Cyber security became ever more crucial for global business and modern society. We are living in a data-centric world in which information technology and associated communications’ systems as well as networks that provide goods and services permeate every facet of our lives. This creates the safeguard of our digital assets and activities within cyberspace of critical importance, whether for individual life experience or a prosperous and sustainable society. But the challenge to understand cyber risk and deliver effective and accessible security becomes harder as technology continues to rapidly evolve and our systems become ever more complex. We are increasingly dependent upon such information and communications infrastructures, and the threats we face are organised and evolving the skills to exploit our dependency to further their interests.
There is an exigent need for creative ideas leading to the next generation of cyber security capability. Existing approaches are simply not able to meet the demands of a global society growing in cyberspace on the current path. New business models are forcing greater interdependency between people, organisations and nation states in order to successfully manage cyber risk. Success will necessarily require an ability to anticipate, deter, detect, resist and tolerate attacks, understand and predict cyber risks, and respond and recover effectively at all levels, whether individual, enterprise, national or across international markets. In order to meet the demands of the future we will require new understanding, governance, regulation, partnerships, skills, and tools.
1. The implication of cyber security for individuals, organisations and society
Before we address any issues relating cyber-security, we must look at the definition of the term in the first place. According to Wikipedia, cyber-security is called as computer security which is described as information security as applied to computers and networks. In other words, the protection of data and systems held and transferred in networks that are connected to the Internet. It is an extension of traditional IT security, and emphasises protecting systems, applications and data that exposed to a variety of forms of attack via the internet, ranging from data theft and espionage to corruption of data and denial of service attacks. Today, computers allow us to reach our financial needs readily through online banking, mutual fund management, stock trading services, and a variety of other online applications that provide access to accounts 24 hours a day. Beyond financial services, we have the ability to connect a broad variety of information, including social media content such as Facebook, Youtube, and Twitter, as well as magazines, video games, and other Web 2.0 content.
The interconnectivity of such systems has not only provided individuals with access to a wide variety of data, but now businesses have the ability to leverage the Internet as a part of their day-to-day operations. Whether it be human resources management, email and coordinated calendar systems, or sales tracking systems, the cloud offers opportunity to businesses for quicker, modernised processes and potential cost savings. In addition to that, the government utilises interconnected computer system to manage public services such as energy systems, coordinated public transportation logistics, synchronised emergency services, management of water treatment facilities, and propulsion of technology for a variety of services advancing the public.
However, personal, business and government use of computer systems, because of their inter-connectedness, opens these systems up to a variety of activities that they were never intended for. End-users without significant protection against viruses and other malware prevalent in today’s computer environment represent the greatest source of vulnerability to our current technologies and systems. In numerous reported incidents, inadequately protected PCs connected to the Internet have been used to perpetuate cybercrime and mobilised to launch cyber attacks. At the same time, individuals are also the victims of a wide range of cybercrimes and cyber nuisances such as spam, phishing, and computer fraud. Because today’s technologies generating cyber risks makes it very difficult to fight potential attackers in advance, the adoption of technical and procedural protective measures becomes a crucial element in ensuring security.
Similarly, for more than two decades, businesses and governments worldwide have struggled to understand the nature and scale of the cyber threat facing them, and to develop appropriate responses to tackle it. In many cases, the strategies adopted to manage and mitigate these risks have included heavy investment in information assurance. Despite this investment, the view of many professionals is that a persistent adversary will still get through most organisations’ defences. Countering the threat of attack on critical information assets and systems has emerged as a key priority for our federal government and other governments worldwide. Similarly, private sector corporations are taking the risk of cyber attacks with increasing seriousness, in part as a response to a series of high-profile attacks from banks to online retailers to ISPs. Against this background, attention is increasingly switching to deterring such attacks before they take place.
This focus is especially prevalent among governments, which have the necessary resources and tools. However, neither government not industry are well positioned to respond. The result is that a degree of paralysis has developed in the face of the growing threat. Uniting the public and private sector agendas, cybersecurity is an especially key issue for organisations that are part of the Critical National Infrastructure or where security of supply is in the national interest. Moreover, given the importance of the issue, cybersecurity is, or should be a board-level issue for any large organisation.
2. The limitations of the technology solution for dealing with cyber security breaches for individuals, organisations and society
Nowadays, we are often facing with the downside of digital revolution, one which individuals and businesses may be scared away themselves or restricted by governments in their use of the Internet. Online fraud and identity theft are common, and there is an ongoing challenge to address flows of illegal information and incorrect data. These negatives mean that the benefits of the Internet are countered with real and direct costs. And yet, the final result of this balance calculation is not universally agreed. While our current firewalls, anti-virus and anti spam measures and Internet security practices can improve cybersecurity, the increasing complexity of the system and its open nature poses new challenges. As reported at the New Security Paradigms Workshop [NSPW], a variety of seemingly straightforward preventive measures, such as requirements for strong passwords, have given us a false sense of protection against potential attacks. In fact, the report says, we are not paying enough attention to more potent threats.
Recent highly publicised discoveries of worldwide “ghost nets”, fundamental flaws in Internet security infrastructure as shown by the Diginotar incident [DIGINOTAR], and cyber-attacks against companies like Google [NYT-GOOGLE] or entire nations like Estonia [WIKI-ESTONIA2007] indicate that there are still serious vulnerabilities to be addressed and new ones that we have not even imagined yet. If large attacks became commonplace – and seemingly unstoppable – our confidence in the Internet may be significantly eroded or come to an abrupt halt. Technologies like intrusion detection systems, firewalls, anti-virus software, virtual networks, encryption and biometrics etc. involve significant flaws in preventing and managing those serious cyber security problems prevalent in today’s cyberspace. Many devices and systems generate hundreds of events and report various problems or symptoms. Also, these devices may all come at different times and from different vendors, with different reporting and management capabilities and – perhaps worst of all – different update schedules. The technologies are not integrated, and each technology provides the information in its own format and meaning.
In addition, these systems across versions, product lines and vendors may provide little or no consistent characterisation of events that represent the same symptom. Also, the systems are efficient and scalable because they rely on human expertise to analyse periodically the data collected with all these systems. So, from the viewpoint of today’s organisations, network administrators regularly have to query different databases for new vulnerabilities and apply patches to their systems to avoid attacks. Quite often, different security staff is responsible and dedicated for monitoring and analysis of data provided by a single system. Security staff does not periodically analyse the data and does not timely communicate analysis reports to other staff. The tools employed have very little impact on security prevention, because these systems lack the capability to generalise, learn and adapt in time. In addition to organisations’ perspective, individuals and government also need to pay close attention regularly to updating their devices and tools as well as emerging cyber security threats in safeguarding their system in use. On the other hand, we are facing a considerable issue in improving cyber security through which increased use of carefully thought out measures to improve confidence, safety and security will be needed.
Unfortunately, some current proposals to improve cyber security pose a danger to the open, generative Internet. Some national governments are erecting borders in cyberspace. Not all these efforts are aimed at imposing political control; indeed, some are intended to improve cyber security but nonetheless threaten the openness and functionality of the Internet. For example, the Australian government considered and then abandoned a proposal to require ISPs to implement filtering using a government-controlled list. The goal is to block “child sexual abuse imagery, bestiality, sexual violence, detailed instruction in crime, violence or drug use or material that advocates the doing of a terrorist act.” More than dozen countries have plans to deploy mechanisms intended to block Internet content for political, social and security reasons. These plans pose a significant risk to global interoperability and the goal of an open, accessible and generative Internet. Therefore, the limitation of each security technology existing in today’s computer and network environment impact the efficiency of cyber security for various aspects, and increases the activities to be performed by individuals, organisations and society as a whole.
3. Solutions to the cyber security challenge
Cyber security requires cooperation among all the players such as users, ISP’s, software developers and security providers. There is no “least cost avoider”, and security depends on actions at all levels, or “defence in depth”. This applies equally to the use of offensive or defensive tactics. Counter-attacks work best when there is at least some coordination among the players; they are most dangerous when an individual end-host takes unilateral action against another host. When an attack occurs, all players should consult with each other about what possible actions they can take. Ideally, one should launch a counter-attack because it is the best option, not because it is the only one available. Fortunately, the computer industry does seem to be trending towards greater cooperation. ISP’s employ a variety of security measures, such as egress filtering of spoofed packets, and the use of specialised devices to “scrub” traffic streams of malicious packets. Also, some ISP’s are providing security services for customers, such as “black-holing” DDOS attack traffic, and coordinating with customers to respond to attacks.
The driving force behind this appears to be the threat of liability (for example, the Sarbanes-Oxley Act). Since the Internet is a shared resource, i.e., a public good, one might consider creating a non profit or governmental organisation that acts as police on the network. When a system detects that it is under attack, it (with or without consent of the user) informs the Cyber Police. This administrative body’s machine equipped with all the necessary tools does the authentication of the complaint, then either neutralises the attacking party or if required deploys a counter attack. While the attack is carried out it collects all required logs for future investigations. This just means of centralising the counter attack strategy to reduce cost and provide neutral intervention. The procedures it will follow have to be open. While on the other, this also means that it’s vulnerable to be attacked. The obvious questionable issue with regard to the entity is “to what extent the Cyber Police can exercise its power and authority within the cyberspace”.
One possible worrisome aspect on the issue is that it may interfere with the development of new technologies on the Internet. Amongst all those existing and emerging solutions, the best cyber security solutions are dynamic and adaptable with minimal impact on network performance. These tools secure systems without crippling innovation, suppressing freedom of expression or association, or impeding global interoperability. In contrast, there are other approaches such as national-level filters and firewalls, as providing only an illusion of security while hampering the effectiveness and growth of the Internet as an open, interoperable, secure and reliable medium of exchange.
The same is true commercially; cyberspace must remain a level playing field that rewards innovation, entrepreneurship, and industriousness, not a venue where a certain being arbitrarily disrupt the free flow of information to create unfair advantage. Individuals, organisations and society as a whole should commit to international initiatives and standards that enhance cybersecurity while safeguarding free trade and the broader free flow of information. There are diverse solutions standing in a row for today’s various cyber security problems. However, none of them are perfect in curing and preventing those existing and emerging threats in our vast cyberspace. We should keep focusing on the issue and be always conscious of the gravity of the subject.
4. A half day experience without digital technologies
I chose not to use any digital technologies available on 31st December 2012, because I had expected that I can feel the most discomfort I have ever felt before. Like almost everyone else who owns one, a smartphone is the most dependent technology I am relying on for the most part in everyday life. I had planned to meet my girlfriend at 2. While I was preparing myself and spending the gap without using any digital devices or technologies, I extremely felt a feeling of frustration about the situation I was facing. I wanted to find out the train timetable as well as the session time of the movie that we wanted to see in advance. Furthermore, it was the very last day of the year and every one of my friends must have been excited of going out at night, but I was not allowed to have words with them and share the joy of the day by talking on the phone and text messaging. Even if I did not inform them in advance that I will be offline until 6, it would have been a disaster for them as well. As a result of being not planned for the date, my girlfriend and I terribly felt of inconvenience and impatience as I asked a favour of not using her smartphone either until 6.
Consequently, we missed a train when we got to the station by calling at Gloria Jeans to get a coffee. In addition, we could not see the movie that we wished to see because we missed the session time that we had to go for, otherwise we could not meet other friends for New Year’s Eve dinner. I felt so devastated and helpless with my smartphone being locked in my girlfriend’s handbag. My girlfriend and I use the phone to death. I would say that we check it every few minutes to see update on News app or Facebook and to check emails especially when there is a momentary pause in out conversion. The moment was exceptionally awkward to each other we had ever felt before. For the problem of giving up using my bank card for cash, I managed to get some enough cash the day before I undertake the experience. If I did not expect this part of the experience, then it would have been a lot sorry to my girlfriend since the task that she was participating in was caused by me. By the bye, I suddenly came up with the question “why am I so clinging to the little device for this short period of time and why can I not get rid of the image of my phone in my head?”
The moment I was scared a little bit about the little electronic device controlling my everyday life. I could more concentrate on my girlfriend and I was not busy checking all those contents on my phone. I was actually less stressed when I retraced the period. I did get a little anxious to finally use my phone again about an hour before 6. I anxiously awaited checking any missed calls, texts, or emails. But other than that, the period without using my smartphone was not too bad experience where I actually felt more calm and happy later on. Now I believe that being constantly connected to so much information does subconsciously stress us out. Several days, or even a day, without using a smartphone can be quite a beneficial experience. Smartphones are a great invention, but if we let them, they can become too invasive and cause some anxiety and stress. I do believe society can function even without technology. That is of course, if we are referring to complex technological gadgets and complex technological machineries. Societies in the past didn’t use such complex machineries and gadgets before. It would make life difficult to live though since technology offers convenience in our lives.
People just came to believe that we need it because they got so hooked to the easy lifestyle. It may be true that a lot of people would die and suffer due to the loss of technology but it would not wipe out humanity and societies as a whole. But if you are referring to technology as applied knowledge, we might have ceased to exist a long time ago without technology. Even creating fire using stones and wood would be considered a technological advancement in the olden days. People have not created the word science and technology then, but they were already using the principles of science to find their means of surviving.
The mere fact that they apply that knowledge, it would already serve as technology since technology as said earlier is applied knowledge. I think they call it friction in science (about creating fire). The technology there would simply be the use of stones and wood to create the fire. Making tools to hunt for food would already serve as technological advancement, since it is still an application of one’s knowledge. Planting and growing crops would also need knowledge applied. Even creating one’s home even if it be a shanty would already be an application of knowledge. Without basic technological advancement, societies won’t develop at all.
Cyber security is a broad term that has evolved over time with no clear consensus on its exact meaning. Public awareness of the status of cyber security is coloured by the often-sensational lapses in security that occupies the media. The exposure of personal information, stolen financial data, and spread of malware and viruses all give the impression of danger and chaos, of the imminent collapse of the Internet. In fact, the sky is not falling; but there could be storms on the horizon. There is certainly reason to be cautious, but the overall balance weighs heavily on the side of value. Cyber space has become a tool for knowledge, communication, expression and commerce, a trusted resource and a powerful for personal freedom. Our daily life depends of IT and the services it provides. We make use of cyberspace in our social life, at work and for daily activities. Information Communication Technology has penetrated in every single area of our economy and society (finance, health, education, energy etc.).
This high dependence calls for new measures of safety and security in order to maintain this new style of living. There are not any borders or geographical limits for the cyber space. This makes providing the cyber security a harder process. The challenge requires different partners to cooperate. Actors that need to work to achieve to cyber security includes policy makers, regulatory bodies, international organisations, public/private sector and individual users. This paper has demonstrated that cyber security solutions are widespread and complex – as we move forward to address new challenge, we must ensure that the open and innovation spirit of cyber space is not compromised. Solutions to cyber security problems must also further the goal of users of cyber space: an open, accessible, and trustworthy space. The openness is one of its key strengths, making it a major worldwide source of creativity, innovation, and growth. Ultimately, success in addressing cyber security problems lies in multi-stakeholder cooperation and collaboration, now new command-and-control systems.
University of Oxford n.d., Cyber Security Centre, Oxford, viewed 21 December 2012, <http://www.cybersecurity.ox.ac.uk/>
Swan, D. n.d., Cybersecurity Vulnerabilities Facing IT Managers Today, viewed 21 December 2012, <http://www.academia.edu/1416741/Cybersecurity_Vulnerabilities_Facing_IT_Managers_Today>
Simson L. Garfinkel 2012, Inside Risk: The Cybersecurity Risk, ACM, viewed 21 December 2012, <www.csl.sri.com/~neumann/cacm227.pdf>
International Telecommunication Union (ITU) 2009, Cybersecurity: The Role and Responsibilities of an Effective Regulator¸ ITU, viewed 22 December 2012 <http://www.itu.int/ITU-D/treg/Events/Seminars/GSR/GSR09/doc/GSR-background-paper-on-cybersecurity-2009.pdf>
Accenture 2010, Cyber security: An escalating global challenge for all organizations, Accenture, viewed 22 December 2012, <http://www.accenture.com/SiteCollectionDocuments/PDF/Cyber%20Security%20Email%20Final.pdf>
Internet Society 2012, Some Perspective on Cybersecurity 2012, Internet Society, view 22 December 2012, <http://www.internetsociety.org/sites/default/files/bp-deconstructing-cybersecurity-16nov-update.pdf>
Hentea, M. n.d., Information Security Management – OVERVIEW, SECURITY THREATS IMPACT, EMERGING SECURITY TECHNOLOGIES, SOLUTIONS, SEM MODEL REQUIREMENTS, CONCLUSION, Southwestern Oklahoma State University, USA, viewed 22 December 2012, <http://encyclopedia.jrank.org/articles/pages/6625/Information-Security-Management.html>