Telecom and Logistics Associates 

Security NEWs Service: TLAnews

publication: Christian ALT

16.5.2000 Security: G8: Statement discussed on How To Improve Reliability and Security of the Internet
The Global Internet Project (GIP) released a statement at this week's G-8 conference in Paris to help both businesses and governments prevent, detect and respond to cyber attacks.

French summary: G8: A proposal is discussed to improve the reliability and security of the Internet.
The group called the "Global Internet Project (GIP)" has issued proposals to help governments and businesses detect and respond to attacks on the Internet.

English version
 Group of Leading Internet Executives Releases Statement On How To Improve Reliability and Security of the Internet

The Global Internet Project (GIP) released a statement at this week's G-8 conference in Paris to help both businesses and governments prevent, detect and respond to cyber attacks.

The group called upon governments to "lead by example" and ensure that their computer systems and networks are secure and run in accordance with best information security practices.

In recent years, there have been a variety of types of cyber-attacks. In general, they fall into five general categories:

  1. Denial of service attacks which flood Web sites or Internet Service Providers (ISPs) with millions of bogus but apparently legitimate electronic messages that block access to networks and servers. Although these attacks do not involve directly breaking into the servers run by the targeted Web site or ISP, they often are launched from hundreds of surrogate computers, each of which has been hacked in order to render them responsive to the commands of the perpetrator.
  2. Computer break-ins by malicious hackers who violate the confidentiality and integrity of data and systems by exploiting security holes or poor procedures. By this means, they eavesdrop on legitimate traffic, gain access to computer systems and deface Web sites, re-route traffic, steal credit card numbers, or in some cases, corrupt or erase critical data files.
  3. Internal attacks, often by disgruntled employees. Incidents involving this type of hacker are increasing significantly, and cost Internet stakeholders billions of dollars annually. Since employees usually already have access to their companies' systems, these kinds of "insider attacks" are easier, more frequent, and often more damaging than external ones.
  4. Development and proliferation of destructive viruses like the ILOVEYOU or the "Melissa" virus.
  5. Physical attacks in which criminals or terrorists damage or unplug computers and network equipment in order to disrupt a company's operations.

Summary in French

The group called the "Global Internet Project (GIP)" has issued proposals to help governments and businesses detect and respond to attacks on the Internet.

The group asks governments to lead by example by ensuring that their information systems are well protected.

They identified five general categories of attacks:

  1. Denial of service attacks, which flood web servers or mail servers and make them inaccessible.
  2. Intrusions that violate the confidentiality and integrity of data.
  3. Internal attacks by employees or former employees.
  4. The development and proliferation of destructive viruses.
  5. Physical attacks, theft and other acts carried out by criminals or terrorists.

A set of measures is proposed; we highlight the main ones:

Ensure that the security tools put in place are appropriate and well mastered.

Advise governments so that they can better protect themselves.

Encourage the adoption of IPsec.

Invest in research on techniques to reduce system vulnerabilities.

Develop and support a program that instills sound ethics in the next generation of net citizens.

Improve authentication systems.

Train security specialists.

Remove restrictions on the encryption of civilian data.

Without effective protection on the Internet it will not be possible to protect the data of companies and individuals. Users will lose interest in unreliable technologies.

These different types of attacks necessitate various counter-measures. The GIP believes that improving the security of the Internet will require that businesses and organizations around the globe (that have not already done so) do the following:

  1. Identify and disseminate information about security holes in computer systems (cf. CERT, www.cert.org, and the FBI National Infrastructure Protection Center, www.fbi.gov/nipc/).
  2. Perform security audits and determine how best to protect their systems from both external and internal threats.
  3. Cooperate with law enforcement or other authorized government agencies or relevant bodies in order to detect and mitigate attacks.
  4. Improve the physical security of mission-critical systems, particularly systems like the domain name servers and the root servers.
  5. Guarantee that the security tools already being shipped and implemented are appropriately installed with sufficiently robust settings, and strongly encourage system administrators and users to be adequately trained in their use.
  6. Make sure that employees, and especially general managers, understand that security is part of their normal responsibilities, and that there is as much focus on protecting the infrastructure from internal attacks as there is on external attacks.
  7. Institute specific company policies that require updating anti-virus software on a regular basis and having all employees actually use password protection systems that are available; also encouraging vendors, suppliers, and professional associates to activate appropriate security technology.
  8. Advise governments on how to better protect government computer systems and how better to track down and apprehend malicious hackers (cf., the Japanese government's Commission on Critical Infrastructure Protection -- supported by IFTECH, the Institute for Future Technology; the U.S. President's Commission on Critical Infrastructure Protection in the United States at www.pccip.gov; and the recently-created U.S. Federal Trade Commission's Advisory Committee on Internet Security and Privacy (www.ftc.gov)).
  9. Invest in research on new techniques for reducing the vulnerability of the Internet and the computers that use it.
  10. Take all the necessary steps to secure networks including the filtering out of incorrect routing information from customers and peer networks and sources of spam. Stakeholders should also deny unauthorized access to their network equipment, disseminate security alerts, educate customers on how to secure their networks, and provide network security services.
  11. Support outreach programs designed to instill a strong code of cyber ethics in the next generation of cybercitizens (cf. The Information Technology Association of America/U.S. Department of Justice's "Cybercitizen Partnership").
  12. Encourage the deployment of IPsec and IPv6 (which will make it easier to deploy better Internet security technologies). It is important to emphasize, however, that the new standards will only offer such protection if they are promptly and properly implemented. (cf. The Internet Engineering Task Force's Working Group on IP Security and many other IETF activities described at www.ietf.org/html.charters/wg-dir.html#Security_Area).
  13. Encourage and develop the deployment of better authentication systems, including public key infrastructures (PKIs) and certificate authorities (CAs).

While national governments are understandably concerned about the recent cases of cyber-attacks, and wish to take action to ensure that the Internet is robust, reliable, and secure enough to support the full range of e-commerce, electronic government, and other applications, they should resist the temptation to propose regulatory measures to address this problem.

The private sector, not governments, must take the lead in making the Internet more secure for a number of reasons, including:

  1. Internet technology is advancing so quickly that government-imposed solutions or requirements are likely to quickly become obsolete and counter-productive, actually hindering the development and deployment of new, better Internet security technologies, and, through uniformity, potentially creating much greater exposures.
  2. Governments and the regulations they impose are national, while the Internet is a global medium. Finding effective global solutions would require international, inter-governmental action, a slow and difficult process at best.
  3. Different situations and on-line services will require varying levels of security. It is hard to imagine any set of regulatory requirements that would be flexible enough to deal with the wide range of customized solutions developing in the commercial marketplace today.

Rather than trying to dictate levels of security or impose standards, we strongly encourage governments to work with the private sector to increase cooperation and information sharing in this area. We recommend that governments consider the following steps:

  1. Lead by example. Governments should ensure that their computer systems and networks are secure and run in accordance with best information security practices.
  2. Arrest and prosecute computer criminals. Governments need to clarify laws regarding malicious hacking and denial of service, and ensure that such laws are vigorously enforced. This will often require effective international cooperation among different law enforcement agencies, which has increased substantially over the last 2-3 years.
  3. Foster information sharing. Governments can play an important role in facilitating international information exchange among industries. In the aviation industry, a private-sector initiative exists that enables airline pilots and others to report aviation mishaps in full confidentiality, without having to worry that the reports will result in recrimination or bad publicity. Similar models in other countries might be used to collect and disseminate information about cyber-attacks and countermeasures, without compromising proprietary corporate information or embarrassing companies that are victims of cyber-attacks.
  4. Promote the use of open standards. The very openness of open standards means that they will be scrutinized before adoption/implementation, and as they are modified. Through this process, vulnerabilities will be more readily identified and corrected.
  5. Remove the remaining controls on civilian encryption technologies. Encryption is a powerful tool for protection of data transmitted over the Internet or stored on computer systems connected to it. Government restrictions on the use or export of encryption technologies hinder the uses of this technology and reduce the security of the Internet.
  6. Provide better threat assessments. National governments, particularly intelligence agencies, have done assessments of the vulnerabilities of networks and computer systems and the threats posed by cyber-terrorism and malicious hackers. More details of these assessments could be shared with the private sector, either in a non-classified or classified setting, so that they are better able to prepare for, and respond to, the threats posed by cyber-attacks.
  7. Support pre-competitive research on Internet security. Since the inception of the Internet, governments have played an important role in funding the pre-competitive research that led to the development of key Internet technology. The original ARPANET, the NSFNET, the World Wide Web, and the first graphical Web browser were all made possible by government research grants. Governments need to continue funding research on Internet security.
  8. Fund the education and training of information security experts. One reason government R&D funding is so critical is because government grants support the training of the next generation of computer scientists and engineers. In addition, if there is a shortage of necessary skills, those available are likely to gravitate to the private sector, leaving a greater shortage of these skills in the public sector.
  9. Encourage and support efforts by the private sector to teach children and teenagers how to behave ethically in a virtual world.

Without effective Internet security it will be impossible to provide Internet users with on-line privacy. GIP member companies have been leaders in promoting industry practices to protect their customers' privacy. However, strong, effective corporate policies on privacy protection are only useful if they are properly implemented - and that requires strong, effective computer security.

Nor will it be possible, without effective Internet security, to protect the intellectual property of companies that seek to use the Internet. Users -- whether governmental, academic, corporate, or individual - will be reluctant to use the full range of Internet applications if they do not trust the technology. The benefits of this transforming and enabling technology are enormous, but they will not be realized if user trust is undermined or derailed. Trust, like corporate goodwill, takes a long time to be built up, but can be very quickly eroded.

The companies represented by the GIP and other leaders of the Internet Economy are strongly motivated to address the problem of Internet security. We believe that with effective cooperation between the private sector and relevant government agencies, the secure nature of the Internet and e-commerce can be significantly enhanced. It will not happen overnight; but effective measures must be taken in order to realize the full potential of the Internet.

The Global Internet Project

The Global Internet Project (GIP) is an international group of senior executives committed to fostering continued growth of the Internet. Members come from leading Internet-centric companies representing the telecommunications, software, financial services, and content sectors. GIP participants are well-known leaders in the Internet Revolution and represent companies based in Asia, Europe, and North America. Dr. James Clark, former chairman of Netscape Communications Corporation, founded the group. John Patrick, Vice President for Internet Technology at IBM, is the current chairman of the GIP.

For complete information about GIP, see http://www.gip.org

 

 

Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: May 16, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.