POLCYB, the Society for the Policing Cyber Space, describes itself as a non-profit organisation focusing on “international partnerships among public and private professionals to prevent and combat crimes in cyberspace.”
Established in 1999 and based in Canada, it brings together experts from different sectors, including cyber defence and law enforcement communities around the world, to exchange ideas and practices to prevent and address cybercrime, including making the Internet a safer environment, especially where Internet activities cross geopolitical boundaries.
Under the leadership of Executive Director Bessie Pang of Canada, POLCYB provides a valuable exchange of ideas, models and best practices for corporations and government agencies trying to manage the risks and damage resulting from cybercrimes.
In other areas of activity, international environments of this sort are—and have long been—well regulated. The UK national cyber security policy points out that we enjoy the benefits of the maritime and air environments because they are safe, reliable and regulated.
It points out that the maritime environment was secured in the 19th century, the airspace in the 20th. And it urges that we collectively find a way to secure cyberspace in the 21st century.
I attended the most recent POLCYB conference, the 9th Annual POLCYB International Summit, held in Kuala Lumpur 21-24 February, and shared some thoughts with the group on approaches to securing cyberspace—again, to paraphrase the language of the UK national cyber security policy, to make the use of the Internet safe, secure and resilient.
In my view, this is an extremely urgent task. While it may have taken decades to secure the seas or the airspace, we don’t have decades to wait before we improve the security of cyber space.
We need action now. Virtually all parts of modern life are dependent on it and its use, and risks and problems caused by the lack of serious regulation and hygiene increase daily, in some cases at almost an exponential rate.
New malware is produced each year, and the level of sophistication of these attacks is increasing as well. The problem is severe; the risks are increasing fast, and the situation is likely only growing worse.
It is true that the Internet is an artificial environment created, operated and owned by numerous entities, while the seas and airspace are obviously natural and open environments. This is a critical difference that will be reflected in the kinds of structures, authorities and processes that are developed to make the Internet safer, and such measures will differ in some regards from the equivalent actions in the maritime or airspace environments.
But the Internet has become such a vital framework for almost any activity that is based on information—sharing, developing, processing or protecting information—that is, nearly any aspect of modern life, that we must regard it as a ubiquitous medium through which all these other activities are established and facilitated.
As with the maritime and airspace environments, this medium must now be subjected to regulation and structure in order to protect the myriad critical activities running through it.There are some critical issues here as to what should and should NOT be regulated, in my view, and I will discuss those in future postings.
In coming instalments of this blog, I will provide much of the message I delivered at POLCYB, with some elaboration.
These instalments will deal with how to provide a basic framework for the problem, segmenting it into layers and assigning specific roles and authorities to each layer or segment; some observations on the processes, standards, laws and other structures that today make the airspace an environment that we trust within established, known and managed risk frameworks; examples of early steps to provide some of the kinds of layered segmentation of the problem of securing the Internet; and some thoughts on possible approaches to dealing with risks in the commercial infrastructure environment.
Posted by Dr. Prescott Winter, CTO Public Sector, ArcSight, an HP company