IT-Security Seminar
Rapporteur
Thursday 4 April 2002

Mr Moderator, Regulators, Ladies and Gentlemen

Firstly, my thanks to the IT- og Telestyrelsen, in particular to Jørgen Abild Andersen and to the Independent Regulators Group (IRG) for the invitation to be one of the two rapporteurs in this event on IT security.

It is always a pleasure to be in Copenhagen.

More so when such interesting topics are being discussed and especially when the sun is shining.

I do not disagree with anything Bill Melody has said. I think we need to concentrate on the economic incentives to build secure and robust IT systems. If we get those right, we can minimise regulation.
 


Introduction

Our Moderator asked three questions at the outset of the day:
  1. is there a role for government?
  2. who will pay?
  3. is there a role for international cooperation?

Let me disagree with his condition on the first question. He identified the role for government as being when there is a market failure. I would say that governments should act in pursuit of the public good. I think there is a long tradition in European philosophy which would back me up. Indeed, I believe that it is the justification being used by the US government in its work on securing critical network infrastructure.

Remedying market failures is only a small subset of the public good. Of course we should also try to avoid market failures wherever we can.

A role for government is not synonymous with a role for an independent regulator; it could fall to some other part of government, or to more than one. The roles of the NRAs, the members of the IRG, are well defined in national and European Union laws. There is a good reason for that independence, and it may conflict with security or promotional roles.

Jurisdictional disputes over who gets to do the exciting work are nearly as bad as those over who gets to do the boring work. From a purely bureaucratic perspective the boring work is better: it lasts longer, is more secure and is less likely to draw your existence to the attention of those who might close you down.

On the subject of independence, I was fascinated by the Moderator's use, twice, of the phrase "When I was in government". It makes me doubt whether the Chairman of the FCC and thus the FCC itself are truly independent and thus in compliance with the WTO commitments made by the USA or at least by the State Department.

As for the question of who might pay, we do seem to have a very real problem.

I am not sure if it is intractable. Certainly, nobody came forward today offering to pay or suggesting any volunteers.

On the basis of what we can see, the market shows no willingness to pay.

The evidence from the market is that individual consumers and SMEs show little inclination to pay anything very much. They seem to be content to use insecure operating systems and software. They download free software for virus checking and firewalls. Even an apparently modest price, more than a few Euros, can be sufficient to put them off. They show no willingness to delve into the software to reconfigure it more securely.

The number of ISPs is vast, though contracting as the industry consolidates. Yet none that I can think of has set out to offer, as its primary product or even as a superior "club class" (and more expensive) service, one which excludes junk mail for (fake) viagra, pornographic web sites and get-rich-quick schemes. Clearly the ISPs do not see a market in this, either in Europe or in the USA.

Indeed, some ISPs seem remarkably reluctant to suppress the origination of spam on their networks.

There is a market in filtering software for personal computers. But once again, the prices paid are very low. Moreover, such software is being challenged in the US Courts even as I speak and seems to be taking some very severe criticism.

As for the role of international, inter-governmental and inter-regulator collaboration and cooperation then I think there is very little if any dispute. I heard nobody argue against it today. The key problem is to get it to work in Internet time.
 


Harmonisation

Harmonisation is clearly beneficial in the area of security. We have heard nothing to suggest that the problems and threats are any different in any of the countries represented here today.

The problems of IT security have been recognised by the G8, OECD, Council of Europe and the European Union as needing cross-border collaboration if they are to be addressed properly.

There was considerable discussion of e-security at the recent meeting of the Telecommunications Working Group of the Asia-Pacific Economic Cooperation (APEC). It is to hold at least two days of further discussion on this in August when it meets in Moskva. (http://www.apectel25.org.vn/documents_e_sercurity.cfm)

The ITU has a meeting in Seoul next month on Critical Network Infrastructures.
http://www.itu.int/osg/spu/ni/security/index.html

The OECD will complete the revision of its Guidelines for the Security of Information Systems before the end of the year.
http://www.oecd.org/EN/document/0,,EN-document-43-nodirectorate-no-24-10249-13,FF.html

It seems that everyone is holding similar discussions.

We need to ensure that everyone works together on these problems and pulls in the same directions.

It is essential that the solutions we impose on operators, service providers, manufacturers, software houses, users and on consumers are consistent.

There could be nothing worse for multi-national companies and users than to have to use fifteen different systems and fifteen different sets of software in each of the member states of the European Union.

It is not just the cost of such measures; it is often the cost of implementing different sets of measures in each country in which a company operates. That adds a managerial complexity which can make business unprofitable.
 


A contrast

There seems to me to be a very marked contrast between the lack of market response on most areas, where the security threats are to users and the responses to threats to the Intellectual Property Rights (IPR) of suppliers.

While we are sold the least secure configuration of our software, we are sold increasingly secure CDs and DVDs which can no longer be copied. The US Congress, or at least Fritz Hollings, is contemplating making it illegal to sell hardware and software which allows copying. I think this says a lot about market dynamics, political lobbying and the economic incentives on the companies concerned.

The contrast is very clear in the stringent protections against the copying of the software that we have heard is delivered with all the security features disabled. The supplier is secure and the customer is left naked and exposed.
 


Security policy

We have to recognise that policy does not change quickly. Alan Paller from the SANS Institute referred earlier to turning an aircraft carrier. That is the sort of problem we have here.

With the best will in the world our policy changes will not take effect for some time. Look at the unbundling of the local loop, which has been on a "fast track" with considerable political momentum from the highest levels. It will not be complete for many, many months to come.

Given the time scale for security policies and the need to change behaviour of companies and people, we need to consider the shape of network services two, three or more years out into the future.

That means we must include more and different devices:

One South Korean manufacturer is already advertising a fridge-freezer that orders your groceries for you across the Internet, presumably f-commerce.

Can you imagine the "fun" of hacking into someone's deep freeze to switch it off or to order a kilo of caviar and a dozen lobsters? Or, perhaps, ordering a whole sheep for a vegetarian. It will keep adolescent hackers of all ages amused.

We have to consider the full range of market players:

We need to ask whether NRAs have the competence for many of these and whether the others would want to fall under the influence of an NRA.

As Bill Melody said, ISPs have an instinctive distaste for, and sometimes it seems a pathological fear of, regulation of any kind. They would have found much of today's discussions very hard to stomach.

I agree with Professors Arnbak and Otruba on the need for NRAs to stick to their core skills and activities.

We have to ask whether NRAs can reasonably expect to be given the resources for such tasks. We do not want to see work on security at the expense of a dilution of the traditional regulatory work.

Denmark is, to date, unique in charging Telestyrelsen with such a responsibility.

Other governments are looking to create "converged" regulators or to move telecommunications into a competition authority.

Perhaps on some other occasion we should meet to discuss the ideal scope of an independent regulator.
 


The scope of policies

We seem to have agreement on the value of general actions for awareness and for research. CERTs are seen as providing a valuable service, though there is no agreement as to whether they should be private or public entities.

There has been a marked absence of statistics today. We clearly need these if we are to assess the problems properly.

The revised OECD Guidelines for the Security of Information Systems will be very useful.
http://www.oecd.org/EN/document/0,,EN-document-43-nodirectorate-no-24-10249-13,FF.html

Robert Verrue has just gone over the complex array of initiatives taken by the European Union and several speakers have referred to the Council of Europe Convention on Cybercrime. We seem to have the right sort of momentum.

The doubt which enters my mind is whether we have too many cooks and risk spoiling the broth.

However, there seems to be a gap in terms of practical and rather mundane areas of helping people and organisations to buy and to configure systems. Once I know the risks, I need to know what to do about them, without having to take a three-day training course.

An important suggestion was made in the area of procurement. A specification for a more secure configuration of a computer operating system or a piece of software would seem to be very valuable. The idea of a "safe" variant of popular software seems a simple enough idea and relatively harmless in its distorting effects on the market.
 


Gamesmanship

Robert Verrue referred to the actions of some market players as being sportif, which I take to be the French for "gamesmanship": those things which might be considered unsporting but not blatantly illegal.

We have seen this in GPRS, where the mobile telecommunications operators have inserted firewalls to control third party access to "their" customers. It is presented as security, but is really a toll-gate.

Network integrity has a long history of being abused by incumbent operators. They have used it to block potential or current competitors. Bill Melody, sitting beside me, was involved in some of the landmark decisions at the FCC to overpower the arguments of AT&T that any device not supplied by them was likely to cause the whole of Ma Bell to grind to a shuddering halt were it to be connected or even brought into close proximity with the network.

The unbundling of the local loop has seen some of the most imaginative, not to say surreal, tactics employed by the incumbent operators in order to delay their competitors or to degrade the service they can offer. DG Competition has recently highlighted some of these, for example the variations in charges for accompanied access to telephone exchanges to install equipment for DSL services. At the higher end of the price range I would expect Arnold Schwarzenegger in person.

A technical standard for security might be an extremely effective barrier to market entry.

Labelling could be as useful, but less damaging to competition. We can manage it for washing machines and other white goods, so why not for IT systems?

I have heard some very worrying comments on network integrity as being part of universal service. This sounds as if it would act against liberalisation. It also appears to move against the spirit of the move to authorisations. We should be seeing the end of licences and of voluminous licence conditions.
 


Bankruptcy

In recent months, customers have woken up to find they have no international dial-tone. Or else they have read in the paper that their operator has filed for bankruptcy.

Not the least problem has been some remarkably creative accountancy amongst operators.

At the moment supplier bankruptcy is seen as a very real daily threat. However, it is something that comes with free markets.
 


Conclusion

Finally, I would like to come back to the overall policy goal.

We have spoken about a more secure Internet. Yet we have not shown that insecurity is a serious factor in reducing adoption or use of the Internet, narrowband or broadband. If it were, then we would have seen evidence, especially comparative evidence, by age and by country.

It has been suggested that insecurity is a barrier to the use of some e-commerce activities. That would be hard to prove in these dark days after the dot-com crash. Again, we need solid evidence.

A couple of references have been made to car security. It is worth recalling that regulatory intervention is now being made to try to rebalance the safety of the passengers with the ever diminishing chances of the survival of pedestrians in motor accidents. We have always to strike the right balance. We cannot yet genetically modify human beings to resist the impact of two tonnes of Sports Utility Vehicle!

We have all been clear in seeing the need to remedy the failings of ICT systems which allow direct attack or the capture of control in order to attack a third party. The lack of control which we exert over our IT systems is deeply disturbing. We need far more awareness, more information sharing and tools which can be used by a typical user.

We are all agreed on the need for action by governments, through agencies with appropriate competences and resources.
 
 

Once again my thanks both for myself and on behalf of INTUG for the opportunity to participate today.
 


Time constraints meant this speech had to be curtailed. The text reproduced here is the complete version.
 


copyright © INTUG, 2002. http://www.intug.net/talks/ES_2002_04_copenhagen.html

Last updated 4 April 2002.