The danger of cybersecurity 'ghettos'

Ghettos are not good, whether they are at the local, state or national level. They tend to breed unrest, dysfunction and crime that can extend well beyond their borders, undermining the health of an entire society.

Ghettos are not good, whether they are at the local, state or national level. They tend to breed unrest, dysfunction and crime that can extend well beyond their borders, undermining the health of an entire society.

[5 implementation principles for a global information security strategy]

And the high-tech version of that should worry the world IT community, according to Allan Friedman, a fellow and research director at the Brookings Institution Center for Technology Innovation.

Friedman warns in a research paper for Brookings titled, "Cybersecurity and Trade: National Policies, Global and Local Consequences," that a lack of coordination and cooperation regarding cybersecurity among nation states could create "cyber security ghettos," and undermine the security of the global cyber environment.

Friedman also issued that warning at a forum last month at Brookings that he moderated, titled "Implications of cybersecurity regulations and international trade." While the major focus of the discussion was "non-tariff barriers to trade" and the impact that a hodge-podge of security standards could have on the world economy, Friedman also warned of the potential security risks of nation-state "ghettos."

"As rich countries get better at protecting themselves, the threats and bad actors will more and more find refuge in the infrastructure and systems of poor countries that don't have the resources to protect themselves," he said, adding that, "in a networked world, it's not just enough to defend yourself. If your neighbor's insecure, that poses a threat to you."

Friedman was on vacation this week and unavailable for comment. But other security experts said there is merit to his concern. Asked if such "ghetto" states already exist, Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, said they do if they are defined as, "places that harbor criminals, like Eastern Europe, Russia, or Nigeria today, or ... a place with bad standards that is picked on by others. Both are bad and yes, we have both today," he said.

"Though as with real ghettos, they can go from bad to really, really ugly if you're not careful. As I've put it in other contexts, cyberspace is the Wild West today, but if we keep on with current policies it could become Somalia tomorrow," he said.

[3 reasons why America's security model is broken]

Friedman offered several recommendations to avoid or ameliorate the ghetto problem. One is that wealthier countries should help poorer countries to improve their security. "Beyond their own borders, developed countries should promote global cybersecurity capacity building. Cybersecurity is a global problem. If developing countries do not have the capacity to defend their networks, it puts the world's systems at risk," he wrote.

He also called for, "international or harmonized security standards. Shared standards enable security without erecting barriers to trade," he said, "(but) at the same time, we should(not expect a single, global standard for all IT."

[South Korea blames North Korea for cyberattacks]

It could be politically tricky for the international community to help poorer countries improve their cybersecurity capacity, for a number of reasons. One potential problem could be that developing countries, some of which are hostile to the West in general and to the U.S. in particular, might simply use that improved expertise to attack their more developed neighbors.

Healey doesn't see that as a major risk. "I'm sure we'd not aid some of the nations we least trust," he said, but added that, "many of the technologies are truly defensive, or the economic gains of development far outweigh any potential national security risk."

It could be even trickier politically, however, to "harmonize" security standards around the world, especially given the recent revelations by former National Security Agency (NSA) contractor Edward Snowden, about the agency spying on other countries and its own citizens.

Jacob Olcott, principal at Good Harbor Consulting and a former cyber policy adviser to the U.S. Congress, said he believes those revelations, "will have a real, damaging economic impact to the U.S. IT industry, and to U.S. diplomatic efforts in cybersecurity.

"In recent years, the U.S. government and the U.S. IT industry have fought hard against country-specific security standards, arguing instead for the adoption of U.S.-led international standards. The Snowden leaks seriously undermine this argument because it creates distrust in the international standard," he said.

"International governments that believe there is a special relationship between the NSA and the U.S. IT industry will be more likely to adopt their own restrictive standards."

Healey agreed. "Cooperation is built on trust, so any progress will be much harder now," he said. "If the US is seen as circumventing security, with things like Flame or encryption, then there may be suspicion of U.S.-backed standards. Of course, they don't have to be tied together, but any countries or companies that wanted reasons not to cooperate now have more than enough reason."

[If confirmed, DHS nominee to continue with cybersecurity initiatives]

And Paul Rosenzweig, founder of Red Branch Law & Consulting and a former deputy assistant secretary for policy at the Department of Homeland Security, said he is, "deeply skeptical that non-Western nations will agree to harmonization."

He added, "I suspect in the end that the network will fractionate somewhat into two networks -- a 'Free West' one and an 'Unfreeze Everywhere Else' one -- and that is not a good thing."

So far, however, even though the Internet has been a commercial fact of life for more than 25 years, this kind of dystopian fragmentation is apparently not established. John Miller, senior counsel and policy strategist on global public policy for Intel Corp., said at the recent Brookings forum that the current global digital economy has been "a successful model."

[How to secure a company's Chinese development, part one]

But he said he is concerned that disjointed security policies and regulations will impede the evolution and functioning of that market. "Costly barriers to cross border commerce," he said, would lead to, "a balkanized system, that threatens continued advancement of both technology interoperability and innovation."

One possible reason that balkanization has not already occurred is that, as Healey put it, "most of the undeveloped countries aren't really that connected. (But) now that Africa is increasingly connected, this may change."

And experts are somewhat dubious that the political will and cooperation exists to create the kind of harmonization Friedman advocates.

One problem is that developed countries might fear they would lose control of their own cybersecurity standards if they are required to abide by a world standard. Rosenzweig said "of course" countries like the U.S. and U.K. would lose a measure of control. "Depending on whether that results in a diminution of standards or a uniformity of standards, it could be good or bad," he said.

Healey said he suspects any international agreement, "would allow more strict application by more-advanced nations."

The more intractable problem, however, is that of competing national interests. "Different nations -- China and the U.S. -- and different companies like Facebook are already driving us towards partial Balkanization," Healey said, "and that was before the scope of NSA collection became clear. Now even like-minded nations are increasingly wary of U.S. intentions in cyberspace."

"I'm not sure anything can avoid it (balkanization)," Rosenzweig said. "It isn't in some nations' interests to avoid, so they probably won't. From a Chinese perspective, for example, cutting off from the West is the optimal result."

[How to secure a company's Chinese development, part two]

That, according to Miller, will damage both economic growth and security. "Having to comply with 40, 50, who knows how many sets of technical standards, requirements and local certification and testing requirements, etc. ... [means that] security technologies won't be able to get to the places that they need to get to and consumers will suffer by having worse security, and it in fact will mean higher prices in the technology they buy," he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about FacebookIntelNational Security AgencyNSATechnologyWest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place