A call to arms for infosec professionals

An old saying says “nature abhors a vacuum,” meaning that in the absence of something nature will find a way of filling that gap. We are currently witnessing the same phenomenon in the information security field.

Information security has grown from being a small subset of IT to now being something of critical importance, not just to organizations but also to industries, economies and nations. As we become more and more dependent on the Internet, and computers control more and more of our daily lives, they also become a bigger risk to the stability of our businesses, economies, and our critical network infrastructure.

These risks have been recognized by governments around the world. US President Barack Obama has stated that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.” Jonathan Evans, head of the UK’s secret service MI5, highlighted in July 2012 that the online threat to the United Kingdom was comparable to that posed by terrorists and said there were “industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organized cybercrime”.

Yet despite all this rhetoric about computer security, there is still a lack of clear leadership on how to deal with the problem. Various countries have published their cyber security strategies, yet many have not shown any evidence of implementing those strategies in any demonstrable manner. We have seen individuals appointed as cyber security advisor (or tsar) positions in a number of countries, who then quickly resign and cite the lack of resources and support as obstacles to fulfilling their roles effectively.

The Convention on Cybercrime was one of the first treaties developed to provide an international legal framework for dealing with online criminal acts. Yet since its adoption by the Committee of Ministers of the Council of Europe in 2001, only thirty of the forty-seven countries that have signed the agreement have actually ratified it and made it law.

Many businesses are also failing to tackle this important issue. Not a day goes by without news of another company suffering a security breach. Many of these breaches are avoidable, as shown by Verizon’s 2012 Data Breach Investigations Report, which found that nearly 97% of the breaches it investigated could have been prevented using simple controls.

While many countries and organizations are failing to deal with computer security, others are seeing this failure as an opportunity. Criminals are quickly expanding their operations into the online arena, and they see the Internet as a fertile environment for making large amounts of money. Activists are using the Internet, and in particular social media, to publicize their causes and promote their messages. Hostile nation states, industrial espionage groups, and dissident groups are also looking to exploit our inability to work together to secure our systems.

Others taking advantage of the confusion and lack of understanding in this arena are the large lobby groups working on behalf of the defense and weapons industries. It is in the interest of these lobby groups to highlight the threat from online attacks and to press governments to invest money and resources in this area.

All of the above actors are creating what I see as a perfect storm of confusion and mistrust, which I believe will cause great damage to all computer and Internet users. Overhyped threats and a lack of understanding of the problem will lead to overreaction by governments as they respond to the threat du jour as presented to them by the lobby groups. In the effort to appear to be dealing with these perceived threats, governments may introduce new laws that not only fail to solve the problem but also negatively impact our privacy and online freedoms. We can already see this happening with lobby groups representing media organizations. They are successfully pushing changes to copyright law to protect their industries, while instruments such as the Convention on Cybercrime – which could help address many of the issues we face – are ignored.

To counter this, the information security community needs to step up and provide the leadership required to ensure we maintain the security of the Internet while preserving our freedoms and rights. We can no longer afford to let others such as vendors, lobby groups, or politicians drive the agenda.

So I ask each of you to use whatever influence you have to ensure that those making policy decisions, whether in business or elsewhere, are properly informed of what the real issues and preferred solutions are. Engage in a positive way with others, especially those outside our community, through blogs, social media or comments on news stories, so that they are better informed about the real issues. We also need to speak up when vendors and other interest groups overhype an issue for their own gain, and challenge their assertions. Finally, contact politicians to point out the threats we face from criminals, from badly thought-out legislation, and from lobby groups diverting attention away from the real issues.

The Internet is a fantastic place; let’s make the effort to ensure it remains that way.

Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security at University College Dublin, and he sits on the Technical Advisory Board for a number of innovative information security companies. He has addressed a number of major conferences, wrote the book ISO 27001 in a Windows Environment, and co-authored The Cloud Security Rules. He regularly contributes to a number of industry-recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.