BreachExchange mailing list archives

The danger of cybersecurity 'ghettos'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 Nov 2013 23:50:45 -0700

http://www.csoonline.com/article/742428/the-danger-of-cybersecurity-ghettos-

Ghettos are not good, whether they are at the local, state or national
level. They tend to breed unrest, dysfunction and crime that can extend
well beyond their borders, undermining the health of an entire society.

And the high-tech version of that should worry the world IT community,
according to Allan Friedman, a fellow and research director at the
Brookings Institution Center for Technology Innovation.

Friedman warns in a research paper for Brookings titled, "Cybersecurity and
Trade: National Policies, Global and Local Consequences," that a lack of
coordination and cooperation regarding cybersecurity among nation states
could create "cyber security ghettos," and undermine the security of the
global cyber environment.

Friedman also issued that warning at a forum last month at Brookings that
he moderated, titled "Implications of cybersecurity regulations and
international trade." While the major focus of the discussion was
"non-tariff barriers to trade" and the impact that a hodge-podge of
security standards could have on the world economy, Friedman also warned of
the potential security risks of nation-state "ghettos."

"As rich countries get better at protecting themselves, the threats and bad
actors will more and more find refuge in the infrastructure and systems of
poor countries that don't have the resources to protect themselves," he
said, adding that, "in a networked world, it's not just enough to defend
yourself. If your neighbor's insecure, that poses a threat to you."

Friedman was on vacation this week and unavailable for comment. But other
security experts said there is merit to his concern. Asked if such "ghetto"
states already exist, Jason Healey, director of the Cyber Statecraft
Initiative of the Atlantic Council, said they do if they are defined as,
"places that harbor criminals, like Eastern Europe, Russia, or Nigeria
today, or ... a place with bad standards that is picked on by others. Both
are bad and yes, we have both today," he said.

"Though as with real ghettos, they can go from bad to really, really ugly
if you're not careful. As I've put it in other contexts, cyberspace is the
Wild West today, but if we keep on with current policies it could become
Somalia tomorrow," he said.

Friedman offered several recommendations to avoid or ameliorate the ghetto
problem. One is that wealthier countries should help poorer countries to
improve their security. "Beyond their own borders, developed countries
should promote global cybersecurity capacity building. Cybersecurity is a
global problem. If developing countries do not have the capacity to defend
their networks, it puts the world's systems at risk," he wrote.

He also called for, "international or harmonized security standards. Shared
standards enable security without erecting barriers to trade," he said,
"(but) at the same time, we should not expect a single, global standard for
all IT."

It could be politically tricky for the international community to help
poorer countries improve their cybersecurity capacity, for a number of
reasons. One potential problem could be that developing countries, some of
which are hostile to the West in general and to the U.S. in particular,
might simply use that improved expertise to attack their more developed
neighbors.

Healey doesn't see that as a major risk. "I'm sure we'd not aid some of the
nations we least trust," he said, but added that, "many of the technologies
are truly defensive, or the economic gains of development far outweigh any
potential national security risk."

It could be even trickier politically, however, to "harmonize" security
standards around the world, especially given the recent revelations by
former National Security Agency (NSA) contractor Edward Snowden, about the
agency spying on other countries and its own citizens.

Jacob Olcott, principal at Good Harbor Consulting and a former cyber policy
adviser to the U.S. Congress, said he believes those revelations, "will
have a real, damaging economic impact to the U.S. IT industry, and to U.S.
diplomatic efforts in cybersecurity.

"In recent years, the U.S. government and the U.S. IT industry have fought
hard against country-specific security standards, arguing instead for the
adoption of U.S.-led international standards. The Snowden leaks seriously
undermine this argument because it creates distrust in the international
standard," he said.

"International governments that believe there is a special relationship
between the NSA and the U.S. IT industry will be more likely to adopt their
own restrictive standards."

Healey agreed. "Cooperation is built on trust, so any progress will be much
harder now," he said. "If the US is seen as circumventing security, with
things like Flame or encryption, then there may be suspicion of U.S.-backed
standards. Of course, they don't have to be tied together, but any
countries or companies that wanted reasons not to cooperate now have more
than enough reason."

And Paul Rosenzweig, founder of Red Branch Law & Consulting and a former
deputy assistant secretary for policy at the Department of Homeland
Security, said he is, "deeply skeptical that non-Western nations will agree
to harmonization."

He added, "I suspect in the end that the network will fractionate somewhat
into two networks – a 'Free West' one and an 'Unfree Everywhere Else' one
– and that is not a good thing."

So far, however, even though the Internet has been a commercial fact of
life for more than 25 years, this kind of dystopian fragmentation is
apparently not established. John Miller, senior counsel and policy
strategist on global public policy for Intel Corp., said at the recent
Brookings forum that the current global digital economy has been "a
successful model."

But he said he is concerned that disjointed security policies and
regulations will impede the evolution and functioning of that market.
"Costly barriers to cross border commerce," he said, would lead to, "a
balkanized system, that threatens continued advancement of both technology
interoperability and innovation."

One possible reason that balkanization has not already occurred is that, as
Healey put it, "most of the undeveloped countries aren't really that
connected. (But) now that Africa is increasingly connected, this may
change."

And experts are somewhat dubious that the political will and cooperation
exists to create the kind of harmonization Friedman advocates.

One problem is that developed countries might fear they would lose control
of their own cybersecurity standards if they are required to abide by a
world standard. Rosenzweig said "of course" countries like the U.S. and
U.K. would lose a measure of control. "Depending on whether that results in
a diminution of standards or a uniformity of standards, it could be good or
bad," he said.

Healey said he suspects any international agreement, "would allow more
strict application by more-advanced nations."

The more intractable problem, however, is that of competing national
interests. "Different nations – China and the U.S. – and different
companies like Facebook are already driving us towards partial
Balkanization," Healey said, "and that was before the scope of NSA
collection became clear. Now even like-minded nations are increasingly wary
of U.S. intentions in cyberspace."

"I'm not sure anything can avoid it (balkanization)," Rosenzweig said. "It
isn't in some nations' interests to avoid, so they probably won't. From a
Chinese perspective, for example, cutting off from the West is the optimal
result."

That, according to Miller, will damage both economic growth and security.
"Having to comply with 40, 50, who knows how many sets of technical
standards, requirements and local certification and testing requirements,
etc. ... [means that] security technologies won't be able to get to the
places that they need to get to and consumers will suffer by having worse
security, and it in fact will mean higher prices in the technology they
buy," he said.