On 3 December 2012 a survey by the Dutch news site Nu.nl reported that within two years cyber attacks would be viewed as the greatest business risk to the Netherlands, posing an even greater threat than economic uncertainty.
Almost half of the companies questioned (48%) indicated that they would support additional protections against the online theft of intellectual property. Furthermore, 51% were in support of efforts to negate the effects of serious cyber espionage. What can the various players on the Dutch IT infrastructure scene do to address these issues? What is the best direction for policy to take now to address the rising issue of cybercrime?
Our understanding of the effects of cybercrime has grown rapidly in the past few years as our administrative and legal frameworks have risen to combat the new challenge. Nevertheless, few fully realise the effects cybercrime will come to have during our lifetimes, especially considering how dependent we now are upon the Internet in our daily lives. Cybercrime as a threat has grown so fast that a comprehensive solution to it does not yet exist.
What will happen if the current tendency towards internet-based machine control continues? What will the implications of cybercrime be for cars with IP addresses, for instance? The potential exists for malicious programmers to bring traffic or other infrastructure to a standstill. This threat is more imposing than many of us might think: the first cases have already arisen of centrifuges, airplanes and nuclear power stations being compromised, along with a few rare cases of bridges and other infrastructure.
Can e-security be improved? Vital points should be monitored continuously by a security operations center (SOC). It is doubtful that the publication of a bi-annual paper will continue to be of use for much longer with technology moving as quickly as it is. A better model would be more in line with current practice in aviation. When the FAA inspector comes to visit, he really has the opportunity to see everything. When something out of order is detected, as in the case of the new Boeing Dreamliner for instance, the whole fleet is grounded, providing a powerful economic incentive to keep the business permanently in order.
The Cure: Develop E-Security as a Basic Societal Need
Where can realistic solutions be found? Firstly, we require ICT infrastructure to be included in our list of basic social requirements, alongside the likes of hydrology, dikes, energy and sewers. Information must be allowed to flow freely as an essential need, just as roads, dikes and drains are basic needs. It’s not just about safe access either, but about all the essential elements of digital needs and digital business needs, such as E-ID, the digital signature, registered mail and perhaps even the digital notary.
To my mind, the regulations governing the security of digital infrastructure belong within a Ministry of Infrastructure and Environment, possibly in combination with Security and Justice. They are completely analogous to other social infrastructures. Perhaps in the initial phase the recently established (Dutch) European Network for Cyber Security (ENCS) might fulfill its stated role as regulator. The Dutch National Cyber Security Center (NCSC) or perhaps TNO’s CyberLab’s might be able to add to this by acting as a supervisor. As ‘Rijkswaterstaat’ is responsible for coordinating roads and dikes, it should also form the supervisory body for basic ICT infrastructure.
As a citizen I can assume that I should be able to drive safely over a publicly maintained bridge. While the internet is hardly a bridge, I should be able to assume that it is a safe and well-regulated place. I should be able to perform important tasks, such as sending my tax papers safely to the ‘Apeldoorn tax office’.
In line with the reasoning that e-security and ICT are basic social provisions, there should be a measure of public guardianship of digital space. To put this into practice, however, it will be difficult to make a commercial case for the monitoring of internet traffic. Just like the cameras overseeing a mall, which are neither paid for nor monitored directly by tenants, I feel we will need to move towards a system of public funding along the lines of an ‘ICT tax’.
To address DDoS attacks, we should not directly regulate businesses, but should rather look towards the two Dutch international internet exchanges. At least 90% of DDoS attacks come from abroad. These could be stopped at the border by the use of two large ‘anti-DDoS scrapers’, which in my view would be an efficient solution. I feel ‘Brussels’ would love this solution!
Positioning ICT as basic social infrastructure does complicate the issue of whether the government should have control over the information to be conveyed. While this is probably another issue entirely, it looms over the entire discussion, and I personally feel that moves in this direction should be opposed wholeheartedly. ICT companies should only have to commit to serving their customers and to offering secure communications as a matter of social responsibility and of reasonable practice suitable to the Netherlands.
Internet companies should also contribute to raising awareness of the risks to cybersecurity by drawing attention to the fact that smartphones are also computers and likewise require e-security measures, for example by informing customers at the point of purchase. At present, the vast majority of smartphones are operating completely unsecured, which is not really an ideal state of affairs considering the amount of online banking performed through such devices.
The good news for businesses here should be that, should ICT become classified as ‘basic infrastructure’, it should fall under the lower VAT rate. This is a consequence of this argument which should both save the customer money and benefit competitiveness in the market for service delivery. To strengthen this point: a German judge recently ruled that internet access should be perceived as a basic social need.
It is increasingly important that ICT players work together in the future. This could take the form of cooperation in the framework of the ENCS or under the direction of TNO, with other parties and political leaders being engaged to carry out this vision.
ICT as basic social infrastructure is just too important to be left entirely to the market. Internet service providers really should not take the initiative to act as a watchdog but, in line with the preceding argument, one of the Ministries should take on this role.
Software is not currently regulated with regard to product liability. Cars, planes and pharmaceuticals must adjust to meet requirements and must relate to various licenses, so why is this not the case for software? The damage that can be caused by faulty software is certainly large enough.
E-security assessments should be included in regular audits, with companies falling below a reasonable security level being forced to improve their standards. This is crucially important in sectors such as banking, in which valuable financial data can be extremely dangerous if stolen. Including cyber security as part of the audit process would introduce a substantial incentive for more awareness in this area in business.
Perhaps an elementary school course on the internet is long overdue, along with a government campaign on cybercrime along the same lines as “safe sex”, designed to increase citizens’ and businesses’ awareness of cybercrime and its prevention. Ultimately, it is necessary to address this topic at a European level, perhaps even by granting Ms Kroes in Brussels some influence on the Googles and Microsofts of this world.
The strategies I have outlined here should provide a guide for those considering going down this route. It is now more important than ever to take a firm approach to internet security.