Kostyuk, EWI’s cybersecurity coordinator, argues in her piece that, “Domestic challenges that nations face in addressing cybersecurity in an effective and comprehensive manner include ambiguous legislation, recalcitrant officials and a lack of both fiscal and human capital.” 

Click here to read the full article: “International and Domestic Challenges to Comprehensive National Cybersecurity”

Photo credit: Mecanoeil

EWI's Professorial Fellow Greg Austin was the keynote speaker at the 2014 Canada-U.S. Cybersecurity Conference on February 28, 2014. Co-hosted by the Consulate General of Canada in New York and the Securities Industry and Financial Markets Association, the theme of this year's conference was Securing our Financial Infrastructure. Event discussions focused on the interconnected nature of governmental policy, economic competitiveness and cybersecurity. Austin also participated in a Cybersecurity Working Group. 

In his keynote speech–International Protection of Exchanges and Clearing Houses from Systemic Shock in Cyberspace–Austin stressed the need for the private sector and governments to work together in addressing threats to global financial infrastructure. He highlighted key issues and risks in cyber financial regulation.

Austin stated: "The [financial services] sector has been a consistent focus of attention at the EastWest Institute, from our earliest work on the reliability of underseas cables in 2009, to more recent work on priority international communications. Our interest in international protection of the financial services sector in cyberspace is directed at systemic threats, not enterprise-level threats. What threats are there in cyberspace that may cause a global economic shock and what can be done about them at the international level?"

In his remarks, Austin recommended a treaty to ensure absolute protection of designated exchanges and clearing houses in cyberspace, in the same way that states now commit to absolute protection of diplomats or embassies abroad. While admitting the idea may sound novel, Austin suggested that it is an innovation in keeping with today’s cyber Zeitgeist. More importantly, it offers an essential pathway to help secure a global economy wholly dependent on the functioning of information systems and networks that support currency, stock and derivatives trading, as well as clearing house operations. His proposal recognizes that data integrity is the new frontline of global economic security.

Read the full text of Austin's speech on EWI's Policy Innovation Unit blog. 

The EastWest Institute is calling for a new computing paradigm called Highly Secure Computing (HSC), in a new report, "Resetting the System: Why Highly Secure Computing Should be the Priority of Cybersecurity Policies." The EastWest Institute's goal is to make the world safer by addressing seemingly intractable problems that threaten regional and global stability. Current IT paradigms have "tolerated inherent structural security deficits of information technology for too long," according to authors Sandro Gayacken and Greg Austin. Traditional IT security and its social management are not up to the task of combating state-sponsored cyber-attacks, the EastWest Institute report says. The remedy is so-called passive security measures, regardless of who launched a cyber-attack. This "new ecology of cyber security" would result in less pressure on liberty and privacy in the name of political security, the authors claim. Instead, HSC espouses the concept of "deterrence by denial," which would render attribution of attacks irrelevant and reduce the need for surveillance and Internet control. They argue that HSC would therefore be a win-win strategy for both security and civil liberties. To read the full report, click here.  

_

Click here to view the slideshow.  

High Time to Act Against Information Catastrophe: Time to Strengthen Cyber Security

We need stronger cyber security to protect against massive consumer data breaches

If you are a leader in business or government, or even just a private citizen, there is an emerging phenomenon that you need to know more about. It’s called “information catastrophe.”

This is the event where the marvelous technologies of the cyber age combine with the actions of a person (accidental or malicious) to dump the larger share of your confidential database into the public domain, to criminals or to hostile governments.

It just happened in Korea, as announced this week. The event in question involved the theft and illegal sale of the credit card information of most of the country’s consumer population.

Don’t worry so much about identity theft, though that is happening. You need to be preparing for information catastrophe.

There are important defensive measures, such as reviewing security procedures, vetting your staff or associates better, or establishing strong relations with law enforcement or national intelligence agencies. Those approaches, however, are only band-aid solutions and temporary fixes.

Market pressure + policy failures = low security

The biggest source of the problem is the low-security character of the information systems and networks you are using.

A series of market pressures over half a century as well as regulatory policy failures have somehow convinced most of us to entrust our life savings of information and our inner-most feelings and secrets to data “banks” somewhere in the ether.

Only gradually are people becoming aware that these data banks are highly insecure and more regularly being breached in the bright glare of unwanted publicity.

The data banks comprise software and hardware products in which high vulnerability to attack has been tolerated as a trade-off for lower cost and more convenient accessibility.

When the initial choices for lower cost and lower security were made in many technical sub-fields decades ago, we did not quite foresee the combined effect of those choices.

A paradigm shift in cyber security

Now that we fear NSA can hack anything and anyone, and we know some other, more sinister governments are mining all of our personal information with malicious intent, it is time for us all to trade-up to “highly secure computing.”

In a recent paper released by the East West Institute, called “Resetting the System,” German researcher Sandro Gaycken and I make the case for this paradigm shift in cyber security.

We note that the U.S. Department of Homeland Security (DHS) has identified highly secure computing as one of the highest priorities for research in this field. U.S. scientists are reserving the right to legally develop NSA-resistant encryption.

And the Defense Advanced Research Projects Agency (DARPA), where key elements of Internet technology were developed, is now running new projects in highly secure computing.

We understand that term to mean information technology with security that is unlikely to be breached — except in unusual and rare circumstances (or at high cost and risk to the perpetrator).

Highly security computing is a gigantic investment

This is not some unachievable holy grail. As John Dobson and Brian Randell argued in 1986, while being critical of those who believed it possible to build totally secure systems, “highly secure computing” is a worthwhile goal for scientific research and public policy.

As the DHS’s research plan mentioned above has noted, the more highly secure technologies cannot be bolted on top of the existing ones.

By and large, a move to less vulnerable IT would require a gigantic initial investment by manufacturers and consumers. It could be more expensive to operate and perhaps less convenient and less functional. So consumers—firms and individuals—will not rush to adopt it voluntarily.

The roles of governments and the private sector

Typically, a market failure—where private markets do not provide goods or services needed by customers or do not provide them in adequate quantities at an affordable price—triggers the question of government intervention.

In most market economies, considerable care is taken to craft policies that address the national interest (or public interest) without unduly constraining innovation and competitiveness in the private sector.

But once a government chooses to intervene, the inevitable result—absent a complete course reversal by the private sector—must be some compromise with and by private sector interests. Just how this might play out in particular economies demands detailed study. The policy outcome would inevitably be imperfect.

At the very least, this cyber security dilemma probably demands a price signal of some sort by government and a transition plan with clear benchmarks and standards to provide for phasing out of low security equipment and software.

With or against markets: the EU and China

While this may seem anathema within a U.S. free market environment, the pace of change may be forced on the global market by the European Union or its individual member states with considerable influence.

China is definitely acting against the market, as we have known it. The Snowden leaks about NSA successes against it have led to decisions by the government to accelerate its indigenous cyber security efforts, including new design standards. China is also reviewing its exposure to commercially available products that fall into the low-security and highly vulnerable category.

Today, it seems like we are many years from a consistent effort by any government to adopt highly secure standards for its IT market.

But as the information catastrophes start to affect more and more politicians or significant national economic or security actors, the rush to new products will intensify.

As we move closer to adoption of cloud computing, where confidentiality expectations will be paramount, we can expect that to drive a more rapid move to maximum security in cyber space. The companies that judge this moment well may ride the crest of a new wave of IT wealth.