Cyber-security Issues in International Development Environments
Transcript of the Q&A session...
Question by Emily Frye
On the issue of anonymity, I used to be a fan of anonymity, but in the world that Jody described and that I have become more aware of, I am no longer convinced that anonymity is a right that people have online. The reason is that if you cannot identify the perpetrators, then you cannot effectively combat cyber-crime… Are there nuances in the right to anonymity?
Response by Jim Dempsey
Due to the very design of this technology, we create and leave behind footprints. Assembling those requires effort, but to mandate some kind of uniform authentication process or uniform traceability requirement to be built into the technology will have lots of unintended consequences for policies that we favor (whistleblowers, various kinds of online health inquiries, access to information). Look at a country like China and the huge efforts it’s putting into controlling the technology and tracking down democracy advocates. Also think about it from a security standpoint and how hackers might well be able to use things that are designed for traceability and identification purposes.
The relative anonymity that the Internet offers serves a number of important policy goals, separate from privacy goals. This is similar to the ability to walk into a store and buy a newspaper without identifying ourselves.
Lots of technical measures can be taken by network operators to authenticate packets. These are generally not regulatory steps. Egress filtering provides the ability to identify packets coming out of a server and identify whether they’re authentic. It provides an increased ability to identify the source of an attack on a network. End-to-end authentication for all packets would have adverse impacts. It’s a trade-off. You can’t find everybody every time, but the price of finding everybody every time comes at the expense of other social policies we favor. A technique that may be perfectly good in the hands of the US Dept. of Justice may not be so desirable in the hands of the government of China.
Response by Richard Downing
Counter solutions, end-to-end traceability isn’t the only idea. There are levels of anonymity. I am largely unconvinced by the argument about whistleblowers. There are ways to make sure that whistleblowers can be protected.
_____________________________
Question by Stephen Tournas
When we encourage developing countries to use technology to stimulate their economic growth, are we leading them down a dangerous path of dependence on technology and its dark sides? Is the use and applications of IT creating more vulnerabilities? What kinds of redundancies can be built in?
Response by Jim Dempsey
It’s very hard to have development today without IT. We’re not selling the importance of IT to developing countries – they already believe it is important. We’re selling a little bit of expertise in how to make it happen. Every country in the world is part of the global market and they have to be connected. What they need, however, is to be aware of the dark side of the internet and the risks and to build this awareness into their strategies.
Response by Jody Westby
It’s a legitimate consideration but it’s at the bottom of the list. It’s to our own national economic and security interest to make sure other countries are aware of cyber security and moving along the right path. People in developing countries don’t worry too much about cyber-security. They worry about jobs, economic opportunities, etc….
Response by Jonathan Metzger
It’s 99% good and 1% bad… When we talk about cyber-security, we’re trying to address the 1% that is bad because the costs of that 1% can be very high.
______________________________
Question by Michel Maechler
This question relates to the role of the private sector. In developed countries, lots of security solutions are driven by the private sector. In your experience, how is the private sector involved in these efforts in developing countries? What’s the difference between developing and developed countries in terms of private sector involvement?
Response by Jonathan Metzger
It’s critical for the private sector to be delivering security solutions. Some private sector ISPs are not necessarily making money from their ISP business but they are making money from their security solutions business. The private sector is the core to everything. What may be needed, though, is better dialogue between government and the private sector. USAID can help bridge that dialogue.
____________________________
Question from a member of the audience
With regards to privacy, what is the impact of the Patriot Act? Are we sending the wrong kinds of messages to developing countries with the Patriot Act?
Response from Jim Dempsey
The Patriot Act is not as bad as you think, at least on the surveillance side. Both domestically and internationally the Patriot Act has been over-read. It has become a symbol for government overreaction. In some developing countries, people don’t recognize it for the symbol that it is.
From a civil liberties perspective, there isn’t a single power in the Patriot Act that I would deny the government. What are lacking are the checks and balances.
On the other hand, the overall US approach to terrorism post 9/11 has undercut our leadership role internationally. In the context of developing countries what we’re trying to promote is that the principles of the rule of law (transparency, accountability) are still values we adhere to in the United States and that we need to bring overseas.
________________________________
Question by Susan Abbott
Who has the most impact on policy reforms? Is it essentially a donor-led agenda?
Response by Jody Westby
US is the clear leader. We have seized the stage. In developing countries, it’s a mix. Donor organizations try their best in some countries. In some countries, the private sector is a strong advocate and in other countries, the USAID activities have had a major impact.
Response by Jonathan Metzger
Cyber-security is generally not on the top of people’s agendas in developing countries. It often takes a virus or a major crisis to wake up people.
_______________________________
Question by Brian King
Over the presentations, there was a strong orientation towards network security and attacks that would be coming from outside. Could you speak to the issue of malicious attacks that could come from inside organizations?
Response by Jim Dempsey
The number one threat is indeed the insider threat. It requires auditing, training, enforcement of policies. Companies that outsource demand sound internal policies and a very strict and demanding oversight of employees.
For Further Information
Please contact:
Sarah Tisch, dot-GOV
Barbara Fillip, DOT-COM,