London Cyber Conference ends, but what next?

 
Business Continuity Forum opinion
London Cyber Conference
2011 
 
 
Over two days the London Cyber Conference 2011 delivered a truly international focal point to examine how our digital world is developing and share what needs to be done to keep the benefits, but remove some of the risks.  
 
With over 700 people from 60 countries there really was a global presence and the issues discussed in the plenary and private sessions clearly communicated the breadth of the challenges being faced in cyberspace.
 
One of the most compelling figures shared stated that the Internet has had an impact on our societies in just 15 years that it took the Industrial Revolution nearly 50 to match and this impact was global and not nested in the more industrialised nations making the effect even more amazing.         
 
For those working in the Business Continuity, Security and Risk fields the principle discussions centred on the need to do 'something' urgently to increase the measures that protect us from both Cyber Crime and even Cyber Warfare.
 
A constant stream of speakers built on the need for improvements in on-line security and the need for government and industry to work more closely together to tackle this 'Tier One Risk' as the UK's National Risk Register describes it.      
 
Conference Chairman, the UK Foreign Secretary William Hague, in closing the Conference summed the general consensus in this area as follows:

"the debate noted prevention as being central to tackling cyber crime. There was general agreement that all sectors - private companies and individuals as well as governments and law enforcement agencies – have responsibilities in preventing cyber crime."
 
 
He built on this theme by adding that: 
 
"Delegates thought government and industry had a shared responsibility to do more to prevent cyber crime, in industry’s case for example through more secure devices, systems and services."  
 
"Industry must be a part of the solution on prevention. " 
 
"There was general support for the view that the public and businesses should get more help to able to identify easily products that have good security.  Delegates encouraged the private sector to lead development of improved Internet security products, systems, services and standards in cyberspace, and to make the market easier to navigate for consumers."
 
One of the principle themes that was repeated through the conference and reiterated in the final address was the need for International Law, particularly the Budapest Convention to which more countries were encouraged to sign up to, to be applied more consistently. Neither Russia or China are currently signatories to the Convention and are often cited as the source of much of the criminal activity seen across the Net. (It is interesting to note that the UK though only ratified its commitment in May of 2011, some 10 years after it was introduced and just four months before the conference)
 
For Security, IT, Business Continuity and Risk professionals probably the most significant strand of opinion related to the phrase 'norming' that was heard in many of the sessions with William Haig even referring to it in the closing speech saying: 
 
"There was strong support for the recommendations of the 2010 UN Group of Government Experts on further dialogue among states to discuss norms pertaining to state use of information and communication technologies to reduce collective risk and protect critical national and international infrastructure."
 
Interesting choice of phrase 'norming', but what does it actually mean?  Well in my dictionary 'norm' means something that is "a principle of right action binding on members of a group and serving to guide, control or regulate, or indeed an authoritative standard". 
 
If we look at the way organisations approach Cyber threats internationally it certainly isn't consistent, typical or standard. A more appropriate description might be patchy, incomplete, or even rarely considered in any depth! 
 
But why is this? Why is it just so difficult to address these problems?
 
Well in my opinion its because the perceived risk for many years was not that great or significant in the culture of organisations and as a result government and industry were more than a little complacent. The approach taken was that we can always retrospectively issue a patch to fix something and that this was good enough. The realisation is forming though that this really isn't good enough anymore and that much more thought and effort needs to go into ensuring that systems and process are secure from the start and then kept that way.
 
Now this isn't as straightforward as it may sound as vulnerabilities abound in cyberspace arising from a higgledy-piggledy approach over the past 20 or so years and any chink in the armour can leave just enough of a gap for a bit of malicious code to wriggle through. This can be illustrated by the use of Word Documents recently to introduce a backdoor trojan to specifically hack into companies in the chemical and defence sectors. Symantec reports that at least 40 companies were targeted for this very focused form of Intellectual Property theft.  
 
Weak links in the protection measures often extend outside of the organisation to partners and suppliers systems, though human factors and to the infrastructure underpinning the digital world and this extends the 'interest group' vastly and complicating tremendously any individual attempt to get truly effective measures in place cost effectively. For many the task looked a bit like trying to eat the elephant except that no-one really had the appetite for it or the motivation to decide where to take the first mouthful from.
 
I think here we are homing in on main point for our sector and its a simple one.
 
It shouldn't (and can't) be down to individuals or companies to work in isolation to try and address the security issues and then take the blame for failures. What is urgently needed is a top down approach where EVERYONE from the manufacturers of hardware, the developers of software and the providers of infrastructure all step up and take the responsibility to develop the connected security and resilience we now all need.
 
There has been a laissez faire attitude by many to the issues and these have resulted in the rather deep rooted set of problems mentioned with each affecting the resilience and security of the whole.
 
By trying to create international focus and momentum, and fostering an environment of cooperation, to address these issues the London Conference has been very useful, but as many of the delegates have said it is "what happens next" that really matters.
 
I have already mentioned the phrase 'norming' being repeatedly used and vaguely connected it to standards, but developing some real standards in this area is something that can be done pretty quickly and, dare I say it, simply. By producing a formalised 'norm' i.e. a Standard for CyberRisk we'd be making a big step forward in a very practical way that could help drive and importantly motivate cooperation between sectors and companies to address the problem ... So the question then emerges from all this talk of 'norming' can we create a Standard to help the management of Cyber Risk? Well, the answer is of course we could!
 
The complexity of the field would pose some issues, but through the use of a management standard the required agility and reference points could all be built in and a clearer roadmap could be built that would, over time, help address and reduce the risks posed.
 
In addition, by creating a proper standard the various interest groups from the public and private sectors could be brought together to share expertise and perhaps even sign up to some core principles that would underpin the development of a more secure and safe cyberspace. It would also bring some clarity and additional support for other existing standards in IT, Business Continuity and Risk Management that should be included in the process. This to me is all good!
 
If a standard were produced it would be a major first step in shifting the debate from the largely theoretical position, where it is acknowledged by most that more has to be done (amidst much wringing of hands and fevered brows), to a more practical one where connected measures are being developed to encourage more consistency and cooperation in practical ways that diminish the threat over time. 
 
We have to be reasonable in our expectations though and expect a far amount of criticism as many do not like standards, especially where there is a risk it'll cost them money, but what is the alternative? Are we to continue to build the digital economy of the world on an infrastructure that has insufficient and inadequate security? That is just akin to leaving your money under the mattress and that might be fine for you, but don't expect me to be putting mine there too!  
 
Finally, a lot of the conference was focussed on the unique and empowering benefits the Net and cyberspace brings to the world. We are seeing a global transformation underway that reaches out to potentially every person on the planet.
 
A few years ago I saw a lot of T-shirts printed with the phrase "nobody trusts the Web, but the spider", its not quite as bad as that, but lets face it all of the education, social, health and economic benefits that can be envisioned require proper security and resilience to realise the potential before us. We absolutely must start to more effectively build the systems, infrastructure and processes that will enable us all to trust the Web and bring all the opportunities the web presents together without many of risks that we have left unaddressed for so long.
 
Editor
Continuity Forum 
 
Please feel free to email your thoughts on this article by clicking here