September 19, 2013

Cyber-insecurity is a problem we can solve

Instead of tolerating a certain degree of cyber insecurity, bold policymakers might adopt the ambitious goal of substantially eliminating cyber insecurity in their countries.

Six years ago, after the 2007 cyber attacks against Estonia, our government decided to tell the world about the risks arising from cyber attacks. Estonia’s 2008 cyber security strategy aimed to “raise global awareness of cyber security”. Today, that goal has been met many times over. Cyber security is no longer a niche issue consigned by policymakers to the nerds’ corner. Since 2007, dozens of national cyber security strategies have been published; governments have hired thousands of specialists and now cite the shortage of skilled experts as their main concern; a large industry has grown up to meet these needs. And the industry is global: the UK alone claimed over £800m in cyber security exports last year.
Despite this activity, much of the public discussion of cyber vulnerabilities and conflict retains an air of pessimism and inevitability. The prevailing attitude was best summarized by an IT security officer at a utility in California: “I know somebody’s coming. At some point in time, somebody’s coming at me. It’s going to happen.”[1] Estimates of the annual economic cost of cyber attacks range from a conservative 100 billion dollars to more than 1 trillion, the latter equivalent to 1.5% of global GDP.[2]
Old “new threats”
Cyber threats have worn out their usual label as a “new and emerging threat”. The Internet and hacking are both several decades old; even Estonia’s landmark cyber attacks are more than half a decade behind us. Amid the sensationalist concerns, we would benefit from analyzing which approaches have actually reduced cyber vulnerability and prevented cyber attacks. What we find is plenty of failure, but also a distinct list of successes. Some anecdotal notes:
1. It has become difficult to be a malicious non-state cyber actor in Europe and America. Hacktivists and cyber criminals are consistently arrested and tried. Notably, many of the organizers behind Anonymous and LulzSec are now awaiting trial. In 2011, the FBI and the Estonian Police jointly carried out one of the largest arrests of cyber criminals to date anywhere, apprehending the actors behind the malware company Rove Digital.
2. Botnet mitigation and anti-malware campaigns work. There have been many high-profile takedowns of botnets, the farms of infected computers that organized crime and other malicious actors use to carry out various forms of attack (including the denial-of-service attacks used against Estonia in 2007). Most recently, Microsoft and the FBI took down the Citadel botnets, responsible for over $500 million[3] in bank fraud.
We also see that some countries have been quite successful at keeping their cyberspace clean in the first place. A recent study found that Finland, the least-infected country in the EU, has only 0.8 malware-infected PCs per 1,000, more than an order of magnitude below the most-infected, Romania (at 12.4 infected PCs per 1,000).[4]
3. Basic IT security standards prevent attacks. Some of the most effective tools for preventing infection and many attacks, both crude and sophisticated, are simple and cheap. Even sophisticated systems can be adequately protected by applying a straightforward baseline of security standards.[5] The most basic measures of all, keeping antivirus software current and applying software updates promptly, address over 80% of vulnerabilities: a patch is available for most of them on the day they are disclosed.[6]
These examples show that smart policy, pragmatic cooperation and sensible organization can reduce insecurity. Diplomaatia has featured many parts of the toolkit necessary to reduce cyber threats – legal, strategic and doctrinal, organizational, economic, and so on.
The cyber security policy debate leaves the impression that modern society is inherently vulnerable. We are told that these problems are an inherent facet of technology, that cyber vulnerability is one of the inevitable costs accompanying the benefits we reap from IT, and that we should therefore look for coping strategies.
Such fatalism ignores the fact that we can make cyberspace more defensible simply by making better use of existing techniques and technologies. Basic technologies, properly implemented, can (and do) eliminate much of the underlying insecurity and vulnerability in the services and products on which our information societies depend.
Encryption
Properly implemented strong encryption remains one of the best guarantees of security for your data, and cryptography is a basic infrastructural component of any IT system. Were it not for robust cryptography (encryption together with the authentication and integrity checks built on the same primitives), many of the most extreme hypothetical cyber attacks – downed airliners, exploding power plants, manipulated financial data – would be commonplace occurrences.
Freely available, publicly specified, standards-based encryption algorithms, with mature open-source implementations, are robust enough that they cannot be broken with the computers available today. So far, encryption algorithms have stayed ahead of attempts to break them by mathematical analysis and computational brute force. Where we find vulnerabilities, encryption has been poorly implemented (weak keys, poor random number generation, flawed protocol design) or, all too frequently, not implemented at all. Tellingly, the NSA’s attempts to circumvent encryption appear to have relied more on inserting backdoors, compromising software and obtaining encryption keys than on breaking the algorithms themselves.[7]
Encryption and the other components of secure IT infrastructure[8] remain underused despite being technologically sound and mostly costless. Many critical IT systems were not designed with security in mind, foremost among them the Internet itself. Technological fixes for basic flaws in the IP and DNS protocols were developed 15-20 years ago.[9] If widely adopted, they would make the address spoofing and DNS forgery behind many DDoS attacks and much online fraud far harder, and would better protect critical infrastructure against intrusion; yet their deployment remains partial and patchy.
Secure electronic identity
Modern folk wisdom tells us that “on the Internet, nobody knows you’re a dog”. Identity theft and fraud are among the most pervasive scourges of online life. They are also largely preventable.
The standards and technology for smart cards and public key infrastructure (PKI) were developed in the 1970s and 80s. Together they provide cryptographic proof of identity: the card holds a private key that never leaves it, and anyone with the matching public key, bound to the holder by a certificate, can check a signature the card produces. They are already widely used to authenticate devices (e.g. mobile phone SIM cards) and financial transactions (bank cards), and can equally prove the identity of people. Yet the uptake of this technology for personal identity has been agonizingly slow.
Smart cards were first used for electronic identity in 1987,[10] but it was not until 2002 that Estonia became the first country to successfully deploy a nationwide electronic identity. Estonia’s national electronic identity has allowed 1.2 million Estonians to give over 130 million digital signatures, saving millions of hours at the notary, post office and copy machine while practically eliminating electronic identity theft in Estonia. Only now are similar e-IDs becoming widespread in large organizations and in a growing number of countries.
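To make “cryptographic proof of identity” concrete, here is an added example in Go. It is not the Estonian ID card’s own software and does not reproduce its real protocol; it assumes a key pair generated in software standing in for the card’s chip, and a holder name bound to a public key standing in for the certificate a PKI would issue. It shows the two things an e-ID does: a digital signature on a document that fails verification if the document is altered or the wrong key is used, and a challenge-response login in which a fresh random challenge means a captured response cannot be replayed. The holder name and document text are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// Card stands in for a citizen's smart card. It holds the private key and
// only ever releases signatures, never the key itself. Assumption for this
// example: the key pair is generated in software; on a real card it is
// generated on the chip and cannot be exported.
type Card struct {
	Holder string
	priv   ed25519.PrivateKey
}

// Credential is what a relying party (a bank, an e-service, a notary) keeps:
// the holder's name bound to the public key by the issuing authority. It
// stands in for the certificate a real PKI would issue.
type Credential struct {
	Holder string
	Pub    ed25519.PublicKey
}

// Issue creates a card and the matching public credential.
func Issue(holder string) (*Card, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Card{Holder: holder, priv: priv}, Credential{Holder: holder, Pub: pub}, nil
}

// SignDocument produces a digital signature over the SHA-256 digest of doc.
func (c *Card) SignDocument(doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(c.priv, digest[:])
}

// VerifyDocument reports whether sig is a valid signature by the credential's
// key over doc. Any change to doc, or a signature by another key, fails.
func VerifyDocument(cred Credential, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(cred.Pub, digest[:], sig)
}

// authPrefix separates login responses from document signatures, so a
// captured login response can never be passed off as a signature on a document.
const authPrefix = "eid-auth-v1:"

// NewChallenge draws a fresh random nonce. The service must generate a new one
// for every login attempt and must not accept responses to old challenges.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond answers a challenge by signing it; this is the step that requires
// possession of the card (and, on a real card, the PIN).
func (c *Card) Respond(challenge []byte) []byte {
	return ed25519.Sign(c.priv, append([]byte(authPrefix), challenge...))
}

// Authenticate checks a response against the exact challenge that was issued.
func Authenticate(cred Credential, challenge, response []byte) bool {
	return ed25519.Verify(cred.Pub, append([]byte(authPrefix), challenge...), response)
}

func main() {
	card, cred, err := Issue("Mari Maasikas") // constructed sample holder
	if err != nil {
		log.Fatal(err)
	}
	doc := []byte("I authorise a transfer of 100 EUR to account EE00.") // constructed
	sig := card.SignDocument(doc)
	fmt.Println("signature verifies:", VerifyDocument(cred, doc, sig))
	tampered := []byte("I authorise a transfer of 1000 EUR to account EE00.")
	fmt.Println("tampered document verifies:", VerifyDocument(cred, tampered, sig))

	ch, err := NewChallenge()
	if err != nil {
		log.Fatal(err)
	}
	resp := card.Respond(ch)
	fmt.Println("login with fresh challenge:", Authenticate(cred, ch, resp))
	ch2, _ := NewChallenge()
	fmt.Println("replayed response against new challenge:", Authenticate(cred, ch2, resp))
}
```

Two design choices matter in practice: the service, not the card, generates the challenge, so a response is only ever valid for the one login attempt it was issued for; and the fixed prefix on the authentication message keeps the two uses of the same key apart, so a login response can never be presented as the holder’s signature on a document.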
Cyber insecurity is not an intractable problem. We have the technology to eradicate many common cyber security problems, and success cases that show these methods are organizationally and economically feasible. But politicians and bureaucrats, companies and citizen-consumers have not made the choices that would close off many cyber vulnerabilities. The problem resembles the one the World Health Organization faced in eradicating smallpox: the technology, vaccination, was known and accessible, but the implementation difficulties were legion.
Where to start? A full answer would easily fill an entire issue of Diplomaatia. I will limit myself to two humble suggestions.
First, make secure infrastructure a core measure of cyber security strategies. Most national strategies are reactive, building up the organizational and technological capability to respond to cyber attacks and detect intrusions. A successful cyber security strategy must first and foremost set out steps to make networks, processes and data inherently more secure and defensible.
Second, raise our level of ambition. We should be setting our sights higher, not lower. We already have the technology and the know-how to solve many of our trickiest cyber issues, and plenty of successes to emulate and expand upon. Instead of tolerating a certain degree of cyber insecurity, bold policymakers might adopt the ambitious goal of substantially eliminating it in their countries.
Estonia has an important role to play in this global process. Thanks to the foresight and ingenuity of a relatively small number of people, Estonia’s approach to e-government and cyber security has helped create useful and feasible secure IT infrastructures, and Estonian companies have made important technological contributions to building them. Estonia is currently developing a new national cyber security strategy and e-government development plan. By sharing our e-government and governance experience and technology, and by continuing to secure our own cyberspace, Estonia can continue to be a strong net contributor to world cyber security.
______
[1] http://fuelfix.com/blog/2013/08/06/utility-executives-major-cyberattack-on-power-grid-is-inevitable/
[2] McAfee study.
[3] http://www.informationweek.com/security/attacks/microsoft-fbi-trumpet-citadel-botnet-tak/240156171
[4] http://blogs.technet.com/b/security/archive/2013/06/05/european-union-check-up-locations-with-lowest-infection-rates-in-the-eu-and-what-we-can-learn-from-them-2.aspx Estonia’s rate, at 2.3 per 1,000, is a respectable one third of the global average, but leaves room for improvement.
[5] Estonia, for instance, applies a baseline set of IT security standards called ISKE to all public information systems. ISKE is based on the German BSI’s IT baseline protection (IT-Grundschutz) standards.
[6] http://www.secunia.com/vulnerability-review/time_to_patch.html
[7] Instead, the NSA appears to have relied on compromising technology vendors to circumvent encryption. http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all&_r=0
[8] The list commonly includes authentication, integrity, confidentiality, encryption and non-repudiation.
[9] IPsec and DNSSEC respectively.
[10] In Turkey, for drivers’ licenses.


This article was published in ICDS Diplomaatia magazine.