Countries, Internet Industry Must Play Nicer Together to Stop Cyberattacks, Speakers Say
Governments and industry must stop talking about protecting critical infrastructure and information and do more about it, speakers said at an April 15 telecom ministerial conference hosted by the EU Hungarian Presidency in Balatonfured, Hungary. Recent steps such as the launch of an EU-U.S. working group offer some hope of finding ways to deter and resolve cyberattacks, said Estonian Economic Affairs and Communications Minister Juhan Parts. But “we must learn from the bad guys,” with their well-established teamwork and structure and rapid take-up of innovations, he said.
There hasn’t been enough progress on critical infrastructure and information protection (CIIP), said EU Digital Agenda Commissioner Neelie Kroes. “If we don’t take action now, we will be keeping a brake on the economy and exposing governments and citizens to avoidable risk,” she said. The EC wants EU countries and industry to have functioning computer emergency response teams in place and develop Europe’s first cyberincident contingency plan by next year; continue pan-European cyberincident exercises; promote global adoption of Internet stability and resilience principles; and establish or deepen partnerships with allies.
The U.S. Department of Homeland Security backs the move to a more aggressive action time line, said DHS Deputy Assistant Secretary Roberta Stampfley. Without it, there will just be more talk about how hard it is to solve the problem of cyberthreats, she said. One major thrust of the trans-Atlantic strategy is public-private partnerships on risk management policies, identifying best practices and developing network resiliency models, Stampfley said. Another key area is making users aware of security risks, she said.
Technological, economic, demographic and geopolitical disruptions are sparking a “market transition” in the information and communication technology sector, said Cisco Senior Vice President Don Proctor. The exploding number of devices that connect to a network means the days when a Microsoft patch was enough to fix security problems are over, he said. The emergence of cloud computing as a basic operating paradigm for ICT means that for the first time, the incremental cost of providing services for each new user is “rapidly approaching zero,” he said.
There’s a new generation entering the workforce, Proctor said. The “millennials” have a different relationship with technology and different expectations for the workplace, he said. On the political side, the 2007 Estonian cyberattack likely wasn’t the first such assault but it got the world’s attention, he said. Because we live in a single economic ecosystem, the operation of government and critical infrastructure is more dependent on a globally connected environment, he said.
The situation presents opportunities for collaboration between industry and government on such things as working together to eliminate barriers to information-sharing on cyberthreats and developing global standards, Proctor said. Industry invests hundreds of millions of dollars in research and development every year, he said. In CIIP the goals of governments and businesses are aligned, but officials must avoid adding new layers of certification or regulation that will hamper innovation, he said.
Policies on CIIP and botnets have “reached the end of their life cycle,” said Delft University of Technology Professor Michel van Eeten. A study he did for the Organization for Economic Cooperation and Development said educating end-users won’t prevent botnets and make computers more secure. The next logical step is to look at Internet access and service providers, van Eeten said, where public/private partnerships are making a measurable difference.
The study said legitimate ISPs are overwhelmingly the ones that harbor infected computers, so they can strongly influence solutions to cyberattacks, van Eeten said. Across the world, 10 ISPs control about 30 percent of all infected machines, and 50 control half of all computers with botnets, he said. That’s good news because it means this area is probably more amenable to public-private cooperation than previously thought, he said.
The study mapped ISPs according to size, saying that of the top 50 most infected networks over four years, 30 ISPs were present during the entire period, 10 of those in the EU, van Eeten said. This is also good, because it means ISPs have room for improvement, he said. European ISPs are at the top and bottom of the spectrum, he said. The one “bit of bad news” is that in most markets even the best-performing ISPs tackle only a small fraction of the botnets on their networks, he said. That’s partly because they don’t widely collect data on infected machines and partly because they don’t want to know about the problem, he said.
ISPs don’t cause cybersecurity problems but they're the access control point, van Eeten said. There’s no need for regulation, but telecom authorities should nudge ISPs to improve, he said. More public-private collaboration could also improve detection of cyberthreats, make mitigation more economically feasible for ISPs and provide better openness and oversight, he said.
Going after a small number of bad guys can significantly improve the situation, said Magyar Telekom CEO Christopher Mattheisen. But the key is proportionality, he said. Operators are caught between policymakers and customers and subjected to conflicting policies, such as data retention and protection, which impose high costs, he said.
The economics of better cybersecurity is a major concern, Kroes said, but “the price of failure is high.” It’s not just a matter of waiting for a repeat of the Estonian attacks, she said. Private sector jobs may lag because there’s a lack of trust in the digital economy, she said.