Working towards a more trusted internet

The increasing potency of online threats ensures cybercrime is a clear and present danger to anyone surfing the net. And as we enter an age of omnipresent computing, that poses a great risk to most personal and business affairs.

With billions of dollars in trade — and even national security — at stake, it is no surprise that the issue has progressed from a technology concern to a hot political issue. In the US and UK, high-level governmental announcements have propelled cybercrime to the top of the policy agenda, and the EU is looking at ways to clamp down on crime and ramp up punishment.

Encouraging as this is, it’s an issue that cannot be tackled by national or even pan-regional governments alone. The nature and complexity of online crime, combined with a rapidly evolving threat landscape, demands global and collaborative solutions.

“Cybercrime is the main threat to the internet’s huge economic, social and governmental potential,” says Roger Halbheer, Microsoft’s chief security advisor Europe, Middle East and Africa. Building greater confidence in the internet specifically, and ICT more generally, has been a long-standing strategic focus for the company, dating back to the creation of the Trustworthy Computing (TwC) division in 2002. Whilst TwC’s initial remit was to take an engineering approach to making Microsoft’s products more secure, its focus has evolved to encompass a long-term, collaborative effort to deliver security, privacy and reliability, which the company calls End to End Trust.

According to Microsoft, realising a more trusted online environment lies in four principal areas. The first is the adoption of basic security fundamentals – the use of antivirus and firewall technology for example, along with making sure that operating systems are maintained with up-to-date security patches.

The second is the establishment of an IT stack, from hardware through to operating systems and applications, in which security is the central engineering principle. Building on that collaborative challenge is the call for a claims-based identity system where consumers have control over what personal information they divulge and only need to impart personal data relevant to the content or service they are seeking to access.

Finally, and perhaps the biggest challenge of all, Microsoft’s End-to-End Trust vision calls for collaboration to work towards social, economic and political IT alignment.

“For people to make trusted decisions they must trust the technology”, said Roger Halbheer, Security Chief Advisor, Microsoft EMEA. “They need trustworthiness in their operating system, applications and devices. They also need to trust people and data to be able to safely access resources while disclosing as little of their identity as possible. We believe that technology innovations are critical to build up a more trusted online environment and regain people’s trust”.

At the 2008 RSA Conference in the US, Microsoft’s Corporate Vice President for TwC, Scott Charney, called for a broad dialogue with customers, governments and policy makers on the future of security and privacy on the internet — with the aim of galvanising the move to coordinated action. Charney argued that the vision can only be realised through cooperation, technology innovations and social, economic, political and IT alignment.

The need for this cross-stakeholder dialogue is underlined by the rapid re-targeting of criminal activity to where the most lucrative opportunities lie. Less than a decade ago, criminals exploited vulnerabilities in operating systems with viruses and worms, spyware and spam. Through Trustworthy Computing, Microsoft’s response was to place security as a principal engineering requirement. The company even delayed the launch of Windows Vista so that all its developers could undergo secure development training.

Hackers and other cyber criminals have not waved a white flag and gone home, but since the inception of TwC they have found versions of Windows to be increasingly hard targets. Malware infection rates on Windows Vista are over 60 per cent lower than on Windows XP. It is a lesson the company is carrying forward into its next generation of products, and the expectation is that Windows 7 will be more secure still. Good security is evidently good business.

However, as the number of technological vulnerabilities to exploit has gone down, human nature is now seen as the soft target. Criminals are using sophisticated confidence scams to deceive. We’ve all received emails informing us of lottery wins, or asking for help in extricating millions from a West African bank account.

Rogue security software, which masquerades as a defence when it’s actually the threat, is a growing problem and uses deception to obtain money or sensitive information from victims. Microsoft’s own research, published in its twice-yearly Security Intelligence Report, shows that criminal use of rogue security software increased significantly between July 2007 and December 2008. Three of the top 10 online threats detected worldwide in the second half of 2008 disseminated rogue security software.

Microsoft has long explained that, whilst the pervasiveness of its technology means it has a responsibility to address the security issue, it cannot provide the answer on its own. Indeed, according to version six of the Security Intelligence Report, nearly 90 per cent of disclosed vulnerabilities in the second half of 2008 were in applications developed by third parties and not in Windows. This suggests that other players in the software industry could learn lessons from Microsoft – a point not lost on the Trustworthy Computing group, which is increasingly offering secure development tools to external developers, along with guidance and training.

Developing more secure software is one challenge, but governments, educators and law enforcement also have a vital role to play.

“The challenge for the IT industry is to make the entire cyber infrastructure, ranging from the Internet itself to the devices that people and businesses use to interact with it, as secure as it can be,” says Graham Titterington, principal analyst at Ovum. “However, no equipment can protect itself against being used carelessly, or being manipulated by people with evil or devious designs. Training and awareness will help here. Cybercrime is fundamentally crime. Criminals have to be hunted and prosecuted no matter which avenue they choose to follow. Governments have to pass laws, including ones to enable international co-operation, to make this possible.”

The industry is uniting to enhance trust. In May this year Gemalto, Microsoft, Nokia and Philips announced the ‘Trust in Digital Life’ initiative, with the aim of bringing European public and private stakeholders together to create an agenda for innovation and promote alignment of public and private policies. The SAFECode initiative is another partnership that pulls together global players, including Microsoft, Nokia, SAP AG and Symantec Corp. It is committed to increasing trust in ICT products by promoting ever-more effective software assurance methods. These partnerships are combined with initiatives such as Microsoft’s Security Development Lifecycle, which helps independent software vendors to embed security at the design stage when building applications for Microsoft products.

“The ICT industry was able to find common agreements on general standards and frameworks. Internet protocol became a common standard for Network communication in less than 20 years. It is almost a common language,” explains Eric Domage, IDC’s Western European security expert. “The challenge now is to adopt a common security language understood by software developers, infrastructure architects, Trust and identity providers, and business users. Some pieces already exist, such as X509 and SAML, so the intention of creating this is real.”

Real world solutions for real people

Sadly, there will always be those who seek to profit from illegal activity, which is why there will always be threats to online security. It is clear that everyone — from governments to businesses to IT professionals to families using the internet at home — needs to have access to the latest protection in the fight against cybercriminals.

People want technology that solves real world problems such as ID theft, online fraud and child safety. But the growing threat of cybercrime is such a global and complex issue that it can’t be tackled by technology alone. Regulation, behavioural change and technology solutions must come together, because only a combination of these factors will deliver the End to End Trust as envisioned by Microsoft.