How the 'Wild West' of the In­ter­net will be won

For now, the in­ter­net is still the play­ground of en­gi­neers and en­trepreneurs. But they will have to yield to lawyers, com­pli­ance of­fi­cers and au­di­tors soon enough.

Financial Nigeria Magazine - - Contents - “How the 'Wild West' of the In­ter­net Will Be Won” is re­pub­lished un­der con­tent con­fed­er­a­tion be­tween Fi­nan­cial Nige­ria and Strat­for.

Na­tional de­fence is one of a govern­ment's core re­spon­si­bil­i­ties. The pur­suit tra­di­tion­ally has played out on land, over wa­ter and, since the 20th cen­tury, in air and space. But to­day, cy­berspace is emerg­ing as the lat­est theatre of na­tional de­fence as gov­ern­ments around the world take more of their crit­i­cal func­tions and day-to-day op­er­a­tions on­line. And the in­ter­net is such a re­cent phe­nom­e­non that, un­like the other the­atres of de­fence, it lacks in­ter­na­tional agree­ments and in­sti­tu­tions to gov­ern it.

At least for now. To ad­dress the pit­falls in the cur­rent reg­u­la­tory sys­tem (or lack thereof), New York State's Depart­ment of Fi­nan­cial Ser­vices will be­gin en­forc­ing a new set of cy­ber­se­cu­rity reg­u­la­tions from Aug. 28. Fi­nan­cial ser­vices firms in New York by that date will have had 180 days to bring their op­er­a­tions into com­pli­ance with the new measures, which first took ef­fect in March. The reg­u­la­tions are broad, re­quir­ing com­pa­nies to have a cy­ber­se­cu­rity pro­gramme with poli­cies on pro­tect­ing data, re­strict­ing ac­cess, main­tain­ing aware­ness of at­tacks and re­spond­ing to them – all things that re­quire a chief in­for­ma­tion se­cu­rity of­fi­cer to over­see their im­ple­men­ta­tion.

By adopt­ing the new rules, the State of New York has joined a grow­ing move­ment among gov­ern­men­tal en­ti­ties to start hold­ing com­pa­nies and pri­vate cit­i­zens more ac­count­able for their own cy­ber­se­cu­rity. The wave of reg­u­la­tion prom­ises to usher in a new era in the in­ter­net's de­vel­op­ment – and in the age-old de­bate over how far the govern­ment should go to ad­vance na­tional se­cu­rity in­ter­ests.

Stick­ing to the Rules

For bet­ter or worse, thou­sands of reg­u­la­tions at the fed­eral, state and lo­cal lev­els ex­ist to limit what com­mer­cial and pri­vate in­ter­ests can do. The U.S. govern­ment reg­u­lates ve­hi­cle spec­i­fi­ca­tions and pro­motes best prac­tices through the Na­tional High­way Traf­fic Safety Ad­min­is­tra­tion (NHTSA), while state gov­ern­ments set min­i­mum safety re­quire­ments for ve­hi­cles driv­ing on pub­lic roads. The Food and Drug Ad­min­is­tra­tion (FDA) ap­proves new drugs and med­i­cal de­vices. And the Se­cu­ri­ties and Ex­change Com­mis­sion (SEC) pun­ishes fi­nan­cial in­sti­tu­tions that do busi­ness with the United States' po­lit­i­cal en­e­mies.

In the realm of cy­berspace, how­ever, Wash­ing­ton has fewer reg­u­la­tory tools at

its dis­posal. Com­pa­nies such as Ver­i­zon and AT&T Inc. con­trol much of the in­fras­truc­ture that makes the in­ter­net pos­si­ble in the United States. Tech giants such as Ama­zon, Face­book and Google, own the cen­tres that store and share data. And firms such as Ap­ple Inc., Mi­crosoft Corp. and Len­ovo Group Ltd. pro­duce much of the phys­i­cal hard­ware that sup­ports net­works. So though the U.S. govern­ment owns and op­er­ates net­works and the hard­ware com­po­nents nec­es­sary to main­tain them, it is hardly the pre­dom­i­nant force in the field. Be­cause cy­berspace is so heav­ily di­ver­si­fied, more­over, its over­sight is dif­fuse. No sin­gle body is re­spon­si­ble for policing the in­ter­net in the same way that the Fed­eral Avi­a­tion Ad­min­is­tra­tion, Coast Guard, or Cus­toms and Bor­der Pro­tec­tion se­cure the air, sea and land.

That's not to say that the U.S. govern­ment isn't in­vested in cy­ber­se­cu­rity. The De­fence and Home­land Se­cu­rity de­part­ments have pri­or­i­tized shor­ing up govern­ment net­works against at­tacks, stay­ing on top of emerg­ing threats and de­vel­op­ing of­fen­sive ca­pa­bil­i­ties. Even so, Wash­ing­ton rec­og­nizes that it can't con­trol the in­ter­net as it does other the­atres of de­fence. To fill in the gaps, govern­ment agen­cies work with pri­vate com­pa­nies and in­di­vid­u­als to keep the grow­ing role of cy­berspace in nearly all as­pects of daily life from be­com­ing a crip­pling li­a­bil­ity.

Bet­ter Reg­u­late Than Never?

But their ef­forts have some­times fallen short in the ab­sence of reg­u­la­tory over­sight. In Oc­to­ber 2016, for ex­am­ple, a dis­trib­uted de­nial of ser­vice (DDoS) at­tack hi­jacked over 100,000 de­vices, rang­ing from digital video recorders to baby mon­i­tors, to try to in­ca­pac­i­tate Dyn Inc., which han­dles in­ter­net traf­fic for such com­pa­nies as Net­flix and Twit­ter. Most of the de­vices co-opted dur­ing the at­tack were poorly pro­tected be­cause their man­u­fac­tur­ers had ne­glected to pro­vide – or their users had dis­re­garded – ba­sic se­cu­rity fea­tures, in­clud­ing unique pass­word re­quire­ments and reg­u­lar soft­ware up­dates. With­out these safe­guards in place, the ag­gres­sors had lit­tle trou­ble mus­ter­ing their bot­net army.

Many of the com­pa­nies that man­u­fac­tured the hi­jacked de­vices re­sponded by re­call­ing the prod­ucts and bol­ster­ing se­cu­rity fea­tures. Still, their ac­tions may not be enough to stave off sim­i­lar cy­ber­at­tacks in the fu­ture. The Fed­eral Com­mu­ni­ca­tions Com­mis­sion, af­ter all, has yet to is­sue a reg­u­la­tion spec­i­fy­ing what fea­tures man­u­fac­tur­ers must in­clude to pre­vent in­trud­ers from gain­ing unau­tho­rized ac­cess to in­ter­net­ca­pable de­vices or how of­ten they must re­lease soft­ware up­dates. As thou­sands more "smart" ma­chines and ap­pli­ances come on­line each day, the in­ter­net of things will pose an even greater se­cu­rity risk, so long as its com­po­nent de­vices are vul­ner­a­ble.

To mit­i­gate the threat and firm up cy­ber­se­cu­rity prac­tices, gov­ern­men­tal en­ti­ties are adapt­ing their reg­u­la­tions and guide­lines. Law en­force­ment agen­cies are work­ing to build a body of case law to de­ter­mine the lim­its of ac­cept­able behaviour in cy­berspace, a field that lies within their ju­ris­dic­tion even if it's be­yond their con­trol. The U.S. leg­is­la­ture, mean­while, is draft­ing new laws and amend­ing ex­ist­ing statutes to ac­com­mo­date the rapidly chang­ing land­scape of the in­ter­net.

As com­put­ers pro­lif­er­ate and make their way into more and more con­sumer goods, the bu­reau­cracy in charge of cy­ber­se­cu­rity will grow in turn, at least in the United States. The coun­try, built as it was around the rule of law, tends to take a le­gal­is­tic ap­proach to is­sues like cy­ber­se­cu­rity. Na­tions such as China and Rus­sia, by con­trast, pre­fer a heav­ier hand to keep in­ter­net users in line with their po­lit­i­cal sys­tems.

At the same time, cy­berspace is in­creas­ingly en­croach­ing into ar­eas that are al­ready heav­ily reg­u­lated, such as the au­to­mo­tive, health care and fi­nan­cial sec­tors. In the wake of the DDoS at­tack in Oc­to­ber 2016, the NHTSA is­sued guid­ance en­cour­ag­ing car man­u­fac­tur­ers to pri­or­i­tize cy­ber­se­cu­rity in their ve­hi­cles and to es­tab­lish stan­dard cy­ber­se­cu­rity prac­tices. The more pas­sen­ger ve­hi­cles in­cor­po­rate com­put­ers into their ba­sic op­er­a­tions, the greater the op­por­tu­nity to ex­ploit weak­nesses in the tech­nol­ogy, per­haps to deadly ef­fect. (A car be­comes a much more dan­ger­ous weapon in a cy­ber­at­tack than, say, a DVR.)

In April, the FDA threat­ened to take ad­verse ac­tion against an un­named health care com­pany un­less the firm ad­dressed known vul­ner­a­bil­i­ties in its de­vices. The SEC, like­wise, fined a com­pany $1 mil­lion in 2016 af­ter one of its em­ploy­ees mis­han­dled cus­tomer data that a hacker then com­pro­mised. The hacker ap­pears to have stopped short of us­ing the data for crim­i­nal ends, but the SEC nev­er­the­less found the firm at fault for fail­ing to pre­vent the breach.

A Brave New World

The mount­ing le­gal prece­dents and thick­en­ing rule books seem to her­ald the end of the in­ter­net's free­wheel­ing era and the start of a new chap­ter. The tran­si­tion will bring ad­van­tages as well as dis­ad­van­tages. On the one hand, for­ti­fy­ing the United States' ecosys­tem of com­puter net­works will help pro­tect com­pa­nies and con­sumers against cy­ber­at­tacks that can lead to dev­as­tat­ing dis­rup­tions and fi­nan­cial loss. In­creased reg­u­la­tion, more­over, will help dis­tin­guish the re­spon­si­bil­i­ties of the state from those of a com­pany or in­di­vid­ual, thereby en­abling firms and cit­i­zens to fo­cus their re­sources ac­cord­ingly.

On the other hand, com­ply­ing with reg­u­la­tions is a costly en­deav­our and one that can sti­fle small com­pa­nies, such as the start-ups that drive in­no­va­tion in the tech sec­tor. Fur­ther­more, based on the SEC's and FDA's re­cent ac­tions, the threat of lit­i­ga­tion against com­pa­nies over in­for­ma­tion breaches ap­pears to be ris­ing; in time, a firm may even face charges if it is the vic­tim of a cy­ber­at­tack. And then there's the risk of com­pla­cency. Many com­pa­nies, par­tic­u­larly in the tech sec­tor, are wor­ried that work­ing within pre­scribed cy­ber­se­cu­rity reg­u­la­tions will blunt the com­pet­i­tive edge they cul­ti­vated dur­ing the law­less days of the early in­ter­net.

With each new at­tack that af­fects U.S. com­pa­nies and in­di­vid­u­als, how­ever, the calls for en­hanced cy­ber­se­cu­rity will grow louder. Reg­u­la­tors will re­spond by set­ting min­i­mum se­cu­rity re­quire­ments for the rapidly ex­pand­ing web of con­sumer prod­ucts with mi­crochips embed­ded in them. The cy­ber­se­cu­rity bu­reau­cracy will ma­ture, and as it does, it will start to look more like the other en­ti­ties tasked with en­sur­ing na­tional se­cu­rity. The United States will amass a stock­pile of cy­ber weapons, ramp up its in­tel­li­gence gath­er­ing and be­come more as­sertive in con­trol­ling con­flicts in cy­berspace. For now, the in­ter­net is still the play­ground of en­gi­neers and en­trepreneurs. But they will have to yield to lawyers, com­pli­ance of­fi­cers and au­di­tors soon enough.

Cloud com­put­ing fa­cil­i­ties

Newspapers in English

Newspapers from Nigeria

© PressReader. All rights reserved.