Home / Blogs

Cyber Security: A Duty to Care?

Wout de Natris

Yesterday, in my post on three new threats in one day (click here), I posed the question whether it was necessary to develop regulations that would set a minimum standard on cyber security for devices that connect to the Internet. I'm having second thoughts here, which I'll explain below, but also try to look at a way forward and ask you to engage.

IGF 2012, Workshop 87

In this workshop on international cooperation and critical (Internet) infrastructure the debate also was on standards. There was a very clear call not to regulate on security standards. For two reasons. The minimum standards will be what everyone adheres to, while at present we try to better ourselves each and every day. As the panellist from Google said:

"If you have a treaty or regulation that sets a bar, typically what businesses will do will think as long as I hit that regulation, I'm fine. Whereas right now, you have people constantly striving to be better and have higher and higher bars..."

It seemed like all in the panel, from very different backgrounds, agreed on this quote.

This may be true for companies like Google, SIDN, Anti-Virus, for CERTs, etc. On the other hand it's quite clear that for companies that are more on the fringes of the Internet, cyber security does not seem to be a priority. At least where the product for the end user is concerned. Whether this has a financial background, stems from ignorance or a naiveté towards the Internet, I do not know. Probably a combination. It doesn't really matter, what does matter is that this behaviour has to alter. How to go about this?

(There is a transcription of workshop 87 on the IGF website on this page (although it is not complete) and the report is on the NLIGF website here.)

First I look at an example of minimum regulation and the effect on the Dutch National Railways (NS) which made me doubt regulation.

Minimum standards. A good thing?

The inspiration for this post I found last night while reading NRC Handelsblad. The National Security Board released a report on a train accident which caused 1 death, 24 severely injured people and an overall 165 injuries. The story is quite telling on two accounts, which, I think, are directly juxtaposable to Internet security, as you will see.

Before giving the facts around this story I have to explain the following. Since the liberalisation of the railways the national company has been split into several companies among whom transport (NS) and rail system (ProRail). This complicates this story a little, but let's pretend it's still one as it does not change the insight I've gained. The report delivers the following facts on the NS:

- new trains meet only the bare minimum of technical standards;
- the decorations in the train were not checked for security;
- chairs are made to clean easily but are dangerous for passengers;
- tables are to thin and caused the death and serious injuries;
- the security system is mainly still based on 1950′s technology;
- during construction work the network is over-used;
- 150x a year a red light is ignored with no emergency brake in place in many cases;

In short NS has cut on the budget of securing its network optimally for years, backed by budgets determined at government level I suppose. Perhaps the discussion whether one major accident a year is allowable is at work here. The other part of the examples is about the interior of the trains. Cleanness over security. Decorations that may not have been tested properly, endangering the passengers/costumers. The NS has not adhered to a duty to care for its customers, one conclusion reads.

The main question however is would the NS have performed better without regulation, without the minimum standard for technical security? At present it seems to stick to the minimum requirements, with the present results on in-car security for the passengers. A point for Google in this discussion it looks like.

Let's go back to the Internet world.

How to engage industry?

More and more devices will connect to the Internet over the next years, "The Internet of things". From coffee machines, to refrigerators, TVs, aircos, perhaps even the dog's leash. Who knows? Every single device will need to have a built in security, securing the end user from harm. Let me give some examples of threats I can think up here.

Expensive TV programs ordered through hacks at high cost to the unsuspecting end user? Fridges that order new stock to other addresses? Garage doors opened through hacks? Cars that could do ...? Game consoles that spy on the use of other devices in the home? Just guessing here from the past examples of sms scams, autodialers, spying webcams, etc.

Often I suspect that the ability to do something technically leads to implementation, while cyber security is only thought of after implementation. Money was saved, processes automated, remote access granted, etc. Leading to high costs to mend things. Again we are on this road, towards the Internet of things. How can we prevent making the same mistakes again? How can high-tech device and appliance companies be engaged in discussions on security before the product is unleashed at the totally unaware public?

What about engaging these companies through an organisation like MAAWG? Awareness raising, trainings, the exchange of useful knowledge that is already available in the Internet industry to prevent further harm? Determine the current best practices together and implement them? It sounds like a plan. But who makes himself available to do the reach out, invitations, program building? Still these are steps that need to be taken to secure the Internet of the future.

Is it an idea to impose a duty to care for the customer where (all) Internet related products are concerned? Not a regulation of minimum standards, but a duty to deliver secure products at ever bettering, competitive standards? And who regulates negligent companies? Consumer Authorities, judges?

What is the way forward?

This is just an idea. There may be other ways. What are your ideas? Let's try and put them together and discuss. Something needs to happen soon and every day lost is a day wasted where cyber security is concerned. I'm looking forward to hear your ideas.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Cybercrime, Cybersecurity, Internet Governance, Law, Malware, Policy & Regulation, Privacy


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Join Neustar's Town Hall Meeting and Help Shape the Future Of .US

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals