In Depth

Freedom of the Cyber Seas

How lessons from the U.S. government's response to pirates in the early 1800s can help the next president of the United States improve information security

By Aaron Turner & Michael Assante

As was the case in the late 18th century on the high seas, significant segments of the Internet have suffered from a power vacuum, within which criminals have found a safe haven to conduct illegal activities. Compare the protection payments extorted by Barbary pirates to the losses suffered by U.S. financial institutions today through Internet-enabled credit card fraud committed by organized crime rings in other countries. Unfortunately, there is not an extensive amount of public information available relating to Internet-enabled financial fraud, because most financial institutions keep the numbers private. One of the few institutions to publish comprehensive fraud statistics is the Banque de France, which in its "Statistiques de Fraude pour 2006" report details how international credit card fraud has ranged between three and six percent of all international transactions from 2002 to 2006--representing billions of euros of losses for the bank. Combine the Banque de France information with the latest data on "card-not-present" or CNP fraud (fraudulent transactions via Internet or phone), which show a 16 percent year-over-year increase from 2005 to 2006, and these criminal enterprises begin to approach the scale of Barbary pirate extortion.

Similarly, in many ways, current U.S. policy on the security of electronic commerce is similar to Adams' appeasement approach to the Barbary pirates. The U.S. government's inability to dictate a consistent cyber commerce protection policy is creating a financial burden on the U.S. private sector to maintain a status quo, when those resources could be used to mount a more-effective Internet-focused defense. In the case of financial fraud on the Internet, the costs associated with fraudulent transactions are currently borne by private companies, which then have to pass those costs on to their customers. This basically creates a system in which the financial institutions are paying a type of "tribute" to the cyber criminals, just as Adams did to the Barbary pirates.

The analogy can be extended further. The data flowing through global networks is the equivalent of maritime shipping lanes in international waters, and the networking, computing and logical assets owned by organizations are the ports from which the information flows "sail" onto the "international cyber seas." These concepts can be counter-intuitive to enforcing any rule of law, as the jurisdictional complexities have not been fully developed. The ambiguity of Internet sovereignty causes law enforcement to err on the side of inaction to avoid violating any laws themselves.

With this in mind, one can see how a new approach could be forged that would maintain and respect sovereignty. The nation can consider using political pressure, and by extension proactive actions, to protect the "cyber sea lanes" from well-organized and significant threats. We are not advocating the use of malicious applications to shut down servers. Under this model, there are other actions the United States can take to isolate and undermine threats, while staying within the framework of international law. The efforts of the United States to disrupt the illegal drug trade provide examples of how we can work with other countries, respecting their sovereignty, while working to undermine the drug cartels and interdict threats before they arrive in U.S. ports.

• Email
• Print
• Comments
• Digg This
• SlashDot

• 4 Things the Roman Aqueducts Can Teach Us About Securing the Power Grid
• Information Security Defense In Depth Lessons (from a Bronze-Age Fort)