We are now all familiar with the appearance of worms and viruses which circulate on the Internet. This malware is generally illegal and can cause varying degrees of harm - from the manageable to the serious. It can also be costly to respond to and to repair.
Impact to Business
There is also the realization that security is not just technology, but must include processes and people as well. One size does not fit all, and all three have to be applied holistically to achieve security in all environments.
In the US, President George W. Bush created the President's Critical Infrastructure Board in response to September 11th. Since its inception, the Board has examined issues related to cybersecurity. On February 17, 2003, the White House released its Cybersecurity Plan, and the Department of Homeland Security has been working to implement the recommendations.
Among other issues, the Plan urges computer users to create holistic approaches to security, and properly deploy technology, processes and people. It also suggests public-private dialogue to share information, best practices and keep current on new security approaches and challenges. The plan also encourages users to plan for and practice security response and recovery.
Public-private partnerships have increased their work on best practices and information sharing. For example, the National Cybersecurity Partnership (NCSP) created five cross-sector working groups. It also issued reports on awareness for home and small business users, early warning systems, technical standards and common criteria, software development and corporate governance.
During 2004, the National Infrastructure Advisory Council (NIAC) to the President issued four substantive reports containing recommendations for improving security. The reports cover the role of government, cross sector interdependencies, information sharing and analysis and a vulnerability disclosure framework.
The National Cyber Security Alliance (NCSA) published its Top 10 tips for home, small business and education users and during 2004 launched a nationwide awareness campaign to Stay Safe online.
The National Institute of Standards and Technology (NIST) continues its work on voluntary best practices and guidelines, including its guide to a holistic approach to security: the NIST Guide for the Security Certification and Accreditation of Federal Information Systems, NIST 800-37.
The OECD published its Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security in 2002. The Guidelines constitute a foundation for working towards a culture of security throughout societies.
In 2004, the European Commission (EC) created the European Information and Network Security Agency (ENISA). ENISA is a pan-European "center of excellence" for security. It serves as the lead organization for public-private partnerships and information sharing throughout the EU on security best practices and voluntary guidelines.
In Asia, the Asia-Pacific Economic Cooperation (APEC)'s E-Security Task Force created a Cybersecurity Strategy to help deployment of best practices in the APEC economies.
It is now recognized that most cyber incidents are crimes. Law enforcement agencies have stepped-up the prosecution of these crimes at home and, in cooperation with others, abroad. As criminals attempt to use the network for theft, fraud, misrepresentation, extortion, vandalism and other crimes, more and more countries are ensuring that just as their laws make this activity illegal in the off-line world, their laws make this activity illegal in the on-line world and the laws must be enforced.
Significantly, security technology continues to innovate: networks are moving from passive to active and from point-products to system-wide, end-to-end approaches to security recognition, containment and quarantine. Further, Internet Service Providers (ISPs) are competing on security and consumer ISPs have begun to offer security as part of their service.
As of January 2005