Commissioner Speaks Of Insecure Net, 23 Years Late

European Commissioner Malmström spoke at a conference of the increasing rate of “cybercrime” and how the Internet is increasingly insecure. As a result, she argues, Europol must receive more resources, jail terms for “net-facilitated” crimes must be raised, and Sweden must join NATO.

An ignored fact in this statement is that the Internet was at its most insecure in 1988, when the Morris Worm changed the design philosophy radically, after the worm had taken out 10% of the connected systems. Year after year since, the net has become more secure. Today, systems are patched rapidly, automatically and efficiently. Nobility is always late to the party, it’s said, but being 23 years late to the party is stretching it quite a bit beyond what’s reasonable, even for a politician.

It could be argued that Microsoft-based systems are still insecure. I would agree — Microsoft was late to the party, and partially changed its design philosophy as late as 2001-2002, through a company-wide effort. This means that every foundation written before this was not written with security in mind. That particularly includes Windows. However, they have made a decent — not good, but decent — effort in setting up automatic processes for closing security gaps as they are discovered. Therefore, the Microsoft argument is partly irrelevant.

Apart from the Commissioner being 23 years late to the party, Anna Troberg and Oscar Swartz do excellent jobs of dismantling her arguments, which appear to be based on Reason 2.0.

Reason 2.0 was a computer program introduced by Douglas Adams in his novel “Dirk Gently’s Holistic Detective Agency”. While most decision-support software was based on ordering arguments to help the operator come to a conclusion, Adams argued presciently, Reason 2.0 turned the tables and asked the operator first for the wanted conclusion, and then ordered the available arguments to indisputably arrive at that desired conclusion. In the book, the program was a smashing commercial success until the military bought everything lock, stock and barrel.

In this case, it appears that Commissioner Malmström is looking for arguments to give Europol more resources and for Sweden to join NATO, and has failed spectacularly in presenting supporting arguments for that conclusion. However, that was only in the eyes of the public (see the comments) — at this political conference (Folk och Försvar, literally People and Defense), politicians and civil servants are accepting the alleged dangers as facts, quite possibly out of the aspiration that it may give them more budget in turn.

It’s quite sad to see the political nobility living in such a reality distortion bubble. It’s also worth reading Emma’s post on how this bubble turns into a War on Humanity by said nobility.

Rick Falkvinge

Rick is the founder of the first Pirate Party and a low-altitude motorcycle pilot. He lives on Alexanderplatz in Berlin, Germany, roasts his own coffee, and as of right now (2019-2020) is taking a little break.

Discussion

  1. Mollemand

    May I suggest that we ask Nato for help to protect us from Cenzilla?

  2. Magnus

    Why do you call them nobility? You, just as well as I, know that they have made themselves puppets, probably out of their desire to be seen as noble, but that does not make them noble. True nobility do not act as puppets, they are the puppeteers holding the strings.

  3. Leif Nixon

    This is so contrafactual that I don’t know where to start. A few keywords: Melissa, Slammer, Conficker, Zeus, Aurora, Stuxnet. Heard of any of those?

    1. Rick Falkvinge

      Yes, of course. Melissa and Slammer hit Microsoft systems before they were rewritten with security in mind, just as I describe. Stuxnet was not a mass weapon but something targeting seven-year-old (!) exploits, which would not have been possible with a modest modicum of patching. Et cetera.

  4. No, Pepes Bodega is not located here… | Anna Troberg

    […] No, Malmström’s talk of total agreement on the terrible threat from the diffuse cybercrimes that apparently hang over us all like a dark shadow should be taken with a pinch of salt. She hears what she wants to hear and happily ignores the rest. […]

  5. Nicholas Miles

    Magnus, you do realise that part of the very essence of aristocracy is being a vassal of the king, right?

    1. Magnus

      Yes, I know. I just made the nobility connection to the “king” and not aristocracy. I would not call aristocrats nobility.

  6. Leif Nixon

    So, how about Conficker? Seven million infected computers? Many large organizations, including hospital, military and police networks, off-line for days.

    Systems are, as a rule, NOT patched automatically and efficiently. The Internet has never been as hostile as it is today.

    1. Mårten

      The main problem is lack of security in software (in this case Windows) and bad security practices by the end users. Systems should be patched efficiently, that is a fundamental computer administration task (and if you lack the “know-how” you can enable automatic updating, that’s what it’s for). Any company that doesn’t patch their systems regularly should probably review their security policies.

      That’s the problem, not lack of legislation or law enforcement resources.

      If you keep your system up to date and don’t install software you don’t trust (and you can be quite liberal in that regard) you have eliminated 99% of all threats. I haven’t been exposed to a computer virus (detectable by standard anti-virus software at least) for at least the last 10 years (although anti-virus software increasingly often reports false positives and treats browser cookies as viruses etc. these days.)

      People haven’t taken Internet seriously in the past and now suddenly they realize Internet is important and their systems are vulnerable and so they panic.

      Malmström uses this panic to advocate NATO membership and increased resources to INTERPOL as well as an “internet taskforce” whose main priority no doubt will be illegal filesharing (something the US have been demanding from Sweden the last couple of years on behalf of its media industry.)

      Can’t be sure if Malmström is just ignorant or if she’s corrupt but either way it’s pretty depressing.

      1. Mårten

        Sorry, not INTERpol, EUROpol of course. 🙂

      2. Leif Nixon

        Well, in reality systems are simply not being patched. This is not something that will change in a hurry – it is a surprisingly complex problem. Moreover, patching systems is not enough, given the prevalence of 0days and the often sluggish response time of vendors, and given that many threats, like phishing, don’t involve software vulnerabilities at all.

        The Internet will not become secure in the foreseeable future. This is something we have to accept and learn to live with. We need tools and methods to respond to the ever evolving threats, and *one* of those tools is better international law enforcement.

        I’m currently involved in a case where unknown perpetrators, possibly Romanians, used a compromised Lithuanian system to exploit a misconfiguration in a web server in Spain and use it for a phishing attack on Greek bank customers.

        I happen to believe that criminals like these should be brought to justice. Can you even imagine how complicated it would be in the current state of affairs to handle this through proper law enforcement channels? No, you probably can’t, because you haven’t tried to pull together a multi-national police investigation.

        I have. It isn’t pretty.

  7. wrong solutino

    “(…)No, you probably can’t, because you haven’t tried to pull together a multi-national police investigation.”

    Then we need better cooperation, not mass surveillance of the people?

  8. Leif Nixon

    Uhm, yes? Better cooperation is what is being discussed here.

  9. Mårten

    I understand that must be very difficult, but if it is as you say then a European cybercrime unit wouldn’t change anything. For such a unit to be effective it would require global intergovernmental cooperation, not just European. Much easier–and safer–to simply patch sensitive systems and learn not to give away your bank credentials to strangers or weird websites.
