Three Theses on Information Security Issues

Good afternoon, dear colleagues, I am deeply grateful to the organizers for inviting me to the seventh Conference. It is of utmost importance that we gather on a regular basis here where the most urgent issues in the cyberspace security are raised and discussed. I am not concerned in the least that I might exaggerate the importance of this Conference, because, firstly, we can see how the problem of information security is escalating on a global scale, and secondly, it is critical today, more than ever, to have the mouthpiece of scientists, experts and professionals capable of working out strategic decisions and recommendations that will scale down the level of tension and danger in the information space in the world and turn it into a civilized, safe and comfortable environment serving the needs of humanity.

I would like to thank both the first and second speakers. Compelling, expertly done and informative. However, I have a feeling that all these presentations have been, in a sense, academic and somehow laid-back. And it has seemed to me that it is necessary to ‘add some spice’, somehow ruffle up things and offer the first point: WE HAVE BEEN LATE OR ARE BEING LATE. The threat is spreading around the world at a fast pace, and while it is at it, our ‘easy-going and blissful’ meeting only is in stark contrast to and in every way indicative of this process.

Excellent NATO and European programs, interesting meetings at various levels of authority like Interpol, Europol, OSCE, plenary sessions, forums, and so on, – they are showcases of efforts that are being undertaken to protect humanity against cyber threats.  However, every year we unanimously state that crime rate has risen — increasingly multiplying its detrimental effect. This can only mean one thing: that the measures that have been undertaken so far has gone wide of the target, i.e. to reduce the cyber threat and, as a result, improve human safety in the cyberspace world. Alas!

At this Conference as well as at other national and international forums today you can get an enormously wide variety of data showing an alarming growth record of cyber threats, in particular, cyber crimes.  The number of viruses, malware applications and affected facilities; the amount of damage and stolen money; the number of infected computers and compromised cards; the size of botnets, the number of DOS attacks, the volume size of the spam flows and so on and so forth.

I will spare you the details – there will be many more. And there will be many percentages showing by how much it has grown! In other words, a terrible picture is revealed to us here and we put up with it.

Here is the main question as to how accurate this data is.  I assure you, they are very rough estimates and normally differ from actual figures to the lower side, except those derived by the random extrapolation method. These falsehoods started to come forth from a large number of researchers, including amateurs who substitute the lack of reliable information for fantasies and speculations often based on self-serving considerations. For example, anti-virus companies normally provide higher statistics on malware and the resultant damage than, say, law enforcement agencies. The first group needs to scare the public and make them buy their products, the second group – to show their work and appease public grudge by downplaying the existing threats. Such motives strongly affect statistics that are further included by experts in their studies, reports, and presentations. Therefore, when using such data, and, moreover, citing statistics somewhere, I recommend you should always make reference to the original source. Even such reference would treat such data with an appropriate degree of trust.

On the other hand, the concept of «cybercrime» is still extremely vague in different countries and with different researchers. As a result, the same wrongdoings in some countries are classified as IT crimes, in other countries –or as economic crimes or criminal offenses, and yet in some countries – are not treated as something liable to criminal prosecution.  Multiply this by or add it to the traditional latency of computer crimes and what you get is a blurred watercolor picture in alarming colors which is the subject of our debates.

So I am putting forward my second point that “SCIENCE STILL OWES US!” Today, there is a more favorable environment to advance science so that it can be applied for the purpose of strengthening global security than it was, say, when we gathered here in the first conference in 2007.

First, we have built up a massive evidential base that is available for review and interpretation from a fair-minded, non-partisan and non-political perspective.

Second, we have gained and can tap into the varied experience (positive and  negative)  of  organizing  the  fight  against  cyber  threats,  cyber  criminals, cyber-terrorists and cyber extremists, and the experience of intergovernmental cooperation. I would like stress that there is a negative experience as well! What does require study on the top priority basis is not ‘best practices’, but specifically, mistakes, errors and faults and it is this kind of study that produces genuinely positive recommendations and solutions.

Third, a multitude of research groups have been set up and operating at various educational and research centers, as well as government and private institutions and in the business community.  The army of professionals specializing in the research of cyber threats and information security has also been formed.

Fourth, thanks, in particular, to international events such as this conference, the world is getting aware of the need for active and straight international cooperation in studying the entire range of problems associated with IIS, i.e. international information security. As an example I can refer to the Consortium established in

2010, that is willing to admit new members in order to organize the international scientific school of thought concerned about the future of mankind in the new realities of the information age.

It’s very positive and correct with the scene set for it for obvious reasons as scientists pursuing their important research in their respective countries in isolation from each other, are ultimately like builders of the Tower of Babel. As you know, people speaking different languages, they have not managed to build one.

So again and again we have to speak of the need to agree on the common terminology, concepts and references to  aid  the  comparison and  analysis  of data on a global scale, and tomorrow – within the present timeframe.  As long as at one end of the planet measurements will be made in inches, and at the other — in meters or kilograms, we will not be able to draw an accurate picture of information threats in the world.

The idea is not a new one and I do not claim to the authorship. This is what we have been talking about in all parts of the world for many years running. But the problem is far from being solved, and scientists in conjunction with practitioners should finally produce the single vocabulary of commonly used and clearly understood terms in the field of information security and all components in the well-known triad of IIS.    There is, I believe, an easy, but illustrative example. In Russian, our local experts find it difficult to interpret the English term ‘computer sabotage’ adopted and broadly used in the west. And in many countries this term became part of their national criminal codes.

What’s the matter here?   Why are we late? Why are we still, despite of the global Internet and almost unlimited possibilities of communication, speaking in different tongues, like Babylonian builders?  In my opinion, humanity has not yet realized the level of hazard that it has released in its electronic space. And the fact that today this space has altogether unique qualities both outstanding and those concealing many threats, identified and yet to be discovered.

And with  the  understanding that  the  mere  existence  of  the  information space – the digital envelope of the planet – there is a new civilization stage of society development. And at this new stage there are emerging elements of new economy, new social relationships, including the legal relations, new strategies, including military ones. Experts and scientists understand and perceive what has not yet dawned upon the rest of humanity. In particular, the fact that the pace of development in this sphere is significantly outrunning that measure building to protect individuals and society from threats emanating from it.

Experts understand and counsel on those things with society and all its parts remaining aloof. Take, for example, business – the most active, advanced and affluent part of society. It is a promising sector. The development of telecommunication systems business develops cyberspace, by introducing e-commerce and seeking to expand its customer range and to maximize its profits. However, with this race going on in its back yard, businesses have yet to become aware of their social responsibility, to heed expert advice and channel its efforts on and capital to security. Fortunately, today there are already examples of the positive attitude from individual representatives of capital owners to the pressing problems of information security. But they are few such examples and, unfortunately, there are far more examples of the opposite kind.

A bank contacts a cyber police department: Help, we have been robbed by cyber fraudster. Skimming, carding, and so on.  A week later they are starting to complain: they failed to take any action, find any criminals and get our money back. Yet they neither know, nor do they care to know that three dozen of such requests are filed with this cyber police department every week. And the staff of police officers is a third of this number. And an investigation of each crime element takes a lot of time, effort and resources.

In turn cyber police officers turn to the bank for information on movements of illegitimate money in the bank accounts. A week later they get lectured on banking and commercial secrecy and protection of personal data. And no statements are given. This work stopped dead in its track without any chances to continue. No one is trying to catch criminals and will never catch anyone. Situations are nearly ‘boiler plate’.

Law enforcement and intelligence agencies insist on user registration in information systems and some regulation, at least, as applicable to the negative content. In response to squeals from human rights advocates, the Internet community represented by bloggers and other activists lashed back with accusations of total control and so on. And what needs to be done is only to enable law enforcement agencies to perform their functions more efficiently, i.e. protect their citizens from criminals and terrorists and protect children from child molesters and perverts.

It is well known how weltered the Internet is, not just with spam, but with criminal content such as terrorist, extremist, pornographic and other similar websites. However, repeated appeals from law enforcement agencies to Internet providers’ administrations have drawn a blank. Clearly, it will cost an arm and a leg to them to filter and clean the content. Then another mechanism is required, i.e. the law that will regulate these relationships and will allow legal fight against both authors and distributors of undesired (criminal) content and also those who pretend not to notice it under their own noses. One should admit that the government has recently started taking some steps to clean up (at least partially) the web space – Roskomnadzor generates lists of websites to be closed and requires providers to follow their instructions.  However, we see what obstacles these decisions have met and are meeting and what resistance is put up to confront them.  And it isn’t Roskomnadzor that set itself on this job, is it? Is not that what has been required by citizens and common sense and voice by civil society resentment?

Agencies and Services are unresponsive to one another.  Instead of picking faults with your partner, it would be sensible to understand what difficulties it is saddled with and try to be of help/ Hence, let me propose the next point or motto – “LISTEN TO EACH OTHER!” It turns out to be a big problem. We do not listen to and cannot hear each other, we give little consideration to the situation, challenges and opportunities of a partner, someone with whom we are destined to be in the same boat and survive.

I will give an example: I am reading a report of the conference on business security and fraud fighting. What do participants say and who are those participants?  Representatives of the banking community, public associations – the banking union and the union of payment systems, as well as running wild and omnipresent MPs …. I am double checking: and where are representatives of the law enforcement system who have to track and expose cyber fraudsters and hand them over to justice? It turns out that they have not been there. Maybe they were invited but failed to come? – No, they were not invited. But all the participants spoke volumes about the cybercrime epidemic hitting the nation and amicably shared the view of the cyber police’s inability to handle its job. And no one asked why it was happening this way?   How can it be helped?   There is no desire to hear a partner, to understand what holds it back or what he needs. And, it looked as if the common goal should have brought them together. But if nothing can be seen at a low level of interaction, there must be an upper level of coordination that can see and control things. Scientists and researchers should facilitate this management team to control the situation and prompt solutions.

The sector of international cooperation on international information security in general and on the fight against cybercrime, in particular, has the same situation, but much more challenging one to tackle.  Cyber police officers of one country turn to their counterparts in other countries: please give us logs, connection protocols as well as details on owners of IP addresses, cell phones and so on. It is plain to anyone that the investigation process of IT crimes, by definition, requires rapid and almost immediate actions. Unless you stop the criminal transaction, millions will go under the digital fog and vanish in thin air. In the cyberspace, events take place at a lightning speed with traces clues and evidence disappearing as fast unless you get a quick fix on them. Apparently interaction between the relevant bodies: between bank security services, operators and Internet providers and between police units investigating cyber crimes. What do we have by way of response? — A recommendation to colleagues to file an international investigative request. Well, you have complex domestic procedures. And we must understand that in Russia international investigative request is filed exclusively through the General Prosecutor’s Office. And many have repeatedly explained that this means a very, very long time. However, there is no response, criminals triumph and no one try to catch them.

Naturally, different countries have different approaches to provision of information, different information storage and retrieval conditions – as applicable to relations between police officers and banks or operators.   However, these conditions are related to the rules that were formed in the XX century, when there was no single generally accessible international information environment without any boundaries. The first people to capitalize on it are international computer criminals. And we have not yet created any legitimate legal procedures for rapid response and interaction matching the pace and actual requirements of the XXI century. And the citizens of the planet simply cannot understand that an attack on their computer and the local network of their firm, factory or hospital can be mounted from anyplace around the globe!

What’s the snag? Departmental interests, group egoism, competition, inter- state conflicts and even contradictions within the domestic legal framework, to speak nothing of international law.

We are trying to do something at the level of national contact points. Let me remind you that national contact points are set up in the late nineties by the decision of the heads of our national governments and are available in more than 40 countries. But actually, this scheme of things works when the staff on both sides is on personal terms with each other and knows who does what. This is profoundly wrong, but it’s a fact. Often, they are guided by what they see reasonable from shift to shift, rather than by the law and a procedure stemming from the law.

Unfortunately, our laws are lagging behind rapid processes ongoing in the information environment and new emerging legal relations involving individuals, entire groups and social communities. It is understood. It is known that law is conservative and inertial. The event should take place, happen again and become a phenomenon. We have to learn to identify it, its impact and contradictions concealed within it then in order to put together governing regulations or laws.

But you and I, being “on the crest of a wave,” are just in the border region where the old laws are outdated, and the new ones have not yet been drafted. And it is down to us to deliver as early as possible what is unknowingly expected of us by our compatriots. Let’s continue our work. This is a ‘sweet’ burden to step ahead, understand more than others do, take on responsibility and find solutions.

To be honest, I would like to attend the next conference in Garmisch-Partenkirchen and, perhaps, to speak for at least 1 minute and to have the opportunity after what I have said ‘hear each other’ to offer the following points –’UNDERSTAND EACH OTHER’ and then — ‘HELP EACH OTHER’!

 

This article is based on a presentation delivered at the 7th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 22-25 April 2013 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.