
Cyber Security: A Duty to Care?

Wout de Natris

Yesterday, in my post on three new threats in one day (click here), I posed the question whether it was necessary to develop regulations that would set a minimum standard of cyber security for devices that connect to the Internet. I'm having second thoughts, which I'll explain below, but I also try to look at a way forward and ask you to engage.

IGF 2012, Workshop 87

In this workshop on international cooperation and critical (Internet) infrastructure the debate was also about standards. There was a very clear call not to regulate security standards, for two reasons. Minimum standards become the level that everyone adheres to, whereas at present we try to better ourselves each and every day. As the panellist from Google said:

"If you have a treaty or regulation that sets a bar, typically what businesses will do will think as long as I hit that regulation, I'm fine. Whereas right now, you have people constantly striving to be better and have higher and higher bars..."

It seemed that everyone on the panel, from very different backgrounds, agreed with this quote.

This may be true for companies like Google, SIDN, anti-virus vendors, CERTs, etc. On the other hand it is quite clear that for companies that operate more on the fringes of the Internet, cyber security does not seem to be a priority, at least where the product for the end user is concerned. Whether this has a financial background, stems from ignorance or from naiveté towards the Internet, I do not know. Probably a combination. It doesn't really matter; what does matter is that this behaviour has to change. How to go about this?

(There is a transcript of workshop 87 on the IGF website on this page (although it is not complete), and the report is on the NLIGF website here.)

First I look at an example of minimum regulation and its effect on the Dutch National Railways (NS), which made me doubt regulation.

Minimum standards. A good thing?

The inspiration for this post I found last night while reading NRC Handelsblad. The National Security Board released a report on a train accident which caused 1 death, 24 severe injuries and 165 injuries in total. The story is quite telling on two accounts which, I think, can be directly compared to Internet security, as you will see.

Before giving the facts of this story I have to explain the following. Since the liberalisation of the railways, the national company has been split into several companies, among which are transport (NS) and the rail system (ProRail). This complicates the story a little, but let's pretend it is still one company, as that does not change the insight I've gained. The report delivers the following facts on the NS:

- new trains meet only the bare minimum of technical standards;
- the decorations in the train were not checked for safety;
- chairs are made to clean easily but are dangerous for passengers;
- tables are too thin and caused the death and serious injuries;
- the security system is still mainly based on 1950s technology;
- during construction work the network is over-used;
- 150 times a year a red light is ignored, in many cases with no emergency brake in place.

In short, NS has cut the budget for securing its network optimally for years, backed, I suppose, by budgets determined at government level. Perhaps the discussion of whether one major accident a year is acceptable is at work here. The other examples concern the interior of the trains: cleanliness over safety, and decorations that may not have been tested properly, endangering the passengers/customers. The NS has not adhered to a duty of care for its customers, one conclusion reads.

The main question, however, is whether the NS would have performed better without regulation, without the minimum standard for technical safety. At present it seems to stick to the minimum requirements, with the present results for in-car safety of the passengers. It looks like a point for Google in this discussion.

Let's go back to the Internet world.

How to engage industry?

More and more devices will connect to the Internet over the next years: "the Internet of things". From coffee machines to refrigerators, TVs, air conditioners, perhaps even the dog's leash. Who knows? Every single device will need to have built-in security, protecting the end user from harm. Let me give some examples of threats I can think up here.

Expensive TV programmes ordered through hacks at high cost to the unsuspecting end user? Fridges that order new stock to other addresses? Garage doors opened through hacks? Cars that could do ...? Game consoles that spy on the use of other devices in the home? I'm just guessing here from past examples of SMS scams, autodialers, spying webcams, etc.

I often suspect that the ability to do something technically leads to implementation, while cyber security is only thought of after implementation. Money was saved, processes automated, remote access granted, etc., leading to high costs to mend things afterwards. Again we are on this road, towards the Internet of things. How can we prevent making the same mistakes again? How can high-tech device and appliance companies be engaged in discussions on security before the product is unleashed on a totally unaware public?

What about engaging these companies through an organisation like MAAWG? Awareness raising, training, and the exchange of useful knowledge that is already available in the Internet industry to prevent further harm? Determining the current best practices together and implementing them? It sounds like a plan. But who makes himself available to do the outreach, invitations and programme building? Still, these are steps that need to be taken to secure the Internet of the future.

Is it an idea to impose a duty of care for the customer where (all) Internet-related products are concerned? Not a regulation of minimum standards, but a duty to deliver secure products at ever-improving, competitive standards? And who regulates negligent companies? Consumer authorities, judges?

What is the way forward?

This is just an idea. There may be other ways. What are your ideas? Let's try to put them together and discuss. Something needs to happen soon, and every day lost is a day wasted where cyber security is concerned. I'm looking forward to hearing your ideas.

By Wout de Natris, consultant in international cooperation on cyber crime and trainer in spam enforcement. More blog posts from Wout de Natris can also be read here.
