IT-Security Seminar
Rapporteur, Thursday 4 April 2002
Mr Moderator, Regulators, Ladies and Gentlemen
Firstly, my thanks to the IT- og Telestyrelsen, in particular to Jørgen Abild Andersen and to the Independent Regulators Group (IRG) for the invitation to be one of the two rapporteurs in this event on IT security.
It is always a pleasure to be in Copenhagen.
More so when such interesting topics are being discussed and especially when the sun is shining.
I do not disagree with anything Bill Melody has said. I think we need to concentrate on the economic incentives to build secure and robust IT systems. If we get those right, we can minimise regulation.
Remedying market failures is only a small subset of the public good. Of course we should also try to avoid market failures wherever we can.
A role for government is not synonymous with a role for an independent regulator; it could fall to some other part of government, or to more than one. The roles of NRAs, the members of the IRG, are well defined in national and European Union laws. There is a good reason for that independence, and it may conflict with security or promotional roles.
Jurisdictional disputes over who gets to do the exciting work are nearly as bad as those over who gets to do the boring work. From a purely bureaucratic perspective the boring work is better: it lasts longer, is more secure and is less likely to draw your existence to the attention of those who might close you down.
On the subject of independence, I was fascinated by the Moderator's use, twice, of the phrase "When I was in government". It makes me doubt whether the Chairman of the FCC and thus the FCC itself are truly independent and thus in compliance with the WTO commitments made by the USA or at least by the State Department.
As for the question of who might pay, we do seem to have a very real problem.
I am not sure if it is intractable. Certainly, nobody came forward today offering to pay or suggesting any volunteers.
On the basis of what we can see, the market shows no willingness to pay.
The evidence from the market is that individual consumers and SMEs show little inclination to pay anything very much. They seem to be content to use insecure operating systems and software. They download free software for virus checking and firewalls. Even an apparently modest price, more than a few Euros, can be sufficient to put them off. They show no willingness to delve into the software to reconfigure it more securely.
The number of ISPs is vast, though contracting as the industry consolidates. Yet none that I can think of has set out to offer, as its primary product or even as a superior "club class" (and more expensive) service, a service which excludes junk mail for (fake) viagra, pornographic web sites and get rich quick schemes. Clearly the ISPs do not see a market in this, either in Europe or in the USA.
Indeed, some ISPs seem remarkably reluctant to suppress the origination of Spam on their networks.
There is a market in filtering software for personal computers. But once again, the prices paid are very low. Moreover, such software is being challenged in the US Courts even as I speak and seems to be taking some very severe criticism.
As for the role of international, inter-governmental and inter-regulator collaboration and cooperation, I think there is very little, if any, dispute. I heard nobody argue against it today. The key problem is to get it to work in Internet time.
The problems of IT security have been recognised by the G8, OECD, Council of Europe and the European Union as needing cross-border collaboration if they are to be addressed properly.
There was considerable discussion of e-security at the recent meeting of the Telecommunications Working Group of the Asia-Pacific Economic Cooperation (APEC). It is to hold at least two days of further discussion on this in August when it meets in Moskva. (http://www.apectel25.org.vn/documents_e_sercurity.cfm)
The ITU has a meeting in Seoul next month on Critical Network Infrastructures.
http://www.itu.int/osg/spu/ni/security/index.html
The OECD will complete the revision of its Guidelines for the Security of Information Systems before the end of the year.
http://www.oecd.org/EN/document/0,,EN-document-43-nodirectorate-no-24-10249-13,FF.html
It seems that everyone is holding similar discussions.
We need to ensure that everyone works together on these problems and pulls in the same directions.
It is essential that the solutions we impose on operators, service providers, manufacturers, software houses, users and on consumers are consistent.
There could be nothing worse for multi-national companies and users than to have to use fifteen different systems and fifteen different sets of software in each of the member states of the European Union.
It is not just the cost of such measures; it is often the cost of implementing different sets of measures in each country in which a company operates. That adds a managerial complexity which can make business unprofitable.
While we are sold the least secure configuration of our software, we are sold increasingly secure CDs and DVDs which can no longer be copied. The US Congress, or at least Fritz Hollings, is contemplating making it illegal to sell hardware and software which allows copying. I think this says a lot about market dynamics, political lobbying and the economic incentives on the companies concerned.
The contrast is very clear in the stringent protections against the copying of the software that we have heard is delivered with all the security features disabled. The supplier is secure and the customer is left naked and exposed.
With the best will in the world our policy changes will not take effect for some time. Look at the unbundling of the local loop, which has been on a "fast track" with considerable political momentum from the highest levels. It will not be complete for many, many months to come.
Given the time scale for security policies and the need to change behaviour of companies and people, we need to consider the shape of network services two, three or more years out into the future.
That means we must include more and different devices:
Can you imagine the "fun" of hacking into someone's deep freeze to switch it off or to order a kilo of caviar and a dozen lobsters? Or, perhaps, ordering a whole sheep for a vegetarian. It will keep adolescent hackers of all ages amused.
We have to consider the full range of market players:
As Bill Melody said, ISPs have an instinctive distaste for, and sometimes it seems a pathological fear of, regulation of any kind. They would have found much of today's discussions very hard to stomach.
I agree with Professors Arnbak and Otruba on the need for NRAs to stick to their core skills and activities.
We have to ask whether NRAs can reasonably expect to be given the resources for such tasks. We do not want to see work on security at the expense of a dilution of the traditional regulatory work.
Denmark is, to date, unique in charging Telestyrelsen with such a responsibility.
Other governments are looking to create "converged" regulators or to move telecommunications into a competition authority.
Perhaps on some other occasion we should meet to discuss the ideal scope of an independent regulator.
There has been a marked absence of statistics today. We clearly need these if we are to assess the problems properly.
The revised OECD Guidelines for the Security of Information Systems will be very useful.
http://www.oecd.org/EN/document/0,,EN-document-43-nodirectorate-no-24-10249-13,FF.html
Robert Verrue has just gone over the complex array of initiatives taken by the European Union and several speakers have referred to the Council of Europe Convention on Cybercrime. We seem to have the right sort of momentum.
The doubt which enters my mind is whether we have too many cooks and risk spoiling the broth.
However, there seems to be a gap in terms of practical and rather mundane areas of helping people and organisations to buy and to configure systems. Once I know the risks, I need to know what to do about them, without having to take a three-day training course.
An important suggestion was made in the area of procurement. A specification for a more secure configuration of a computer operating system or a piece of software would seem to be very valuable. The idea of a "safe" variant of popular software seems a simple enough idea and relatively harmless in its distorting effects on the market.
We have seen this in GPRS, where the mobile telecommunications operators have inserted firewalls to control third party access to "their" customers. It is presented as security, but is really a toll-gate.
Network integrity has a long history of being abused by incumbent operators. They have used it to block potential or current competitors. Bill Melody, sitting beside me, was involved in some of the landmark decisions at the FCC to overpower the arguments of AT&T that any device not supplied by them was likely to cause the whole of Ma Bell to grind to a shuddering halt were it to be connected or even brought into close proximity with the network.
The unbundling of the local loop has seen some of the most imaginative, not to say surreal, tactics employed by the incumbent operators in order to delay their competitors or to degrade the service they can offer. DG Competition has recently highlighted some of these, for example the variations in charges for accompanied access to telephone exchanges to install equipment for DSL services. At the higher end of the price range I would expect Arnold Schwarzenegger in person.
A technical standard for security might be an extremely effective barrier to market entry.
Labelling could be as useful, but less damaging to competition. We can manage it for washing machines and other white goods; why not for IT systems?
I have heard some very worrying comments on network integrity as being part of universal service. This sounds as if it would act against liberalisation. It also appears to move against the spirit of the move to authorisations. We should be seeing the end of licences and of voluminous licence conditions.
Not the least problem has been some remarkably creative accountancy amongst operators.
At the moment supplier bankruptcy is seen as a very real daily threat.
However, it is something that comes with free markets.
We have spoken about a more secure Internet. Yet we have not shown that insecurity is a serious factor in reducing adoption or use of the Internet, narrowband or broadband. If it were, then we would have seen evidence, especially comparative evidence, by age and by country.
It has been suggested that insecurity is a barrier to use of some e-commerce activities. It would be hard to prove in these dark days after the dot crash. Again, we need solid evidence.
A couple of references have been made to car security. It is worth recalling that regulatory intervention is now being made to try to rebalance the safety of the passengers with the ever diminishing chances of the survival of pedestrians in motor accidents. We have always to strike the right balance. We cannot yet genetically modify human beings to resist the impact of two tonnes of Sports Utility Vehicle!
We have all been clear in seeing the need to remedy the failings of ICT systems which allow direct attack or the capture of control in order to attack a third party. The lack of control which we exert over our IT systems is deeply disturbing. We need far more awareness, more information sharing and tools which can be used by a typical user.
We are all agreed on the need for actions by governments, by agencies with appropriate competences and resources.
Once again my thanks, both for myself and on behalf of INTUG, for the opportunity to participate today.
Time constraints meant this speech had to be curtailed. The text reproduced here is the complete version.
Copyright © INTUG, 2002. http://www.intug.net/talks/ES_2002_04_copenhagen.html
Last updated 4 April 2002.