The audience at a panel discussing challenges and opportunities from a global IT security perspective Wednesday at the IT Security Entrepreneurs’ Forum was nodding off until question time, when Jody Westby blasted the panelists.
She accused them of not sticking to the topic and suggested they focus more on the issues.
“The issue is a legal one,” Westby said. “We need to stop talking at the 10,000-foot level about private/public partnerships or you gentlemen will be up there [on the stage] for the next few years.”
The panel, moderated by CSO Magazine publisher Bob Bragdon, was held at Stanford University.
Panel members were Sumit Agarwal from the United States Department of Defense (DoD); Adam Hatfield from Canada’s National Cybersecurity Directorate, and Kjetil Nilsen of Norway’s National Security Authority.
The Security Waffle Factor
The 50 or so members of the audience seemed unimpressed as the panelists droned on, mainly about private/public sector cooperation.
The DoD’s Agarwal essentially said nothing in a lot of words. One example is his answer when moderator Bragdon asked whether the level of cooperation that’s needed between the two sectors can be achieved.
“There are things on which there’s a large amount of consensus; there are things on which they’re not all aligned,” Agarwal replied. “The biggest challenge, I think, is in getting comfortable with the inevitable failure, the inevitable breach; understanding that the value of that sharing outweighs the risk of a breach, as long as that benefit we accrue by sharing is larger than the risk we incur by sharing.”
It would probably be fair to say that those involved in IT security in both the private and public sectors would have spent considerable time mulling over this point.
In response to a question from Bragdon about what other policies nations need, Norway’s Nilsen talked about the need for inclusion and trust.
“I think it’s important to make the private sector feel included,” Nilsen said. “To do that we need to establish mutual trust. There must be some incentives for private business to cooperate with government.”
Canada’s Hatfield provided more of the same in his response.
“From a philosophical perspective, the government must be willing to do things together with the private sector, be willing to offer more transparency, but not pull out the heavy hammers of regulation.”
The same philosophy was espoused back in 2008 when the Center for Strategic and International Studies, a bipartisan think tank, called on the then-incoming Obama administration to work closely with the private sector in securing cyberspace. Nothing new here, move on.
Cybercrime and Punishment
Here’s Canada’s Hatfield in response to a question by Bragdon about the definition of cybercrime: “Crime means something specific to government. It means you send someone to arrest someone for doing something.”
Cybersecurity, on the other hand, requires a lot of cooperation between governments as to what to do and governments need to be “extremely clear” as to what they are trying to do when they cooperate, Hatfield added.
After waffling about cooperation being the sharing of information and best practices in response to the question about defining cybercrime, Nilsen said all cooperation requires trust. “The matter of trust is very, very important,” he stated. “I think this may be our largest challenge in the upcoming years,” he added.
“There is no entity anymore that is only an adversary or only an ally,” the DoD’s Agarwal remarked. “There is no clear demarcation on who’s an adversary on the international level in the standards area.”
Yes, that certainly defines cybercrime clearly.
Round and Round We Go
Why the need to define cybercrime at all?
“People have been talking about what cybercrime is for the past 10 years,” Global Cyber Risk CEO Westby huffed. “I tell everybody not to spend 10 years arguing about a definition of cybercrime.”
Several bodies have been set up to facilitate international cooperation for crackdowns on cybercrime, she told TechNewsWorld.
One such body is the Council of Europe Convention on Cybercrime, set up in 2001. This body has 46 signatories, but only 30 have ratified the convention, Westby remarked.
Another body is the G8 High-Tech Crime 24-Hour Point-of-Contact Network, set up in 1997, Westby said. This organization has 50 member states.
The real difficulty in fighting cybercrime across national borders hinges on the law.
For one thing, different countries have different laws, so what may constitute a cybercrime in one nation may be perfectly legal in another, Westby said.
Also, different countries have different interpretations of laws, she added.
Further, not all countries are tackling the cybercrime issue.
“There are many countries that don’t even have cybercrime laws,” Westby stated.
That makes it difficult to pursue criminals across national borders in those countries because “law enforcement agencies can’t even talk to each other,” Westby remarked.