Security in the online world is essential for the internet to realise its economic potential - but experts agree that there is no simple solution to a problem that has multiple dimensions: technological, societal, economic and psychological.
The European Network and Information Security Agency (ENISA), based in Heraklion, Greece, classifies threats on the internet according to when experts expect them to materialise, into 'current', 'emerging' and 'future' risks. ENISA describes itself as "a Centre of Excellence for the EU member states and EU institutions in network and information security, giving expert advice and recommendations".
Current risks are relevant within the coming year. As of summer 2007, this concerns:
Spam, botnets, phishing, identity theft, route hijacking, instant messaging, peer-to-peer systems, malware on mobile phones, hackers in stock markets, software vulnerabilities and lack of protection (e.g. antivirus) on some devices.
A recent survey conducted by Harris Interactive and sponsored by Microsoft revealed that, in the US, almost 20% of adults have already fallen victim to an online scam of some sort.
The OWASP Top Ten Project, an industry-standard awareness document for web application security endorsed by the US Federal Trade Commission and Department of Defense, lists the following as "the most serious web application vulnerabilities in 2007":
Cross-site scripting (XSS), injection flaws, malicious file execution, insecure direct object reference, cross-site request forgery (CSRF), information leakage and improper error handling, broken authentication and session management, insecure cryptographic storage, insecure communications and failure to restrict URL access.
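Two of the categories in that list, cross-site scripting and injection flaws, are easiest to understand as a vulnerable snippet beside its hardened form. The following is an added example written for this page; it is not code from the article or from the OWASP project. The user table, the "alice"/"bob" accounts and the two payloads are constructed for the demonstration, and it uses only the Python standard library.

```python
"""
Added example (not part of the original article): two OWASP 2007
categories, cross-site scripting (XSS) and injection flaws, each shown
as a vulnerable function next to its hardened form.
"""
import html
import sqlite3

# --- Cross-site scripting: reflecting user input into an HTML page ---

def greet_vulnerable(name: str) -> str:
    # Untrusted input is concatenated straight into markup, so a name
    # containing <script> becomes executable code in the victim's browser.
    return "<p>Hello, " + name + "</p>"

def greet_hardened(name: str) -> str:
    # Output encoding for the HTML text context: '<', '>', '&' and quotes
    # are turned into entities, so the payload is displayed, not executed.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

# --- Injection flaws: building SQL by string formatting ---

def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table standing in for a real store.
    # Passwords are kept in clear only to keep the demo short; in a real
    # system that would itself be an 'insecure cryptographic storage' flaw.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The attacker's quote character ends the string literal and the rest
    # of the input is parsed as SQL, rewriting the WHERE clause.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver binds the values as data, so the
    # input can never change the structure of the statement.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Constructed attacker inputs for the two categories.
XSS_PAYLOAD = "<script>alert(1)</script>"
SQLI_PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    print(greet_vulnerable(XSS_PAYLOAD))   # script tag survives intact
    print(greet_hardened(XSS_PAYLOAD))     # entities only, nothing runs
    db = make_db()
    # Vulnerable login: password "' OR '1'='1" makes the WHERE clause
    # true for every row, so the check passes without a valid password.
    print(login_vulnerable(db, "alice", SQLI_PAYLOAD))   # True (bypassed)
    print(login_hardened(db, "alice", SQLI_PAYLOAD))     # False
    print(login_hardened(db, "alice", "correct horse"))  # True
```

The SQL example works because AND binds tighter than OR: the injected clause turns the condition into `(username = 'alice' AND password = '') OR ('1' = '1')`, which matches every row. The hardened version treats the same string as an ordinary (wrong) password. Note that the XSS fix is specific to the HTML text context; input placed into an attribute, a URL or a script block needs the encoding appropriate to that context.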
Emerging and future risks, according to ENISA, are likely to arise from the ubiquity of IT systems and unlimited reliance on them. This includes the increased automation of homes and the possibility of controlling home appliances, such as heating or air conditioning, remotely over the internet, and possibly even the use of vulnerabilities in home appliances to attack public infrastructures (e.g. distributed denial-of-service attacks on electricity networks using internet-controlled heating or air-conditioning).
Major risks may also arise from invisible data collection in public places (e.g. toll collection systems, surveillance cameras and consumer tracking) as well as in private premises (e.g. the retention of telecommunications data and the storage of user data by internet search engine operators), and on portable devices such as mobile phones.
- Trust and consumer confidence
There is general agreement that the damage from internet crime is almost impossible to quantify (years ago, estimates said that it was comparable to total revenues from global e-business). Experts agree, however, that the lack of consumer trust resulting from the risk of internet transactions being compromised is highly detrimental to e-business and entails considerable material damage. Research done in 2007 suggests that consumers were about one third more likely to make a purchase on a site that is certified as 'hacker safe' than on a site lacking the certification. This does not take into account the boost in e-commerce that could be brought about if the internet were widely regarded as a secure business environment.
In its 6 September 2006 resolution on the Commission Green Paper on the Consumer Acquis, the European Parliament said it "considers that it is appropriate to examine issues relating to the protection of consumers when they conclude contracts providing digital content, software and data".
- Critical infrastructure
The Commission's 2005 Green Paper on a European Programme for Critical Infrastructure Protection defines 'Critical Information Infrastructure (CII)' as the ICT systems that are critical infrastructures in their own right or that are essential for the operation of other critical infrastructures, such as telecommunications, computers/software, the Internet, satellites, etc.
According to the Green Paper, Critical Information Infrastructure Protection (CIIP) should "be viewed as a cross-sector phenomenon rather than being limited to specific sectors". The programme aims at keeping the performance of critical information infrastructures in case of failures, attacks or accidents above a defined minimum level of services and at minimising the recovery time and damage. CIIP should be closely coordinated with the protection of non-ICT Critical Infrastructure.
By means of a 2001 Convention, the Council of Europe officially introduced the term "Cybercrime" for a number of offences, some of which merely make use of computers for crimes already punishable in the 'real' world, while others are sui generis computer crimes. These include "offences against the confidentiality, integrity and availability of computer data and systems", such as illegal access and interception, data and system interference and the misuse of devices for such purposes, as well as computer-related fraud and forgery. The EU has since endorsed the terminology and now uses it itself (see related Links Dossier).
The CoE Convention obliges its parties to "adopt such legislative and other measures as may be necessary to ensure that the criminal offences established (...) are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty".
By August 2007, only 13 of the EU's 27 member states had ratified the Cybercrime Convention, though all EU countries have signed it. Within the 'old' EU-15 member states, the Convention has entered into force only in Denmark, France, the Netherlands and Finland.
Information Society Commissioner Viviane Reding said, addressing a conference in Helsinki on 28 September 2006: "On security, in particular, we need to move from talk to action. The Commission is not asleep on the job, but we cannot win the war alone. We need a culture of security in which everybody plays their part. That means national governments have not only to identify but also to implement best practice in policymaking. But security threats are inherently cross-border. The international coordination of risk monitoring and reaction is a major role of ENISA (European Network and Information Security Agency).
A second area of need is for authoritative and independent information on security incidents and consumer confidence. That is why we have also asked ENISA to move ahead urgently on developing with member states and stakeholders a data collection framework to collect and analyse EU-wide data. Industry also has a role to play: software producers and Internet service providers must provide adequate and auditable levels of security. I believe I see some signs of movement in the software sector, in this respect. I am watching with interest."
The mission statement of ENISA, the European Network and Information Security Agency, says, under the header "Europe’s Information Society – the future at risk?": "The growing number of security breaches has already generated substantial financial damage and has undermined user confidence. At the same time, the Information Society is becoming indispensable in all areas of life. Individuals, EU institutions, public administrations in the member states and businesses have deployed security technologies, security management procedures and information campaigns and research projects to enhance network and information security. The technical complexity of networks and information systems, the variety of interconnected products and services, and the huge number of private and public players that bear their own responsibility, is risking undermining the smooth functioning of the internal market. The modernised information society of Europe and its business, based upon a digital economy is thus, potentially, jeopardised."
Jean-Philippe Courtois, Microsoft CEO for the Europe, Middle East and Africa Region, said: "As an industry leader, we have a responsibility to ensure that our users benefit from a safe service. And if the real potential of online technology is to be realised, we all have an interest in ensuring that the Internet continues to be a viable tool for consumers, governments and businesses alike."
In an essay entitled "The psychology of security", internet security expert Bruce Schneier says: "Security is both a feeling and a reality. And they're not the same." Schneier goes on to explain: "The feeling and reality of security are different, but they're closely related. We make the best security trade-offs - and by that I mean trade-offs that give us genuine security for a reasonable cost - when our feeling of security matches the reality of security. It's when the two are out of alignment that we get security wrong.
In the past, I've criticised palliative security measures that only make people feel more secure as 'security theatre'. But used correctly, they can be a way of raising our feeling of security to more closely match the reality of security. Of course, security theatre has a cost, just like real security. It can cost money, time, capabilities, freedoms, and so on, and most of the time the costs far outweigh the benefits. And security theatre is no substitute for real security. Furthermore, too much security theatre will raise people's feeling of security to a level greater than the reality, which is also bad. But used in conjunction with real security, a bit of well-placed security theatre might be exactly what we need to both be and feel more secure."
Distinguished information technology economist Hal Varian wrote in an essay for the New York Times: "One reason that computer security is so poor in practice is that the liability is so diffuse. Consider the attacks that took place a few months ago, in which computer vandals took over computers on relatively unprotected university networks and used them to shut down Yahoo and other major Web sites. Although the universities found the takeover of their machines a nuisance, they didn't bear the bulk of the costs of the attack on Yahoo. But if universities bore some liability for the damages to third parties, they would have a stronger incentive to make their networks more secure.
The same problem arises with providing high-speed broadband service to the home. These networks are, by default, always connected to the Internet, leaving them susceptible to being used to mount an attack in cyberspace. If a particular user's computer is taken over, should he have liability for the cost of the attack on someone else? The average user is essentially clueless about how to prevent his computer from being taken over, so assigning liability to him would be pointless. Assigning liability to the network operator would make more sense."
- 18 January 2007: Public forum on the availability and robustness of electronic communication networks
- 7 November 2007: Commission to present its draft for the revision of the e-Communications regulatory framework, which is likely to contain regulation for better network integrity, and in particular requirements on communication providers to notify security breaches
- 11 November 2007: European Conference on 'Identity fraud/theft: The logistics for organised crime'
- Before end 2008: Commission study 'Survey and Analysis of EU ICT Security Industry and Market for Products and Services'