
Cyber Security Governance: A System Dynamics Approach


This paper explains how internet governance shall be applied. It is complemented with system dynamics modeling.


IN SEARCHING CYBER SECURITY GOVERNANCE

(Muhamad Khairul B.)

I. Introduction to The Cyber Crime

Cyber crime is a term that refers to criminal activities related to a computer or computer network, in which the computer system becomes a tool, target or scene of the crime. Some examples of cybercrimes are online auction fraud, check forgery, credit card fraud, confidence fraud, identity fraud and child pornography. Although cyber crime or cybercrime generally refers to criminal activity with a computer or computer network as its main element, the term is also used for traditional criminal activities where computers or networks are used to facilitate or enable the crime.

In other literature, cybercrime is often identified as computer crime. The U.S. Department of Justice Computer Crime defines cyber crime as: "... any illegal act requiring knowledge of computer technology for its perpetration, investigation, or prosecution". Another definition is given by the Organization of European Community Development, namely: "any illegal, unethical or unauthorized behavior relating to the automatic processing and / or the transmission of data".

Since the first incident, many people have tried to investigate cyber crime in order to mitigate it and catch cyber criminals. Despite successful prosecutions of cyber crimes and heavy investment in high-quality information assurance, most experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to enhancing preventive efforts in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.

Some efforts to handle cybercrimes include:

a) Building a response team, like CERT.org (or CSIRT). This team focuses on cybercrime, its reports, and its policy and strategy to minimize criminal cases;

b) Training software developers to minimize coding errors / software vulnerabilities;

c) Building secure payment systems, including the VeriSign, PayPal and Mondex payment systems;

d) Increasing employees' awareness of security issues. This means having employees who understand their responsibility to secure the organization's information;

e) Building technology advancement. These technological inventions include building socket layer technology to secure critical information exchanges;

f) Composing anti-cybercrime laws to send the criminals to jail.

Despite the above efforts, cybercrime cases are rising in number and in the techniques used. According to CERT, cybercrime cases will still be a great concern in the coming decades. Meanwhile, in order to minimize and handle cybercrime, many experts introduced a new term, cyber security. Cyber security refers to the protection of an organization's computer network from unlawful or unauthorized activities. Since the Internet is increasingly the gateway for scams and even acts of terrorism, high-quality cyber security has become an imperative for organizations.

[Figure: The evolution of Cybercrime]

[Figure: The Cybercrime Cases by CERT.org]

II. Cyber Security as System Innovation in Progress

According to Charney (2009), the cyber threat is difficult to assess and mitigate for the following six reasons:

a) There are many malicious actors. Low cost computer technology, widespread Internet connectivity, and the ease of creating or obtaining malware means that almost anyone can engage in malicious activity. Indeed, the Internet is a great place to commit crime because it provides global connectivity, anonymity, lack of traceability, and rich targets. Malicious actors include individuals, organized crime groups, terrorist groups, and nation-states, and actions that might serve to deter one group may be less effective against another.

b) There are as many motives as there are (many) actors. These motives may relate to traditional areas of criminal activity (for example, fraud or the distribution of child pornography), economic espionage, military espionage, or cyber warfare.

c) There are many different but commonly used attack vectors. Leaving aside supply chain and insider threats, which pose their own challenges, remote attackers might take advantage of product vulnerabilities, system misconfigurations, and social engineering. Because different actors may use similar techniques, the nature of the attack might not yield reliable clues about the identity of the attacker or the attacker’s motives. This fact, combined with anonymity and lack of traceability, means that attributing attacks is very difficult, and punishment for malicious activity is unlikely.

d) The Internet is a shared and integrated domain. It is shared by citizens, businesses, and governments in a manner that makes it difficult to segregate one group from another. Moreover, free speech, commercial transactions, espionage activities, and cyber warfare may be occurring in this shared and integrated domain, all at the same time and over the same transport medium. With a limited ability to parse actors and activities, tailored responses to specific threats are extremely hard to craft.

e) The potential consequences of an attack are very difficult to predict. Certain nefarious activity such as network scans or unauthorized system access may be a prelude to information theft, a data integrity breach, or a disruption of service. Moreover, the complex interrelationships between systems suggest that there may be unanticipated cascading effects, some which may be more severe than even the intended effect. Finally, while some attacks may be obvious (for example, a denial of service attack against a critical infrastructure) and generate a quick response, other attacks may be hard to detect. Much has been written about the exfiltration of data from sensitive systems; a more disconcerting scenario might be a critical alteration of data. Not only can this be difficult to detect, but it may be difficult to discern when the data was changed without authority, thus making it difficult to “roll back” to a known good state.

f) The worst-case scenarios are alarming. In the popular press, policy space, and think tanks, these scenarios include disrupting critical infrastructure services, impeding key economic functions, or imperiling public safety and national security (thus explaining oft-repeated references to an “electronic Pearl Harbor”). The complexity of these scenarios, which results in part from massive interconnectivity and dependencies between systems that are not always well understood, has made it difficult to develop a consensus regarding the probable consequences of an attack. As for our ability to recover quickly from such an attack, society’s increasing dependence on information technology systems and the data they contain may mean that there is no longer an existing manual process with trained people to fall back on.

Based on the previous points, we can conclude that the cyber threat, as well as cyber security, has the following characteristics:

a) It consists of many parties (the government, the public, think tanks and companies);

b) Many parties mean many interests and motives, so conflicts of interest are possible. For example, vendors tend to neglect high-quality security because the more secure a piece of software is, the more difficult it is to use. This contrasts with government / police agents, who require high-quality software;

c) High uncertainty. Because cyber crimes involve many motives and actors, it is difficult to predict how much cost, time and other resources will be needed to handle a cyber crime.

d) Evolution of cyber crimes. Many papers have shown that internet activities are increasing in many aspects of our lives, which also means that cyber crime has tremendous benefits / funds to steal. This invites the smartest criminals to act in many ways, including combining or evolving the available techniques, which leads to the evolution of cyber crime techniques.

e) Decentralized resources. ICT, especially the internet, can be accessed by many people around the world, including users from developing countries. Almost all developing countries lack skilled people and have low funding and weak law enforcement, in contrast to developed countries. This leads to a situation in which the resources to mitigate cyber crimes are decentralized.

These points are in line with Bruijn (2004). Bruijn (2004) states that the introduction of the internet in various sectors can be viewed as a system innovation [1] in which, at the early stage, nobody planned the explosive development of internet activities. Innovations like the internet and cyber security take place independently and in a decentralized way, and are certainly difficult to manage toward their best performance.

Bruijn (2004) also states that system innovations are usually difficult to manage because of the following three causes:

a. Substance: lack of knowledge. System innovations raise questions that usually have not been directly answered, such as: what type of problems will arise after implementing a system innovation? What are the financial and social costs of the change process? These questions require appropriate knowledge, while our knowledge in predicting the future is limited.

In the case of cyber security (and cybercrime), there are arising questions, namely: W

[1] According to Koch (2004), a system innovation is a new system or a fundamental change of an existing system, for instance by the establishment of new organizations or new patterns of co-operation and interaction.

b. Process: consensus is not a matter of course. System innovations affect the interests of many parties. In modern societies, such parties tend to operate in a network, independently, and none of these parties can influence the other parties' views.

For example, in credit card fraud, the victims are disappointed with the payment system, while the internet providers or goods producers might benefit more from high internet/shopping activity. Some parties are happy with a successful data leak and the rest are in poor condition.

c. Values: conflicting public and private values. Changes in a system might interface the private and the public sectors. Many private parties (like software vendors) resist disclosing the weaknesses of their software/products, while the users / government need more information to operate the software safely.

To understand cyber security governance, we can describe the causal loop by following the interests of the many parties.

1) The Vendors. The vendors release much software with unknown vulnerabilities. These software vulnerabilities are caused by low incentives for the programmers / researchers, wrong code or imperfect programming.

2) The Hackers. Because of intellectual or economic motives, a hacker finds and exploits holes to benefit from the software application unlawfully. There are two possibilities: the white hat hackers [2] would report the vulnerabilities to vendors (or CERT) to investigate / improve, while the remaining hackers, the black hat hackers [3], would use these holes to commit cybercrimes.

As the number of reported vulnerabilities rises, the vendors are pushed to improve their software quality. This can support high internet activity (e-commerce, for example) and result in higher profit for the vendors / e-commerce companies.

3) The Government / Authority. Due to the high number of cybercrimes and dissatisfaction with public safety, the government acts to catch the criminals and send them to jail. This action needs appropriate cybercrime laws.

[2] White hat hackers are those who attempt to break into systems or networks in order to help the owners of the system by making them aware of security flaws, or to perform some other altruistic activity.

[3] A black hat hacker is a person who is able to exploit a system or gain unauthorized access through skill and tactics; the term does not refer to a white hat hacker.

This description can be pictured in the following causal loops (all are negative/balancing loops). There are three/two loops. Loop 1 affirms that vulnerability handling requires highly skilled programmers / hackers / researchers to minimize the vulnerabilities, which are potential cybercrimes. Loop 2 emphasizes that appropriate laws are a mandatory prerequisite to combat cybercrimes.

[Figure: The Causal Loop. Nodes: Software Releases; Unknown Vulnerabilities; Known Vulnerabilities by Black Hackers; Known Vulnerabilities by White Hackers; Cybercrime; Efforts to Combat Cybercrime; Successful Cybercrime Charges; Software Improvement; Software Quality; Internet Activities; Vendors Profits / E-commerce Profit; Hackers Motivation and Skills; Programmers Skills and Incentives; Laws / Policies to Combat Cybercrime (The Government/Authority’s Role); Research and Training Activities (The System Science’s Role); Research Funding and Incentives (The System Market’s Role). The links carry + and - polarities, and the loops are labelled Loop 1 and Loop 2.]

As balancing loops tend to reach equilibrium, the government, the market and the science system working together tend to minimize cybercrimes.

What will happen, for example, if e-commerce doesn’t support the research? It will slow the progress of software improvement, which finally increases cybercrimes. The market system (e-commerce companies) has abundant funding to support software improvement / research activities related to combating cybercrimes.

Another example: what will happen if the government doesn’t produce appropriate laws to combat cybercrimes? Of course, the black hackers can’t be prosecuted and sent to jail. This case actually happened in Indonesia (before the cyber laws passed the senate).

The last example is when the system science isn’t involved in the system innovation. In this case, the black hat hackers will dominate cybercrime without challenge from their “compatriots”, the white hat hackers. In the end, software quality will not reach the highest level of security, which means a high potential for cybercrimes.

III. The Model

Based on the previous causal loop, we build the flow diagram (Powersim) to explore further the behavior of the interaction between the parties involved in cyber crime as well as cyber security. In the model we explore the effect on cyber crimes when a system becomes involved (i.e. system science, system market or system authority / government). We assume that the system science contributes by providing highly skilled programmers / researchers, the system market provides incentives to support the system science’s activity, and the system authority contributes by handling and prosecuting cyber criminals / law enforcement.

Line 1 represents the baseline (business as usual) scenario, with no laws, no research on raising software quality and no incentives for research activities. Line 2 represents the effect of applying cyber crime laws, while line 3 represents cyber crime laws applied together with the system market (incentives for research). Line 4 represents all three systems involved: system authority (cyber law implementation), system market (incentives for researchers) and system science (producing high-quality programmers).

According to picture 1, under business as usual (with no system involved, line 1) the number of cyber crimes rises. This number is lower when the system authority investigates the cyber crimes (line 2), and lower again when two systems work together (system authority and system science, line 3). The lowest number of cyber crimes is shown by line 4 (all systems working together: system science, system authority and system market).

The model is simulated over a time horizon of 60 months with a time step of 0.125. Simulations with time steps below this give results no different from those with the time step of 0.125.

[Figure: The Flow Diagram. Powersim stock-and-flow diagram of the model; its variables are the ones defined under "The equations".]

[Figure: Picture 1. Number of Cyber crimes. Number_Cyber_Crimes (axis marked 2.000 to 8.000) against Time (0 to 60), lines 1 to 4.]

[Figure: Picture 2. Percentage of Cyber crime caughts to Number of cyber crimes. Percentage_Cybercrime_Caughts (axis marked 0,1 to 0,6) against Time (0 to 60), lines 1 to 4.]

The simulations show that the involvement of the three systems (system market, system science and system authority) can bring cyber security, as a system innovation, to its peak performance, i.e. low cyber crime, a high percentage of cyber crimes caught and higher profit for companies related to computer networks.

[Figure: Picture 3. Amount of ecommerce profit. Vendors_Ecommerce_Profit (axis marked 0 to 9.000.000) against Time (0 to 60), lines 1 to 4.]

These simulation results are in line with Bruijn (2004): a system innovation is likely to perform best if three systems are involved in it. This is a mandatory prerequisite for a potential system innovation. It is difficult to realize a system innovation that is in touch with legal/law issues (system authority), market/benefit possibilities (system market) or scientific challenges.

IV. The Further Steps

In reconciling this paper, as a theoretical view, with the practice of cyber security, it will be mandatory for us to investigate further how to implement this theory in the real world. In a simple way, we can explore today's cyber security world to find whether the opinion in this paper can be a sustainable solution for governing cyber security.

Another important challenge is to compute the benefits of a system innovation, in terms of money together with societal values and public safety. Indeed, a system innovation might benefit public safety (safe transactions via the internet, for example), societal values (confidence between parties) and high potential economic development.

We can also view cyber security in terms of institutional characteristics, i.e. transaction cost. The higher the level of governance of cyber security, the lower the transaction cost will be. According to much of the literature, the transaction cost comprises the costs of information, monitoring, coordination and negotiation. In terms of cyber security governance, the transaction costs will include the cost to manage / govern cyber security, such as monitoring cyber transactions, handling cyber’s negative effects (i.e. cyber crimes) and coordinating cyber security acts (including cyber’s negative effects).

The Literatures.

Bruijn, Hans de, Voort, Haiko cs. 2004. Creating System Innovation. Bakelma Publishers.

CERT.org. Some statistics on Cybercrime Cases.

Charney, Scott. 2009. Rethinking the Cyber Threat: A Framework and Path Forward. Microsoft Corp.

Deloitte. The People Dimension of Security and Privacy: Eight training and awareness habits of highly effective organizations.

Koch, P., Cunningham, P., Schwabsky, N. and Hauknes, J. Innovation in the Public Sector: Summary and policy recommendations. Publin Report No. D24. Published by NIFU STEP Studies in Innovation, Research and Education. http://www.step.no/publin/reports/d24-summary-final.pdf

Norton’s Cybercrime Report.

Radianti, Jaziar, Gonzalez, Jose J. A preliminary model of the vulnerability black market. Submitted to the 25th International System Dynamics Conference, Boston, USA, 29 July-2 August 2007.

The Large View of Model

[Figure: enlarged view of the flow diagram, showing the same stocks, flows, auxiliaries, constants and switches that are defined under "The equations".]

The equations

    init Known_Vulnerabilities_type_1 = 50
    flow Known_Vulnerabilities_type_1 = +dt*Findings_by_Black_Hat_Hackers
    init Known_Vulnerabilities_type_2 = 50
    flow Known_Vulnerabilities_type_2 = +dt*Findings_by_White_Hat_Hackers
    init Number_Cyber_Crimes = 100
    flow Number_Cyber_Crimes = -dt*Cyber_Crime_Caughts
        +dt*CyberCrime_Rate
    init Number_CyberCrimes_Prosecuted = 5
    flow Number_CyberCrimes_Prosecuted = +dt*Cyber_Crime_Caughts
    init Software_Quality = 0.5
    flow Software_Quality = +dt*Software_Improvement
    init Unknown_Vulnerabilities = 1000
    flow Unknown_Vulnerabilities = +dt*Unknown_Vulneb_Rate
        -dt*Findings_by_Black_Hat_Hackers
        -dt*Findings_by_White_Hat_Hackers
    init Vendors_Ecommerce_Profit = 100000
    flow Vendors_Ecommerce_Profit = -dt*Reduced_Profit_Rate
        +dt*Increased_Profit_Rate
    aux Cyber_Crime_Caughts = Number_Cyber_Crimes*Delay_Effect_CyberLaws_to_Cybercrime_Caughts
    aux CyberCrime_Rate = Known_Vulnerabilities_type_1*normal_growth_cybercrime_rate
    aux Findings_by_Black_Hat_Hackers = IF(Unknown_Vulnerabilities>2,Unknown_Vulnerabilities*normal_growth_findings_type_1*Effect_Cyber_Crime_to_White_Black_Hat_Hackers,0)
    aux Findings_by_White_Hat_Hackers = IF(Unknown_Vulnerabilities>2,Unknown_Vulnerabilities*delay_effect_system_science*delay_effect_system_market,0)
    doc Findings_by_White_Hat_Hackers = Unknown_Vulnerabilities*delay_effect_system_science*delay_effect_system_market
    aux Increased_Profit_Rate = Vendors_Ecommerce_Profit*Effect_Software_Quality_to_Ecommerce_Profits
    aux Reduced_Profit_Rate = Vendors_Ecommerce_Profit*Effect_Cyber_Crimes_to_Vendors_Ecommerce_Profit
    aux Software_Improvement = Known_Vulnerabilities_type_2/5*effect_known_vulnerabilities_type_2_on_soft_improvement/5000
    aux Unknown_Vulneb_Rate = Unknown_Vulnerabilities*growth_of_unknown_vulnerabilites*delay_effect_sof_qual_vulnebty
    aux Delay_Effect_CyberLaws_to_Cybercrime_Caughts = DELAYINF(Effect_Cyber_Laws_to_CyberCrime,2,1,Effect_Cyber_Laws_to_CyberCrime)
    aux delay_effect_sof_qual_vulnebty = DELAYMTR(effect_software_quality_to_vulnerabilities,5,1,effect_software_quality_to_vulnerabilities)
    aux delay_effect_system_market = DELAYINF(effect_system_market,5,1,effect_system_market)
    aux delay_effect_system_science = DELAYINF(effect_system_science_to_finding_rate_type2,5,1,effect_system_science_to_finding_rate_type2)
    aux Delay_Info_CyberCrimes = DELAYINF(Number_Cyber_Crimes, 2,Number_Cyber_Crimes)
    aux Effect_Cyber_Crime_to_White_Black_Hat_Hackers = IF(Delay_Info_CyberCrimes>200,Delay_Info_CyberCrimes/200,1)
    aux Effect_Cyber_Crimes_to_Vendors_Ecommerce_Profit = Number_Cyber_Crimes/1000*normal_reduced_rate
    aux Effect_Cyber_Laws_to_CyberCrime = (efficiency_of_cyberlaws*normal_growth_crime_caughts)*switch_law+(normal_growth_crime_caughts)*(1-switch_law)
    aux Effect_Software_Quality_to_Ecommerce_Profits = IF(Software_Quality>1,Software_Quality/1,1)*normal_profit_rate_growth
    aux effect_software_quality_to_vulnerabilities = IF(Software_Quality>=0.5,1,1.5)
    aux effect_system_market = switch_system_market*effeciency_research_funding+(1-switch_system_market)
    aux effect_system_science_to_finding_rate_type2 = switch_system_science*(normal_growth_finding_type_2*efficiency_of_system_science)+(1-switch_system_science)*(normal_growth_finding_type_2)
    aux efficiency_of_cyberlaws = IF(switch_system_science=1,1.75,1.5)
    aux Percentage_Cybercrime_Caughts = Number_CyberCrimes_Prosecuted/Number_Cyber_Crimes
    const effeciency_research_funding = 1.5
    const effect_known_vulnerabilities_type_2_on_soft_improvement = 1.1
    const efficiency_of_system_science = 1.5
    const growth_of_unknown_vulnerabilites = 0.2
    const normal_growth_crime_caughts = 0.01
    const normal_growth_cybercrime_rate = 0.1
    const normal_growth_finding_type_2 = 0.1
    const normal_growth_findings_type_1 = 0.2
    const normal_profit_rate_growth = 0.15
    const normal_reduced_rate = 0.05
    const switch_law = 1
    const switch_system_market = 1
    const switch_system_science = 1
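The listing above can be stepped outside Powersim with plain Euler integration. The following Python sketch is an added example, not the author's model file: it treats every DELAYINF/DELAYMTR as first-order exponential smoothing (an assumption, including for the three-argument Delay_Info_CyberCrimes), reads line 3 as laws plus system market, and uses names introduced here (`simulate`, `smooth`, `run_all`, `SCENARIOS`).

```python
# Added example: Euler integration of the page's init/flow/aux/const listing.
DT, MONTHS = 0.125, 60                      # time step and horizon stated in the text

# 'const' values copied from the listing.
EFFICIENCY_RESEARCH_FUNDING = 1.5
EFFECT_KV2_ON_SOFT_IMPROVEMENT = 1.1
EFFICIENCY_OF_SYSTEM_SCIENCE = 1.5
GROWTH_OF_UNKNOWN_VULNERABILITIES = 0.2
NORMAL_GROWTH_CRIME_CAUGHTS = 0.01
NORMAL_GROWTH_CYBERCRIME_RATE = 0.1
NORMAL_GROWTH_FINDING_TYPE_2 = 0.1
NORMAL_GROWTH_FINDINGS_TYPE_1 = 0.2
NORMAL_PROFIT_RATE_GROWTH = 0.15
NORMAL_REDUCED_RATE = 0.05

# (switch_law, switch_system_market, switch_system_science) per plotted line.
SCENARIOS = {
    "1 baseline": (0, 0, 0),
    "2 law": (1, 0, 0),
    "3 law+market": (1, 1, 0),              # assumed reading of line 3
    "4 law+market+science": (1, 1, 1),
}


def smooth(state, target, tau):
    """One Euler step of first-order smoothing (assumed stand-in for the delays)."""
    return state + DT * (target - state) / tau


def simulate(switch_law, switch_system_market, switch_system_science):
    # Stocks, with the 'init' values from the listing.
    kv1, kv2 = 50.0, 50.0                   # Known_Vulnerabilities_type_1 / _type_2
    crimes, prosecuted = 100.0, 5.0         # Number_Cyber_Crimes / ..._Prosecuted
    quality, unknown, profit = 0.5, 1000.0, 100000.0

    # Switch-dependent auxiliaries that stay constant during one run.
    eff_laws = 1.75 if switch_system_science == 1 else 1.5
    law_in = NORMAL_GROWTH_CRIME_CAUGHTS * (eff_laws * switch_law + (1 - switch_law))
    market_in = switch_system_market * EFFICIENCY_RESEARCH_FUNDING + (1 - switch_system_market)
    science_in = NORMAL_GROWTH_FINDING_TYPE_2 * (
        switch_system_science * EFFICIENCY_OF_SYSTEM_SCIENCE + (1 - switch_system_science))

    # Delay states start at their inputs (the last DELAY argument in the listing).
    d_law, d_market, d_science = law_in, market_in, science_in
    d_quality = 1.0 if quality >= 0.5 else 1.5
    d_info = crimes

    for _ in range(int(MONTHS / DT)):
        # Auxiliaries evaluated from the current state.
        effect_crime = d_info / 200 if d_info > 200 else 1.0
        if unknown > 2:
            find_black = unknown * NORMAL_GROWTH_FINDINGS_TYPE_1 * effect_crime
            find_white = unknown * d_science * d_market
        else:
            find_black = find_white = 0.0
        caught = crimes * d_law
        crime_rate = kv1 * NORMAL_GROWTH_CYBERCRIME_RATE
        unknown_rate = unknown * GROWTH_OF_UNKNOWN_VULNERABILITIES * d_quality
        improvement = kv2 / 5 * EFFECT_KV2_ON_SOFT_IMPROVEMENT / 5000
        increased = profit * (quality if quality > 1 else 1.0) * NORMAL_PROFIT_RATE_GROWTH
        reduced = profit * crimes / 1000 * NORMAL_REDUCED_RATE

        # Delays follow their inputs (delay times 2, 5, 5, 5, 2 as in the listing).
        d_law = smooth(d_law, law_in, 2)
        d_market = smooth(d_market, market_in, 5)
        d_science = smooth(d_science, science_in, 5)
        d_quality = smooth(d_quality, 1.0 if quality >= 0.5 else 1.5, 5)
        d_info = smooth(d_info, crimes, 2)

        # Stock updates (the 'flow' lines).
        kv1 += DT * find_black
        kv2 += DT * find_white
        crimes += DT * (crime_rate - caught)
        prosecuted += DT * caught
        quality += DT * improvement
        unknown += DT * (unknown_rate - find_black - find_white)
        profit += DT * (increased - reduced)

    return {"crimes": crimes, "pct_caught": prosecuted / crimes, "profit": profit}


def run_all():
    """Final-month values for the four plotted scenarios."""
    return {name: simulate(*switches) for name, switches in SCENARIOS.items()}


if __name__ == "__main__":
    for name, out in run_all().items():
        print(f"{name:22s} crimes={out['crimes']:8.0f} "
              f"caught={out['pct_caught']:.2f} profit={out['profit']:.0f}")
```

Flipping one switch at a time shows which of the three feedback paths (prosecution rate, white hat finding rate, research funding multiplier) moves the crime stock.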