Wednesday, July 18, 2012

The war goes on


Any device connected to a network of any sort, in any way, might be compromised by an external party.

There are no provably secure systems, only systems whose faults have not yet been discovered.

These two axioms for the cyber age are proposed in the World Economic Forum's Global Risks 2012 report, published recently.

Experts who were asked to nominate the risks the world’s leaders should be addressing over the next decade focused heavily on the possibility that the dark side of connectivity could become increasingly apparent, just as over the last decade the Internet’s power for good has been amply demonstrated in realms from business and personal relationships to popular protest.

Viruses such as Stuxnet hint at what may become possible given a 10-year time horizon. Stuxnet is malicious code that in 2010 attacked a specific piece of IT equipment — the Siemens controllers used in nuclear facilities in Iran. Its impacts are disputed, but it shows how a virus could conceivably trigger a meltdown in a functioning nuclear power plant, turn off oil and gas pipelines or change the chemical composition of tap water.

As more and more of our daily lives come to depend on interconnected systems, the axioms for the cyber age become ever more relevant. Consider the growing trend for “smart” electricity meters to be installed in homes, allowing energy use to be managed more efficiently at the network level. The benefits are obvious. But might a hacker be able to gain access to the electricity network via a domestic meter?

Such things are impossible to rule out with certainty, but it is also easy to be alarmist. Experts point out that viruses as sophisticated as Stuxnet require a team of software developers and intimate knowledge of the target’s security measures. For skilled individuals bearing a grudge, the havoc that can be wreaked online is currently limited to the embarrassing rather than the life-threatening. Nonetheless, the barriers to entry in cybercrime and cyberterrorism are falling all the time.

How do we minimize the risks from the dark side of connectivity? There are four main challenges.

First, online security is a public good: costs are borne privately, but benefits are shared. When an individual weighs the cost of investing in antivirus software, he or she does not account for the benefits of protecting other users from spam and APT attacks if his or her computer is infected with malware. Firms have an incentive to invest in cybersecurity measures that protect their own interests, rather than contributing to the health of the critical information infrastructure that constitutes the systemic whole. In addressing this challenge, we need to find new ways to support collaboration.

Second, we do not yet fully understand how social norms are shaped in the virtual world. Why is it that many people who would be ashamed to admit stealing a DVD from a shop will happily discuss illegally downloading a movie? What are the rules of acceptable engagement for corporate and industrial espionage, especially where the line between private and public enterprise is blurred? To what extent can “hacktivist” movements be accommodated as a virtual expression of legitimate civil disobedience?

Only by understanding and working with human motives can challenges be defined and solutions explored. The key to meeting this second challenge is more research and a greater willingness to engage in frank discussions.

Third, the information we have is sometimes skewed. Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organizations to get a clear picture of the true levels of the risk and needs for investment. We need better access to information to form policies which will improve global cybersecurity and create efficient markets.

Finally, incentives are misaligned. Lacking legitimate outlets for their talents that are comparably lucrative, hackers are drawn to the thriving black market in “zero-day exploits”, where pieces of code that take advantage of vulnerabilities in software applications can sell for hundreds of thousands of US dollars.

The axioms for the cyber age remind us that there will always be holes in new software. We need to develop better mechanisms to incentivize the well-intentioned to find them first.

Lee Howell is Managing Director at the World Economic Forum. He is responsible for the Global Risks 2012 publication.
