Thursday April 29, 2010
By Lt Col HUSIN JAZRI (Retired)
I HAVE been been involved in national defence and cybersecurity for many years, and I must say that one of the most important international hurdles that we must overcome together - sooner rather than later - is the inconsistency between what I call the "geographic limitation of sovereign national laws" and its inherent conflict with the borderless nature of the Internet.
The Internet as a whole is too important for the global community, as well as our own national society's well-being and progress, for us not to seek improved ways and means to effectively protect participants - call it an Internet governance agenda, if you will.
The issue is this: The usefulness and effectiveness of any country's legislation is bound by its geographic borders (unless specific inter-country treaties are signed) whereas nearly all of our online activities - social media, peer-to-peer networking, instant messaging, streaming content, even straightforward websurfing, and blog or content hosting - are clearly not.
And as for the career cybercriminals who are behind the online incidents of fraud and forgery, system intrusion, international espionage and hate-motivated international cyberincidents (even spam) - many of them are savvy enough to engage in cross border activities when they know that the so-called "long arm of the law" still isn't long enough yet to catch them.
Our current arrangement for conflict resolution in cyberspace, which is generally based on goodwill and a spirit of inter-agency co-operation between the various countries of the world, is still not sufficient and clearly is wanting in many respects.
This is because the way we operate it now is at odds with the realities of information and communications technology: Our laws are formulated to conform within geographic borders thus we cannot expect to get our way forcing that square peg (border-limited preventive measures) into a round hole (borderless world).
There are many cyberincidents that remain pending because the cross-border nature of the Internet does not lend itself to legislation, particularly those that involve multiple sovereign nations (cybercrime frequently involves not one but multiple transiting countries).
No phishing
Identity theft incidents (like phishing sites targeting local banks) are good examples. In many instances, criminals targeting customers of local financial institutions will host their phishing sites abroad. Indeed, 99% of phishing sites targeting Malaysian financial institutions are hosted outside the country.
This essentially leads to two things in their "favour." The first one is delay of the takedown or removal of the phishing sites due to different time zones and other physical-geographic reasons (language too, sometimes).
Secondly, efforts to obtain information such as log files or contents on the server for investigation purposes are also delayed due to differences in legal provisions. The cybercriminals know this and they have been exploiting the loophole for a long time.
Aside from the geographic limitation of laws, another equally important issue is the difference in cultural interpretation of security versus privacy.
In the West for example, personal privacy is revered, thus any manner of disclosure without the express permission of the information owner is frowned upon. Even the idea of national identification that would make it easier to track citizens is treated with suspicion. However, after 9/11, the balance between security and privacy has probably permanently shifted.
To move forward, I believe there is a pressing need for more formalised international diplomacy channels for cyberspace conflict resolution. Many informed experts have advocated a heightened level of international diplomacy as a way to get each of us to understand our differing points of view; and I am in full agreement.
Personally, I hope to see arbitration at the highest global stage, perhaps at the United Nations level. I envision the UN-like resolution concept to be instituted among member nations - something that would not require anything beyond what has already been physically instituted at many national levels in terms of a national agency.
The arbitration committee can take into account all cyberspace issues and conflicts escalated upward by member national agencies and speed up the execution to resolve issues.
I do not say this lightly because we do not now have a mechanism of redress for even a simple issue, say a woman who wants to address the presence of her photo that showed up on the Web without her permission.
While we all welcome freedom of expression and information on the Internet, I am sure we agree that freedom without responsibility is wrong.
Lt Col Husin Jazri is chief executive officer of CyberSecurity Malaysia, the national cybersecurity specialist under the Ministry of Science, Technology and Innovation.
source: http://techcentral.my/columns/industryviews/story.aspx?file=/2010/4/29/it_col_industryviews/20100429165243&sec=IT_Columns_IndustryViews
No comments:
Post a Comment