Friday, December 12, 2008

Cybercrime report bonanza

Lilian Edwards and I spent the summer months researching McAfee's annual Virtual Criminology Report. It was published earlier this week, with some nice media coverage. Cyberscams are multiplying; we made a number of recommendations for reversing this trend:
  1. Significantly more training and resourcing for cybercops, prosecutors and judges, alongside the mainstreaming of cyberevidence gathering and prosecution.
  2. Legal or co-regulatory incentives for Internet Service Providers to follow best practice in network design and operation — incentivising ISPs in turn to work both with other service providers and their customers to improve levels of security. ISPs should also be encouraged to work more closely with police as the gatekeepers of the Internet.
  3. Security breach disclosure requirements — we cannot expect a market in secure products and services to develop without the information needed to allow customers to quantify security levels. The new EU rules are a start but need widening beyond the telecoms sector and scrutinised to make sure they are not implemented in a token way, and to avoid customer ‘security fatigue.’
  4. In the US, there are stopgap measures on a state level for data breach notification. Dozens of states have passed different laws. A simple, straightforward data breach notification standard is needed to help companies respond uniformly and seamlessly, and to ensure citizens get the widest level of protection, regardless of which state they are from. In addition, enterprises that hold sensitive personal information should meet a common security standard so the possibility of a breach is reduced.
  5. Legal responsibility for both businesses and government agencies when customers suffer Internet-related security losses, except in cases of gross negligence by customers. Banks in particular must be given strong legal and commercial incentives to introduce more secure technology and better fraud detection systems, or they will inevitably cut margins on security as they struggle to ride out the credit crunch and economic downturn. Clear bank liability would reward banks that are taking security seriously, greatly reduce the problems customers have faced, and correspondingly increase online trust and convenience — vital for e-commerce and e-government to flourish in future.
  6. Continued consumer education through focused programmes. However, systems must be designed to make it difficult for users to make security mistakes — we cannot expect the average Internet user to become a security expert. Media literacy programmes for informed consumer choice are not enough to ensure users prioritise security over convenience or short term goals.
  7. Limited liability for software vendors when they are not following best security practice in their system design and operation. We cannot stop the flood of malware until operating systems and key applications, especially browsers and email clients, are significantly more secure.
  8. The use of government procurement power to demand significantly higher standards of security in software and services – incentivising security enhancements that will spill over to private users. Government information security agencies should follow the example of the US National Security Agency in working with software companies to significantly increase software security levels.

Thanks again to all of our colleagues that shared their ideas and comments with us for this research.

A number of interesting related studies have been published this year (thanks, Gohsuke!):

Securing Cyberspace for the 44th Presidency — the Center for Strategic and International Studies argues that President Obama should create a comprehensive national security strategy for cyberspace, echoing many of our own recommendations.

Financial Aspects of Network Security: Malware and Spam — the International Telecommunications Union develops a framework for assessing the financial impact of malware.

The OECD calls for a global partnership against malware, and a move from reactive responses to proactive threat reduction and mitigation.

No comments: