ICT and Security Governance

This chapter examines in summary form those standards and best practices that have been widely accepted as being the “right things the right way” and also discusses how to determine if things are done “well enough”.

Attackers

Of the three groups of components of information security – tools, processes, and people- the last one should be considered as the weakest link. People range from the tired or unaware employee that clicks on a link that infects a computer or a network, to the security expert working for a criminal, military, or terrorist organization attacking a critical information infrastructure. This chapter examines the various classes of potential attackers and the techniques currently used to perpetrate such attacks.

Terrorism and the Internet

Over the last few years, it has often been suggested that use of the Internet for a variety of terrorist purposes constitutes a serious threat, and requires action of some kind at the international level. This chapter begins by examining the threat. It argues that the looseness of “terrorism” as a phenomenon – particularly as represented on the Internet – means that the problem may have been exaggerated. The issue, after all, is not in and of itself that terrorist organizations or individual “terrorists” are using the Internet, but rather, whether there is more terrorist violence happening as a result. This question is far from resolved, but there does not seem to be compelling evidence that there is. The chapter then considers the proposition that an “international problem” like terrorist use of the Internet requires an “international solution.” It provides the observation that this formula assumes a symmetry between actions available to terrorist actors and states which may, in itself, make for unimaginative counter-terrorism policy. It then considers whether there is a residue of issues arising from terrorist use of the Internet which can genuinely not be countered at a local level, and which are not already relevant to existing international counter-terrorism provisions. Given the serious changes action here would imply for Internet governance, and the uncertainty of the gains that would be delivered in terms of security, there is probably not good reason yet for drastic international action against specifically terrorist misuse of the Internet.

Threats, Vulnerability, Uncertainty and Information Risk

Two other matters complicate this topic: the lack of statistical data relating to cyber-attacks and the vulnerabilities inherent in hardware, software and networks, many of which are unknown until someone exploits them.

To Define or Not to Define

There have been three stages of Internet use: the happy days of e-commerce and optimistic sharing in military and academic circles; the growing awareness of Cybercrime issues to be addressed by law; and recent concerns about cyber attacks and national security issues and the paucity of national and international legal means to address them. This and the following two chapters analyze actual incidents and the applicability and inapplicability of law and policy; attempts to define terms that are thrown about in the media and by legislatures; such conundrums as attribution and anonymity, the lack of precedents and metaphors to guide legislators and policy makers; privacy and civil liberties issues; proposed legal and policy measures at national and international levels.

Economic, Political and Social Threats in the Information Age

There does not appear to be a common framework for quantifying the impact of information security business disruption events resulting in the loss of availability, confidentiality and/or data integrity. Individual incidents are known to have had costs ranging from 1 million US dollars an hour to a bank loss of close of 6 billion Euro. Given the global nature of supply chains and electronic commerce, deliberate disruption through well conducted attacks could have devastating economic consequences. This chapter explores in some detail the various components of such consequences.

The United Kingdom’s Centre for the Protection of National Infrastructure

This chapter examines the effectiveness of the newly-formed CPNI in leading the United Kingdom’s response to cyber attacks on critical infrastructures.

Cyber-Search and Cyber-Seizure

This chapter discusses the nature of cyber threats against government and private computer systems, describing some steps the government has taken and the challenges involved in protecting those systems. The chapter argues that a national security approach for cyber security policy is the most promising option for preventing these cyber threats while operating within the domestic legal framework. After a review of the President’s constitutional authorities to protect the nation from traditional threats, the chapter concludes that the President has some power to monitor Internet communications in transit within the United States when the communications threaten the welfare of the nation. The chapter recommends that this authority be augmented by Congressional action through legislation. The President’s powers in cyber security, even given Congressional support, however, are still restrained by the protections the Fourth Amendment provides for traditional forms of communication and individual privacy. Although there is limited Fourth Amendment precedent in the area of cyber security, the well-established exceptions to the Fourth Amendment requirements, based on consent, special governmental needs and the reasonableness of the search or seizure, provide a legal basis for executive branch action to protect critical infrastructures and their computer systems. As the Courts have long held, these exceptions allow the government to conduct searches or seizures without being bound by all of the requirements of the Fourth Amendment. If the government develops its cyber security policy in line with these exceptions, this chapter argues the government can both protect critical computer systems and operate within Fourth Amendment doctrine that recognizes the legitimacy of privacy in electronic communications.

Culture Clashes

This chapter reviews fundamental U.S. constitutional law in relation to privacy; the various United States federal privacy laws in relation to government surveillance of online communications by private citizens; cases related to these issues, recent amendments and proposed amendments to U.S. law; comparisons to law in other countries. It concludes that this particular area of law, at least in the United States, United Kingdom, India, Australia and Canada, which continues to be hotly debated, has no resolution in sight, and the difficult problem of balancing national security and privacy while maintaining constitutional protections in democracies is still a problem in search of a solution.

Concerns About What Will Happen Next

This chapter discusses vulnerabilities that should be considered by decision makers as they could be seen as the soft underbelly of a society that has an irreversible and deep reliance on information technologies.