At the beginning of this month, President Barack Obama received the final report from the commission he established to assess the state of digital security and its impact on the country’s internet economy. The 12-strong team’s report reviewed a vast range of topics impacted by cybersecurity, from governance to critical infrastructure, public awareness, and the state of America’s cybersecurity workforce.
It also devoted considerable space to security around the Internet of Things — the notion that hundreds of millions of new non-computing and non-communication devices, ranging from sensors to consumer appliances, will be connected to the internet each year.
Ironically, the report won’t be much of a resource for the current, pro-Internet president. It remains to be seen whether president-elect Donald Trump will see it as a resource at all, despite the fact many of the Commission on Enhancing National Cybersecurity’s recommendations were purposefully addressed for the attention of the incoming administration.
Given the broad nature of its remit, most recommendations focused on ways to employ cybersecurity processes and frameworks to help America’s digital economy remain robust and globally dominant, and as a result are often high level to the point of being stratospheric. At the same time, recommendations included establishing provisions for training 100,000 cybersecurity “practitioners” over the coming four years, and for issuing security labels for IoT devices along the lines of the voluntary nutrition information labels plastered on every item in the grocery stores.
Yet the report makes little mention of specific acts to increase cybersecurity internationally, beyond setting up a global cybersecurity ambassador, and working with “like-minded” nations to establish peace-time security norms. This adds another layer of irony, given that cyber-threats from other nations were a specific catalyst for setting up the commission, and concerns about cyber-malfeasance originating from China, Russia and elsewhere is increasingly shaping the political rhetoric and legislation in the US: the House of Representatives included a specific measure to counter Russian cyber-attacks in the 2017 Intelligence Authorization Act; and then there was the CIA’s little bombshell about Moscow’s meddling in the US elections.
“The notion of millions of sticky labels slapped on Internet-enabled cameras and toasters does not immediately conjure a notion of cybersecurity best practice, but it is a solid attempt to direct policy-makers to the incursion threat posed by billions of independent devices”
Despite its ocean-boiling efforts, there are several notable aspects of the commission’s report that should inspire, if not compel, cyber-bureaucrats across Asia to provide better guidance for their own digital economies. These include a rigorous set of standards for updating authentication procedures, and the aforementioned focus on creating a security framework for IoT. While the notion of millions of sticky labels with densely worded warnings slapped on Internet-enabled cameras and toasters does not immediately conjure a notion of cybersecurity best practice, it is at least a solid attempt to direct the attention of policy-makers to the incursion threat that millions (and soon to be billions) of independent devices will create.
Unfortunately, much of Asia’s recent attempts at cyber-legislation are more along the lines of the House’s recent anti-Russia ruling: serving political aims through policy aimed at defending against cyber-miscreants, rather than securing the underlying infrastructure and networks themselves. Worse still, most of the threats countries such as Indonesia and Thailand are seeking to combat through legislation are internal, not external, raising concerns about growing infringement of digital freedom.
Indonesia recently amended a law to include a “right to be forgotten” provision, giving citizens the right to petition internet companies to remove supposedly defamatory material. Many see this as serving the interests of powerful elites who are keen to evade any historical reckoning over past misdemeanours. In Thailand, where online rights have been whittled since a military coup in 2014, the Computer Crime Act may be amended and a new cybersecurity law enacted. Both of these could greatly expand the state’s ability to access personal internet data and restrict online content, all in the name of “cybersecurity.”
Slapping labels on IoT sensors may seem a busywork task, but it at least focuses policy work on real and substantive threats posed by the internet. Asian policy-makers should set their cybersecurity sights higher and broader, and not conflate control with security.
I attended a talk by a cyber security consultant recently. He noted that every company needed at least 5 cyber security roles including analyst, network security, endpoint security, etc.
The problem with this recommendation is that – even excluding issues like skills availability and retention – the cost of even a minimal program would be far too much for any company under say 200 or 500 employees (and insanely profitable).
Basic criminology dictates that skilled criminals generally arise from a population of unskilled criminals. Expertise rarely emerges spontaneously from nothing – the experiential process of success and unsuccessful crime is the most common path of criminal expertise building (much like any other skill set).
So long as there remain millions and tens of millions of vulnerable individuals and small businesses due to pure economic factors, it seems unlikely that sweeping government mandates will help much.