BOSTON (05/17/2000) - Governments and companies must take an international approach to contending with cyber crimes, the Global Internet Project (GIP) advised today in a set of recommendations released today at the G8 conference in Paris.
GIP has issued 13 recommendations for businesses and organizations to follow and nine measures for governments to consider.
The G8 conference, ending today, was called to promote dialogue between public authorities and the private sector on security on the Net. It was organized by the G8 group of nations (the seven most industrialized nations, plus Russia) and co-chaired by France and Japan. The other attending nations are Canada, Germany, Italy, the U.K. and the U.S. [See "France Makes a First Move at G8 Net Summit," May 16.]Government regulations are not, however, the answer, according to the GIP, a group of senior Internet executives that promotes industry actions aimed at curbing the need for regulation. The recommendations were outlined in a press conference with Vint Cerf, senior vice president for Internet Architecture and Technology at WorldCom Inc. and a GIP member.
"You simply can't keep up with the technology," Cerf said of Internet regulation, "so the laws won't apply."
At issue in particular are upcoming Internet advances, including video over the Net and wireless Net-based communications. Issues related to those should be thought of now, and measures should be taken to ensure safety of users and security, GIP officials said at the press conference.
With regard to industry, companies must do whatever they can to smooth security, in the view of GIP members, and some pointed comments were made regarding what members believe Microsoft Corp. should be doing to make its software less prone to attack by viruses and worms such as the recent "ILOVEYOU" threat.
Still, there was also acknowledgment that hackers reach new levels of sophistication with each new virus that is written, creating, in Cerf's words, a "cottage industry" of cyber criminals. Prevention alone won't work, so audit trails and other measures are needed on top of the preventative approach.
This is what GIP has recommended that businesses and organizations do:
-- Identify and disseminate information about computer systems security holes, with CERT (http://www.cert.org/) and the U.S. Federal Bureau of Investigation (FBI) National Infrastructure Protection Center (http://www.fbi.gov/nipc/) serving as clearing houses. CERT is the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, in Pittsburgh.
-- Perform security audits and decide how to protect systems from external and internal threats. As Cerf noted, many attacks come from users with authorized access who bear a grudge.
-- Cooperate with law enforcement and other agencies to detect and alleviate attacks.
-- Improve physical security of critical systems, especially domain name and root servers.
-- Guarantee security tools being shipped and used are installed as they should be, and encourage administrators and users to be trained in how to use tools.
-- Make sure that workers know that security is part of their normal duties.
Focus on protecting infrastructure from internal and external attacks.
-- Establish policies that require regular updates of antivirus software, and require workers to use password protection systems. Vendors, suppliers and professional associates should be encouraged to use security technology.
-- Provide advice to governments on how to protect their computer systems and track down and arrest hackers.
-- Invest in research on how to reduce Internet security vulnerability and computers that are part of the Internet.
-- Take all needed steps to secure networks, such as filtering incorrect routing information and spam and denying unauthorized access. Security alerts should be distributed, and customers should be educated about how to secure networks and offer security services.
-- Support outreach programs that will convey a code of cyber ethics to youngsters.
-- Encourage deployment of IPsec and IPv6 protocol standards.
-- Encourage and develop better authentication systems, including PKI (public key infrastructure) and CA (certificate authority) schemes.
The GIP also issued these recommendations for governments:
-- Lead by example through making certain government computer systems and networks are secure and that the best information security measures are used.
-- Arrest and prosecute computer criminals.
-- Encourage information sharing.
-- Promote open standards.
-- Remove remaining controls on civilian encryption technologies.
-- Provide better threat assessment.
-- Support research on Internet security.
-- Fund education and training of information security experts.
-- Encourage and support private-sector efforts to teach youngsters how to behave ethically in cyberspace.
The GIP can be reached at http://www.gip.org/.
France and Japan. The other attending nations are Canada, Germany, Italy, the U.K. and the U.S