Viktor A. Sadovnichy
Member of the Russian Academy of Sciences,
Rector of Lomonosov Moscow State University
Positive and negative trends of large-scale cyberspace development
An increasingly growing importance of global information and communication technologies and networks, especially the Internet, presents one of the persistent trends of modern economic and social development. Today, the global information network brings together as many as two billion people worldwide (which is almost a third of the world’s population), offering us unprecedented capabilities to communicate and cooperate. The Internet has become an essential part of society and economy, securing economic growth and social development. It is now one of the main drivers of the global economy, an incentive of growth and innovation. A wide range of application-oriented information services offer an effective functional element in almost every domain of life, including manufacturing, governance, education, science, culture, etc. These services take our civilization to a new dimension of evolution through the concepts of the post-industrial information society and the knowledge-based economy.
At the same time, a manifold system of information infrastructures (in other words, cyberspace) that has been established in the course of the past decade, gives rise to new sophisticated threats to personal, social and national interests, and these threats are gradually becoming multidimensional and transnational. Every single day, we hear reports of various cyber attacks, cases of computer fraud, cyber crime and even upcoming (or already fairly real?) cyber wars. Sources of such threats may be represented by individuals, organized criminal or terrorist groups, and in some cases even government institutions. Annual damages caused by computer crime alone are already estimated in trillions.
Special emphasis should be placed on the uniformity of global information security agendas, which implies that hackers, cyber fraudsters, “hacktivists,” virtual terrorists and combatants operate in a single information space and use such tools and resources that are cognate in their intended purpose, largely having an identical design philosophy, targeted against the same critical infrastructure assets and designed to hit common weak points in such assets.
In the course of the past decade, global information space has become more of an arena for state-on-state antagonism and struggle for strategic and tactical political goals. A number of world powers, including the USA, Great Britain, Germany, etc., published their cyber security strategies in 2011, proclaiming their commitment to build cyber forces. The US Department of Defense officially announced cyberspace as the fifth theater of operations (along with the land, air, sea and space).
The above facts bear out the conclusion made by the UN Secretary General in his 2010 report: “Existing and potential threats in the sphere of information security are among the most serious challenges of the twenty-first century.”
Recognizing the standards of secure cyberspace operations is imperative in the modern world
This is why the most serious challenge for our entire cyber corporation, which includes the scientific community, information and electronic businesses, and specialized governmental structures, is how to preserve the best opportunities offered by cyberspace and neutralize the adverse and destructive trends of its application.
In my opinion, one of the first priority steps to building an atmosphere of trust in cyberspace is the development and adoption by the United Nations of a document that would set forth the fundamental principles of activity in cyberspace and guarantee security of such activity. These principles are as follows:
1. Cyberspace is a common heritage of mankind that has a tremendous potential for sustainable development of our civilization.
2. Activity in cyberspace should promote overall economic and social development and offer equal opportunities for free access to resources in cyberspace. This activity should be limited only to such formats and actions that meet the generally recognized and approved principles and standards of global cybersecurity.
3. National efforts focused on protecting critical cyberspace infrastructures should fall in line with broader international cooperation in the field of designing and deploying fundamental principles of activity in cyberspace and securing cyberspace activity.
4. The principles and standards of global cybersecurity should be consistent with the objectives of global peace and security and meet the generally recognized principles and standards of international law, including peaceful settlement of disputes and conflicts, non-use of force, non-interference in internal affairs, and respect of basic human rights and freedoms.
5. The principles and standards of global cybersecurity should be consistent with the right of everyone to search, receive and distribute information and ideas, as stipulated by corresponding United Nations documents, in recognition of the fact that such right may be restricted by law as a way to protect the interests of national and public security of each state and to prevent unauthorized tampering with information resources.
6. Trust and security in the use of information and communication technologies make the foundation of the information society, which is why we must encourage, model, develop and aggressively deploy sustainable global cyberspace culture.
7. Large-scale secure development of cyberspace should rely on appropriate breakthrough achievements in science and technology and deployment of ambitious educational projects in this sphere.
8. Information and electronic business must adhere to social commitments and be motivated by the fundamental principles of activity in cyberspace and securing such activity.
Challenges of building the international information security system
All members of the international community recognize the existence and significance of information security issues, which is manifested in a series of annual resolutions of the United Nations General Assembly known as “Achievements in the Sphere of Information Tasks and Telecommunications in the Context of International Security” (1999-2010) and a number of resolutions on global cybersecurity culture matters (2007-2009).
Information security issues are in the focus of attention of political leaders of major world powers. During the G8 Summit in France in 2011, leaders of the states discussed these issues among other critical matters, which is reflected in the Deauville declaration. A special permanent sub-group for high-tech crime matters was established within the G8, officially known as the Roma-Lyon Group.
The de-facto international community started building regional systems of international information security. The first step in this context was the agreement among the governments of SCO member-states on cooperation in the field of international information security signed in Yekaterinburg (Russia) in June 2009. The Collective Security Treaty Organization has also set the lines of cooperation among CSTO members in the field of combating cyber crime and cyber terrorism. Another rapidly growing system is the regional system for securing the information space of NATO member-states from hostile use of information and communication technologies.
Countries that are not members of any regional systems of international information security, or those participating in certain regional systems, are also developing approaches for practical cooperation.
At the same time, events of 2011 showed that we still have a long way to go before we adopt any universally recognized rules of conduct and confidence-building measures, not to mention legally binding norms. It is significant that this situation is caused, among other things, by the fact that there are still some outstanding technical, legal and philosophical issues that essentially constitute the domain of “scientific background for the negotiation process.”
There is no harmony in the conceptual framework used in different countries, which significantly obstructs understanding at international meetings and consultations. The parties to negotiations do not have a unified interpretation even for such fundamental notions as “information space” and “cyberspace,” “information security” and “cybersecurity”.
There are no effective procedures to identify (let alone confirm) sources of cyber attacks on the global network. This is why the actual culprits of noted international high-profile cyber incidents remain behind the scenes and are in fact named through political appointment in the course of bustling propaganda campaigns.
By a similar token, there are no mathematical models or indicators in place that would help distinguish the signs of coordinated cyber attacks on critical facilities among the ocean of multidirectional and seemingly chaotic cyber attacks. Such models and indicators would allow engaging the military-political and diplomatic arrangements for de-escalation of cyber conflicts and prevention of cyber wars at early stages.
In addition, there has been no benchmarking of different views on the practicability and feasibility of introducing into international legal language concepts like “Internet boundaries of the state,” “network sovereignty,” or “intervention into the information space of a foreign nation.”
The efforts aimed at developing effective international legal mechanisms for investigation of cybercrimes whose different stages are committed in different jurisdictions have been unsuccessful. Meanwhile, the number of such criminal cross-border activities involving numerous intermediaries, proxy computers and botnets, is continuously increasing. There are no scientifically proven mechanisms for inducement of social responsibility of the information and network businesses.
The number of philosophic, cultural and psychological surveys in cyber ethics that are supposed to validate the recommendations for the development of global information security culture is fairly small. At the same time, if we could reduce the number of wide-scale violations of basic rules of conduct in cyberspace, many instances of cyber crime would be prevented.
The goal of research and educational corporation is to design and deploy a system of knowledge, skills and standards of a global information security culture.
The fight against illiteracy in the information security domain is a serious global challenge that cannot be addressed only by special government agencies. It requires uniting the efforts of scientific and educational communities, mass media, private businesses and communities of Internet users. The leading role will be assigned to the scientific and educational communities that are expected to provide a toolkit for handling the problems that exist, such as scientifically founded recommendations, a wide range of special educational programs, teaching techniques, study materials and popular scientific literature.
This article is based on a presentation delivered at the 7th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 22-25 April 2013 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with explicit permission from the conference organizers.