This paper explains how internet governance shall be applied. It is complemented with system dynamics modeling.
IN SEARCHING CYBER SECURITY GOVERNANCE
(Muhamad Khairul B.)
I. Introduction to The Cyber Crime
Cyber crime is a term that refers to criminal activities related to a computer or computer network, in which the computer system becomes a tool, target or scene of the crime. Some examples of cybercrimes are online auction fraud, check forgery, credit card fraud, confidence fraud, identity fraud and child pornography. Although cyber crime or cybercrime generally refers to criminal activity with a computer or computer network as its main element, the term is also used for traditional criminal activities where computers or networks are used to facilitate or enable the crime.
In other literature, cybercrime is often identified as computer crime. The U.S. Department of Justice describes cyber crime as: "... any illegal act requiring knowledge of computer technology for its perpetration, investigation, or prosecution". Another notion is given by the Organization of European Community Development, namely: "any illegal, unethical or unauthorized behavior relating to the automatic processing and / or the transmission of data".
Since the first incident, many people have tried to investigate cyber crime in order to mitigate it and catch cyber criminals. Despite successful prosecutions of cyber crimes and heavy investment in high quality information assurance, most experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to enhancing preventive efforts in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.
Some efforts to handle cybercrimes include:
a) Building a response team, like CERT.org (or CSIRT). This team focuses on cybercrime, its reports, and the policy and strategy to minimize criminal cases;
b) Training software developers to minimize coding errors / software vulnerabilities;
c) Building secure payment systems, including the VeriSign, PayPal and Mondex payment systems;
d) Increasing employees' awareness of security issues. This means having employees that understand their responsibilities to secure the organization's information;
e) Building technology advancement. These technology inventions include building socket layer technology to secure critical information exchanges;
f) Composing anti-cybercrime laws to send the criminals to jail.
Despite the above efforts, cybercrime cases are rising in number and in the variety of their techniques. According to CERT, cybercrime cases will still be a great concern in the coming decades. Meanwhile, in order to minimize and handle cybercrime, many experts have introduced a new term, cyber security. Cyber security refers to the protection of an organization's computer network from unlawful or unauthorized activities. Since the Internet is increasingly the gateway for scams and even acts of terrorism, high quality cyber security has become an imperative for organizations.
[Figure: The evolution of Cybercrime]
[Figure: The Cybercrime Cases by CERT.org]
II. Cyber Security as System Innovation in Progress
According to Charney (2009), the cyber threat is difficult to assess and mitigate for the following six reasons:
a) There are many malicious actors. Low cost computer technology, widespread Internet connectivity, and the ease of creating or obtaining malware means that almost anyone can engage in malicious activity. Indeed, the Internet is a great place to commit crime because it provides global connectivity, anonymity, lack of traceability, and rich targets. Malicious actors include individuals, organized crime groups, terrorist groups, and nation-states, and actions that might serve to deter one group may be less effective against another.
b) There are as many motives as there are (many) actors. These motives may relate to traditional areas of criminal activity (for example, fraud or the distribution of child pornography), economic espionage, military espionage, or cyber warfare.
c) There are many different but commonly used attack vectors. Leaving aside supply chain and insider threats, which pose their own challenges, remote attackers might take advantage of product vulnerabilities, system misconfigurations, and social engineering. Because different actors may use similar techniques, the nature of the attack might not yield reliable clues about the identity of the attacker or the attacker’s motives. This fact, combined with anonymity and lack of traceability, means that attributing attacks is very difficult, and punishment for malicious activity is unlikely.
d) The Internet is a shared and integrated domain. It is shared by citizens, businesses, and governments in a manner that makes it difficult to segregate one group from another. Moreover, free speech, commercial transactions, espionage activities, and cyber warfare may be occurring in this shared and integrated domain, all at the same time and over the same transport medium. With a limited ability to parse actors and activities, tailored responses to specific threats are extremely hard to craft.
e) The potential consequences of an attack are very difficult to predict. Certain nefarious activity such as network scans or unauthorized system access may be a prelude to information theft, a data integrity breach, or a disruption of service. Moreover, the complex interrelationships between systems suggest that there may be unanticipated cascading effects, some which may be more severe than even the intended effect. Finally, while some attacks may be obvious (for example, a denial of service attack against a critical infrastructure) and generate a quick response, other attacks may be hard to detect. Much has been written about the exfiltration of data from sensitive systems; a more disconcerting scenario might be a critical alteration of data. Not only can this be difficult to detect, but it may be difficult to discern when the data was changed without authority, thus making it difficult to “roll back” to a known good state.
f) The worst-case scenarios are alarming. In the popular press, policy space, and think tanks, these scenarios include disrupting critical infrastructure services, impeding key economic functions, or imperiling public safety and national security (thus explaining oft-repeated references to an “electronic Pearl Harbor”). The complexity of these scenarios, which results in part from massive interconnectivity and dependencies between systems that are not always well understood, has made it difficult to develop a consensus regarding the probable consequences of an attack. As for our ability to recover quickly from such an attack, society’s increasing dependence on information technology systems and the data they contain may mean that there is no longer an existing manual process with trained people to fall back on.
Based on the previous points, we can conclude that the cyber threat, as well as cyber security, has the following characteristics:
a) It consists of many parties (the government, the public, think tanks and companies);
b) Many parties mean many interests and motives, which makes conflicts of interest possible. For example, vendors tend to neglect high quality security because the more secure a piece of software is, the more difficult it is to use. This contrasts with government / police agents, who require high quality software;
c) High uncertainty. Because cyber crimes involve many motives and actors, it is difficult to predict how much cost, time and other resources will be needed to handle a cyber crime;
d) Evolution of cyber crimes. Many papers have shown that internet activities are increasing in many aspects of our lives; this also means that cyber crimes have tremendous benefits / funds to steal. This invites the smartest criminals to act in many ways, including combining or evolving the available techniques, which leads to the evolution of cyber crime techniques;
e) Decentralized resources. ICT, especially the internet, can be accessed by many people around the world, including users from developing countries. Almost all developing countries lack skilled people, funding and strong law enforcement, in contrast to developed countries. This leads to a situation in which the resources to mitigate cyber crimes are decentralized.
These points are in line with Bruijn (2004). Bruijn (2004) states that the introduction of the internet in various sectors can be viewed as a system innovation [1] and that, in the early stage, nobody planned the explosive development of internet activities. Innovations such as the internet and cyber security take place independently and in a decentralized way, and are certainly difficult to manage toward their best performance.
Bruijn (2004) also states that system innovations are usually difficult to manage because of the following three causes:
a. Substance: lack of knowledge;
[1] According to Koch (2004), a system innovation is a new system or a fundamental change of an existing system, for instance by the establishment of new organizations or new patterns of co-operation and interaction.
System innovations raise some questions that usually have not been directly answered, such as: what type of problems will arise after implementing a system innovation? What are the financial costs and social costs of the change process? These questions require appropriate knowledge, while our knowledge in predicting the future is limited.
In case of cyber security (and cybercrime). There are arising questions, namely, : W
b. Process: consensus is not a matter of course;
System innovations affect the interests of many parties. In modern societies, such parties tend to operate in a network, independently, and none of these parties can influence the other parties' views.
For example, in credit card fraud, the victims are disappointed with the payment system, while the internet providers or goods producers might benefit more due to high internet / shopping activity. Some parties are happy with a successful data leakage and the rest are left in poor condition.
c. Values: conflicting public and private values
Changes in a system might bring the private and the public sectors into contact. Many private parties (like software vendors) resist disclosing the weaknesses of their software / products, while the users / government need more information to operate the software safely.
To understand cyber security governance, we can describe the causal loop by following the interests of the many parties.
1) The Vendors
The vendors release much software with unknown vulnerabilities. These software vulnerabilities are caused by low incentives for the programmers / researchers, wrong code or imperfect programming code.
2) The Hackers
Because of intellectual or economic motives, a hacker finds and exploits holes to benefit from the software application unlawfully. There are two possibilities: the white hat hackers [2] would report the vulnerabilities to the vendors (or CERT) to investigate / improve, while the rest, the black hat hackers [3], would use these holes to commit cybercrimes.
As the number of reported vulnerabilities rises, the vendors are pushed to improve their software quality. This can support high internet activity (e-commerce, for example) and result in higher profit for the vendors / e-commerce companies.
3) The Government / Authority
Due to high cybercrime and dissatisfaction over public safety, the government acts to catch the criminals and send them to jail. This requires appropriate cybercrime laws.
[2] White hat hackers are those who attempt to break into systems or networks in order to help the owners of the system by making them aware of security flaws, or to perform some other altruistic activity.
[3] A black hat hacker is a person who is able to exploit a system or gain unauthorized access through skill and tactics; the term does not refer to white hat hackers.
This description can be pictured in the following causal loops (all are negative / balancing loops). There are three/ two loops. Loop 1 affirms that handling vulnerabilities requires highly skilled programmers / hackers / researchers to minimize the vulnerabilities, which are potential cybercrimes. Loop 2 emphasizes that appropriate laws are a mandatory prerequisite to combat cybercrimes.
[Figure: The Causal Loop. Nodes: Software Releases; Unknown Vulnerabilities; Known Vulnerabilities by Black Hackers; Known Vulnerabilities by White Hackers; Cybercrime; Efforts to Combat Cybercrime; Successful Cybercrime Charges; Software Improvement; Software Quality; Internet Activities; Vendors Profits / E-commerce profit; Hackers Motivation and Skills; Programmers Skills and Incentives; Laws / Policies to Combat Cybercrime (The Government/Authority’s Role); Research and Training Activities (The System Science’s Role); Research Funding and Incentives (The System Market’s Role). Loops: Loop 1, Loop 2.]
As balancing loops tend toward equilibrium, the government, the market and the science system working together behave so as to minimize cybercrimes.
What will happen, for example, if e-commerce doesn’t support the research? It will slow the progress of software improvement, which finally increases cybercrimes. The market system (e-commerce companies) has abundant funding to support the software improvement / research activities related to combating cybercrimes.
As another example, what will happen if the government doesn’t produce appropriate laws to combat cybercrimes? Of course the black hackers can’t be prosecuted and sent to jail. This case actually happened in Indonesia (before the cyber laws passed the senate).
The last example is when the system science isn’t involved in the system innovation. In this case, the black hat hackers will dominate cybercrime without challenge from their “compatriots”, the white hat hackers. In the end software quality will not reach the highest level of security, which means a high potential for cybercrimes.
III. The Model
Based on the previous causal loop, we build the flow diagram (Powersim) to explore further the behavior of the interaction between the parties involved in cyber crime as well as cyber security. In the model we explore the effect on cyber crimes once a system is involved (i.e. system science, system market or system authority / government). We assume that the system science contributes highly skilled programmers / researchers, the system market provides incentives to support the system science’s activity, and the system authority contributes by handling and prosecuting cyber criminals / law enforcement.
Line 1 represents the baseline (business as usual) scenario, with no laws, no research on raising software quality and no incentives for research activities. Line 2 represents the effect of applying cyber crime laws, while line 3 represents the application of cyber crime laws together with the system market (incentives for research). Line 4 represents all three systems involved: system authority (cyber law implementation), system market (incentives for researchers) and system science (producing high quality programmers).
According to picture 1, under business as usual (with no system involved, line 1) the number of cyber crimes rises. This number is lower when the system authority investigates the cyber crimes (line 2) and when two systems work together (system authority and system science, line 3), and the lowest number of cyber crimes is pictured by line 4 (all systems working together: system science, system authority and system market).
The model is simulated over a 60-month time horizon with a time step of 0.125. Simulations with smaller time steps give results no different from those with a time step of 0.125.
[Figure: The Flow Diagram]
[Figure: Number_Cyber_Crimes (y axis, 2.000 to 8.000) against Time (x axis, 0 to 60), lines 1 to 4]
Picture 1. Number of Cyber crimes
[Figure: Percentage_Cybercrime_Caughts (y axis, 0,1 to 0,6) against Time (x axis, 0 to 60), lines 1 to 4]
Picture 2. Percentage of Cyber crime caughts to Number of cyber crimes
The simulations conclude that the involvement of the three systems (system market, system science and system authority) can bring cyber security, as a system innovation, to its peak performance, i.e. low cyber crimes, a high percentage of cyber crimes caught and higher profit for companies related to computer networks.
[Figure: Vendors_Ecommerce_Profit (y axis, 0 to 9.000.000) against Time (x axis, 0 to 60), lines 1 to 4]
Picture 3. Amount of ecommerce profit
These simulation results are in line with Bruijn (2004): a system innovation is likely to perform best if three systems are involved in it. This is a mandatory prerequisite for a potential system innovation. It is difficult to realize a system innovation that is in touch with legal/law issues (system authority), market/benefit possibilities (system market) or scientific challenges.
IV. The Further Steps
In reconciling this paper, as a theoretical view, with the practice of cyber security, it will be mandatory for us to investigate further how to implement this theory in the real world. In a simple way, we can explore our current cyber security world to find whether the opinion in this paper can be a sustainable solution for governing cyber security.
Another important challenge is to compute the benefits of a system innovation in monetary terms together with societal values and public safety. Indeed, a system innovation might benefit public safety (safe transactions via the internet, for example), societal values (confidence between parties) and high potential economic development.
We can also view cyber security in terms of institutional characteristics, i.e. transaction cost. The higher the level of governance of cyber security, the lower the transaction cost will be. According to much of the literature, transaction cost comprises the costs of information, monitoring, coordination and negotiation. In cyber security governance, the transaction costs will include the cost to manage / govern cyber security, such as monitoring cyber transactions, handling cyber’s negative effects (i.e. cyber crimes) and coordinating cyber security acts (including cyber’s negative effects).
The Literatures.
Bruijn, Hans de, Voort, Haiko cs. 2004. Creating System Innovation. Bakelma Publishers.
CERT.org. Some statistics on Cybercrime Cases.
Charney, Scott. 2009. Rethinking the Cyber Threat: A Framework and Path Forward. Microsoft Corp.
Deloitte. The People Dimension of Security and Privacy: Eight training and awareness habits of highly effective organizations.
Koch, P., Cunningham, P., Schwabsky, N. and Hauknes, J. Innovation in the Public Sector: Summary and policy recommendations. Publin Report No. D24. NIFU STEP Studies in Innovation, Research and Education. http://www.step.no/publin/reports/d24-summary-final.pdf
Norton’s Cybercrime Report.
Radianti, Jaziar, Gonzalez, Jose J. 2007. A preliminary model of the vulnerability black market. Submitted to the 25th International System Dynamics Conference, Boston, USA, 29 July-2 August 2007.
[Figure: The Large View of Model]
The equations
init Known_Vulnerabilities_type_1 = 50
flow Known_Vulnerabilities_type_1 = +dt*Findings_by_Black_Hat_Hackers
init Known_Vulnerabilities_type_2 = 50
flow Known_Vulnerabilities_type_2 = +dt*Findings_by_White_Hat_Hackers
init Number_Cyber_Crimes = 100
flow Number_Cyber_Crimes = -dt*Cyber_Crime_Caughts
    +dt*CyberCrime_Rate
init Number_CyberCrimes_Prosecuted = 5
flow Number_CyberCrimes_Prosecuted = +dt*Cyber_Crime_Caughts
init Software_Quality = 0.5
flow Software_Quality = +dt*Software_Improvement
init Unknown_Vulnerabilities = 1000
flow Unknown_Vulnerabilities = +dt*Unknown_Vulneb_Rate
    -dt*Findings_by_Black_Hat_Hackers
    -dt*Findings_by_White_Hat_Hackers
init Vendors_Ecommerce_Profit = 100000
flow Vendors_Ecommerce_Profit = -dt*Reduced_Profit_Rate
    +dt*Increased_Profit_Rate
aux Cyber_Crime_Caughts = Number_Cyber_Crimes*Delay_Effect_CyberLaws_to_Cybercrime_Caughts
aux CyberCrime_Rate = Known_Vulnerabilities_type_1*normal_growth_cybercrime_rate
aux Findings_by_Black_Hat_Hackers = IF(Unknown_Vulnerabilities>2,Unknown_Vulnerabilities*normal_growth_findings_type_1*Effect_Cyber_Crime_to_White_Black_Hat_Hackers,0)
aux Findings_by_White_Hat_Hackers = IF(Unknown_Vulnerabilities>2,Unknown_Vulnerabilities*delay_effect_system_science*delay_effect_system_market,0)
doc Findings_by_White_Hat_Hackers = Unknown_Vulnerabilities*delay_effect_system_science*delay_effect_system_market
aux Increased_Profit_Rate = Vendors_Ecommerce_Profit*Effect_Software_Quality_to_Ecommerce_Profits
aux Reduced_Profit_Rate = Vendors_Ecommerce_Profit*Effect_Cyber_Crimes_to_Vendors_Ecommerce_Profit
aux Software_Improvement = Known_Vulnerabilities_type_2/5*effect_known_vulnerabilities_type_2_on_soft_improvement/5000
aux Unknown_Vulneb_Rate = Unknown_Vulnerabilities*growth_of_unknown_vulnerabilites*delay_effect_sof_qual_vulnebty
aux Delay_Effect_CyberLaws_to_Cybercrime_Caughts = DELAYINF(Effect_Cyber_Laws_to_CyberCrime,2,1,Effect_Cyber_Laws_to_CyberCrime)
aux delay_effect_sof_qual_vulnebty = DELAYMTR(effect_software_quality_to_vulnerabilities,5,1,effect_software_quality_to_vulnerabilities)
aux delay_effect_system_market = DELAYINF(effect_system_market,5,1,effect_system_market)
aux delay_effect_system_science = DELAYINF(effect_system_science_to_finding_rate_type2,5,1,effect_system_science_to_finding_rate_type2)
aux Delay_Info_CyberCrimes = DELAYINF(Number_Cyber_Crimes, 2,Number_Cyber_Crimes)
aux Effect_Cyber_Crime_to_White_Black_Hat_Hackers = IF(Delay_Info_CyberCrimes>200,Delay_Info_CyberCrimes/200,1)
aux Effect_Cyber_Crimes_to_Vendors_Ecommerce_Profit = Number_Cyber_Crimes/1000*normal_reduced_rate
aux Effect_Cyber_Laws_to_CyberCrime = (efficiency_of_cyberlaws*normal_growth_crime_caughts)*switch_law+(normal_growth_crime_caughts)*(1-switch_law)
aux Effect_Software_Quality_to_Ecommerce_Profits = IF(Software_Quality>1,Software_Quality/1,1)*normal_profit_rate_growth
aux effect_software_quality_to_vulnerabilities = IF(Software_Quality>=0.5,1,1.5)
aux effect_system_market = switch_system_market*effeciency_research_funding+(1-switch_system_market)
aux effect_system_science_to_finding_rate_type2 = switch_system_science*(normal_growth_finding_type_2*efficiency_of_system_science)+(1-switch_system_science)*(normal_growth_finding_type_2)
aux efficiency_of_cyberlaws = IF(switch_system_science=1,1.75,1.5)
aux Percentage_Cybercrime_Caughts = Number_CyberCrimes_Prosecuted/Number_Cyber_Crimes
const effeciency_research_funding = 1.5
const effect_known_vulnerabilities_type_2_on_soft_improvement = 1.1
const efficiency_of_system_science = 1.5
const growth_of_unknown_vulnerabilites = 0.2
const normal_growth_crime_caughts = 0.01
const normal_growth_cybercrime_rate = 0.1
const normal_growth_finding_type_2 = 0.1
const normal_growth_findings_type_1 = 0.2
const normal_profit_rate_growth = 0.15
const normal_reduced_rate = 0.05
const switch_law = 1
const switch_system_market = 1
const switch_system_science = 1
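The four scenario lines can be re-run outside Powersim. The Python code below is an added example, not the author's Powersim model: it steps the equations above with Euler integration over 60 months at a time step of 0.125. It assumes a first-order exponential delay for every DELAYINF / DELAYMTR call (including the three-argument one) and the switch settings that Section III gives for lines 1 to 4; the short variable names are this example's own.

```python
"""Euler re-implementation of the page's Powersim equations (added example)."""

# Scenario lines from Section III:
# (switch_law, switch_system_market, switch_system_science)
SCENARIOS = {1: (0, 0, 0), 2: (1, 0, 0), 3: (1, 1, 0), 4: (1, 1, 1)}


def delay_step(level, signal, delay_time, dt):
    """One Euler step of a first-order exponential delay (assumed stand-in
    for Powersim's DELAYINF / DELAYMTR)."""
    return level + dt * (signal - level) / delay_time


def simulate(switch_law, switch_market, switch_science, months=60, dt=0.125):
    # Stocks, initial values from the "init" lines.
    kv_black, kv_white = 50.0, 50.0   # Known_Vulnerabilities_type_1 / _2
    crimes, prosecuted = 100.0, 5.0
    quality, unknown, profit = 0.5, 1000.0, 100000.0

    # Auxiliaries that depend only on constants and switches.
    efficiency_of_cyberlaws = 1.75 if switch_science == 1 else 1.5
    law_effect = (efficiency_of_cyberlaws * 0.01 * switch_law
                  + 0.01 * (1 - switch_law))
    market_effect = switch_market * 1.5 + (1 - switch_market)
    science_effect = switch_science * (0.1 * 1.5) + (1 - switch_science) * 0.1

    # Delay levels start at the current value of their input.
    d_law, d_market, d_science = law_effect, market_effect, science_effect
    d_quality = 1.0 if quality >= 0.5 else 1.5
    d_crimes = crimes

    for _ in range(round(months / dt)):
        # Auxiliaries ("aux" lines) evaluated on the current state.
        hacker_effect = d_crimes / 200 if d_crimes > 200 else 1.0
        quality_effect = 1.0 if quality >= 0.5 else 1.5
        caught = crimes * d_law
        crime_rate = kv_black * 0.1
        found_black = unknown * 0.2 * hacker_effect if unknown > 2 else 0.0
        found_white = unknown * d_science * d_market if unknown > 2 else 0.0
        new_unknown = unknown * 0.2 * d_quality
        improvement = kv_white / 5 * 1.1 / 5000
        profit_up = profit * (quality if quality > 1 else 1.0) * 0.15
        profit_down = profit * (crimes / 1000 * 0.05)

        # Advance the delays with this step's inputs, then the stocks.
        d_law = delay_step(d_law, law_effect, 2, dt)
        d_market = delay_step(d_market, market_effect, 5, dt)
        d_science = delay_step(d_science, science_effect, 5, dt)
        d_quality = delay_step(d_quality, quality_effect, 5, dt)
        d_crimes = delay_step(d_crimes, crimes, 2, dt)

        kv_black += dt * found_black
        kv_white += dt * found_white
        crimes += dt * (crime_rate - caught)
        prosecuted += dt * caught
        quality += dt * improvement
        unknown += dt * (new_unknown - found_black - found_white)
        profit += dt * (profit_up - profit_down)

    return {"crimes": crimes,
            "pct_caught": prosecuted / crimes,
            "profit": profit}


def run_scenarios():
    """Final-month values for scenario lines 1 to 4."""
    return {line: simulate(*sw) for line, sw in SCENARIOS.items()}


if __name__ == "__main__":
    for line, r in run_scenarios().items():
        print(f"line {line}: crimes={r['crimes']:.0f} "
              f"caught={r['pct_caught']:.2f} profit={r['profit']:.3g}")
```

Comparing the four returned rows reproduces the ordering the paper reports for Pictures 1 to 3; the absolute values depend on the delay assumption and need not match Powersim's output.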