A fledgling international cyber security alliance is continuing to gather backing from private business, according to a recent article published on ComputerWeekly.com. The International Cyber Security Protection Alliance (ICSPA) aims to support law enforcement agencies in countries that lack the resources to fight cybercrime. Commercial security organizations such as McAfee and Trend Micro are supporting the alliance.
The National Cyber Security Alliance, funded in part by Symantec, Cisco, Microsoft, and other technology industry leaders, partners with government entities such as the Department of Homeland Security. The mission of the NCSA is to promote cyber security awareness for home users, small and medium-sized businesses, and primary and secondary education.
These are examples of private technology companies funding and supporting public security initiatives, which are an important factor in securing the Internet. Without the private sector driving the technology to enhance Internet security—often by mitigating security holes in products released by the very same companies providing the funding—the individual Internet consumer would likely find themselves connected to a much less secure World Wide Web than we have today. Although private funding is critically important to Internet security, the issue is that in many cases it is provided as a means of furthering the fiscal goals of the contributing company. In the case of cyber security, this raises several concerns and potential roadblocks to the deployment of effective security measures.
When funding or support is contributed by private businesses such as Cisco, Microsoft, McAfee, or similar players in the realm of Internet security, the motivation behind the contribution is often to further propagate their own proprietary technologies and solutions in a move to gain market share or offset the gains of competitors. While there is likely a genuine concern for global Internet security on the part of these companies, each would prefer that security issues be mitigated with their technologies as opposed to those of a competitor. This undercurrent of competition becomes a roadblock to pervasive and reliable Internet security for several reasons.
Service, protocol, and API incompatibilities are a leading concern in a multi-vendor security design. Securing the Internet is a highly complex task requiring a multi-layered security approach to address security issues across the myriad services available online. In such a design it is crucial to have compatibility and information sharing between the various security solutions, resulting in a seamless and reliable security layer across the Internet. With the large number of vendors offering security solutions, and no enforced standards or services to ensure these solutions interoperate, the varying vendor-specific deployments create “islands of security” with each operating independently and with no ability to share information between systems. Some vendors attempt to design this interoperability into their solutions, yet there is little consensus between vendors in terms of which standards, protocols, or services should be used to provide compatibility.
The lack of enforced operating system and client security standards, accompanied by the lack of user education in terms of security awareness and best practices, becomes another vulnerability exploited by cyber criminals when seeking a method of access or attack. Because vendors incorporate their own set of “best practices” into their products, there are different levels of security, and thus different vulnerabilities, in each product. Uniform standards for end user applications and security are virtually non-existent, primarily due to the lack of cooperation between vendors. This same lack of cooperation extends throughout the Internet security paradigm, with the result being a far less secure global Internet community.
Government oversight of Internet security is becoming a reality as the threat from cybercrime continues to grow. However, legislation of Internet security will face many of the same roadblocks as private industry has encountered, with standards and enforcement being the most difficult to overcome. It is more likely that successful security standards could be created and enforced using existing Internet standards organizations such as the Internet Engineering Task Force (IETF), which operates under the auspices of the Internet Society (ISOC). Even though ISOC is already engaged in Internet security, it is not taking a leading role in developing the standards or enforcement practices, instead acting as an information clearing house and as a coordinator of Internet-related security initiatives. A separate ISOC task force, much like the IETF but dedicated and focused only on Internet security, does not exist.
While some security experts and consultants advocate the creation of and adherence to universal standards for Internet security, the reality is that vendors will continue to support only those that contribute to their bottom line until enforcement of standards takes place. Unless security collaboration is elevated above profit and market share, or a governing body responsible for Internet security is established, the security of the Internet will likely remain an unachievable goal.