Building a Secure European Business Community


Transcript of Building a Secure European Business Community

1

Building a Secure European Business Community

Nicklas Lundblad, Stockholm Chamber of Commerce

Agenda

• Chambers of Commerce in the EU – a background
• Policy: New legal challenges
• Networks: Informal learning for security
• Services: The idea of a trusted third party
• Some future challenges

Eurochambres

2

Members

Chambers of Commerce in EU

• Eurochambres – founded 1958
• Members are national associations of Chambers of Commerce.
• 43 such national associations are members as of 2004 (enlargement +).
• Information Society Taskforce under vice president Peter Egardt.

A European Market?

Have any breaches of your information security occurred in your establishment in the last 12 months?

3

A European Market?

Which of the following types of information security breaches have occurred in your establishment in the last 12 months? (Source: SIBIS 2003)

A European Market?

How important are the following factors as barriers to effective information security?

A European Market?

• Where do you believe these breaches mainly came from?

4

A European Market?

Which of the following tools do you use for information security in your establishment?

A European Market?

ICT Use

Many European Markets!

Countries / Sectors

5

Basic question

How can Chambers of Commerce help build a secure European business community?

Basic Answer

• By doing what Chambers of Commerce have always done: policy work, establishing and maintaining networks, and offering services based on the position of a trusted third party.

Policy Work

Striking a balance between trust, security and cost.

6

Current policy agenda

• Information requirements
• Codes of Conduct
• Security requirements in e-invoicing
• Data retention
• Privacy and Radio Frequency Identifiers (RFID)
• Digital Rights Management (DRM)
• Security in e-government

Policy: Information Requirements

• Article 5 of Directive 2000/31/EC
– Name, geographic address, e-mail, trade registration number, authorisation (if applicable), VAT numbers et cetera must be given.
• One-stop-shop identity theft.
• Information storm.

Policy: Internet Trading Platforms

7

Policy: E-invoicing

• Security requirements and implementation
– Electronic signatures? Qualified? Advanced?
– Other similar security measures?
• The harmonisation effect?
– Legislation as transaction cost
• Standardisation – the answer?

Policy: Data Retention

• ”The framework document, proposed in April last year by the UK, will require communications service providers to keep user data for a minimum of a year, and possibly indefinitely. Service providers have long been concerned about how much it will cost them to comply with the stringent requirements on keeping and storing data.” (The Register, 12th of April 2005)

Data Retention and Security

• Leaks are inevitable
• Costs will be rolled over to customers
• Privacy issues for both organizations and individuals

8

Policy: Privacy and RFID

Policy: Digital Rights Management

Policy: Security in E-government

• The Swedish example
– ”The Government Interoperability Board was established in January 2004 with the mandate to establish common standards and guidelines for electronic information exchange within government.”
– Government-wide, mandatory implementation of a dialect of the security standard ISO 17799 (OffLIS)

9

Establish & Maintain Networks

Local, national and international networks help share knowledge and educate users.

Establish & Maintain Networks

Services: The Idea of a Trusted Third Party

Chambers have always acted as Trusted Third Parties. How do we extend this service in the information economy?

10

Online Confidence

ChamberPass

ChamberSign

11

CS: Electronic Evidence

CS: Electronic Insurance Inspection

CS: Electronic Procurement

12

CS: Electronic Procurement

CS: Electronic Source Code Deposition

Mathematics of Trusted Third Parties

• The formulas:
– Cost (risk management) + Cost (operations) >= Income (Services)
– Cost (operations) = Cost (daily operations) + Cost (establishing trust)
– Alternative investment for customers? In their own trademark!
– In summary: TTP services will sell if the calculated profit from using them exceeds the calculated profit from investing in charging one’s own trademark with trust!
– Chambers have been providing trust for more than a hundred years in most markets.

13

Future Challenges

• Think tank activities & Member concerns
• 5 future challenges that seem to matter for businesses

Challenge 1

How do we balance security and usability?

Usability and security

• ”Users are the greatest security problem”
• Passwords for chocolate
• What is a good tool?
• What is a secure tool?

14

Ron Rivest’s dilemma

Usability / Security

Research

• "Moving from the design of usable security technologies to the design of useful secure applications" D. K. Smetters & R. E. Grinter (2002)
– ”We take the more extreme position that the environment in which security technology is deployed is undergoing radical change, and that change is such that current usability problems are only going to get rapidly worse. We argue that attempting to "add on" usability to existing security technology is no more likely to be successful than attempts to "add on" security to existing software systems designed without it, and that new security technologies need to be designed from the ground up with the user foremost in mind.”

Challenge 2

How do we build security in fragmented environments?

15

Web Services…

Outsourcing…

”Colonizing technologies”

16

Three kinds of fragmentarisation

• Architecture falls apart
– Component based development & web services…
• Production is becoming more and more fragmented
– Outsourcing
• Information systems are fragmenting
– Social control over information flows is lapsing (blogs)

Research

• "WWW applications: Security in the Web Services Framework" Chen Li, Claus Pahl
• WS Security – working group
• "Impact of offshore outsourcing on CS/IS curricula" Ernest Ferguson
• "Information systems outsourcing: a survey and analysis of the literature" Jens Dibbern, Tim Goles, Rudy Hirschheim, Bandula Jayatilaka

Challenge 3

How do we learn more about attackers?

17

In the mind of the attacker

Onel de Guzman

• Onel De Guzman: I am not a hacker; I am a programmer.
• CNN Host: Question from: [There] What do you think a virus writer's motivation is?
• Onel De Guzman: They want to learn. They want to be creative.

Honey Nets

A Honeynet is nothing more than one type of honeypot. Specifically, it is a high-interaction honeypot designed primarily for research, to gather information on the enemy.

Attackers

• Usual suspects
– Employees
– Former employees
– Hackers
• Serious hackers
• Script Kiddies
• New suspects
– Governments?

18

The Surveillance Aircraft incident

The Iraq war?

• mi2g has noticed a pattern pertaining to politically motivated digital attacks and the mounting threat of war, as research indicates a rise in attacks against the UK and Italy and a decline against France. The UK has risen from the 8th most attacked country worldwide in February 2002 to the rank of 2nd one year later, and Italy has moved up from the 14th position to 4th, while France's ranking plunged from 4th to 16th. Furthermore, the verifiable and successful digital attacks against the U.S. remain at an all time high of 43,802 with the UK at 7,516, Italy at 4,945 and France at 2,920.

Research

• "Design of network security projects using honeypots" Karthik Sadasivam, Banuprasad Samudrala, T. Andrew Yang
– Honeypots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. Using honeypots provides a cost-effective solution to increase the security posture of an organization. Even though it is not a panacea for security breaches, it is useful as a tool for network forensics and intrusion detection.
– In this paper, we advocate the use of honeypots as an effective educational tool to study issues in network security.
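The two honeypot passages above (the Honeynet definition and the Sadasivam et al. abstract) describe the defensive value of a decoy: it has no legitimate users, so every contact it records is both an alert and a forensic trail. The following is an added illustration written for this transcript, not code from the talk or from the cited paper. It parses constructed decoy connection records (timestamp, source address, destination port, first bytes sent) and produces a per-source report and alert lines; the log format, field names and the scan threshold are assumptions made for the example.

```python
"""Minimal honeypot log triage (added example, not from the talk).

A decoy carries no production traffic, so each recorded contact is a
high-fidelity alert. The point of keeping the records is what they tell
a defender about the visitor: which ports were touched, how quickly, and
what was sent. The log lines below are constructed sample data in an
assumed format: ISO timestamp, source address, destination port, first
bytes of payload ("-" when nothing was sent).
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """\
2005-04-12T09:00:01 203.0.113.7 22 SSH-2.0-libssh
2005-04-12T09:00:02 203.0.113.7 23 -
2005-04-12T09:00:02 203.0.113.7 80 GET / HTTP/1.0
2005-04-12T09:00:03 203.0.113.7 445 -
2005-04-12T09:00:03 203.0.113.7 3389 -
2005-04-12T09:00:04 203.0.113.7 1433 -
2005-04-12T09:15:00 198.51.100.9 80 GET /admin HTTP/1.1
2005-04-12T09:15:07 198.51.100.9 80 GET /admin HTTP/1.1
"""


@dataclass
class Event:
    ts: datetime
    src: str
    port: int
    payload: str  # first bytes the visitor sent, "" if none


@dataclass
class SourceReport:
    src: str
    hits: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    ports: List[int] = field(default_factory=list)      # distinct ports touched
    payloads: List[str] = field(default_factory=list)   # distinct payload samples
    verdict: str = ""


def parse_log(text: str) -> List[Event]:
    """Parse the assumed four-field decoy log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, payload = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), src, int(port),
                            "" if payload == "-" else payload))
    return events


def triage(events: List[Event], scan_threshold: int = 5) -> Dict[str, SourceReport]:
    """Group decoy contacts by source and attach a coarse verdict.

    scan_threshold (assumed value) is the number of distinct ports from one
    source that we treat as a port scan rather than a targeted probe.
    """
    reports: Dict[str, SourceReport] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src not in reports:
            reports[ev.src] = SourceReport(src=ev.src, first_seen=ev.ts)
        rep = reports[ev.src]
        rep.hits += 1
        rep.last_seen = ev.ts
        if ev.port not in rep.ports:
            rep.ports.append(ev.port)
        if ev.payload and ev.payload not in rep.payloads:
            rep.payloads.append(ev.payload)
    for rep in reports.values():
        rep.ports.sort()
        if len(rep.ports) >= scan_threshold:
            rep.verdict = "port-scan"
        elif rep.hits > 1 and len(rep.ports) == 1:
            rep.verdict = "repeated-probe"
        else:
            rep.verdict = "single-contact"
    return reports


def render_alerts(reports: Dict[str, SourceReport]) -> List[str]:
    """One alert line per source; every decoy contact is reported."""
    lines = []
    for rep in reports.values():
        duration = (rep.last_seen - rep.first_seen).total_seconds()
        lines.append(
            f"ALERT decoy contact from {rep.src}: {rep.verdict}, "
            f"{rep.hits} hit(s) on {len(rep.ports)} port(s) {rep.ports} "
            f"over {duration:.0f}s; payloads={rep.payloads}"
        )
    return lines


if __name__ == "__main__":
    for line in render_alerts(triage(parse_log(SAMPLE_LOG))):
        print(line)
```

Run stand-alone it prints two alerts: the first source touches six ports in four seconds and is classed as a port scan, the second returns twice to the same web path and is classed as a repeated probe. In a real deployment the verdicts would feed the intrusion-detection and forensics processes the abstract mentions; the report keeps the raw payload samples for exactly that reason.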

19

Research

• Preliminary findings: Understanding Criminal Computer Behavior: A Personality Trait and Moral Choice Analysis - Rogers, 2003
• New Book Chapter: The Psychology of Cyber Terrorism - Rogers, 2003
• Doctoral Thesis: A Social Learning Theory and Moral Disengagement Analysis of Criminal Computer Behavior: An Exploratory Study - Rogers, 2001
• A New Hacker Taxonomy "REVISED VERSION" - Rogers, 2000
• Psychological Theories of Crime and Hacking - Rogers, 2000
• Modern-day Robin Hood or Moral Disengagement - Rogers, 1999
• The Increase in Organized Criminal Activity in Cyberspace - Rogers, 1999
• Specific Computer Crime Sections - Criminal Code of Canada
• The Insider Threat (PDF) - Shaw et al., 1998
• Cybercrime and Criminology - Adamski, 1998

Challenge 4

How do we calculate economic consequences of information security lapses?

The CERT Gap – is it real?

20

Costs?

• Computer Economics institute: 13 billion US dollars (malicious code attacks) 2001

Costs?

• ”At the present growth rate, 2003 is likely to be hit with more than 180,000 digital attacks worldwide, according to mi2g's estimates, putting economic damage between $80 and $100 billion for the whole year. That's a big leap from 2002's numbers, which rang in at 87,525.”

Research recommends…waiting?

• Bodin, L.D., Gordon, L.A., and Loeb, M.P. ”Evaluating information security investments using the analytic hierarchy process”. Communications of the ACM 48, 2 (Feb. 2005).

• Gordon, L.A. and Loeb, M.P. ”The economics of investment in information security”. ACM Transactions on Information and System Security 5, 4 (Nov. 2002), 438–457.

• Gordon, L.A., Loeb, M.P., and Lucyshyn, W. ”Information security expenditures and real options: A wait and see approach”. Computer Security Journal 19, 2 (Spring 2003), 1–7.

21

Challenge 5

Is there cyberterrorism, and which businesses should be afraid?

Cyberterrorism?

Terrorism and new kinds of technology

”Dear Friend, Especially for you - this cutting-edge announcement. If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail! This mail is being sent in compliance with Senate bill 2116, Title 2; Section 305! This is different than anything else you've seen. Why work for somebody else when you can become rich within 58 MONTHS. Have you ever noticed people love convenience plus people will do almost anything to avoid mailing their bills! Well, now is your chance to capitalize on this! We will help you increase customer response by […]”

22

Research

• "Defending against an Internet-based attack on the physical world" Simon Byers, Aviel D. Rubin, David Kormann
– ”We discuss the dangers that scalable Internet functionality may present to the real world, focusing upon an attack that is simple, yet can have great impact, which we believe may occur quite soon. We offer and critique various solutions to this class of attack and hope to provide a warning to the Internet community of what is currently possible.”
– Mail order attack!

Summary

• Chambers of Commerce are working to ensure that we can build a secure European Business Community through policy work, networks and services.

• Contact details:
– [email protected]