Working for Symantec, the world leader in information security, I might be expected, when invited to write about the main security threat facing the UK part of the internet, to cite the latest technical-sounding hacker or Trojan attack currently causing havoc on the cyber superhighway. Don’t get me wrong, I could easily do that. According to our latest Internet Security Threat Report, in 2008 alone Symantec created more than 1.6 million new malicious code signatures, which is more than sixty percent of the total malicious code signatures ever created by Symantec, in direct response to the rapidly increasing volume and proliferation of new malicious code threats.
However, I don’t believe it is possible to simply say that the biggest threat to the safety of Internet users in the UK, or around the world, is the latest online malicious risk, or to highlight one single threat. We all know that just as technology evolves, the same can be said, unfortunately, for cyber criminals. It is important, therefore, that users are aware of online risks and have appropriate up-to-date technologies in place to ensure they are safe online. However, given the very nature of the internet, I believe it is also important to recognise that addressing internet security issues is not something that can be solved only through technological solutions, or solely by a single person, organisation or country.
We all share a collective responsibility to protect ourselves and our customers, and that is why, to me, the UN IGF is so important; it enables countries, industry and civil society to come together to discuss and learn from each other about the key Internet security issues that all of them are facing across the world. I hope that a key message that resonates from the forthcoming IGF is the value and importance of finding appropriate ways to work together and taking a partnership approach to addressing online security issues. The act of businesses, governments, law enforcement, academia and other stakeholders coming together to discuss issues of concern plays a vital role in increasing our understanding of online risks and also in finding possible ways to address the current online threat environment.
But I also believe that this year’s IGF is an opportunity not only to highlight the importance of partnerships but perhaps also to consider and discuss possible challenges and potential barriers which could in fact prevent parties working together now and in the future. It is important to highlight that internet security is not only about a technological problem and therefore a technological solution. It is also a question of education and of the legal framework. We often refer to information security as a people, process and technology issue.
When one is looking at people, of key importance is the ability to understand the risk of one’s actions and the appropriate measures one needs to take to protect oneself. In many ways, if one was to compare this with the off-line world, it is developing this sixth sense of being “street-wise”. Knowing how to avoid walking late at night into streets that are not well lit, or understanding why chatting with strangers online is sometimes no different than chatting up strangers in the street. Remembering that when putting information on-line the end result may very well be the loss of effective control over that information.
When one is looking at regulation, I think one of the biggest challenges is to ensure a pragmatic regulation that is both enforceable and serves the true interests of those whom it is trying to protect. I think a good example there is the discussions we have been having in Europe about breach notification and about whether or not IP addresses are personal data. I can easily see how breach notice is in the interest of everybody who is operating in an online environment. It is designed to reward and motivate the diligent enterprise that protects its customers’ data. It is aiming at empowering the user/customer/consumer with knowledge about how their information is being used and protected. It is providing information to the policy makers that allows them to decide what measures work, what do not, and what the level of risk of a particular environment is. It will also penalize entities that fail to ensure an adequate level of protection.
On the complete opposite side is the whole discussion about IP addresses. In a number of member states there are conflicting court decisions as to whether an IP is personal data or not, even within the same jurisdiction. From a technical standpoint, arguing that an IP is personal data is something of an oxymoron, because the basis of data protection is informational self-determination, i.e. the right to refuse to share personal data. Obviously, in the case of IP, if you do not share it you are not connected… From a technical standpoint, IP addresses do not identify individuals, but together with other identifiers (and some effort) they can eventually lead to identification, depending on circumstances. Then the question arises, who are we really trying to protect? Do we successfully protect individual rights by classifying IP addresses as personal data? I am not so sure… in fact I would even argue that by doing so we may sometimes, perhaps unintentionally, put other rights at risk.
Clearly, finding the right balance on this and, frankly, other similar questions that arise when regulating online activity is something that is exercising minds across the world. The IGF alone cannot resolve such complex regulatory issues. But as we look towards coming together in Egypt, I hope that we use this opportunity not only to promote the benefits of collaboration where appropriate but also to recognise the possible impact and unintended consequences of decisions taken on public policy issues. We need flexible regulation that can withstand the test of time. In addition, we need to recognise that no matter how much regulation and how many policies and projects governments put into place, unless there is effective education of users and a gradual shift in our attitude, the progress on information security will be limited.
Posted by Nominet on behalf of Susan Daley – Symantec Government Relations Manager UK & Ireland.