Security at the IGF: Just Give Me the Money

Day two at the IGF. Day two focuses on cybersecurity, meaning the main sessions are devoted to it.
After the first session, I heard a participant say: “I know nothing about Internet security, but I didn’t hear anything new.”
That about sums it up.
It was depressing, frankly. All presentations, from people related to different CSIRTs, ITU and Cisco, were rehashed arguments that we have been hearing for years. Their slides could have been made in 2005 and no one would have noticed.
The storyline is all too familiar: cybercrime is exploding and therefore we need more collaboration, more CSIRTs, more education, more international cooperation among law enforcement, more sharing of information, et cetera.
I’m sure you’ve heard it all before.
This type of story marries an alarmist diagnosis to a set of answers that do nothing to remedy the alarmist diagnosis. There is nothing wrong with the answers per se, but they have been pursued for years now and at the same time the problem has gotten much worse. The most positive evaluation one could give would be to say that they have been only partially effective.
The only reason people present such ineffective proposals is because they themselves have a vested interest in it. Solutions hunting for problems, policy analysts call this.
The only reason people get away with presenting such ineffective proposals is that nobody is against them. The proposals don’t harm anyone, at least not in an obvious way, and someone else is picking up the tab.
So where does this leave us?
It seems to me that this can mean one of two things. Either the presenters accept that we currently have no better answers, no new ideas worth pursuing. That is entirely plausible. Many of the proposals out there are controversial and it is unclear whether they would do more harm than good. It does mean, however, that for now we have to live with the status quo, which is rising crime. We would then have to address the question of who is going to bear the costs of this.
The alternative is that there are better answers that the session presenters did not talk about – or any other presenter at the IGF, for that matter. There are. In recent years, research has moved to concepts like assigning (intermediary) liabilities and re-aligning market incentives (see for example this report [PDF] recently produced for the EU). In short: innovations have occurred where we have started treating security issues as economic problems.
The people in this field are nowhere on the program of the security sessions at the IGF. Those security experts who are present have no reason to go beyond their self-serving answers that offend no one but solve little. You see a lot of that here at the IGF. They call it multistakeholderism.

7 comments

  1. Anonymous

    “There is nothing wrong with the answers per se, but they have been pursued for years now and at the same time the problem has gotten much worse.”
    Would the author please elaborate on what has gotten much worse?

  2. Anonymous

    “What has gotten much worse?”
    First of all, the presenters were the ones who couched their proposals in an alarmist story about how things have gotten much worse.
    I’m a bit more skeptical, but there are indeed signs that we need to take seriously.
    First of all, in a technical sense, the number and sophistication of attacks has increased. That doesn’t tell you much about impacts, but it still is an indicator.
    See for example the Symantec Internet Threat Report vol. XIII
    One of the key threats is the rise of botnets over the last few years. While attackers have seemingly moved away from huge botnets to smaller and smarter ones, probably to attract less attention and to make it harder to fight them, this does not mean that the threat has subsided. It is unclear as to how many infected machines there currently are connected to the Internet, but the numbers are significant. Some estimates that I have encountered range from 5-20% of all connected machines. The reliability of these figures is unclear, however. Different statistics come from the Microsoft Security Intelligence Report, which reports on the number of infections encountered by their Malicious Software Removal Tool:
    http://www.microsoft.com/security/portal/sir.aspx
    Some more information on botnets here:
    http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets
    http://voices.washingtonpost.com/securityfix/2008/09/number_of_bot-infected_pcs_sky.html
    Then there are indicators that the amount of online fraud is going up.
    http://voices.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_int.html
    There is more, but this gives you an idea.
    That said, none of this is straightforward.
    The yearly CSI survey, one of the best available surveys, though still suffering from major shortcomings, has reported that the damage to companies and other organizations has fallen since 2001, with only a modest upswing last year.
    http://www.gocsi.com/forms/csi_survey.jhtml
    The BERR survey also found decreasing losses:
    http://www.pwc.co.uk/pdf/BERR_ISBS_2008(sml).pdf
    Another example: phishing. APACS, the UK payments association, publishes numbers based on actual banking data, not estimates based on samples and extrapolation. Over the past years the number of phishing attacks has increased significantly: from 2 369 attacks in 2006 Q1 to 10 235 in 2008 Q1. As one would expect, direct losses from phishing fraud in the United Kingdom have risen, though with a recent fall: from GBP 12.2 million in 2004 to GBP 33.5 million in 2006 to GBP 22.6 million in 2007 (APACS 2008). The broader fraud category of card-not-present fraud – which includes phone, Internet and mail order fraud – has risen from GBP 150.8 million in 2004 to GBP 290.5 million in 2007.
    Obviously there is a lot more where this came from, but I hope you found this information useful.

  3. Anonymous

    I think they should reconsider the things to get aware from the situation.

  4. Anonymous

    Very well summed up: “I didn't know anything about internet security when I came here, and now I know the same.” It sounds like a disarming waste of time, when you could have been at the CPA programs or any other informational conference instead.