Security news hound John Leyden has identified a new EU study that is supposed to be about the economics of cyber crime. The 114-page report sponsored by ENISA (European Network and Information Security Agency) is mostly about finding new regulations that could improve security by requiring ISPs to police traffic and hosts, as well as creating new data disclosure requirements.
ENISA is soliciting comments on the report here. I have reproduced my own submitted comments below.
1. RECOMMENDATION: Security Breach Notification [p. 22-26]
Does the EU need a security-breach notification law?
Yes. California 1386 has proven very effective in raising awareness of data protection issues for any organizations handling personally identifiable information (PII) of California residents.
An EU law should very specifically target data breaches that are malicious. In other words, it should exclude loss and inadvertent exposure from the notification requirements. Forcing notification when a laptop is stolen or a backup tape is misplaced is a waste of resources and muddies the issues.
What policy instrument would be most appropriate: legislation, (public/private) co-regulation, self-regulation etc.?
A specific law would be the most effective. Other types of regulation tend to get over-interpreted which is a boon for security consultants and vendors but does not help resolve the primary issue of lax security practices and lack of disclosure.
Should the scope of security breach notification go beyond the telecom and ISP sectors? Should all e-communication service providers and/or all service providers in general be included?
Security breach notification should not be put on the shoulders of e-communication providers at all. It is the responsibility of those organizations that obtain and store personally identifiable information (PII) to protect it, and if it is stolen they must report it to the individuals concerned. Hospitals, banks, credit agencies, retailers, and governments should be the target of any legislation.
Are there lessons to be learned from experiences in some US states? What are good practice examples?
Of the twenty-plus states that have passed data breach disclosure laws, the most valuable component is the exception for encrypted data. In other words, disclosure is not required if it can be shown that the stolen data was encrypted. As data encryption for backup media and databases is the best protection measure, this legislation serves to encourage best practices in data security.
2. RECOMMENDATION: Electronic Crime Statistics [p. 44-45]
Should the EU introduce new regulation in order to ensure the publication of loss statistics for electronic crime?
No. Why spend taxpayers’ hard-earned money to track what may be impossible to track? Not only would this type of regulation create yet another bureaucracy within EU government, but it would place a reporting burden on ISPs and industry. Concerning all regulation: first evaluate its total economic impact; does the cost exceed the damage of the problem? Data theft, for instance, may lead to actual losses of one billion Euros. Would it be wise to legislate reporting and statistics infrastructure that costs more than that? Better to spend money on technology and law enforcement resources to battle cyber crime.
Should the EU Expert Group set up by the European Commission following the Communication “Developing a comprehensive and coherent EU strategy to measure crime and criminal justice: An EU Action Plan 2006-2010” include electronic crime statistics in the planned framework?
Only in so far as that data is available from existing sources.
Should reporting on particular indicators be made mandatory?
No.
Should EU Member States, national regulators, industry associations and ISPs be encouraged to make such statistics available?
No. Every mandate for reporting from a government body cascades into mountains of paperwork that often costs more to comply with than the initial problem (cyber crime).
3. RECOMMENDATION: Bad Traffic Statistics [p. 45-46]
Should quantitative data on ISPs’ security performance be made available to the public?
No. There would be no way to rationalize the multiple ways that ISPs collect such data. So every ISP would be reporting data that could not be compared, depending on the technology they used, the interpretation of what constituted a threat and thus was reported, time intervals, and measurement units.
Should ENISA collect and publish data about the quantity of spam and other bad traffic emitted through European ISPs?
Only if ENISA collects that data directly by deploying its own honeypots, traps, and network monitoring sensors. In this way the data could be rationalized and it would not create a burden for ISPs.
What would be useful metrics to measure bad traffic?
Ah, bad traffic, what art thou? Is HTTP traffic from child pornography sites “bad”? Is email traffic on the construction of pipe bombs “bad”? Is sharing of copyrighted material via BitTorrent “bad”? Is viewing Nazi videos on YouTube “bad”?
4. RECOMMENDATION: Removal of Compromised Machines [p. 49-54]
Should the EU introduce a statutory scale of damages against providers that do not respond promptly to requests for the removal of compromised machines?
No. There are over 65 million web servers alone. At any one time there are thousands of compromised machines. Let the Internet community and the owners of those machines sort it out. Enforcement of such a statute would always be after the fact and would not serve to protect these devices.
Should such a scale be coupled with a right for users to have disconnected machines reconnected if they assume full liability?
This is crazy. The amount of oversight to enforce this would easily cost more than the entire cyber crime industry earns every year.
What would be alternative means for dealing with compromised machines which remain connected to the network?
ISPs can identify and filter traffic from compromised machines today. They do so in the case of spam bots. Phishing sites are policed by the targeted banks and the security community. There is no need for legislated requirements or measures.
5. RECOMMENDATION: Secure Equipment by Default [p. 59-61]
Should the EU re-allocate slices of liability in response to specific market failures?
Can the EU really do that? If so, no, the EU should not re-allocate slices of liability for anything. (But if they do, I’ll just have a wee sliver please.)
Should the EU develop and enforce standards for network-connected equipment to be secure by default?
No. Let the industry handle this. We’ve survived for twenty years and have slowly adjusted our “secure by default” stance as the threats warrant. Security settings will adjust as needed thanks to true market forces. No need for artificial constraints here.
Should vendors be required to (self-)certify that their products are secure by default?
I know we are all thinking about Microsoft, Oracle, and SAP here; all great friends of the bureaucrats in Brussels. But there are hundreds of thousands of vendors, many of whom are not based in the EU. Do you really want to make it more difficult for them to participate in the EU economy? Besides, how can anything be “secure by default”? Oh, I see. A computer vendor could self-certify that “this computer is secure by default. Powering it on is not its default mode.”
6. RECOMMENDATION: Responsible Disclosure and Fast Patching [p. 61-64]
Should the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software?
Once again, this sounds like you are thinking of the three or four top vendors. Of the tens of thousands of vulnerabilities discovered every year, only a few belong to Microsoft. Do you really want to get involved in enforcing this type of regulation on the little vendor in Uruguay who provides the software that controls an espresso dispenser that is not even connected to the network?
Would responsible vulnerability disclosure be more efficient in the long-run as it creates a constructive relationship among stakeholders?
Yes and no. Responsible vulnerability disclosure usually improves the relationship between a vendor and its customers and the public. But creating a regulatory environment around responsible vulnerability disclosure would create an adversarial relationship between all the stakeholders.
What would speed up the process and hence make information systems more secure?
Information systems *have* become much more secure over the last four years. The single most important driver has been the increase in threats. There is no legislation or regulatory reporting requirement that could have a greater impact than the threat of financial loss from cyber criminals and attacks arising from nation states.
7. RECOMMENDATION: Security Patches [p. 64-65]
Should security patches be offered for free? Yes.
Should they be kept separate from feature updates? If practical.
Should end-users be made liable for infections if they turn off automated patches or otherwise undermine the secure defaults provided by vendors?
End users are liable for infections. They pay with slower machines, loss of personal data, and theft from their bank accounts.
8. RECOMMENDATION: Electronic Payment Dispute Resolution [p. 65-66]
Should the EU harmonise procedures for the resolution of disputes between customers and payment service providers over electronic transactions?
The EU should create an environment conducive to competition thus allowing payment service providers to compete for customers based on the quality of their service. Harmonizing would eliminate innovation in services and allow payment service providers to provide a minimum level of service instead of striving to differentiate their service based on quality and responsiveness.
Should the Payment Services Directive be amended by tackling the issue of varying fraud liability and dispute resolution procedures among EU Member States? No.
Would any other legal instrument be more appropriate to address this problem? If yes, which form of legal instrument (e.g. public-private co-regulation, self-regulation) do you consider more beneficial?
Market forces. Let consumers choose.
9. RECOMMENDATION: Sanction Abusive Online Marketers [p. 67-68]
Should the European Commission take action by preparing a proposal for a directive establishing a coherent regime of proportionate and effective sanctions against abusive online marketers?
“Preparing a proposal for a directive establishing a regime” is not what most people think of as “action”.
There are only a couple of dozen spammers responsible for 95% of all spam. Track them down, arrest them, put them in jail. That is action.
Should the existing Directive on Privacy and Electronic Communications (2002/58/EC) be revised in the light of abandoning the business exemption for spam? Not familiar with this Directive.
Would any other legal instrument be more appropriate to address the problem concerned? If yes, which form of legal instrument (e.g. public-private co-regulation, self-regulation) do you consider more beneficial?
How about a law?
10. RECOMMENDATION: Consumer Protection Law [p. 68-70]
Should the European Commission / ENISA conduct research to study what changes are needed to consumer protection law as commerce moves online?
Not if the results of EC/ENISA research are always to recommend more regulation.
Should ENISA consider becoming involved in the wider European Commission policy process, considering security aspects of policy along with consumer protection questions?
No.
Should the European Commission address the issue of right to Internet connectivity?
Big no. You can’t make up new “rights” based on technology. If you have a good system of laws guaranteeing rights such as property, voting franchise, equal employment, you can kick back and let the rest sort itself out.
11. RECOMMENDATION: Logical Market Diversity [p. 71-73]
Should ENISA seek to advise Competition Authorities whenever diversity has security implications?
The markets (which are not controlled by the EU, since it only participates in about 30% of the world’s market) have created today’s situation, which is not diverse. Individual entities can take advantage of that situation by choosing to use products that are not part of an existing monoculture, to be less exposed to attacks. ENISA is not qualified to advise Competition Authorities.
Should ENISA take an active role in providing expertise to decision-makers with regard to security threats that follow from a lack of diversity?
No. ENISA is not in a position to evaluate those threats.
Should ENISA liaise with the European Commission’s Interoperable Delivery of European e-Government Services to Public Administration, Businesses and Citizens (IDABC) in order not only to ensure interoperability and competition but also security?
No. This would be counter to the idea of diversity.
12. RECOMMENDATION: Study IXP Failures [p. 73-77]
Should ENISA engage in research to better understand the effects of Internet exchange point (IXP) failures?
No. The purpose of such research and the benefits of any results and recommendations have not been defined.
Should telecom regulators be involved to insist on good practice in IXP peering resilience?
No. Invariably telecom regulators would be insisting on outmoded technology and practices.
Would you agree with the report’s observation that the Access and Interconnection Directive (2002/19/EC) has had limited impact on Internet transit provision?
Yes.
As regards peering arrangements, would you agree with the report’s observation that distortion of competition is taking place as smaller ISPs/ IXPs encounter disadvantages compared to large ISPs?
No, not distortion. This *is* competition. If established players erect barriers to entry for newer, smaller players they will innovate around those barriers. Distortions are occurring because large players are better able to deal with regulations.
13. RECOMMENDATION: Ratification of Council of Europe Cybercrime Convention [p. 78-79]
Should the European Commission continue to put pressure on the EU Member States that have yet to ratify the Council of Europe Convention on Cybercrime?
Yes.
In following up on the European Commission Communication on Cyber Crime, would you envisage new regulation including mandatory blocking of websites with particular content and controls on search engines?
No. There are 65 million websites and billions and billions of pages. Regulating content is not going to be easy. In other words it will be very expensive. Controlling search engines is just crazy. Don’t even go there.
Would you envisage new EU regulation on any other issue?
Sure. I can envisage an EU regulation forbidding the taxation of online commerce. Also, legislation that made it impossible for an individual country to regulate content or search engines.
14. RECOMMENDATION: EU-wide Co-operation on Cyber Crime [p. 79-81]
Should an EU-wide body be charged with facilitating international co-operation on cyber crime, using e.g. Europol and/or NATO as a model?
Yes, but pick an existing body. Don’t create a brand new agency.
Would you envisage any other good practice example of cross-jurisdictional co-operation in the international framework?
Incentives have to be created for prosecuting cross-jurisdictional crimes. Today, someone in law enforcement is rewarded through career advancement based on how quickly they close cases. Dealing with issues of jurisdiction only extends the time it takes to successfully prosecute a case. Anything that can be done to remove those cross-jurisdictional barriers would help. Create incentives for successful prosecutions.
15. Open Question: Incentives for Lifting Barriers
In which other areas do you see barriers for NIS in the Internal Market?
Which incentives (regulatory, non-regulatory, technical, educational, etc.) would you suggest for lifting barriers identified to cause distortion of the smooth functioning of the Internal Market for e-communication?
The EU has erected many barriers to the smooth functioning of the Internal Market for e-communication. No state should be allowed to make particular software, such as so-called hacking tools, illegal. Censoring particular informational sites because of their content is another barrier. Putting the onus on ISPs to enforce EU regulations is another barrier that should be brought down.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.