Home > Articles > Security > General Security and Privacy

Software [In]security: Computer Security and International Norms

The Obama administration recently released its "International Strategy for Cyberspace" outlining America's ideals and strategies for cyberspace. Security expert Gary McGraw explains why he thinks the document is promising in its effort to make our national goals and policies clear when it comes to cyberspace.
Like this article? We recommend

Though the Obama White House has certainly had more to say about cyber security than previous administrations, much of the early policy and positioning work emanating from the White House did more to define the problem and present a number of plattitudes than it did to address the policy vacuum. Things seem to be turning around with the recently-released "International Strategy for Cyberspace," which the President himself said is "the first time that our Nation has laid out an approach that unifies our engagement with international partners on the full range of cyber issues."  This is a promising development and one long overdue.

Regardless of the Internet's US provenance and its California-inspired vibe, today's Internet is a global phenomenon.  Americans are usually surprised to learn that less than 15% of the population using the Internet is American  and only around half of the Internet's traffic is American .  The upshot should be obvious—if we as Americans intend the Internet to be used as a tool to promote democracy, corruption-free international commerce, and freedom of speech (and explicitly not to be used as a tool for Big Brother oppresion and the erosion of individual liberty and privacy) we need to make our goals explicit.

As it turns out, computer security has been used in widely different ways to justify widely different objectives internationally.  For example, Russia has been rumored to use trumped up computer hacking charges to oppress political dissidents while at the same time encouraging grass-roots hacking efforts in support of national patriotic fervor .  China has turned a blind eye to rampant piracy of digital content and has engaged in massive state-sponsored theft of intellectual property .  The United States' well-developed military-industrial complex itself is using computer security and the threat of cyber war to ramp up spending on advanced cyber weaponry .  Hopefully, a clear policy statement from the executive branch of the United States can counter some of these disturbing trends and help spark development of a set of acceptable international norms of behavior in cyber space that promote liberty, commerce, and cyber peace.

Obama's International Strategy for Cyberspace

The strategy document itself is very approachable and is worth a read.  It serves as a policy statement and a future vision for the Internet and cyberspace divided into four sections: 1) building cyberspace policy, 2) cyberspace's future, 3) policy priorities, and 4) moving forward.

Section one emphasizes our dependancy as a global society on technology and the net.  The notions of trust, trustworthiness, confidence, openness, and interoperability are used to emphasize the role of security and the rule of law (as opposed to, say, cyber menaces including war, terrorism, crime, espionage and the sordid underbelly of human society).  American ideals such as freedom of expression and freedon of association are linked to the notion of freedom of information in cyberspace.  The usual cyber bogeymen do rear their heads around page four in a paragraph about challenges, but this plays second fiddle (or maybe even viola) to the emphasis afforded three core US principals:

  1. Fundamental freedoms (freedom of expression and freedom of association paramount among them)
  2. Privacy (though frankly when it comes to the rule of law, the US is lagging behind other parts of the world in this domain)
  3. Free flow of information (underscoring instead of counterbalancing cybersecurity)

The "free flow of information" notion is worth a few extra words.  The document declares, "States do not, and should not have to choose between the free flow of information and the security of their networks."  This is an important and insightful view that is not commonly expressed in cyber politics.  Security should enhance freedom, not trade off against it.  Censorship is not good security.

Section two of the document provides a vision for the future of cyberspace and the net.  As many technologists already know, the Internet can be a powerful force for peace and prosperity.  The main idea in this section is to emphasize this vision for the net and to discuss preservation of "the Internet and its core characteristics."  A concisely stated goal captures the essence of this section and seems to put the entire document in a nutshell:

    "Our Goal. The United States will work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation To achieve that goal, we will build and sustain an environment in which norms of responsible behavior guide states' actions, sustain partnerships, and support the rule of law in cyberspace."

If there is a flaw in section two, it is a distinct underemphasis on security engineering and software security.  Old school computer security emphasizes three things: protecting the broken stuff from the bad people, focusing on monitoring and network security operations, and sharing information about ongoing attacks.  In my view, the only effective way to make these activities tenable is to build security into the very fabric of cyberspace.  Simply put, our modern systems are still coming off the assembly line with too many security vulnerabilities.  We need to fix that, and our national policy would do well to address this problem more explicitly.  In fact, more broadly speaking, if as the document argues "distributed systems require distributed action" and "in an interconnected global environment, weak security in one nation's systems compounds the risk to others," then we need to make sure that the rest of the world builds security in as well.

The notion of international norms (State Department speak for rights and responsibilities) is an important one not familiar to most technical people.  A clear statement of what the US believes are its cyber rights and a corresponding set of cyber responsibilities rounds out the section.  But once again, building highly reliable, secure systems and system components needs more emphasis here.

The United States remains a superpower, and it puts this weight to use in the section on defense.  One quote sums it up nicely: "the United States will defend its networks, whether the threat comes from terrorists, cybercriminals, or states and their proxies."  Putting cyber miscreants on notice is important, but one of the main problems in cybersecurity is identifying exactly who is doing the attacking.  Misdirected response can have severe and devastating consequences, and attribution is not something built into today's Internet.  (It should go without saying that striking a balance between our desire for free flow of information, privacy, and the fundamental freedoms and the notion of attribution makes technical approaches to this aspect of policy thorny indeed.)

In my view, the section on defense needs the most attention.  There is too much reactive computer security here and not enough proactive philosophy.  We have an opportunity to up our computer security game to the next level and lead the way to more secure systems that in turn bolster our core principals, but that will require better engineering and implementation up front (not better operational defense).  We can use our position of strength and leadership to move things in the right direction and take the beach.

Section three boils down the discussion of sections one and two into a set of policy statements in support of the political philosophy and the reality of the situation. From the perspective of international commerce, this policy statement both coheres with core principals and supports international business.

Section four sums things up with a description of the Internet and cybersace as a tool of democratization and freedom.

International Commerce and Computer Security

The word "security" is mentioned in the cyber strategy document more than 80 times, including on the title page, and yet the document does not fall into the usual Fear Uncertainty and Doubt trap all too common in discussions of computer security.  Instead, the emphasis is on spreading American ideals and developing international norms that foster a secure and reliable cyberspace.  As the document says, "the benefits of an interconnected world should not be limited by national borders."

It is particularly interesting that the strategy addresses "cyberspace," but without a close read of the document (especially the title page) any reader might come away with the feeling that this is a cyber security strategy document.  From this, the direct impact that organized crime and cyber-miscreants have had on the Internet economy should be obvious.  Security is now inextricably bound up with "cyberspace" and has become a necessary part of any way forward.

Many countries are much smaller and less wealthy than the US.  Because of this fact, there are specific elements woven throughout the US cyberspace strategy that are critical enablers allowing smaller partners to contribute effectively to evolve, protect, and leverage the cyberspace we have in common.  One of the main issues we face is how to both protect and empower our citizens simultaneously while avoiding the nanny state trap.  As things stand, myriad competing international laws and regulations blur the already hard to discern boundaries between security, privacy, personal identity, and freedom.  This makes cyberspace a difficult environment for businesses and their customers to operate in efficiently, while unfortunately making it trivial to be an "international" bad actor.

Multinational corporations and the people of the world who use their services will all benefit from a set of norms (some codified into law) that clearly demarcate the fractal boundary between privacy and attribution.

Any successful national strategy must necessarily provide benefit to all legitimate actors (including those outside the nation) if it is to be widely adopted.  Private sector organizations have the ability to innovate and drive adoption much more effectively and quickly than any government can—in fact, adoption will happen organically under the invisible hand of the market if there is a benefit to the private sector actor.  The upshot is that cyberspace strategy and emerging international norms of behavior should directly address global economic and cultural differences in a manner that benefits all constituents.  Put more simply, good behavior in cyberspace should be rewarded and bad behavior not tolerated.

Last Word to the President

President Obama puts it best when he says, "By itself, the Internet will not usher in a new era of international cooperation.  That work is up to us, its beneficiaries.  Together, we can work together [sic] to build a future for cyberspace that is open, interoperable, secure, and reliable."  We applaud the effort to make our national goals and policies clear when it comes to cyberspace, and we look forward to more of the incredible growth and progress that the Internet has delivered to date.

Acknowledgement

Early versions of this article benefitted directly from discussion with one particular international banker who specializes in computer security.  He wishes to remain anonymous.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020