
Why Private Support of Cyber Security Initiatives May Not Work

A fledgling international cyber security alliance is continuing to gather backing from private business, according to a recent article published on ComputerWeekly.com. The International Cyber Security Protection Alliance (ICSPA) aims to support law enforcement agencies in countries that lack the resources to fight cybercrime. Commercial security organizations such as McAfee and Trend Micro are supporting the alliance.

The National Cyber Security Alliance, funded in part by Symantec, Cisco, Microsoft, and other technology industry leaders, partners with government entities such as the Department of Homeland Security. The mission of the NCSA is to promote cyber security awareness for home users, small and medium-sized businesses, and primary and secondary education.

These are examples of private technology companies funding and supporting public security initiatives, which are an important factor in securing the Internet. Without the private sector driving the technology to enhance Internet security — often by mitigating security holes in products released by the very same companies providing the funding — the individual Internet consumer would likely find themselves connected to a much less secure World Wide Web than we have today. Although private funding is critically important to Internet security, in many cases it is provided as a means of furthering the fiscal goals of the contributing company. In the case of cyber security this raises several concerns and potential roadblocks to the deployment of effective security measures.

When funding or support is contributed by private businesses such as Cisco, Microsoft, McAfee, or similar players in the realm of Internet security, the motivation behind the contribution is often to further propagate their own proprietary technologies and solutions in a move to gain market share or offset the gains of competitors. While there is likely a genuine concern for global Internet security on the part of these companies, each would prefer that security issues be mitigated with their technologies as opposed to those of a competitor. This undercurrent of competition becomes a roadblock to pervasive and reliable Internet security for several reasons.

Service, protocol, and API incompatibilities are a leading concern in a multi-vendor security design. Securing the Internet is a highly complex task requiring a multi-layered security approach to address security issues across the myriad services available online. In such a design it is crucial to have compatibility and information sharing between the various security solutions, resulting in a seamless and reliable security layer across the Internet. With the large number of vendors offering security solutions, and no enforced standards or services to ensure these solutions interoperate, the varying vendor-specific deployments create "islands of security" with each operating independently and with no ability to share information between systems. Some vendors attempt to design this interoperability into their solutions, yet there is little consensus between vendors in terms of which standards, protocols, or services should be used to provide compatibility.

The lack of enforced operating system and client security standards, accompanied by the lack of user education in terms of security awareness and best practices, becomes another vulnerability exploited by cyber criminals when seeking a method of access or attack. Because vendors incorporate their own set of "best practices" into their products there are different levels of security, and thus different vulnerabilities, in each product. Uniform standards for end user applications and security are virtually non-existent, primarily due to the lack of cooperation between vendors. This same lack of cooperation extends throughout the Internet security paradigm with the result being a far less secure global Internet community.

Government oversight of Internet security is becoming a reality as the threat from cybercrime continues to grow. However, legislation of Internet security will face many of the same roadblocks as private industry has encountered, with standards and enforcement being the most difficult to overcome. It is more likely that successful security standards could be created and enforced using existing Internet standards organizations such as the Internet Engineering Task Force (IETF), which operates under the auspices of the Internet Society (ISOC). Even though ISOC is already engaged in Internet security it is not taking a leading role in developing the standards or enforcement practices, instead acting as an information clearing house and as a coordinator of Internet-related security initiatives. A separate ISOC task force, much like the IETF but dedicated and focused only on Internet security, does not exist.

While some security experts and consultants advocate the creation of and adherence to universal standards for Internet security, the reality is that vendors will continue to support only those that contribute to their bottom line until enforcement of standards takes place. Unless security collaboration is elevated above profit and market share, or the establishment of a governing body responsible for Internet security takes place, the security of the Internet will likely remain an unachievable goal.

By Mike Dailey, IT Architect and Sr. Network Engineer


Comments

Mike, you'll have to distinguish between two things By Suresh Ramasubramanian  –  Jul 07, 2011 5:59 pm PST

1. Vendors forming initiatives to push their own products / standards and look good in press

2. True multistakeholder initiatives - ranging from open, public ones to those that are closed and behind the scenes.

There's often a bit of crossover between the two and an initiative of one sort can over time become one of the other sort.

Like I said in an earlier comment in another article, having too much belief in "code is law" and expecting / hoping for universal standards compliance is utopian, to say the least. And we cannot expect vendors to act out of purely altruistic motives, nor can we expect just civil society or government to see anything beyond their own perspective. That is why, as I said, true multistakeholder initiatives do exist, and they do a lot of good work.

As you mentioned ISOC, they're doing a lot of good by continuing with their role of engagement (at the individual and institutional level) with both technical standards groups such as the IETF, and policy groups such as various UN agencies and the OECD.

Hi Suresh. I see your point, By Mike Dailey  –  Jul 07, 2011 6:38 pm PST

Hi Suresh. I see your point, just not sure we're on the same page.

The "code is law" and utopian points you make are based on human belief/emotion. The points I make in my article are based on technology. The Internet as a technology--as a system--has grown to the point where point solutions and vendor-specific deployments are no longer workable. If two technologies need to interoperate they must be able to intercommunicate and exchange information; this isn't utopia, it's application design, in my opinion.

To expect mail server vendors to adopt a standard that allows MTAs to better exchange information about spam, for example, isn't utopian ideology, but the natural progression of a growing mail exchange technology. Instead of having 50 vendors all competing to sell their anti-spam products we need a single adopted standard by which all mail systems exchange spam information to correlate and share information. The problem isn't that the technology doesn't exist, or that it's far-fetched; the problem is that the vendors want market share, not email security.

We already see the effectiveness of solutions such as Project Honey Pot, and Cisco's Global Correlation Engine (just examples off the top of my head). When information is shared between systems each node becomes more secure. This is the next logical progression of Internet security technology, in my opinion, but cannot occur as long as vendors continue to treat Internet security as though it is something they develop in the R&D lab.

Thanks for your response; you have some good points and I appreciate the feedback.

Best practices rather than standards, at least for spam filtering By Suresh Ramasubramanian  –  Jul 07, 2011 6:42 pm PST

Take a look at http://www.maawg.org for a lot of relevant collaboration. There are some standards in this space too, that are gaining wider adoption, such as the Abuse Reporting Format (ARF), but by and large the work in this space, and in most other such broad spaces, is usually focused on best practice, engagement and cooperation.

You might (not) be surprised to find that the same vendors have showpiece cybersecurity collaboration projects for PR / advocacy / sales reasons, but they also constructively engage in other, more multistakeholder projects.

