New ways to police the internetTuesday, June 27, 2000
It is the private sector’s responsibility, not that of governments, to combat cyber-attacks, argue Vint Cerf and John Patrick. During the past year computer users throughout the world have fallen victim to a series of “cyber-muggings”. Well-publicised viruses such as the “ILOVEYOU” bug and recent “denial of service” attacks, which flood computer systems with incoming messages and bring sites to their knees, have brought internet security to the attention of the world. Internationally, policymakers and law enforcement officials are seeking ways to address this issue, but now more than ever it is essential that lawmakers resist the urge to reach for the blunt instruments of regulatory or legislative “solutions”. Cyber-attacks undeniably harm the global economy. Computer and network repair costs weigh heavily on many internet users – according to some estimates bugs such as the “ILOVEYOU” virus have cost billions of dollars in lost data and time. In addition to great frustration and initial expense, there is an untold cost of shaken consumer confidence in the internet as a safe communications tool and as the foundation of the new economy. Understandably, national governments want to act responsibly. But because the internet ignores borders, nationally imposed regulatory regimes will not only be impractical but will arrest the online growth they seek to protect. To be truly effective, government policies would have to be implemented through international and intergovernmental action while having the flexibility to adapt to the dynamic nature of the internet. Yet the very nature of government bureaucracies limits their ability to co-ordinate on a global basis. A better way to ward off these cyber-attacks is through strong and effective private-sector leadership. Business leaders around the globe must lead online security efforts. Internet technology advances so quickly that government-imposed solutions would rapidly become obsolete and actually hinder the deployment of new and better internet security technologies. The myriad of online applications and services requires varying levels of security solutions. It is difficult to imagine any set of regulatory requirements flexible enough to deal with the wide range of customised solutions developing in the commercial marketplace today. Internet stakeholders, including many leading companies in the private sector, are motivated to develop ways to prevent and rapidly respond to cyber-attacks and viruses. Private sector and industry players should move forward by: performing security audits to determine how best to protect their systems from both external and internal threats; improving the physical security of mission-critical systems such as domain name servers and root servers; making certain that employees, especially general managers, understand that security is part of their normal responsibilities; instituting specific company policies that require updating anti-virus software on a regular basis and having all employees use password protection systems that are available; deploying better internet security technologies; and developing improved authentication systems including public key infrastructures and certificate authorities. This is not to say that governments do not have an important role to play in online security. The most effective contribution governments can make is to work alongside industry and facilitate open and earnest information-sharing. Furthermore, governments need to ensure that existing laws against fraud, copyright theft and computer hacking are effectively applied in cyberspace. Governments can also be model users by securing their own computer systems and networks. Lastly, governments need to remove the remaining controls on encryption technologies, which are an essential tool in the fight against hackers. These actions would go a long way towards protecting internet assets and the people that rely on them. The internet has developed into what it is because governments and industry have worked together to ensure its openness, competitiveness, and dynamic nature. Now more than ever, that partnership must continue. Policymakers must urge the market to seek solutions to internet concerns and resist the urge to impose governmental “solutions”. By combining their efforts, governments and the private sector can make great strides in protecting the internet and its many applications from the harmful intruders and attacks. As corporations and business leaders around the globe adapt to and address these problems, the frequency and magnitude of “cyber-muggings” will greatly diminish, and consumer and corporate confidence online will be able to reach its rich and exciting potential. Vint Cerf is senior vice-president for internet architecture and technology, WorldCom, and a member of the Global Internet Project, a group of executives that campaigns for internet growth. John Patrick is vice-president for internet technology, IBM, and chairman of GIP.