
Companies shoddy about cyber-attacks


reports

Terrorism laws impact on network providers
By Chris Pounder

When President Bush signed the USA Patriot Act into law before Christmas, he was not acting alone. Most European countries, including the UK with its Anti-Terrorism, Crime and Security Act, and Canada have followed suit.

In terms of IT, most of the anti-terrorism legislation enacted shares the following characteristics:

• A legal separation between data that relates to the content of an electronic communication and the data which relates to the fact that an electronic communication event has occurred (e.g. telephone numbers connected, duration of connection). Additionally there is usually a requirement for telecommunications providers (e.g. Internet Service Providers and public telecommunications operators) to retain data about all communication events (e.g. all Internet access or all telephone contacts). In the UK this period is likely to be one year.

• A gateway which permits the authorities to access the content of a communication — This is usually subject to a warrant issuing procedure, which can be subjected to varying degrees of direct judicial oversight.

• A gateway which permits the authorities to access data about a communication event without recourse to direct judicial oversight — Indirect judicial oversight can occur on grounds such as whether access to the data is proportionate (e.g. in terms of human rights in Europe) or infringes constitutionally-protected rights (e.g. in the US).

• A gateway which allows many public authorities to exchange information in relation to any minor criminal acts — The argument is that minor crimes involving, for example, identity theft, mobile phone theft or credit card theft could all occur in connection with terrorism.

• A gateway which allows many public authorities to exchange information in relation to financial or personal affairs (e.g. taxation or education records held by the authorities) — The argument is that an investigation which initially concerns a small financial transaction could widen to involve terrorism (e.g. the sums of money posted to the 11 September terrorists were a few thousand dollars).

• A gateway which allows many public authorities to pass over information in relation to their areas of responsibility (e.g. an investigation commenced by the police could discover financial irregularities which are then handed over to the tax authorities).

• A gateway which requires many private authorities to provide information to the authorities in relation to travel and financial affairs (e.g. most affected are the airline and banking sector).

• A gateway which permits the authorities in one country to cooperate and exchange information with the authorities in another country; the agreed Council of Europe Cybercrime Convention will be increasingly important in this regard.

• A very truncated debate by the legislature which, by and large, has had to trust the executive (in the UK, for example, the House of Commons scrutinized a 130 page act within one week of Parliamentary time).

Most legislation contains a sunset clause, which will negate the above requirements if the perceived threat which arises from terrorism (and the organized crime which can support such activities) diminishes. However, since most governments are talking of a ‘long-haul’ in the fight against terrorism, one suspects that this is one piece of legislation where the sun will never set.

Companies shoddy about cyber-attacks
By John Sterlicchi

As security concerns mount after the horrific 11 September attacks, a new report found US companies are not doing enough to protect their IT systems from the threat of cyber-attacks.

The report went a step further and said software and computer vendors should be held liable for system breaches if they do not drastically improve the security of their products. However, the report does not detail any specific sanctions for such offenses.

The Computer Science and Telecommunications Board (CSTB), a part of the National Academy of Sciences, said in its report, “Cyber-security Today and Tomorrow: Pay Now or Pay Later,” that many US companies do not implement the necessary level of security because that can be expensive.

Authors Herb Lin and Marjory Blumenthal wrote: “The unfortunate reality is that relative to the magnitude of the threat, our ability and willingness

to deal with threats has, on balance, changed for the worse. From an operational standpoint, cyber-security today is far worse than what best practices can provide.”

The report urged lawmakers to take “steps that would increase the exposure of software and system vendors and system operators to liability for system breaches”.

The report also found that payback is uncertain “because serious cyber-attacks are rare”. But the CSTB warned short-changing security could be catastrophic for companies.

The CSTB recommended that companies should establish and provide adequate resources to an internal entity with responsibility for providing direct defensive operational support to system administrators.

It also recommended ensuring that adequate information security tools are available and that everyone is properly trained in their use.

“The degree to which a computer system and the information it holds can be protected and preserved is a broad concept,” the CSTB said. “Security can be compromised by bad system design, imperfect implementation, weak administration of procedures, or through accidents, which can facilitate attacks.”

The report also concluded that much of the blame for the state of security in corporate and government networks belongs to administrators and CIOs who fail to implement readily available technologies such as firewalls and intrusion-detection systems or follow industry best practices.

Many security problems exist not because a fix is unknown but because some responsible party has not implemented a known fix, the report said.

In addition, the authors recommended that vendors should develop better security interfaces for their products to simplify administration and conduct better testing of their products for security vulnerabilities.

The authors also said simple and clear blueprints for secure operation that users can follow should be put in place.

OFTEL plans to require telcos to maintain secure networks

OFTEL has commenced a public consultation about guidelines which set out the measures that public telecommunications operators (PTO) should take in order to maintain network accessibility, integrity and security.

The objective is to specify those security standards which licensed telecommunications operators should attain; failure to attain could then eventually result in enforcement action arising from an infringement of OFTEL’s licensing conditions.

The draft guidelines propose that PTOs, for example, should be under an obligation to meet “essential requirements for network security and integrity”. This obligation includes the requirement to take “all reasonable practicable steps to maintain network availability in the event of catastrophic network failure, fire, earthquake or flood” and to take all reasonably practical steps to maintain “network integrity against malfunctions caused by electrical conditions, signalling protocols or traffic loads”. PTOs should also install “appropriate fire warning systems and power back-up systems in their exchanges”.

OFTEL has indicated that the factors it will assess are whether a PTO:

• Has invested properly in technical and non-technical measures in order to maintain network security and integrity.

• Has undertaken an analysis of risk and consequent impact of any network failure.

• Has implemented, documented and managed complete contingency plans.

• Can demonstrate continual management commitment to all the policies and procedures that have been developed in the interests of network security and integrity.

In summary, the guidelines run to about 25 pages of single spaced text. General sections relate to physical security procedures, network security, management and operational procedures, network testing and integrity, abnormal electrical conditions, access network frequency plan, inappropriate use of signalling protocols, terminal equipment and excessive traffic loads. In addition, there are sections on specific problem areas where integrity and continuity are important – for example, in relation to the networks which support the emergency 999 services and other bodies and individuals who might have special needs (e.g. AA roadside recovery, NHS Direct and those being remotely monitored in connection with specific medical conditions).

David Edmonds, Director General of Telecommunications, said “All public telecoms operators have a licence obligation to ensure that the security and integrity of their network is maintained at all times and that for the first time OFTEL has set out guidelines on the measures we expect operators to have in place to meet this obligation”. Edmonds added his own Nelsonian touch: “OFTEL expects operators to ensure they are prepared for an event such as a fire or power cut so that services to consumers can continue uninterrupted and any disruption is minimal.”