
The need for transparency in the cyber world

Posted by david.nunes

Issue: Global 2012
Article no.: 8
Topic: The need for transparency in the cyber world
Author: Rob Cotton
Title: CEO
Organisation: NCC Group
PDF size: 260KB

About author

Rob Cotton is Chief Executive of NCC Group.

Mr Cotton is a qualified chartered accountant.

Article abstract

There is a pressing need to increase standards in cyber defences. But the implementation of stringent digital policies and infrastructures will only happen if organisations are publicly held to account for security breaches. Transparency and openness should be the foundations from which to shore up defences and prepare our infrastructures in the fight against cyber crime.

Full Article

If we were able to view the last millennium on a timeline, the period from the introduction of computer systems until now would only take up a very small space. But the changes and advances we’ve witnessed over the past generation have been nothing short of phenomenal.

Less than a century has passed since the first computer was created, and yet there is already a global reliance on the digital realm. We communicate, connect and work through digital means every day. But the cyber domain is moving incredibly fast, leaving governments, businesses and consumers struggling to keep up with the constant innovation and technological developments that are presented on a daily basis.

A consequence of this is that legislation hasn’t caught up either. The rapidly changing nature of the digital world has made it difficult to control and regulate cyber practices within the laws of a country, as the Internet itself is not divided up into nations. This has made it easier for cyber criminals to operate without the inevitability of prosecution. However, as dependence grows, the need for frameworks and regulations becomes crucial.

The development of the online sphere has shamefully been coupled with an increase in its misuse. The internet wasn’t designed with cyber criminals in mind, so security has been on the back foot since day one. The sheer scale of the web wasn’t envisioned either, hence the need for IPv6 to create more IP addresses. But as threats to the cyber landscape increase in number and develop in complexity, the need for solid defence on local, corporate and national levels increases.

National security threats used to typically be of a physical nature, whereas now we’re seeing the start of global cyber warfare. In 2010 the Stuxnet worm targeted Iran’s nuclear infrastructure, and more recently Flame malware infiltrated the computers of high-level officials across the Middle East.

Standards

It’s clear that there’s a pressing need to increase standards in cyber defences, and this involves the complete spectrum of users – from large corporations to governments and consumers. Not enough is being done at present – it seems the world is waiting for a trigger. However, it’s essential that this trigger be caused by a proactive drive for change, and not a devastating cyber attack, or war.

Standards need to be driven up across the board, and one way to prompt this is by increasing transparency. Transparency in the way businesses view, act and respond to cyber security issues. Transparency in the reporting of corporate breaches, and the consequences for those affected. Transparency in the rules and regulations that govern how incidents should be dealt with. Until organisations are publicly held to account for security breaches, there will be a lack of incentive for them to implement stringent digital policies and infrastructures.

The connotations of a data breach are overwhelmingly negative. Admitting that a corporate security system failed can only serve to damage reputation and weaken customer trust. This should be motivation enough for companies to ensure their IT infrastructure is as secure as their building’s physical security.

However, it’s not currently a legal requirement for businesses that operate within the EU to inform authorities or their customers if they have been hacked. There are no regulatory time restrictions on how long businesses have until they must divulge information about the breach, and no governing body that must be informed. If it is customer data that has been compromised, there is no legal obligation to inform those affected. And in the defence of hacked businesses, if they don’t have to divulge, why would they risk their reputation?

Publicly traded companies have to regularly disclose detailed financial information. This is in the interest of shareholders and potential investors, so they can be sure of what they are getting from their investment. They can make informed decisions regarding company actions and how they may affect their stock. This sort of transparency promotes good working practice within the business, and ensures that companies are held to account for mismanagement.

EU directive

This is the type of openness that is needed to help drive up the standards of cyber security. Until recently, legislation that promoted business transparency simply didn’t exist in regards to digital breaches, although an EU directive that will be enforced in the next two years is pushing things in the right direction.

The directive will pressure companies into informing national information commissioners of data breaches that affect consumers and citizens within 24 hours. Non-compliance will result in heavy fines of up to 2 per cent of annual turnover, so it should force a major increase in risk awareness.

The arrival of the EU cookie law, introduced by the EU and enforced in the UK by the Information Commissioner’s Office (ICO), has been another attempt to promote transparency through legislative efforts. This law forces websites to gain informed consent from visitors before saving cookies onto users’ machines, protecting user privacy. Although not something that will strictly improve cyber security standards, it’s a law that promotes openness between businesses and consumers, and will help foster a culture of transparency and honesty – something that will help drive up standards in the long term.

However, the compliance rate in the first few months has been alarming. Ahead of the ICO’s deadline in May 2012, the government admitted that its own websites would not be compliant in time, while by the beginning of June, less than one in five sites had obeyed the legislation. This was in part down to the law itself, which has been heavily criticised from an implementation standpoint, mostly due to the lack of guidance and advice provided by the ICO.

These appalling uptake levels go some way to summing up the current apathetic mindset amongst policy makers and businesses when it comes to the importance and seriousness of cyber security. It’s not being given the attention that it deserves and requires.

A cursory glance at recent cyber breaches shows that consumers are affected too. Six million password hashes from the social networking website LinkedIn were leaked in June 2012. In the following days, 60 per cent of these hacked passwords were cracked, giving the criminals not only access to their LinkedIn accounts, but potentially any other accounts that shared the same passwords.

It’s since come to light that LinkedIn wasn’t taking strict enough security measures, such as salting stored password hashes to strengthen password protection. It’s a problem caused by a lax attitude, and could have been avoided if there was a bigger incentive to implement tighter security measures. But users of the social network have also been criticised due to the weakness of many of the passwords, making the cyber criminals’ jobs all too easy.
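To make concrete why unsalted hashes turned a leaked dump into 60 per cent cracked passwords within days, the following added example (written for this page, not code from the article or from LinkedIn) contrasts an unsalted credential store with a per-account salted one. The user records, the word list and the choice of SHA-256 are constructed assumptions for illustration; the point is that without a salt, one lookup table built from a dictionary of common passwords covers every account in the dump at once, and accounts sharing a password are visible as identical digests.

```python
import hashlib
import secrets

# Constructed sample data for illustration (not from the article or any breach):
# a handful of accounts, two of which share the same weak password.
USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "password123",
    "dave": "Tr0ub4dor&3!x",   # not in the word list, so a dictionary lookup misses it
}

# Constructed dictionary of common passwords used for the comparison.
WORDLIST = ["123456", "password123", "letmein", "qwerty", "iloveyou"]


def hash_unsalted(password: str) -> str:
    """Plain hash: the same password always yields the same digest for every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Hash of salt || password: each account's digest is unique even for shared passwords."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Credential store without salts: {username: digest}."""
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Credential store with a random 16-byte salt per account: {username: (salt, digest)}."""
    store = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        store[user] = (salt, hash_salted(pw, salt))
    return store


def crack_unsalted(store: dict, wordlist: list) -> tuple:
    """Dictionary lookup against unsalted digests: one table serves the whole dump.
    Returns (recovered {user: password}, number of hash computations needed)."""
    table = {hash_unsalted(w): w for w in wordlist}   # built once, reused for every account
    recovered = {user: table[d] for user, d in store.items() if d in table}
    return recovered, len(wordlist)


def crack_salted(store: dict, wordlist: list) -> tuple:
    """Dictionary lookup against salted digests: the work repeats per account, because
    each salt invalidates any table built for another account.
    Returns (recovered {user: password}, number of hash computations needed)."""
    recovered = {}
    computations = 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            computations += 1
            if hash_salted(w, salt) == digest:
                recovered[user] = w
                break
    return recovered, computations


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("alice and carol share a digest in the unsalted store:",
          plain["alice"] == plain["carol"])
    print("unsalted: recovered %d accounts with %d hash computations" % tuple(
        len(x) if isinstance(x, dict) else x for x in crack_unsalted(plain, WORDLIST)))
    salted = store_salted(USERS)
    print("salted:   recovered %d accounts with %d hash computations" % tuple(
        len(x) if isinstance(x, dict) else x for x in crack_salted(salted, WORDLIST)))
```

With a handful of accounts the difference in work is small, but it scales with the number of accounts in the dump: for six million unsalted hashes the attacker's table is still built once, whereas a per-account salt multiplies the cost by the number of accounts. Salting alone does not protect the weak passwords the article also criticises; the further defensive step is a deliberately slow password hash such as PBKDF2, bcrypt or scrypt, which raises the cost of every single guess.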

In order to drive up standards across the board, it’s imperative that businesses, governments and consumers are held to account when it comes to digital security. There needs to be greater effort and collaboration on a national, continental and global scale. Transparency and openness should be the foundations from which to shore up defences and prepare our infrastructures in the fight against cyber crime.
