Cyber security: public problem, private answers
11.10.11 @ 18:13
Each day the number of cyber attacks against individuals, corporations and government entities grow. As the profile of attackers rises above the nerd in a garage pay grade, the attacks become more vicious, pervasive and money/power oriented.
Policy makers everywhere are looking for viable structures to defend their people and economies.
In Europe we are seeing a network of "Computer emergency response teams" being set up with pan-European exercises taking place. This comes hot on the heels of US President Barack Obama’s national cyber security strategy. Both sides of the pond are engaged in a dialogue politically - via the EU-US working group on cyber security and cyber crime (May 2011) and militarily, with Nato putting in place its own cyber army to ensure the 2007 attacks on Estonia do not happen elsewhere.
So far, the cornerstones are there but the walls have yet to come up. Safe to assume that all of this will cost millions to taxpayers.
Let’s pause here for a moment and consider a few recent appointments in the US. In 2009 US homeland security advisory council appoints Jeff Moss, founder of the Black Hat and Def Con hacker and security conferences. In 2010, the Federal Trade Commission appoints Ed Felton as its first chief technologist. And earlier this year, the Internet Corporation for Assigned Names and Numbers (Icann) appoints ex-hacker Jeff Moss as chief security officer.
The appointment of hackers to these posts makes sense. If you want to avoid a robbery, a professional robber is perhaps your best counsel. Franklin Roosevelt had already put this lesson to good use when appointing wheel-dealer Joe Kennedy (JFK's father) as first Chairman of the Securities and Exchange Commission. Joe Kennedy knew how to play the system and used his knowledge to make it (until recently) one of the most respected bodies in the US. He was the perfect choice. Can we say the same of the military and public administrations when it comes to cyber security?
If we need help, we can’t turn our backs on tech entrepreneurs. Many small and medium-sized enterprises (SMEs) are developing the next generation of cyber security solutions and Europe may lose out by enacting cyber security-related regulation that may hinder the kind of innovation we need to protect ourselves.
Hacking techniques continually evolve. New worms, malware, phishing techniques and predatory programmes are born every day. Only those at the forefront of innovation can keep pace. Europe has to give itself the means to fight this new intangible enemy and to do so, it must use its best suited troops: those that are developing the next generation of cyber security solutions, innovative SMEs.
This is a great chance for the EU to leverage this brain power whilst at the same time investing in its SME network. The cyber issue should be approached like a threat to the commons – man-made in its origin and man-dependent on its resolution. Public responses to climate change have wielded growth in many industries such as the creation of a massive solar industry in Germany, largely supported by a string of innovative SMEs.
We need to think about cyber security in that way. While public money is indispensable to boost and coordinate a new agile and effective security solutions industry, the responsibility for developing these solutions should lie in the hands of those that are closest to the problem. As such, the EU should consider giving a wider role to SMEs in terms of research and implementation.
The EU has already taken some good steps by putting in place a number of research credits towards resilience and security programmes. To make sure this turns into a virtuous economic cycle, EU policy recommendations on cyber security should start incorporating SMEs in day-to-day activities in order to tap into their knowledge base and fuel what may become the blue fields of a rich and versatile EU economy.
The writer is the head of the Association for Competitive Technology, a Brussels-based non-profit association focusing on the interests of small and mid-size entrepreneurial technology companies.