UK cyber-security expert joins international calls for online regulation
By Benjamin Fox
UK cyber security advisor Pauline Neville-Jones has joined calls by experts for governments to beef up their cyber security networks.
In a speech to the Global Strategy Forum, the former defence minister described the UK’s cyber security base as “wholly inadequate”, adding that governments needed to increase public and business awareness of cyber threats.
“There is a vast swathe of corporates who have valuable intellectual property, much more valuable than they understand, which is inadequately protected”, she said, adding that “level of awareness is nothing like it needs to be”.
Dame Neville-Jones’s speech follows last week’s publication of “Cyber-security: the vexed question of global rules” by Brussels think-tank Security and Defence Agenda (SDA), which features “country-by-country stress tests” on 23 major countries, as well as the United Nations, NATO and the EU, based on a methodology devised by former US Defence official Robert Lentz.
Echoing the views of Dame Neville-Jones, Evangelos Ouzounis, expert at ENISA, the European agency responsible for information security, also called for the creation of a ‘pan-European curriculum for cyber-security’. “There’s a big gap between what the market needs and what universities produce… most universities don’t produce cyber-security professionals but computer scientists with little specialisation in security”, he said.
The report’s authors, who include senior NATO official Jamie Shea, say that Israel, Finland and Sweden are among the countries most capable of withstanding cyber-attacks on their computer networks.
Despite this, against the backdrop of fragmented regulatory standards, cyber experts spoke of the need for common rules to regulate online information flows amidst concerns that the world has embarked on an unregulated data revolution.
Phyllis Schneck of web security firm McAfee said that industry needed to “destroy the profit element (of cyber crime) by improving control over malicious instructions”.
“Swimming pools have chemical filters. Networks and computers need intelligence filters”, she added.
A popular demand of experts was for an international agreement making countries responsible for their own sovereign cyber-space and for blocking infected computers in their jurisdiction from the Internet.
According to Lars Nicander, Director of Cyber-Security at the Swedish National Defence College, Israel, China and Russia are “the most consistently offensive countries” in cyber-attacks. Indeed, many of the 250 senior security practitioners surveyed called on Western governments to seek a multi-lateral cyber security policy with China and Russia, with BP Director John Meakin saying “by incentivising these countries to gradually change, we may gradually reduce the number of attacks.”
However, there is little scope for international regulation. Indeed, although some, including Hamadoun Toure, Secretary General of the UN’s International Telecommunications Union, want to agree a ‘cyber peace treaty’, the SDA report states that “there is little agreement between experts and national authorities on terminology, and without that the prospects for regulating cyber-space are poor.”
Policy on cyber-security is currently handled by Member States, although the EU institutions are working on an inter-institutional cyber emergency response unit. Last November the EU held its first joint cyber exercise with the US and this year will see Member States produce their first annual reports to ENISA on cyber security incidents.
According to Freddy Dezure, who heads up the fledgling unit, the intention is not to create extra regulation but to “become the glue, the catalyst to initiate new systems and foster information exchange.”
However, while worldwide agreement seems unlikely, the Commission wants to address the disparity in online security between Member States. In its e-commerce communication last month, the Commission promised to outline an internet security strategy to increase protection against cyber attacks in 2012.