Occasionally one reads a paper or a book that makes one sit up and take notice. Older readers may remember the excitement in 1991 when the National Research Council issued Computers at Risk: Safe Computing in the Information Age, which influenced the development of public policy for more than a decade after its publication and is still worth reading today. Readers may come to agree with me that we have another exciting policy-related report to read this year.
Occasionally one reads a paper or a book that makes one sit up and take notice.
Older readers may remember the excitement in 1991 when the System Security Study Committee of the National Research Council issued Computers at Risk: Safe Computing in the Information Age, which was published by the National Academy Press. The text is still available for sale and can also be purchased as a PDF download or read for free (chapter by chapter and page by page) at the National Academies Press Web site.
Computers at Risk was exciting because it provided a wealth of information in its 320 pages and included stimulating, practicable recommendations for realistic discussions of public policy. It influenced the development of public policy for more than a decade after its publication and is still worth reading today. It can be an excellent primer for non-technical executives we are just now convincing to think about security.
Readers may come to agree with me that we have another exciting policy-related report to read this year.
At the 2008 Workshop on the Economics of Information Security (WEIS 2008) at Dartmouth College last month (see also my overview), Ross Anderson, Rainer Böhme, Richard Clayton and Tyler Moore presented a valuable paper entitled, “Security Economics and European Policy.” The paper is a summary of a longer report commissioned by the European Network and Information Security Agency, which, by the way, has a wealth of groundbreaking and highly stimulating papers available in English.
The original report, “Security Economics and the Internal Market,” was covered in part by John Leyden in The Register in March. The 114-page report was a study of “Barriers and Incentives for network and information security (NIS) in the Internal Market for e-Communication.” The Executive Summary begins as follows:
"Network and information security are of significant and growing economic importance. The direct cost to Europe of protective measures and electronic fraud is measured in billions of [Euros;] and growing public concerns about information security hinder the development of both markets and public services, giving rise to even greater indirect costs….
"Information security is now a mainstream political issue, and can no longer be considered the sole purview of technologists. Fortunately, information security economics has recently become a live research topic: as well as collecting data on what fails and how, security economists have discovered that systems often fail not for some technical reason, but because the incentives were wrong. An appropriate regulatory framework is just as important for protecting economic and other activity online as it is offline.
"This report sets out to draw, from both economic principles and empirical data, a set of recommendations about what information security issues should be handled at the Member State level and what issues may require harmonisation – or at least coordination…."
The authors provide 15 recommendations, each of which is discussed in detail. The following is the bare-bones list of their recommendations; I suggest that interested readers consult the original report or the paper delivered at WEIS 2008 for details. These proposals will interest readers around the world, not just those in Europe. I have deliberately generalized the proposals beyond Europe, but most of the following is quoted directly from the authors’ own text:
1. Introduce a comprehensive security-breach notification law.
2. Regulate to ensure the publication of robust loss statistics for electronic crime.
3. Collect and publish data about the quantity of spam and other bad traffic emitted by ISPs.
4. Introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected if they assume full liability.
5. Develop and enforce standards for network-connected equipment to be secure by default.
6. Adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.
7. Have security patches be offered for free, and have patches be kept separate from feature updates.
8. Harmonize procedures for the resolution of disputes between customers and payment service providers over electronic transactions.
9. Prepare a proposal for a Directive establishing coherent regime of proportionate and effective sanctions against abusive online marketers.
10. Conduct research, coordinated with other affected stakeholders and [governments], to study what changes are needed to consumer-protection law as commerce moves online.
11. Advise the competition authorities whenever diversity has security implications.
12. Sponsor research to better understand the effects of Internet exchange point (IXP) failures. Work with telecomms regulators to insist on best practice in IXP peering resilience.
13. Put immediate pressure on the 15 EU Member States that have yet to ratify the Council of Europe Convention on Cybercrime.
14. Establish a body charged with facilitating international co-operation on cyber crime, using NATO as a model.
15. Champion the interests of the information security sector within [government] to ensure that regulations introduced for other purposes do not inadvertently harm security researchers and firms.
* * *
Ross Anderson is professor of security engineering in the Computer Laboratory at the University of Cambridge in England and is highly respected around the world for his long history of contributions to security; as a simple example, he has contributed over 60 insightful articles to the Risks Forum Digest since 1999.
Richard Clayton has written extensively on a wide range of security issues including privacy, denial of service, anti-spam measures, and public policy involving computing and the Internet. His 2005 PhD thesis on “Anonymity and traceability in cyberspace” is fascinating reading.
Tyler W. Moore has just completed his doctorate under the supervision of Anderson at Cambridge. From August 2008 he will be a post-doctoral fellow at the Center for Research on Computation and Society at Harvard University. His “research interests include security economics, decentralised network (e.g., peer-to-peer, ad-hoc and sensor network) security, and complex network analysis.”