RSNZ: 17 November 2005

Managing Internet Risk in a Scale-Free World

John S. Quarterman, InternetPerils, Inc.
Wellington, New Zealand, 17 November 2005
Abstract

Traditional Internet technical security is good and necessary, but no longer sufficient. Attacks from outside the firewall used to be by bored script kiddies trying to impress their teenage friends. No longer. A few years ago, perpetrators discovered there is money in it. Nowadays bot herders get root on zombies so they can sell them to spammers, phishers, and pharmers, who may be anyone from the Russian Mafia to individual entrepreneurial criminals paying the mortgage. Crimes of negligence are on the rise; the record so far in 2005 for disclosing personal identities is 40,000,000 by a single organization.

Meanwhile, reputable researchers estimate $50 billion USD in economic damages is possible from a single worst-case worm, and some big-company CEOs think they face $100 billion of risk worldwide. Widespread worms, power outages, congestion, meteorological hurricanes: all of these can act as force majeure events that affect many organizations at once.

Fortunately, there are solutions beyond technical security, starting with backups, redundancy, and diversity. Further solutions include financial risk transfer instruments. Every public building has some sort of fire control mechanism, such as a sprinkler system, because insurers require it for fire insurance. Internet business continuity insurance is already available, and will improve over time. Catastrophe bonds are widely used for retrocessional coverage (which insures the reinsurance that insures insurers) of hurricanes, earthquakes, and wildfires, and can be adapted to Internet insurance to handle the problem of aggregation, as in the case of a worst-case worm. Performance bonds are used by electric utilities to cover brownouts, and can be adapted to ISPs for SLAs. All of these financial risk transfer instruments will involve requirements for more use of technical security. Reputation systems can also help.
Organizations such as the Anti-Phishing Working Group (APWG) publish statistics on phishing and pharming and related exploits. This can go further. Governments are getting into the act. Compliance laws such as SOX, GLBA, HIPAA, DPD, and PIPEDA may help, but seem to me to address the symptoms, not the causes. The banking industry's Basel II is also detailed, but seems to address the underlying problem of corporate culture and ethics perhaps somewhat better. Standards such as the U.S. NIST's FISMA and ISO 17799 also help. Legal solutions are preferable to what happened to the biggest spammer in Russia. In the U.S., some high-profile spammers have been convicted recently; this may provide some deterrence.

In sum, aggregate damage requires collective action. Building higher forts around individual organizations is no longer sufficient. Cooperation in information and action is also required.

Slides

Last changed: 2006/06/23 01:24:14