2009-02-02 11:39:30
By Tim Weber
Business editor, BBC News website, in Davos
The threat of cybercrime is rising sharply, experts have warned at the World Economic Forum in Davos.
They called for a new system to tackle well-organised gangs of cybercriminals.
Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.
The internet was vulnerable, they said, but as it was now part of society's central nervous system, attacks could threaten whole economies.
The past year had seen "more vulnerabilities, more cybercrime, more malicious software than ever before", more than had been seen in the past five years combined, one of the experts reported.
But does that really put "the internet at risk?", was the topic of session at the annual Davos meeting.
On the panel discussing the issue were Mozilla chairwoman Mitchell Baker (makers of the Firefox browser), McAfee chief executive Dave Dewalt, Harvard law professor and leading internet expert Jonathan Zittrain, Andre Kudelski of Kudelski group, which provides digital security solutions, and Tom Ilube, the boss of Garlik, a firm working on online web identity protection.
They were also joined by Microsoft's chief research officer, Craig Mundie.
To encourage frank debate, Davos rules do not allow the attribution of comments to individual panellists
Threat #1: Crime
The experts on the panel outlined a wide range of threats facing the internet.
There was traditional cybercrime: committing fraud or theft by stealing somebody's identity, their credit card details and other data, or tricking them into paying for services or goods that do not exist.
The majority of these crimes, one participant said, were not being committed by a youngster sitting in a basement at their computer.
Rather, they were executed by very large and very well-organised criminal gangs.
One panellist described the case of a lawyer who had realised that he could make more money though cybercrime.
He went on to assemble a gang of about 300 people with specialised roles - computer experts, lawyers, people harvesting the data etc.
Such criminals use viruses to take control of computers, combine thousands of them into so-called "botnets" that are used for concerted cyber attacks.
In the United States, a "virtual" group had managed to hijack and redirect the details of 25 million credit card transactions to Ukraine. The group used the data to buy a large number of goods, which were then sold on eBay.
This suggested organisation on a huge scale.
"This is not vandalism anymore, but organised criminality," a panellist said, while another added that "this is it is not about technology, but our economy".
Threat #2: the system
A much larger problem, though, are flaws in the set-up of the web itself.
It is organised around the principle of trust, which can have unexpected knock-on effects.
Nearly a year ago, Pakistan tried to ban a YouTube video that it deemed to be offensive to Islam.
The country's internet service providers (ISPs) were ordered to stop all YouTube traffic within Pakistan.
However, one ISP inadvertently managed to make YouTube inaccessible from anywhere in the world.
But in cyberspace, nobody is responsible for dealing with such incidents.
It fell to a loose group of volunteers to analyse the problem and distribute a patch globally within 90 minutes.
"Fortunately there was no Star Trek convention and they were all around," a panellist joked.
Threat #3: cyber warfare
Design flaws are one thing, cyber warfare is another.
Two years ago, a political dispute between Russia and Estonia escalated when the small Baltic country came under a sustained denial-of-service attack which disabled the country's banking industry and its utilities like the electricity network.
This was repeated last year, when Georgia's web infrastructure was brought down on its knees during its conflict with Russia.
"2008 was the year when cyber warfare began.. it showed that you can bring down a country within minutes," one panellist said.
"It was like cyber riot, Russia started it and then many hackers jumped on the bandwagon," said another.
This threat was now getting even greater because of the "multiplication of web-enabled devices" - from cars to fridges, from environmental sensors to digital television networks.
The panel discussed methods that terrorists could use to attack or undermine the whole internet, and posed the question whether the web would be able to survive such an assault.
The real problem, concluded one of the experts, was not the individual loss.
It was the systemic risk, where fraud and attacks undermine either trust in or the functionality of the system, to the point where it becomes unusable.
What solution?
"The problems are daunting, and it's getting worse," said one of the experts. "Do we need a true disaster to bring people together?," asked another.
One panellist noted that unlike the real world - where we know whether a certain neighbourhood is safe or not - cyberspace was still too new for most of us to make such judgements. This uncertainty created fear.
And as "the internet is a global network, it doesn't obey traditional boundaries, and traditional ways of policing don't work," one expert said.
Comparing virus-infected computers to people carrying highly infectious diseases like Sars, he proposed the creation of a World Health Organisation for the internet.
"If you have a highly communicable disease, you don't have any civil liberties at that point. We quarantine people."
"We can identify the machines that have been co-opted, that provide the energy to botnets, but right now we have no way to sequester them."
But several panellists worried about the heavy hand of government. The internet's strength was its open nature. Centralising it would be a huge threat to innovation, evolution and growth of the web.
"The amount of control required [to exclude all risk] is quite totalitarian," one of them warned.
Instead they suggested to foster the civic spirit of the web, similar to the open source software movement and the team that had sorted the YouTube problem.
"Would a formalised internet police following protocols have been able to find the [internet service provider] in Pakistan as quickly and deployed a fix that quickly?" one of them asked.