Do we need a single cyber-security organisation to secure the internet?

A poll by Infosecurity Europe has found that 60% of organisations think that the internet needs a cyber-security organisation to oversee it. Here industry experts have their say

A poll by Infosecurity Europe has found that 60% of organisations think that the internet needs a cyber-security organisation to oversee it. But which organisations would be most appropriate to undertake the role of security for the internet?

Howard Schmidt, former president of the Information Security Forum, appointed cyber security co-ordinator by US president Barack Obama

While it is understandable that people like the idea of a single global organisation or agency with overall responsibility for overseeing and securing the internet and all IP-based communications, the concept is simply unrealistic.

What is more important is that all of us as individuals and as organisations and companies need to take responsibility for securing our own part of cyberspace.

Let's take a transport analogy. We travel by road, air, rail and sea but we do not expect one organisation to oversee all these different channels to get us safely from A to B. And while we can put all the safety measures in place to prevent accidents or malicious disruption, we will never stop individuals walking out in front of a bus.

The security of the internet is no different. While education and awareness are vital, it is impossible to control human behaviour.

That said, we are seeing some important steps forward. Technologies such as the DNS Security Extensions DNSSEC, SSL and PGP encryption along with standards such as PCI DSS are making it safer for us all to use the internet.

Governments also have a major responsibility for protecting national security and their citizens. Recent declarations from the UK and US governments about setting up new cyber security organisations and the appointment of cyber czars reflect a global recognition that the internet is part of the national critical infrastructure and needs to be protected.

And while the history of public-private partnerships is a chequered one, we have to do more to encourage better coordination and cooperation. ISPs as well as internet software and hardware vendors all have a vital role to play; and as an information security industry we all need to build on lessons learned and look to the future.

That is why organisations such as the ISF are important to harness and share the knowledge and practical experiences of information security professionals to build a safer internet without a new uber-organisation.

Dani Briscoe, research manager, Corporate IT Forum

Policing a largely free and organically expanding entity seems a never-ending battle; can such a behemoth be overseen by a "cyber-security organisation"? This topic started a passionate debate among members of The Corporate IT Forum's Information Security Service, with strong advocacy on both sides but no quick or obvious answer. "Who guards the guards?" was an issue raised by some. Others were concerned that agreeing on jurisdiction and legislation across global borders would stall any discussions.

In contrast to the Infosecurity Europe poll, the forum found that 75% felt that the internet either should not or, maybe more importantly, could not be policed. The internet stretches around the globe and does not recognise any legal or geographical boundary. So a pertinent question raised in the forum is, "Which legislation should be used?"

The standards would need to be global and agreed on by all; the time taken for EU legislation to be ratified gives an indication of the delays likely to hamper such a process - the devil is in the detail.

Steps have been taken at a local level, with many countries voting in legislation to cover cybercrime, but tracking and enforcing such laws across different jurisdictions can be challenging and, at times, can seem impossible. A global organisation to monitor and enforce standards across the internet could quickly be viewed as controlling or affecting the freedoms currently enjoyed.

On the other side of the argument are the corporates who have applications, business processes and communication tools reliant on the internet; it has almost become part of the UK's critical infrastructure. As more vendors provide cloud services to the enterprise, this reliance will only propagate further. Restriction is not the answer as corporates move to more cloud-based architectures.

Ultimately though, is a monitoring organisation needed to police and protect the innocent (ignorant?) user from malicious attacks via e-crime? The government has recently launched an initiative to help younger users of the internet browse safely with the "zip it, block it, flag it" campaign. Are we at a turning point in user education similar to the "stop, look, listen" success of the 1970s?

Educating people about the risks is a key step; then when the internet is a trusted resource by default rather than the opposite, monitoring may well be another step.

Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information security consultancy Trusted Management

Overseeing security for the whole internet would be tough for any organisation and I am torn between government/inter-government and private sector/academia.

It is a role that I could see the UN undertaking, but the downside is that not every nation is a UN member, so perhaps it should be something coming out of a consortium of professional bodies; here I am thinking of the IEEE from the US, BCS and MIET here in the UK and similar from other nations, supported by the likes of ISC², ISSA, IISP and similar.

Such a consortium would, I feel, have the best chance of doing something positive.

John Colley, managing director EMEA, (ISC)2

This is an issue that has been the subject of debate for just about as long as the internet has existed as a publicly accessible entity. At the crux of the debate is the fact that there is too much governance in the hands of one country, with the majority of organisations handling the governance of domain names and servers based in the United States. This has made it more of a political concern rather than an argument about practicalities.

It is valid to consider whether all of this matters as long as the internet is working. And before one can consider who, we must outline what needs to be governed. Are we talking about accountability of those responsible for the distribution and management of domains, the technical companies providing the infrastructure, or at the usage level?

The higher you travel up this stack the more likely it is that cultural differences and political concerns will become a factor. What is considered pornographic in one culture may not be considered so in another; someone who is considered a political extremist or potential terrorist in one country may be considered a freedom fighter in another; history has taught us that political extremists today are often tomorrow's leaders.

Addressing practicalities, it is these issues at the usage level that are likely to be where attempts at governance will have the greatest effect on how we move forward with the internet. However, attempts to regulate these areas risk being lost in the challenge to gain agreement across great divides, making such an approach slow and ineffective. It is also likely to have a very limiting result, with regulations often strangling opportunity and becoming outdated before they are updated.

If internet governance became a mandate of the UN, for example, which has been strongly suggested by many, I fear the result would be a rules-based approach that cannot keep up with what society requires. Perhaps governance is too strong a mandate to put in the hands of a defined body. Co-operation and dialogue are certainly required amongst the many stakeholders.

The place to start is with the definition of governing principles that the stakeholders could live by and work to implement themselves. The actual governance could then happen at a more local level. The Unicef Convention on the Rights of the Child provides a good model of such an approach. The work is far reaching, born of extreme dedication, and effective, even if it hasn't eradicated all the ills that are targeted.

Raj Samani, vice-president for communications, ISSA UK

The 2004 film Team America: World Police represented a comedy view of a team of specialists designed to keep the world safe from terrorists. Although the film targets liberal Hollywood actors, it also satirises American foreign policy that is described by critics as "policing the world". Although such a taskforce may be deemed worthy of a film by Trey Parker and Matt Stone, the prospect of a cyber world police is something that is being championed by security professionals.

Much like the uproar caused when Jon Postel contacted the operators of the root nameservers in 1998, the creation of a cyber world police will be an equally divisive action. In particular, the challenge will be to determine a set of rules to which all users must adhere.

Imagine a scenario whereby a foreign court imposes sanctions on a citizen that has never set foot in their country, or worse, is within the laws of their country of residence.

There is some precedent in this area: Yahoo was instructed by a French court to prevent French citizens from being able to gain access to sales of Nazi memorabilia. All this despite the fact that Yahoo is a US company. The managing director for Yahoo France later commented, "We hope that a US judge will confirm that a non-US court does not have the authority to tell a US company how to operate." However, because the company had assets in France it eventually adhered to the French court's decision.

The question arises: if the company did not have assets in France, would it have complied? Without leverage, would a world cyber police actually be effective? It would require approval of a set of laws agreed by all nations. With failure to get worldwide ratification of the Kyoto Protocol, one has to question whether getting ratification on global internet laws is merely a step too far.

John Walker, ISACA member and professor at the School of Computing and Informatics at Nottingham Trent University

There is no doubt that cybercrime and internet fraud are embedded in the everyday internet operation for users and businesses alike, manifesting in a criminal financial turnover that may only be guessed at.

In fact, such are the losses, and the knock-on to global GDP, accounting for millions, if not billions, of pounds, that if they were front-of-desk conventional robbery there would be an outcry. But it is not; it is in the acceptable guise of subliminal, and to some expected, tolerated cybercrime.

The problem is that it continues to grow and has become much more sophisticated and complex. The element which is missing, of course, is some form of real-time responsible agency that will act on input and track the offenders to the conclusion of justice. But who would take on such a task?

Taking into account the recent Home Office announcement that it is seeking £540m in cost savings through policing efficiencies by 2014, the likelihood of any serious investment in a capable all-encompassing police-led national cybercrime operation may be fast disappearing into the fiscal pot of savings.

In the opinion of many professionals, there is already one particular agency that possesses national focus and powers, and is involved in dealing with large-scale criminal operations (not just regional or metropolis focused). Here I refer to a successful organisation that has had more unsung successes than have been published: an agency which has recovered massive amounts in goods and finances under the Proceeds of Crime Act, and which has wide-reaching powers, in some ways comparable with those of the FBI. The conclusion: where should such an activity be placed for complete ownership? In many professionals' opinion there is only one such agency: SOCA.