One of the world’s leading cyber security strategists is calling for tax breaks for consumers and businesses to encourage them to use the latest in cyber protection to combat cybercrime.
Speaking in an exclusive interview with Future Intelligence, Melissa Hathaway, a former top White House adviser, who lead the cyber security strategy for both President Bush and President Obama, outlined a radical new strategy to combat the cybercrime issue that calls for tax incentives, safety certification for computers and Internet Service Providers to do more to filter out computer attacks.
Hathaway hit out at what she states is a piecemeal approach by governments to cybercrime, and called for concerted government policy to deal with the issue involving both tax incentives and regulation along similar lines to the system being used for the environment.
“From a policy perspectives if you want people to adopt particular measures you want to use a mix of market levers to encourage that adoption and so I believe that if we want cyber security to move forward and be taken up then we should probably model the policy on that for energy diversification.
“I think that there should be tax incentives for individuals and for businesses to adopt effective cyber security measures to protect their interests,” says Hathaway, adding that the current policy adopted by governments around the world only involved regulation. “If you want to have adoption you have to encourage the adoption it can’t all be penalty based.
“We should be looking at a broader mix of market levers and not just focus on regulation but also look at the incentive based area to encourage the adoption of policy objectives.”
More controversially, Hathaway also called for the equivalent of a UK Mot scheme for computers banning unsafe machines from being on the internet in the same way that cars that are considered unsafe are banned from being on roads.
“I think that soon there could be a situation where you will be unable to get internet service if you are running an old Windows XP machine for example, that you are going to be forced to move into the next generation product because the current product is unsafe to be on the internet,” says Hathaway, who stated that she saw a role for the ISPs offering managed computer security services to businesses and individuals.
“I think that there should be an incentive for the household to subscribe to a managed security service through the internet service provider that gives them an enhanced level of security for their overall household infrastructure.
“If you do not turn to something like a response from the internet service providers it won’t scale because you will have too many people who won’t adopt so you need to take it to the place, where you have the broadest impact.”
A role that Hathaway believes that exists for all ISPs and not just large companies such as BT, AT&T and Verizon as Hathaway believes that they could do more to counter cyber crime particularly in dealing with Botnets, the network of criminally compromised personal and business computers that currently sit at the heart of cybercrime.
“We should be demanding clean pipes and I think the ISPs when they see infections across computers they have a responsibility to tell us and that they should prevent the botnets and the infected computers from doing harm on the rest of the networks.
Hathaway’s intervention comes at a time of intense cybercrime activity at state, business and individual levels.
Since the end of October alone, details have emerged that Adobe had actually leaked more than 38m customer details from an earlier attack, confirmation from McAfee that cybercrime gangs are now offering cybercrime services for hire to all and sundry – a trend first revealed by Future Intelligence in 2007 – Europol police broke up a £7.5m credit card hacking gang, the FBI put five hackers on its most wanted list, the UK Government became the target of a sustained computer Trojan campaign as hackers distributed fake tax return email aimed at stealing UK residents tax details, the Dutch police arrested the £1m TorRat BitCoin hacking gang, the UN admitted it’s nuclear agency computers had been hacked, and Interpol arrested six Rumanians and an Albanian for a multi-million pound E-Bay fraud.
Activity that has occurred against a virtually continuous backdrop of state-sponsored surveillance revelations and hacking breaches ranging from the news that the Finnish Government has discovered a systematic penetration of the computers of its Ministry of Foreign Affairs that is likely to have effected other EU states, to details of the Russian Government trying to introduce viruses into the computers of G20 leaders via gifts of USB sticks, that European intelligence agencies were co-operating in the development of a Europe-wide surveillance system, equivalent to the US NSA and UK GCHQ models and that Brazil has also been seeking to spy on US networks.
A flood of attacks that would appear to give some justification to the recent figures that have been given for losses due to cyber attacks, according to the US House of Representatives Permanent Select Committee on Intelligence could be costing the US £250bn a year, some 2.5% of GDP, while the UK Government has come up with a figure of £27bn, 1.7% of UK GDP.
Hathaway’s comments might be seen as radical but there are signs that many in the technology community are beginning to share her reasoning.
In the last six months three different companies have launched insurance policies against cyber attacks among them NCC Group: “Setting out incentives for organisations to do more and adopt good cyber security measures is an idea that UK Government has been considering. There has been a push towards producing a cyber organisational standard that if adopted may make it easier to get cheaper cyber insurance,” said Daljit Barn, an associate director at NCC Group, and chairman of the Cyber Risk and Insurance Forum.
Though, according to Barn, each case is different.
“The problem is, ‘what does good look like?’ varies from the size of organisation to the sector, so you need to know the threat you are facing to implement effective cybersecurity.
“By calling for a MOT-based solution to protect users and systems on the internet, we also must remember that the vehicle may be classed as roadworthy but the driver could be negligent. Training and awareness are just as critical in reducing the cyber threat to businesses.”
And awareness is still at dangerously low levels.
On the 26th of November, 2013 the UK Government revealed that only 14% of top companies take cyber security seriously enough. On the same day the research house Ovum stated that 2014 was the year of the cyber security timebomb and at a conference in Dublin Deloitte’s Jared Carstensen stated that many companies had not yet opted for cyber insurance.
See editorial comment: The crisis of confidence caused by Government surveillance
