The wrong way to fight a cyberattack

The Internet has increasingly become a domain for cyberattacks, online threats and security incidents. But governments are approaching the problem from the wrong direction. Rather than maintaining a top-down strategy, they need to focus on the individual.

The US Department of Homeland Security noted this year that cyberattacks against federal agencies increased 782% between 2006 and 2012, with 48,562 separate incidents reported in 2012 alone. That’s enough to send any government searching for a cybersecurity strategy. And those figures don’t even include the daily barrage of attacks on businesses, civil society organizations, users and other governments that largely go uncounted each year.

The cybersecurity sector couldn’t be happier. Industry experts estimate that US$ 1 trillion was spent last year fighting cybercrime and cyberespionage. Yet the scope and magnitude of attacks suggest we might not have a lot to show for it. That’s partly because governments are relying on an outdated military style approach to dealing with cyberthreats that focuses largely on securing borders and national infrastructure.

Is this really what we should be focusing on? While an attack on the national electric grid or public transportation systems could indeed be devastating, the internet’s fundamentally borderless architecture defies a national security approach based on geography and lock down. The current discourse centered on critical infrastructure and information sharing between government and the private sector, as we have seen with reports regarding the US government’s Prism program and the NSA, focuses on one layer of the internet to the detriment others. We need to mature this paradigm, to one focused on securing the whole network, starting with the user, not to the exclusion of them.

An “individual up” paradigm would enable all our security, whether individuals, businesses, government institutions or civil society organizations. To enhance cyber security in this way, we should promote the free flow of information, maximize transparency, invest in digital due process and reduce structural vulnerabilities for the user. Prism and the secrecy attached to the number and scope of national security requests, including Foreign Intelligence Service Act orders, are the wrong way to go, and the global community is right to be horrified. By securing all layers of the stack starting with and enabling the individual, we will be better positioned to respond to cyber attacks holistically and effectively.

This paradigm must emphasize improving security architecture by design so that protections are not bolted on afterwards, and offer incentives and processes to resolve known vulnerabilities for individuals in a timely fashion. With more than 100 governments now possessing network exploitation capabilities, we are in the midst of a digital arms race that relies on exploiting vulnerabilities in software and hardware, not patching them.

One place to start is the looming crisis of mobile security caused by the failure of mobile carriers to systematically update the operating systems on Android phones, placing hundreds of millions of individual mobile phone users at risk.

Furthermore, we must foster open and transparent multistakeholder international dialogue on best practices and red lines. If not, we are entrusting the safety of the Internet – the lifeblood of business and human rights today – to states operating with minimal oversight and offering limited avenues of participation for civil society, the business community and other actors. A recently released infographic by the World Economic Forum’s Global Agenda Council on the Future of the Internet calls for a rich ecosystem network of cyber capabilities and organizations, not just reliance on one type of actor.

Our assessment of how to best protect the Internet from the bottom up must consider what values and norms a cybersecurity paradigm should be based on and what rights it enables. As the Forum’s Partnering for Cyber Resilience Principles & Guidelines state: The ability to provide a trusted environment for individuals and business to interact online is a critical enabler for innovation and growth.

But that trust cannot exist when we are focused on a closed military, nationalistic paradigm. Our collective security will be enhanced when we think more like the Internet itself and shift our attention to information flow, participation, transparency and digital security for the individual user.

This post is part of a series from the World Economic Forum’s Global Agenda Council on the Future of the Internet. You can read more expert views here

To explore The Innovation Engine infographic click on the image below:

 

 

Author: Brett Solomon is the co-founder and Executive Director of AccessNow.org, an international NGO that defends and extends the digital rights of users at risk around the world. He is a member of the Global Agenda Council on the Future of the Internet.

Image: A magnifying glass is held in front of a computer screen REUTERS/Pawel Kopczynski