and telecom companies and it is therefore important that national strategic plans optimize on ways to share information on a timely basis. The following points can be used to assess how successful organizationally the setting up of cyber-crime agencies have been.
- How many staff have been on cyber training
- What outside expertise has been enlisted to grow the capacity of the agency
- Has the agency developed its own training programme for use by other agencies
- Has the agency developed a database coordinating details of known cyber-attacks from all other national sources
- Has the agency developed plans to cover: preparedness and prevention; detection and response; mitigation and recovery; international cooperation; support both from and for the ICT sector
Point 5 is from the EU Action Plan on CIIP.* Other countries have their variants, for example, Morocco’s National Cybersecurity Management System has the following five domains: strategies and policies; implementation and organization; awareness and communication; compliance and coordination; monitoring and evaluation.* Telecom and information ministries and regulators clearly have a major input to make into each of these domains and expertise in cyber-security is something all ICT agencies need to add to their domain capacity.
3.8.2 Cyber Crime
The level of cybercrime is difficult to gauge with any precision, but a study in 2012 for the UK Ministry of Defence by Anderson et al., collates estimates of various cybercrime categories at the global level, collecting global data where it is available and otherwise extrapolating from UK data on the basis that UK GDP is 5% of global GDP. Their findings are summarized in Table 3.2. For the sake of brevity the table presents sub-totals as a compromise with their caveat that “it is entirely misleading to provide totals lest they be quoted out of context, without all the caveats and cautions that we have provided.”*
Cybercrime type Global Estimate ($ millions) Notes
Cost of genuine cybercrime, such as scams, phishing, etc.
$2,457m + $1,000m = $3,457m
For the years 2007, 2008-2010, 2011; mostly considered under-estimates
Cost of transitional cybercrime, such as online credit card fraud
$7,360m + $39,240m = $46,600m
For the years 2009-2011; some considered under-estimates
Cost of cyber infrastructure, such as antivirus costs, etc.
$11,000m + $13,840m + $24,840m
For the years 2010-2012; high degrees of uncertainty
Cost of traditional crimes becoming ‘cyber’, such as tax fraud
$5,200m + $145,000m = $150,200m
For the years 2010-2011; some uncertaintyTABLE 3.2Estimated Global Costs of Cybercrime, 2012
Source: Anderson et al. (2012) ‘Measuring the Costs of Cybercrime’; Notes: figures in boldface based upon available data, figures in non-boldface extrapolated from UK data based upon size of GDP; costs may include data on criminal revenues, direct losses, indirect losses and defence costs.
These figures, as the notes accompanying the original table make clear, under-estimate the real costs to society. What can be said with certainty is that the risks and the costs will increase over time as societies become more connected, and it will pay society to devote more resources to reducing the risks, which include public sector assets, private sector assets and personal assets, from crime on an industrial and global scale.
Since these criminal activities are carried over networks operated for the most part by telecom companies, there needs to be careful surveillance of suspicious traffic. But the reality is today that a lot of this activity is conducted from proxy servers and the origins of the criminals is unknown and could be from any country. The implication seems to be that detection is more likely of the crime than of the criminal, and although highly professional cyber detectives with access to cyber forensic laboratories can make progress these skills and facilities are not widely available in developing economies. This in turn implies that the focus of policy makers and regulators at the national level is best directed at limiting the damage through early detection, fast and efficient information sharing, and a focus on alerts and awareness. It is usually beyond the scope of regulators to track and trace the crimes to their origins, but regulators can play a vitally important role in creating the ecosystem of cyber-security.
Law Enforcement and the Proportionality Principle
When it comes to applying the law, regulators need to be cautious about the boundary between detection and law enforcement. The laws under which regulators work need to specify very clearly the limits of their responsibilities, such as the circumstances under which they can seek a search warrant for activities which are illegal under the telecoms laws. The enforcement of cyber laws is more likely to be the task of the police or customs and excise officials, and regulators need to avoid becoming embroiled in civil liberty issues.
A good guideline for any regulator or law enforcement agency is proportionality, a judgement regarding the seriousness of the infringement, whether, for example, it is a major crime with wide social implications or a minor infraction with little social impact. Because cyberspace is a relatively new area of governance, and because it crosses jurisdictions, countries have often been struggling to make laws that are appropriate. And it must be said that often the law making process is not as well informed as it should be. It is therefore important for law makers, policy makers and regulators to bear in mind some simple principles.
- In general, what is legal offline should be legal online, and what is a civil offence as opposed to a criminal offense offline should be treated similarly online.
- Extra-jurisdictional applications of national laws need to be very carefully vetted. Often what is legal in one country may not be legal in another. For example, an Internet posting may be considered fair comment and free speech in one jurisdiction but regarded as illegal in another, and yet the posting is available globally. Proportionality would suggest that criminalizing behaviour may not be either good justice or a good use of legal resources.
- Codes of practice – Intellectual property rights are becoming the subject of numerous bilateral and multilateral trade negotiations. The length and enforceability of copyright, for example, is often a controversial topic. With Internet hosting companies there is a question of who is liable for a posting that breaches copyright. The US Millennium Digital Copyright Act of 1998 provides one set of useful guidelines. It gives latitude to web hosts who abide by take-down notices in cases where someone unbeknownst to them has posted something that breaches copyright. The system is not perfect because identifying a particular posting on a site the size of Google or Yahoo! or Amazon or Twitter is not so easy, especially where it has gone viral, where others have shared it or added their own comments to it. Laws should be seen to be workable and proportionate and regulators should not be burdened with controversial applications of laws that are not well drafted. The regulator’s job is better to ensure the greatest level of transparency on the part of companies that operate under a licence, and to promote a sensible, that is to say manageable, code of practice which offers incentives, such as immunity from prosecution, for doing the right thing alongside obligations to avoid doing the wrong thing.
At the heart of cyber-security lies the issue of detection, that is detection of the event itself as well, ideally, detection of the offender. That can only come from sharing information, but there exists an asymmetry between private gains and social losses. As Tyler Moore has pointed out, by integrating part or all of their operations with the Internet in order to cut costs companies may substantially increase the risk of cyber-attacks but at the same time they may not choose to devote sufficient resources to the resulting insecurity.*
For policy makers and regulators the recommendations are to be prepared to mandate the sharing of critical cyber information but look for ways to incentivize organizations so it is in their own interests to share. To take an example from the financial services sector, in markets where EMV ‘chip and pin’ credit cards are available, banks and bank customers are offered insurance against card fraud when banks issue and customers use the EMV standard, but that cover is no longer available for traditional magnetic strip cards. Persuading organizations to come clean about cyber-attacks on their systems can be more difficult, but if by sharing information they also gain information and witness risk reduction the incentive is created. There are numerous other ways in which ministries and regulators can encourage organizations to cooperate, including inviting them to be part of the CERT expert groups.
A checklist might include the following:
- Information sharing – many parties to cyber-attack do not wish to publicize the fact which makes detection and identification of vulnerabilities more difficult. There may be a case for mandatory reporting, even if this involves confidentiality issues. A telecoms regulator, for example, should be informed immediately of such breaches in security and be appraised of remedial measures to safeguard the facility.
- Awareness sharing – many private companies, including vendors, have professional expertise in how to manage network security and also how to manage the managers. The weakest link may not be a piece of software coding, it may be the staff who open a malicious email or visit an entrapment website. Regulators may wish to set up their own unit to encourage education campaigns, and create expert groups to advise on new threats and new responses.
- Strategic Coordination – to be successful in anticipating and reducing the risk of cyber-attacks and cybercrimes national security agencies need to work closely on a multi-agency level with each other and with regulators from telecoms, from banking, and even from education ministries, etc., on permanent advisory and working group levels and with expert advice from the private sector.
- Law enforcement – regulators have their own areas of law enforcement under legislation. In many cases they can initiate a legal process, but in the case of cyber-crime the role of the regulator is more likely to coordinate with law enforcement agencies. The best approach of a telecoms regulator is to broker information sharing between licenced companies and cyber security experts.
3.8.4 Securing E-Commerce and a Public Key Infrastructure (PKI)
E-commerce is a vital part of the digital economy, not least for cross-border trade. To make it work, confidence is required that the person or company at the other end of the transaction is genuine, that the delivery of payment and of goods will take place in the way and time agreed, that the transaction cannot be repudiated once the contract is signed, and that the laws of the land will protect and safeguard rightful transactions.
Public Key Infrastructure
To meet this challenge the ITU-T (previously the CCITT) adopted the X.509 protocol proposed by the IEFT (Internet Engineering Task Force). X.509 is an authentication protocol consistent with IP/TCP and complements X.500, an earlier pre-Internet protocol of the ITU-T and the ISO (International Standards Organization) designed to allow access to directories of “distinguished names” meaning access to unique identifiers. The cryptology behind these standards is for an asymmetric exchange of keys (private and public keys) and symmetric opening of documents (the same document received as sent). The private key is used to lock a document and the public key, which is uniquely linked to the user’s private key, is used to unlock the document. In the public version both keys are issued by a trusted third party Certification Authority (CA) which provides certificates of authenticity of the link, of the signature and of the integrity of the document to show it has not been altered or tampered with in any way. The CA itself refers to a Registration Authority (RA) to validate the identity of the user and to a Validation Authority (VA) to validate the digital signature which is applied to the document by a hash key function.
Private keys can be issued to individuals or to corporate bodies or linked to an email address. A root certificate is issued to govern all subsequent certificates issued on behalf of a given user. The certificates will include a unique serial number and other information, for example the range of dates during which the certificate is valid or a ceiling value for a transaction. The recipient of an encrypted document gets the sender’s public key from the CA, and needs to check the certificate and also check a registry of revoked certificates. A list of the root certificates are stored on a user’s computer for easy search using Online Certificate Status Protocol or OCSP by which the browser dynamically checks the CA’s CRL (certificate revocation list) and updates the computer.
The most widely used private versions of PKI are “light” versions that have been developed by Internet companies, some of them based upon peering arrangements by-passing an independent CA. Netscape in the 1990s developed SSL (secure socket layer) protocol indicated by “https” whereby servers and clients exchange certificates for mutual authentication.* Most modern browsers embed copies of root certificates from CAs in their software and are members of the CA Browser Forum (CABForum) along with the independent commercial CAs themselves.
Applications of PKI
There are many industrial applications that use variants of the PKI system, for example, M2M meter-reading systems to ensure authenticity of the reading and of the client. However as the technologies advance, security concerns advance with them and the behind-the-scenes fixes become more complex.* Bogus companies managing to fool RAs and CAs into issuing of certificates is one such problem and it is the responsibility and liability of the user to browse certificates for reputable and genuine trading partners.
At the consumer level, various security devices are available from banks, credit card companies and third party payment platforms to give confidence to making purchases online. None of them are perfect, especially over time as the technology advances which, when in the wrong hands can be used to decrypt encrypted documents, intercept text messages, hack into computers to steal passwords, etc. Despite efforts in some countries to promote PKI among the general public, for example the iGov Philippines project,* consumers in general have shown little interest as the alternatives have fewer overheads for the scale and frequency of the transactions they usually undertake.
A terminological issue is here worthy of note: e-government is an important way to serve the citizens of a country and as citizens people have to pay their taxes and claim their benefits, make appointments and applications, request personal health information, and generally have access to important public information. Citizens as consumers are engaged in strictly private activities and online businesses have developed their own security protocols which may or may not be compatible with PKI. Most governments also tend to follow these more consumer-friendly Internet compatible protocols but often add their own layer of security by requiring citizens to pre-register their identities.
PKI Complexity and Mutually Recognized Electronic Identification
Because public authorities have a responsibility to be transparent and protect taxpayers money they have been the ones to adopt a public key infrastructure. Private corporations often use other means to secure contracts and payments between themselves, but when they deal with public authorities they are often required to use PKI where large contracts are involved. The aims of a PKI system are to ensure at minimum:
- Electronic identification (ID)
- Authenticity of the ID link
- Authenticity of the electronic signature
- Integrity of the document
- Certification of validation of the above
- Legal acceptance of certificates for non-repudiation
To achieve these aims across borders is particularly challenging. For example, private companies and citizens of the EU stand to benefit if cross-border transactions can use the same standards PKI system. This is noted in the preamble to the Regulation of the European Parliament and Council on electronic ID.
For example, giving the opportunity for a student to enroll electronically in a university abroad, to a citizen to submit tax declaration online to another Member State or to a patient to access his or her health data online. If there is no such mutually recognized electronic identification means, a doctor will not be able to access the patient medical data needed to treat him or her and the medical and laboratory tests that the patient has already undertaken will have to be repeated.*
Establishing a strong legal environment through a digital signatures act or e-commerce legislation is therefore of vital important for commercial confidence, especially for foreign trade. One of the biggest challenges is establishing in which jurisdiction authority resides and which sets of laws and arbitration principles will apply in cases of disputes. Other major challenges are to harmonize standards, which is especially difficult when new standards are being adopted at regular intervals, and making sure new standards are backwards compatible with older standards is a further challenge.* PKI is therefore always going to be work-in-progress.