U.S. talks cybersecurity at UN Conference

The U.S.’s Bush administration took its cybersecurity message to the world this month, urging increased cooperation on cybercrime prevention and the ironing out of legal guidelines.

Speaking in New York to an audience of 150 diplomats from 22 nations, Paul Kurtz, senior director for national security for the President’s Critical Infrastructure Protection Board, said that the lessons of Sept. 11 affect the information security realm and that the world must do more to cooperate and coordinate its anti-cybercrime efforts.

“We need to expand sharing of information on watch and warning of imminent threats,” Kurtz told a packed United Nations conference session at the Global InfoSec 2002 conference. Kurtz called the recent increase in the prevalence and sophistication of cyberattacks a “case for action,” adding that current statistics indicate that as many as 110,000 serious security incidents will occur by the end of this year.

“The world’s economy is increasingly dependent on IT,” said Kurtz. “This is more than e-commerce and more than e-mail, and it’s more than buying a book online.” He added that the “worst-case scenario can happen,” with infrastructure attacks leading to devastating economic consequences.

While Kurtz underscored the need for a public/private partnership to provide for the common defense of cyberspace, he also urged the world community to take action on global legal cooperation.

“We would like to see countries accede to the Council of Europe treaty or adopt laws that are similar,” Kurtz told attendees. The Council of Europe Convention on Cybercrime is aimed at developing a common criminal policy for international crimes committed online. However, the treaty is non-binding until individual nations ratify it.

“International coordination is insufficient,” particularly in the realm of tracking down those responsible for global IT security events, such as the “I Love You” virus, said Thomas Longstaff, manager of survivable network technology at the Software Engineering Institute at Carnegie Mellon University.

But Kurtz praised the “culture of security” created by the Organisation for Economic Co-operation and Development, a group of 30 nations that has drawn up new guidelines for information and network security cooperation in the wake of last year’s Sept. 11 terrorist attacks.

International cooperation could be enhanced with a single point of contact if other nations were to appoint cybersecurity czars, similar to the position now held in the U.S. by Richard Clarke, said Kurtz.

A senior Bush administration official involved in setting technology policy said that from a legal perspective, it’s critical that other countries adopt laws that are compatible with the Council of Europe treaty because current agreements have too many loopholes. “Even if we have a law enforcement cooperation agreement with them, the agreements might not apply unless there is a violation of their domestic law,” said the administration official, who asked not to be identified.