21-03-2002 (updated: 29-01-2010)

The fight against Cybercrime

Steve Ballmer, CEO of Microsoft and Jos Dumortier, Professor of Law and Information Technology, Director of the Interdisciplinary Centre of Law and Information Technology, University of Leuven addressed a European Policy Centre lunchtime briefing on the battle against cybercrime. The event was attended by representatives from the public and private sectors, and a question and answer session followed. This is not an official record of the proceedings and specific remarks are not necessarily attributable.

John Palmer, Director of the EPC, opened the session by pointing out that this was the first time an EPC session was addressing cybercrime, a subject of increasing importance to everyone. The world of the Internet had opened up new areas of policy issues, of which few of us have an adequate grasp. Increasingly, cybercrime and security are on the agenda of EU policymakers, and indeed would be discussed at this weekend’s EU summit in Barcelona. The relation between these issues and privacy has become even more pronounced in the wake of the 11 September terrorist attacks on the US.

In his presentation, Steve Ballmer, CEO of Microsoft, agreed that today’s topic was of “unbelievable importance.” He noted that most people underestimate, rather than overestimate, the potential damage cybercrime can cause companies, economies, etc.

Revolutionary Industry

Since joining Microsoft more than two decades ago, Mr Ballmer described some of the most influential technological revolutions he had experienced: The development of the PC in 1985 (which was at the time regarded as something almost superfluous and is now taken for granted) and the arrival of the Internet in 1995.
Today when we talk about the industry we have to talk not just about revolutions past but revolutions present, Mr Ballmer emphasised. He said that we are currently experiencing a fourth revolution, the development of XML. This has been seized upon by companies as a new lingua franca of the Internet, said Mr Ballmer, predicting that the world of XML will usher in a new wave of investments as companies seek to protect their data.

Biggest Challenges

Mr Ballmer contended that just when industry thought it had the technology for protecting itself against cybercrime, the technology would change again. He went on to list what he considered the biggest challenges in this campaign:

As technology develops, so does cybercrime: The biggest threat today does not come from hackers, but rather people who try to pry into computer systems.
Global networks crossing jurisdictions: Jurisdictions are not always obvious in the cyberworld.
Single attack strikes many: Cyber criminals can attack in multiple places with a single action.
Different legal regimes and different rules in different parts of the world: Mr Ballmer called for greater harmonisation of rules and law enforcement efforts.

Global Issue

Cybercrime is a global issue, which affects all geographic regions and all kinds of operating systems, including Windows UPnP, AOL AIM and CDE/Solaris. At Microsoft, there had been 20 to 25 incidents against half a dozen different systems in 2001. Although in some ways these numbers may appear small, Mr Ballmer said they were “unacceptable” – for either high-volume or low-volume products.

No Common Forum

Mr Ballmer lamented the fact that there was no common framework within the computer industry for discussing security breaches and how to handle them. At almost all companies no one is sure what to do if there has been a violation, as for example whether or not to go public with the fact that an incident has occurred. In one sense doing so almost invites hackers to do more damage.
Mr Ballmer suggested that government and industry join forces and form a mutual forum to handle these sorts of issues. Partnerships between government and industry are critical if we are to thwart cybercrime, Mr Ballmer said, calling for clear and firm policies in this area.

Trustworthy Computing

The fact that there are a number of different kinds of attacks on computer systems necessitates a multi-pronged battle against cybercrime. These attacks include actions in the following areas:

Availability: One example is when banking or financial systems are entirely shut down even if no data is erased. Self-management and architectural support are the best defences against such crimes.
Denial of service: This happens when the perpetrator prevents anyone else from accessing a particular system or website, by for example bombarding a site so that no one else can get in.
Privacy: Perpetrators violate privacy when they gain access to privileged data. Mr Ballmer pointed out that this provoked a different kind of damage to the other types of violation.

Eradicating cybercrime was not as simple as getting rid of a few bugs in a piece of software, Mr Ballmer said. Instead, it is a question of developing software that can prevent a number of different attacks. He also called on governments to create more security than the platforms provided by industry. Nonetheless, “security in this game will never be 100 percent,” Mr Ballmer said, adding that this was an area which requires a daily effort.

Commitment to Cyber-Security

Microsoft is very committed to cyber-security. This is manifested in the design and architecture of its software; a security response centre; a Strategic Technology Protection Programme; and a regular dialogue with various public-private policy groups around the globe such as EWIS, IT-ISAC and PCIS.

Public-Private Partnerships

Mr Ballmer repeatedly said that partnerships between government and industry were essential to combating cybercrime.
Governments rely on the private sector to build and maintain software and networks that deliver essential information and services, that drive economic growth and provide safe and private experience for governments. The private sector, however, needs government to fund law enforcement efforts; strengthen criminal penalties against computer crimes; work to harmonise laws against cybercrime internationally; and improve coordination among law enforcement authorities in different jurisdictions.

Mr Ballmer also called for a strengthening of criminal authorities throughout the world. The most effective research and development investment in this area can be leveraged globally, he said. For its part, Microsoft has been working closely with the US Department of Justice to get more funding for the FBI to target cybercrime. The company has also lent its expertise to the effort, but Mr Ballmer said it was important for government to have its own experts.

Mr Ballmer warned that the cycle of technology development and threats to security had no end. As a result, constant improvement from product design to product updates was needed: “We really need to have a cycle of continuous improvement.”

The Future

There was already plenty of spending on research and development into tools for fighting cybercrime. Still, Mr Ballmer said, we must look for ways to simplify these tools so that they could be used and understood by everybody. He called for increased research, especially by universities, into making security more convenient. Improvements in both software and hardware were needed.

Optimistic

In conclusion, Mr Ballmer said he was “quite optimistic” that with a stepped up focus on cybercrime, industry and government would be able to make great strides in exposing risk and dealing with the problem.

Professor Jos Dumortier agreed that cybercrime was a very serious threat which had to be taken seriously.
Long term we would need the same security for our computer systems as for water and electricity supply. “Security must be our first priority,” said Professor Dumortier, calling for a strong cross-border effort to deal with cybercrime. He agreed with Mr Ballmer on the need for a public private partnership, saying that neither industry nor governments would be able to do it alone. While security is of utmost importance, there are a few issues that must not be forgotten: the end user, de-polarisation of the computer world and personal privacy.

End User

As default security features on computers are almost always switched off, computing in a secure way requires a serious effort most are unwilling to make. In the future, Professor Dumortier would like to see security settings switched on as default. Ultimately, computing without security should become impossible, the professor said.

De-Polarisation

Microsoft’s market dominance means that its products are more often under attack than others. Professor Dumortier explained that there were strong antagonisms in the computer world, and that any company under permanent attack such as Microsoft would never feel completely secure. The solution, he said, was a greater emphasis on openness and consensus.

Privacy

Insecurity about computer networks usually resulted in greater surveillance, but Professor Dumortier warned that we had to strike the proper balance between protecting against attacks and preserving individual privacy. “We have to be very careful,” he said. In Europe, laws have been designed to protect the citizen against excessive control by the state. Professor Dumortier said that privacy and freedom were essential for independent thinking; even Microsoft would not have been possible without such freedom, he said. “It is not worthwhile to seek security if we lose our freedom,” he warned.
Questions and Answers

Microsoft Meetings

Mr Ballmer was asked whether he was planning to meet any policymakers during his visit to Brussels to discuss ways to combat cybercrime. He said that he was delivering his main message via this EPC briefing, adding that the dialogue was still in its very early stages.

How will Europe narrow the information technology skills gap?

“Capitalism is well at work,” Mr Ballmer said, noting that the increasing emphasis on security had created a market for security skills. However, he lamented the fact that it was still very difficult to get an appropriate level of expertise in security. He said that even at Microsoft, the most skilled people, who develop software, do not always know how to design a product that was completely secure. He urged governments to set the tone and speak loudly about their own systems and how they would be managed. Government, too, could create a demand in the market for people with security skills.

Cyber criminals

Mr Ballmer explained that there were different motivations for those who commit cybercrimes and the biggest problem was terrorist activity as this behaviour was completely unpredictable. Hackers, on the other hand, were not antagonistic but merely desired fame, especially in the hacker world; they measure their success in how much damage was done. Then there are the criminals who commit espionage and steal information; in these cases it is impossible to tell exactly what has been broken into and what damage has been done.

Internet Money Transfers

Although it is technically possible for people to transfer large sums of money over the Internet, this practice is still very limited. On a personal note, Mr Ballmer said that he did make purchases online but did not transfer large amounts of money this way.

Military versus Civilian Security

Professor Dumortier said that computer security was already a top priority in the U.S. military environment, especially following 11 September.
But he stressed that this should also become the case in the general computing environment. In many ways, the first step is simply acknowledging the importance of security: “Security is a state of mind.”

Risk Management and Harmonisation of Laws

One of the problems of dealing with cybercrime was the sheer difficulty of assessing potential negative outcomes, Mr Ballmer said. “Nobody knows how much risk they have,” he said. He repeated his plea for a harmonisation of laws around the world, and urged countries to work together.

Governments’ Efforts

Professor Dumortier said that governments had already taken steps to work together in the fight against cybercrime, as for example with a convention signed by the Council of Europe and co-signed by the US.

The European Policy Centre

For more analyses see The European Policy Centre’s website.