The danger of cybersecurity ‘ghettos’

Ghettos are not good, whether they are at the local, state or national level. They tend to breed unrest, dysfunction and crime that can extend well beyond their borders, undermining the health of an entire society.

[5 implementation principles for a global information security strategy]

And the high-tech version of that should worry the world IT community, according to Allan Friedman, a fellow and research director at the Brookings Institution Center for Technology Innovation.

Friedman warns in a research paper for Brookings titled, “Cybersecurity and Trade: National Policies, Global and Local Consequences,” that a lack of coordination and cooperation regarding cybersecurity among nation states could create “cyber security ghettos,” and undermine the security of the global cyber environment.

Friedman also issued that warning at a forum last month at Brookings that he moderated, titled “Implications of cybersecurity regulations and international trade.” While the major focus of the discussion was “non-tariff barriers to trade” and the impact that a hodge-podge of security standards could have on the world economy, Friedman also warned of the potential security risks of nation-state “ghettos.”

“As rich countries get better at protecting themselves, the threats and bad actors will more and more find refuge in the infrastructure and systems of poor countries that don’t have the resources to protect themselves,” he said, adding that, “in a networked world, it’s not just enough to defend yourself. If your neighbor’s insecure, that poses a threat to you.”

Friedman was on vacation this week and unavailable for comment. But other security experts said there is merit to his concern. Asked if such “ghetto” states already exist, Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, said they do if they are defined as, “places that harbor criminals, like Eastern Europe, Russia, or Nigeria today, or … a place with bad standards that is picked on by others. Both are bad and yes, we have both today,” he said.

“Though as with real ghettos, they can go from bad to really, really ugly if you’re not careful. As I’ve put it in other contexts, cyberspace is the Wild West today, but if we keep on with current policies it could become Somalia tomorrow,” he said.

[3 reasons why America’s security model is broken]

Friedman offered several recommendations to avoid or ameliorate the ghetto problem. One is that wealthier countries should help poorer countries to improve their security. “Beyond their own borders, developed countries should promote global cybersecurity capacity building. Cybersecurity is a global problem. If developing countries do not have the capacity to defend their networks, it puts the world’s systems at risk,” he wrote.

He also called for, “international or harmonized security standards. Shared standards enable security without erecting barriers to trade,” he said, “(but) at the same time, we should(not expect a single, global standard for all IT.”

[South Korea blames North Korea for cyberattacks]

It could be politically tricky for the international community to help poorer countries improve their cybersecurity capacity, for a number of reasons. One potential problem could be that developing countries, some of which are hostile to the West in general and to the U.S. in particular, might simply use that improved expertise to attack their more developed neighbors.

Healey doesn’t see that as a major risk. “I’m sure we’d not aid some of the nations we least trust,” he said, but added that, “many of the technologies are truly defensive, or the economic gains of development far outweigh any potential national security risk.”

It could be even trickier politically, however, to “harmonize” security standards around the world, especially given the recent revelations by former National Security Agency (NSA) contractor Edward Snowden, about the agency spying on other countries and its own citizens.

Jacob Olcott, principal at Good Harbor Consulting and a former cyber policy adviser to the U.S. Congress, said he believes those revelations, “will have a real, damaging economic impact to the U.S. IT industry, and to U.S. diplomatic efforts in cybersecurity.

“In recent years, the U.S. government and the U.S. IT industry have fought hard against country-specific security standards, arguing instead for the adoption of U.S.-led international standards. The Snowden leaks seriously undermine this argument because it creates distrust in the international standard,” he said.

“International governments that believe there is a special relationship between the NSA and the U.S. IT industry will be more likely to adopt their own restrictive standards.”

Healey agreed. “Cooperation is built on trust, so any progress will be much harder now,” he said. “If the US is seen as circumventing security, with things like Flame or encryption, then there may be suspicion of U.S.-backed standards. Of course, they don’t have to be tied together, but any countries or companies that wanted reasons not to cooperate now have more than enough reason.”

[If confirmed, DHS nominee to continue with cybersecurity initiatives]

And Paul Rosenzweig, founder of Red Branch Law & Consulting and a former deputy assistant secretary for policy at the Department of Homeland Security, said he is, “deeply skeptical that non-Western nations will agree to harmonization.”

He added, “I suspect in the end that the network will fractionate somewhat into two networks – a ‘Free West’ one and an ‘Unfreeze Everywhere Else’ one – and that is not a good thing.”

So far, however, even though the Internet has been a commercial fact of life for more than 25 years, this kind of dystopian fragmentation is apparently not established. John Miller, senior counsel and policy strategist on global public policy for Intel Corp., said at the recent Brookings forum that the current global digital economy has been “a successful model.”

[How to secure a company’s Chinese development, part one]

But he said he is concerned that disjointed security policies and regulations will impede the evolution and functioning of that market. “Costly barriers to cross border commerce,” he said, would lead to, “a balkanized system, that threatens continued advancement of both technology interoperability and innovation.”

One possible reason that balkanization has not already occurred is that, as Healey put it, “most of the undeveloped countries aren’t really that connected. (But) now that Africa is increasingly connected, this may change.”

And experts are somewhat dubious that the political will and cooperation exists to create the kind of harmonization Friedman advocates.

One problem is that developed countries might fear they would lose control of their own cybersecurity standards if they are required to abide by a world standard. Rosenzweig said “of course” countries like the U.S. and U.K. would lose a measure of control. “Depending on whether that results in a diminution of standards or a uniformity of standards, it could be good or bad,” he said.

Healey said he suspects any international agreement, “would allow more strict application by more-advanced nations.”

The more intractable problem, however, is that of competing national interests. “Different nations – China and the U.S. – and different companies like Facebook are already driving us towards partial Balkanization,” Healey said, “and that was before the scope of NSA collection became clear. Now even like-minded nations are increasingly wary of U.S. intentions in cyberspace.”

“I’m not sure anything can avoid it (balkanization),” Rosenzweig said. “It isn’t in some nations’ interests to avoid, so they probably won’t. From a Chinese perspective, for example, cutting off from the West is the optimal result.”

[How to secure a company’s Chinese development, part two]

That, according to Miller, will damage both economic growth and security. “Having to comply with 40, 50, who knows how many sets of technical standards, requirements and local certification and testing requirements, etc. … [means that] security technologies won’t be able to get to the places that they need to get to and consumers will suffer by having worse security, and it in fact will mean higher prices in the technology they buy,” he said.