Internet security: perceptions and solutions.
* one of your favourite family-owned Canadian bookstores will fly books to you across the country
* E-bay is auctioning a beautiful homemade quilt that you can bid on in the blink of a credit card
Are you ready?
According to a report, The Emerging Digital Economy, by the US Department of Commerce, the electronic marketplace is mushrooming, and consumer transactions over the Internet are growing especially rapidly. The adoption rate for Internet technology already exceeds the adoption rate that North America experienced with the television or radio. In 1992, when the World Wide Web was in its infancy, there were 50 web sites, but a 1997 Internet Survey by Forrester Research and Cowles/Simba reported that just five years later 65,000 sites were being added every hour. Forrester Research also reports that Internet commerce will grow to approximately $US 3.2 trillion by the year 2003. They predict that Canada will begin to experience hyper-growth in Internet commerce beginning in the second quarter of the year 2001.
Such rapid growth has potential to improve consumer choice and purchasing power. However, the rapid adoption of new technologies also increases our dependence on computer systems and creates new vulnerabilities and security risks -- both real and perceived.
One does not have to look very hard to discover stories about malicious computer hackers, destructive email viruses, cyber-terrorism, and other computer crimes. Recently, a man was arrested and charged with originating and unleashing the destructive Melissa email virus, and now faces criminal charges that carry a maximum penalty of 40 years in prison and a US$480,000 fine. This summer, computer crackers overwhelmed the FBI's Internet site in an electronic attack that forced the FBI to shut the site down. The attack was apparently in retaliation against FBI raids that were carried out as part of an investigation into computer crimes. The lead story in July's edition of the Crypto-Gram illustrates the various methods that clever hackers use to overcome even the most secure and sophisticated computer security systems. Some articles have even compared computer threats to a cyber-battlefield -- "... a place where computers are used instead of guns, data packets instead of bullets, and firewalls are used instead of barbed wire" (Cybercrime, Cyberterrorism, Cyberwarfare: Averting an Electronic Waterloo, 1998).
The Economist addressed the issue of security and privacy in our increasingly computer-driven age. The author of the article made one particularly interesting statement: "Policing the rising tide of data collection and trading is probably beyond the capability of any government without a crackdown so massive that it could stop the new information economy in its tracks." The author of the Economist article, like many, believes that the ability to control the collection or use of personal information is impossible without serious restrictions to information services such as e-commerce. In fact, many computer articles emphasize that hacking, cracking, and the spread of computer viruses will never be completely eliminated.
Despite that, it is also true that technological advances in security protection coupled with balanced government intervention have already laid the proper foundation to combat security threats. Information security issues are a vital concern for developing electronic commerce, and a number of private sector and government initiatives are already underway to ensure that businesses and consumers can engage in secure and reliable electronic communications and transactions (Joint OECD-Private Sector Workshop on Electronic Authentication, 1999).
Although we routinely use Automated Teller Machines and bank-cards with little concern about security, the same cannot be said of transactions over the Internet. "The fact is, fears about security in the Internet have little to do with technical reality; they are based on the perception that the Internet is insecure" (Calgary Herald, 1997).
A number of standard technological and operational precautions make it almost impossible for a security breach to occur. Firewall software over virtual private networks allows companies to monitor and prevent traffic from entering the network and server. Secure electronic transactions can be provided through the use of encryption technologies and certification authorities that bind parties to their respective digital signatures, and provide authentication as to the identity of the parties in the transaction. Cryptographic technologies and digital signatures also provide for the integrity and confidentiality of the messages that are exchanged, and provide strong evidence to help ensure that neither party to the transaction can deny its participation in the exchange of information. The creation and implementation of privacy and security policies, including pass-card access and token ID cards with PIN numbers for employees' remote access, greatly reduce the network's vulnerability to malicious break-ins.
While properly implemented technological and management solutions offer effective protection against Internet security threats, most computer security articles focus on external threats or the rare cases where an attack is successful. The reality is that most industrial computer crimes and security breaches are internal problems. "Most security breaches happen inside a company. When companies think about doing business over the Internet, they should have a security policy in place -- but most don't" (Calgary Herald, 1997).
In Canada, the federal government has also taken steps to facilitate consumer trust for Internet commerce. Government efforts complement the technological and management security solutions already developed by industry. The federal government introduced Bill C-54: Personal Information and Electronic Documents Act to facilitate e-commerce in Canada by enabling the use of electronic documents and electronic signatures. The proposed legislation is technology-neutral in that it accommodates a wide array of electronic authentication technologies to protect e-transactions with the federal government.
Additionally, the Canadian government announced its cryptography policy prior to last year's Organisation for Economic Cooperation and Development (OECD) Ministerial e-commerce conference held in Ottawa in October 1998. The cryptography policy provides greater certainty for the business community, more confidence for consumers and support for law enforcement and national security. The policy has recognized that any restrictions placed upon the use of encryption by Canadians would weaken the emerging framework for e-commerce, and jeopardize the growth of world-leading Canadian firms who have carved out a strong position in the global marketplace. Canada's encryption policy enables Canadians to freely use security products for commercial transactions and the protection of their private information. Canada does not restrict the freedom of choice of individuals or businesses to import or use cryptography. Users are free to determine what kinds of authentication and encryption products and services they need.
The OECD is also playing a critical role. The OECD Working Party on Information Security and Privacy is comprised of government and private sector representatives from OECD Member countries. It has conducted work related to authentication for a number of years. Both the 1992 OECD Guidelines for the Security of Information Systems and the 1997 OECD Guidelines on Cryptography Policy note the importance of data integrity and security in information and communications networks and systems. The OECD Inventory of Approaches to Authentication and Certification in a Global Networked Society surveys activities in OECD Member countries related to authentication and certification on global networks, including laws, policies, and initiatives in the public and private sectors, and at both the national and international level. A Declaration on Authentication for Electronic Commerce adopted by Ministers at the Ottawa Ministerial Conference in October 1998 recognises the importance of authentication for electronic commerce and outlines a number of actions to promote the development and use of authentication technologies and mechanisms, including continuing work at the international level, together with business, industry, and user representatives. Ministers declared their determination not to discriminate against the authentication approaches taken by other countries and to amend, where appropriate, the technology or media specific requirements in their countries' current laws or policies that might impede electronic commerce.
The benefits of technologies such as the use of strong cryptography for electronic commerce, privacy protection and crime prevention are clear. Much can be done in order to improve privacy and security on-line. In particular, strong encryption matched with voluntary industry standards and a light-handed government regulatory structure will work in harmony to discourage most, if not all, hackers from invading our electronic commerce transactions. Perhaps most important, there is a definite need to educate Netizens as to the nature of security and the options users possess to ensure their information is kept private.
Date: Oct 1, 1999