The Reliability and Security of the Internet

May, 2000

The problems caused by the ILOVEYOU computer virus which swept computer systems worldwide in early May, the cases of distributed denial of service attacks on e-commerce sites in the United States and Europe earlier this year, and the alteration of government Web sites in Japan in January, have highlighted the need for a more resilient and secure Internet.

While these recent attacks did not result in disclosure of sensitive customer data or long-term damage to Web sites, they did, in some instances, do substantial damage to user and company files, and they have caused inconvenience and frustration for millions of Internet users and increased concerns about the trustworthiness of the Internet. The open, interconnected nature of the Internet, which makes it such a useful and powerful medium, also makes it vulnerable to a variety of attacks. Furthermore, because robust authentication technologies are not widely deployed in the Internet today, it is relatively easy for hackers to gain unauthorized access to systems or to propagate computer worms or viruses. Fortunately, Internet stakeholders, including leading companies in the private sector, are strongly motivated to develop ways to prevent and rapidly respond to such attacks. Many of the members of the Global Internet Project (GIP) are active participants in private sector-led initiatives to improve the reliability of the Internet and reduce its vulnerability to cyber-attacks or cyber-terrorism.

In recent years, there have been a variety of cyber-attacks. In general, they fall into five categories:

  1. Denial of service attacks, which flood Web sites or Internet Service Providers (ISPs) with millions of bogus but apparently legitimate electronic messages that block access to networks and servers. Although these attacks do not involve directly breaking into the servers run by the targeted Web site or ISP, they are often launched from hundreds of surrogate computers, each of which has previously been compromised so that it responds to the attacker's commands.
  2. Computer break-ins by malicious hackers who violate the confidentiality and integrity of data and systems by exploiting security holes or poor procedures. By this means, they eavesdrop on legitimate traffic, gain access to computer systems and deface Web sites, re-route traffic, steal credit card numbers, or in some cases, corrupt or erase critical data files.
  3. Internal attacks, often by disgruntled employees. Incidents of this type are increasing significantly and cost Internet stakeholders billions of dollars annually. Since employees usually already have access to their companies' systems, these kinds of "insider attacks" are easier, more frequent, and often more damaging than external ones.
  4. Development and proliferation of destructive viruses such as ILOVEYOU or "Melissa".
  5. Physical attacks in which criminals or terrorists damage or unplug computers and network equipment in order to disrupt a company's operations.

Each type of attack calls for different counter-measures. The GIP believes that improving the security of the Internet will require that businesses and organizations around the globe (that have not already done so) do the following:

  1. Identify and disseminate information about security holes in computer systems (cf. CERT, www.cert.org, and the FBI National Infrastructure Protection Center, www.fbi.gov/nipc/).
  2. Perform security audits and determine how best to protect their systems from both external and internal threats.
  3. Cooperate with law enforcement or other authorized government agencies or relevant bodies in order to detect and mitigate attacks.
  4. Improve the physical security of mission-critical systems, particularly systems like the domain name servers and the root servers.
  5. Ensure that the security tools already being shipped and implemented are properly installed with sufficiently robust settings, and strongly encourage system administrators and users to be adequately trained in their use.
  6. Make sure that employees, and especially general managers, understand that security is part of their normal responsibilities, and that there is as much focus on protecting the infrastructure from internal attacks as there is on external attacks.
  7. Institute specific company policies that require anti-virus software to be updated on a regular basis and all employees to actually use the password protection systems available to them; and encourage vendors, suppliers, and professional associates to activate appropriate security technology.
  8. Advise governments on how to better protect government computer systems and how better to track down and apprehend malicious hackers (cf., the Japanese government's Commission on Critical Infrastructure Protection -- supported by IFTECH, the Institute for Future Technology; the U.S. President's Commission on Critical Infrastructure Protection at www.pccip.gov; and the recently-created U.S. Federal Trade Commission's Advisory Committee on Internet Security and Privacy (www.ftc.gov)).
  9. Invest in research on new techniques for reducing the vulnerability of the Internet and the computers that use it.
  10. Take the steps needed to secure their own networks, including filtering out incorrect routing information received from customers and peer networks, and filtering known sources of spam. Stakeholders should also deny unauthorized access to their network equipment, disseminate security alerts, educate customers on how to secure their networks, and provide network security services.
  11. Support outreach programs designed to instill a strong code of cyber ethics in the next generation of cybercitizens (cf. The Information Technology Association of America/U.S. Department of Justice's "Cybercitizen Partnership").
  12. Encourage the deployment of IPsec and IPv6 (which will make it easier to deploy better Internet security technologies). It is important to emphasize, however, that the new standards will only offer such protection if they are promptly and properly implemented. (cf. The Internet Engineering Task Force's Working Group on IP Security and many other IETF activities described at www.ietf.org/html.charters/wg-dir.html#Security_Area).
  13. Encourage and develop the deployment of better authentication systems, including public key infrastructures (PKIs) and certificate authorities (CAs).
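Item 10 above calls for filtering incorrect routing information received from customers and peer networks. The following is an added example, not code from the GIP or from any ISP's production system, of the kind of prefix filter an ISP applies to a customer's BGP announcements before accepting and re-advertising them. It rejects martian (bogon) address space, the default route, routes more specific than an assumed limit (/24 for IPv4, /48 for IPv6), prefixes the customer has not registered with the ISP, and announcements whose origin ASN is not the customer's own. The martian list, the prefix-length limits, the registered prefixes, the ASN 64496 and the sample announcements are all constructed assumptions (documentation address space and ASNs).

```python
"""Customer route filtering of the kind described in item 10.

Added example, not GIP or ISP production code. The registered prefixes,
martian list, length limits, ASNs and announcements below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Address ranges that must never appear in an Internet routing table
# ("martians" or bogons). Constructed list; a production filter is kept
# in sync with the IANA special-purpose address registries.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved and limited broadcast
)]

# Longest prefix accepted from a customer, per address family. More-specific
# announcements are a classic leak/hijack pattern. Assumed values.
MAX_PREFIX_LEN = {4: 24, 6: 48}


def filter_customer_routes(
    registered: Iterable[str],
    announcements: Iterable[Tuple[str, int]],
    expected_origin_asn: int,
) -> Dict[str, list]:
    """Classify (prefix, origin ASN) announcements from a single customer.

    A route is accepted only if it is well-formed, is not the default route,
    does not overlap martian space, is no more specific than MAX_PREFIX_LEN,
    lies inside a prefix the customer has registered, and is originated by
    the customer's own ASN. Returns {"accepted": [prefix, ...],
    "rejected": [(prefix, reason), ...]} with the first failing check named.
    """
    allowed = [ipaddress.ip_network(p, strict=True) for p in registered]
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []

    for prefix_text, origin_asn in announcements:
        try:
            # strict=True rejects prefixes with host bits set (e.g. x.x.x.1/24)
            prefix = ipaddress.ip_network(prefix_text, strict=True)
        except ValueError:
            rejected.append((prefix_text, "malformed"))
            continue

        if prefix.prefixlen == 0:
            rejected.append((prefix_text, "default-route"))
        elif any(prefix.overlaps(m) for m in MARTIANS):
            # overlaps() catches both a martian inside the announcement and
            # an announcement inside a martian block
            rejected.append((prefix_text, "martian"))
        elif prefix.prefixlen > MAX_PREFIX_LEN[prefix.version]:
            rejected.append((prefix_text, "too-specific"))
        elif not any(prefix.version == a.version and prefix.subnet_of(a)
                     for a in allowed):
            rejected.append((prefix_text, "not-registered"))
        elif origin_asn != expected_origin_asn:
            rejected.append((prefix_text, "wrong-origin"))
        else:
            accepted.append(prefix_text)

    return {"accepted": accepted, "rejected": rejected}


# Constructed sample data: a customer holding two documentation prefixes
# and originating from documentation ASN 64496.
REGISTERED = ["203.0.113.0/24", "198.51.100.0/22"]
CUSTOMER_ASN = 64496
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),      # exactly as registered
    ("198.51.100.0/23", 64496),     # less specific than /24, inside the /22
    ("198.51.100.128/25", 64496),   # more specific than the /24 limit
    ("192.0.2.0/24", 64496),        # not registered by this customer
    ("10.1.0.0/16", 64496),         # RFC 1918 space, a martian
    ("0.0.0.0/0", 64496),           # default route
    ("203.0.113.0/24", 64511),      # registered prefix, wrong origin ASN
    ("198.51.100.1/24", 64496),     # host bits set, malformed
]


def run_example() -> Dict[str, list]:
    """Apply the filter to the constructed announcements."""
    return filter_customer_routes(REGISTERED, ANNOUNCEMENTS, CUSTOMER_ASN)


if __name__ == "__main__":
    verdicts = run_example()
    for p in verdicts["accepted"]:
        print(f"ACCEPT {p}")
    for p, reason in verdicts["rejected"]:
        print(f"REJECT {p} ({reason})")
```

The ordering of the checks matters in practice: a default route or martian is rejected before any comparison against the customer's registered prefixes, so a customer cannot "register" 10.0.0.0/8 or 0.0.0.0/0 and thereby get it accepted. The same filter, applied at peering sessions with a list of the peer's expected prefixes, guards against the route leaks that item 10 refers to.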

While national governments are understandably concerned about the recent cases of cyber-attacks, and wish to take action to ensure that the Internet is robust, reliable, and secure enough to support the full range of e-commerce, electronic government, and other applications, they should resist the temptation to propose regulatory measures to address this problem.

The private sector, not governments, must take the lead in making the Internet more secure for a number of reasons, including:

  1. Internet technology is advancing so quickly that government-imposed solutions or requirements are likely to become obsolete and counter-productive, hindering the development and deployment of new, better Internet security technologies. Mandated uniformity also concentrates risk: a single flaw in the required solution would expose every system built to it.
  2. Governments and the regulations they impose are national, while the Internet is a global medium. Finding effective global solutions would require international, inter-governmental action, a slow and difficult process at best.
  3. Different situations and on-line services will require varying levels of security. It is hard to imagine any set of regulatory requirements that would be flexible enough to deal with the wide range of customized solutions developing in the commercial marketplace today.

Rather than trying to dictate levels of security or impose standards, we strongly encourage governments to work with the private sector to increase cooperation and information sharing in this area. We recommend that governments consider the following steps:

  1. Lead by example. Governments should ensure that their computer systems and networks are secure and run in accordance with best information security practices.
  2. Arrest and prosecute computer criminals. Governments need to clarify laws regarding malicious hacking and denial of service, and ensure that such laws are vigorously enforced. This will often require effective international cooperation among law enforcement agencies, which has increased substantially over the last two to three years.
  3. Foster information sharing. Governments can play an important role in facilitating international information exchange among industries (i). In the aviation industry, a private-sector initiative exists that enables airline pilots and others to report aviation mishaps in full confidentiality, without having to worry that the reports will result in recrimination or bad publicity. Similar models in other countries might be used to collect and disseminate information about cyber-attacks and countermeasures, without compromising proprietary corporate information or embarrassing companies that are victims of cyber-attacks.
  4. Promote the use of open standards. The very openness of open standards means that they will be scrutinized before adoption/implementation, and as they are modified. Through this process, vulnerabilities will be more readily identified and corrected.
  5. Remove the remaining controls on civilian encryption technologies. Encryption is a powerful tool for protection of data transmitted over the Internet or stored on computer systems connected to it. Government restrictions on the use or export of encryption technologies hinder the uses of this technology and reduce the security of the Internet.
  6. Provide better threat assessments. National governments, particularly intelligence agencies, have done assessments of the vulnerabilities of networks and computer systems and the threats posed by cyber-terrorism and malicious hackers. More details of these assessments could be shared with the private sector, in either a non-classified or a classified setting, so that it is better able to prepare for, and respond to, the threats posed by cyber-attacks.
  7. Support pre-competitive research on Internet security. Since the inception of the Internet, governments have played an important role in funding the pre-competitive research that led to the development of key Internet technology. The original ARPANET, the NSFNET, the World Wide Web, and the first graphical Web browser were all made possible by government research grants. Governments need to continue funding research on Internet security.
  8. Fund the education and training of information security experts. One reason government R&D funding is so critical is that government grants support the training of the next generation of computer scientists and engineers. In addition, if there is a shortage of the necessary skills, those who have them are likely to gravitate to the private sector, leaving a greater shortage of these skills in the public sector.
  9. Encourage and support efforts by the private sector to teach children and teenagers how to behave ethically in a virtual world.

Without effective Internet security it will be impossible to provide Internet users with on-line privacy. GIP member companies have been leaders in promoting industry practices to protect their customers' privacy. However, strong, effective corporate policies on privacy protection are only useful if they are properly implemented - and that requires strong, effective computer security.

Nor will it be possible, without effective Internet security, to protect the intellectual property of companies that seek to use the Internet. Users, whether governmental, academic, corporate, or individual, will be reluctant to use the full range of Internet applications if they do not trust the technology. The benefits of this transforming and enabling technology are enormous, but they will not be realized if user trust is undermined or derailed. Trust, like corporate goodwill, takes a long time to build up, but can be very quickly eroded.

The companies represented by the GIP and other leaders of the Internet Economy are strongly motivated to address the problem of Internet security. We believe that with effective cooperation between the private sector and relevant government agencies, the secure nature of the Internet and e-commerce can be significantly enhanced. It will not happen overnight; but effective measures must be taken in order to realize the full potential of the Internet.

The Global Internet Project

The Global Internet Project (GIP) is an international group of senior executives committed to fostering continued growth of the Internet. Members come from leading Internet-centric companies representing the telecommunications, software, financial services, and content sectors. GIP participants are well-known leaders in the Internet Revolution and represent companies based in Asia, Europe, and North America. Dr. James Clark, former chairman of Netscape Communications Corporation, founded the group. John Patrick, Vice President for Internet Technology at IBM, is the current chairman of the GIP.

GIP participants believe that to ensure continued growth and innovation, the Internet must be kept free of unnecessary international regulations and national laws that impede or inhibit its growth. Old, outdated, national regulatory models should not be applied to the Internet. Instead, new international and non-governmental approaches to policy must be developed, that will be flexible enough to keep pace with the rapid evolution of technology and the marketplace. Often these approaches will rely upon market mechanisms for self-regulation, rather than government regulation.

The GIP also is committed to "connecting the unconnected" - increasing Internet access in developing countries by encouraging governments to adopt policies that foster innovation, liberalization, investment, and free market competition.

For more details, visit the GIP Web site at http://www.gip.org or contact GIP Executive Director Allen Miller at: amiller@itaa.org

(i) Examples include the U.S. Network Reliability and Interoperability Council (www.fcc.gov/oet/nric) and the U.S. National Security Telecommunications Advisory Committee (www.nstac.gov), which serve segments of the telephone and telecommunications industry.

Note to users: All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.
1997 GIP (Global Internet Project) All rights reserved.