Reading up on COVID-19 and Zoom/Boris Johnson outcry yesterday, an analogy struck me between the two: the lack of testing. In both cases, to truly know how safe and secure we are, testing needs to be stepped up considerably. This post focuses on cybersecurity.

Over the past days and weeks, more and more organisations have switched to digital products and services to sustain working from home, to keep productivity up and to be connected. Our dependency on the Internet has become even larger, with perhaps one large difference: more people are actively aware of their dependency and not as something they see as normal without thinking about it. Let’s not forget that by far, most people have slipped into the digital age, without comprehending the implications. Let alone how it works. With this newly found realisation, this is the time to act where cybersecurity improvements are concerned. First, let me give a few examples of how we slipped into the digital age.

How we moved onto the internet

Over the past years, we all have started to use products and services we do not truly understand, nor do we have an overview of the implications coming with the use of these products. This goes for apps that transgress every basic rule of privacy without any hindrance, but also for government organisations using cloud services in the U.S.. We use Google, Facebook, Whatsapp, etc. multiple times daily without being aware that we are the product, “the user,” of these companies. Energy companies connecting a nuclear reactor to the Internet as running maintenance from home, if necessary, is so easy. Or, a machine in a factory that is directly connected to the manufacturer for maintenance without built in security. And what about all those connecting devices entering our home without basic security installed. Etc., etc., etc. All were decisions with large implications, usually made without security in mind, not offered, not asked for, not (fully) understood. Let’s make it more tangible.

Secure/insecure?

On Wednesday 31 March, Boris Johnson, U.K. prime minister, posted a photo online, showing his cabinet’s video conference, giving away a load of data about his workplace, gear and even his unique username to the Zoom application the U.K. cabinet used for the conference. Twitter sort of exploded because of it, and yes, the lack of understanding in the PMs office is extremely disconcerting, but a part of the Twitter explosion focused on the program used. Zoom is an application that is used all over the world for video conferencing, one of many. What was pointed out yesterday, at a time that almost every organisation depends on video conferencing, that Zoom is not as secure as it advertises. Many people pointed out that Zoom blatantly lies about its level of security on offer.

And here is where I am coming to my point that we need to test, test, test. An important question ought to be: Why did some people only bother to test the service now and not last year or the year before? Can you tell me whether any of the other services are better? I can’t.

Responsibility for a secure internet

The world fully depends on ICT products and services, something that today is more clear than ever. It also means that the products and services need to become more secure. 100% Security is something no one can offer. Avoidable mistakes, though, should no longer be acceptable when a product or service enters the marketplace. Not in a product connecting to the Internet, not in software and not in online services and hosting. If the current crisis shows us anything, it is the responsibility the internet market has where the world’s security is concerned.

Making the Internet more secure

This can easily be improved if, during the production phase, testing becomes a prerequisite. For everything already on the market, it is quite clear that the status quo is that a company awaits an alert or a breach before taking action to amend the flaw in its product, if even then. To become safer, there are three ways forward:

1. New products are made by new rules assuring a higher level of quality and security;
2. Testing;
3. Attribution.

White hat testing – I would like to focus on the last two. Mark Goodman proposed in his book ‘Future Crimes’ to create a worldwide pool of white hat hackers who test products and alert a company or a central agency on discovered flaws that are then repaired and updated. One thing is certain, the “bad guys” test products 24/7 in search of flaws and use them for their own nefarious purposes. So why don’t the “good guys” do this in an organised way? Yes, this is a challenge to organise, but the white hat hackers already exist. So why not pool them and make use of their energy? Finding flaws before the bad guys do saves everybody money, time, losses, hurt, bankruptcy, etc. Yes, it is a burden on the manufacturers, but then they are the source of the flaws. Not the consumers. In fact, not even the “bad guys” are the source; they are just using what is on offer in a bad way.

A related example is the city of The Hague that organises a yearly hack contest on itself. Something more companies and organisations should do.

Consumer organisation testing – A second way of testing is through consumer organisations. Products and services with online components from now on need to be tested on cybersecurity aspects. Are certain internet standards deployed? Are passwords in place? Are patches guaranteed? Is data protected? Etc., etc. This way, the pressure is applied to manufacturers and service providers to up their game. This way, consumers can compare products. The test of webshop websites in The Netherlands and privacy adherence in an app in Belgium are good examples of this.

Attribution of breaches – When hacks or other digital breaches occur, one way forward is to collectively learn from the cause(s). E.g., by making it known, the breach was caused by a lack of security in product X or service Y. This puts pressure on manufacturers who currently produce sub-optimal or even less safe products. No product wants to be associated with negative news, so most likely all will progress because of it.

A milder form is to mention the cause without the name but including explicit mention of costs and losses, in combination with suggested questions consumers can ask to their vendors or demands they can make for a more secure product. This creates awareness at the customer side and puts pressure on the manufacturer.

Is this bad for innovation? All other products in the world show that rules or regulations do not stop progress. So why would the Internet be different?

Security investments come with costs

More than ever before, the world has become dependent on the Internet. It is time that the internet business takes responsibility for this dependency. This comes at a cost. Yes, there is another side to this debate. It has to become normal to pay for internet security. It is only fair money is made on the investment industry has to make to provide cybersecurity.

Conclusion: start testing!

Just like at this point in time in the COVID-19 crisis, a lot of people are not aware whether they have attracted the disease and are cured because they have not been tested, many internet services and products can get on the market, even with false claims, without testing. It is time for change. Societies have to start testing.

In a recent report published on the website of the Internet Governance Forum, I have identified 25 pressure points in society that can aid in making the Internet more secure. If you are interested to learn more you can download it here: Setting the Standard report