The role of information security in the modern world
By information security, we mean a set of organizational and technical measures to ensure the protection, integrity, accessibility and manageability of data. Information security supports the interaction of all system elements within the general concept of state security. The structural elements of information security at the international and national levels include:
- Protection of state or commercial secrets.
- Protection of servers of state institutions and life support systems.
- Protection of data by hardware and software systems that keep information safe from unauthorized access, unavailability, destruction and reprogramming.
- An informational and psychological component, which involves measures to protect the target of an attack against targeted information influence on its psychological state or its reputation in the international arena.
To protect all of these components, it is necessary to develop a methodology and build an infrastructure. Information security tasks can be challenging because the information space has no boundaries. The specific features of the Internet and wireless connections create the preconditions for the uncontrolled and unhindered transfer across state borders of large volumes of data, often containing information whose circulation is prohibited or restricted worldwide or in individual countries.
Cyber-attack technologies are developing faster than protection technologies, which is why even government databases can be at risk. The most advanced technologies are used to protect state secrets. However, state secrets enter the risk zone as soon as they leave the most protected perimeter and become the object of interaction between state institutions and commercial or public organizations with a lower level of protection.
State protective measures are also imperfect, as indicated by the growing number of attacks on government servers in different countries. In 2012, during the presidential election in Russia, polling stations used a webcast system to record violations of election laws. Within 24 hours on election day, the system was attacked 1.2 million times. In the same year, hackers attacked Israeli state information networks 44 million times, Iran's 28 million times, and those of the United States 12 million times.
The problem is even more complex because, most often, hackers do not fall under the jurisdiction of the state that was attacked. The criminals are either foreigners, stateless persons or "global citizens". All this forces states to seek a global consensus in the fight against threats and to create a common system of information security. Governments are negotiating the possibility of criminalizing cyber-attacks and equating them to armed attacks when they are aimed at state institutions.
Five years ago, US Secretary of Defense Leon Panetta proposed equating cyber-attacks with armed attacks. He compared the consequences of hacking into the computers of chemical and nuclear enterprises and the life support systems of cities with the consequences of a nuclear explosion. The United States Congress supported the Secretary's idea, but the initiative has not been enacted into law.
A rare example of systematized norms in the information security field is the intergovernmental agreement concluded in 2013 between Russia and the United States on cooperation in scientific research and development in the nuclear and energy sectors. The document also listed confidence-building measures and ways to combat cyber war, and declared the creation of a common information security system. However, the agreement was suspended in 2016.
Another argument for creating an international regulatory framework to combat cyber threats is reputational risk. The use of information technology in political competition has become commonplace, and the damage from cyber-attacks against a competing state is measured not only in reputational but also in financial losses. Information security and the protection of the state's reputation should therefore become one of the tools of geopolitical confrontation.
All this reinforces the case for concentrating global efforts on building a system of preventive measures. One of them could be the criminalization of offences in the information security field to the fullest extent. Such an approach will be more useful in the fight against cybercrime than merely mitigating the consequences of incidents.
The problems and threats of information security at the international level
According to the US Center for Strategic and International Studies, the annual damage from crimes related to the theft of computer information exceeds $440 billion worldwide.
Hackers are not the only threat to the information of corporations, banks and government organizations. Security threats also include:
- System failures for various reasons, including accidental errors or the introduction of invalid code into the software.
- Technical malfunctions of hardware caused by disruptions in the power supply system, including intentional sabotage, design problems or user actions.
- Viruses that are constantly improved and modified. At the beginning of 2017, large international companies and government agencies were attacked by NotPetya and WannaCry viruses. The number of WannaCry victims exceeded 200,000 in 150 countries.
- Employee actions aimed at destroying security systems, deliberate sabotage.
- Intrusion of unauthorized users that can reprogram computers or steal important information.
- Data theft by any means, including the theft of physical storage media for any purposes.
At the national level, in addition to strategies for combating threats, governments develop offensive cyber capabilities. Offensive cyber-attacks are carried out by government agencies to damage the networks of competing states in order to steal or destroy critical information. For example, by 2014 the US authorities already controlled almost the entire industry of spyware (programs for stealing and redirecting data from users' computers) and adware (programs that generate viral advertising).
Other tools for attacking government, corporate and personal devices include:
- Ransomware. When the program is launched, the computer or mobile device becomes unusable in one way or another, and the victim must pay the hackers to regain access. A feature of the new wave of ransomware attacks is that the attackers demand the ransom in cryptocurrency, whose circulation lies in the shadow economy and whose recipient is extremely difficult to trace.
- Rogue security software. A variant of Trojan programs: the user voluntarily installs malware that either locks the PC and demands payment, or helps other viruses infiltrate the system.
- Madware. Aimed at damaging mobile software.
- Cyberbullying. The use of information attacks to exert psychological influence on victims.
Both personal computers, whose owners take a haphazard approach to protecting personal data, and the thoroughly protected databases of international corporations are under constant threat. Companies in the US and the European Union are willing to pay from $3 to $12 million for a hacker attack and data theft from competitors. The price is five times higher if the attack is aimed at a military or industrial facility.
International standards of IS certification
The political sphere has not yet developed common international norms outlining the main areas for combating information security threats. By contrast, the sphere of standardization and security systems has not only developed such norms but also applies them successfully. These are the standards for production and commercial activity that belong to the ISO/IEC 27000 family.
The double abbreviation ISO/IEC means that these standards are the result of collaboration between the International Commission for Standardization (ISO), whose regulations determine the quality of production and management processes, and the International Electrotechnical Commission (IEC). ISO/IEC 27000 contains a number of recommendations and practical suggestions for implementing an Information Security Management System (ISMS). In addition to the ISO/IEC 27000 series, European countries develop and implement their own regulatory documents that define the requirements for ensuring information security. Often the national standards of one country are adopted by other states, as in the case of the code of practice for information security management BS 7799, developed in the UK.
Establishment of ISMS in accordance with standards
Companies that care about data protection and that certify goods and services under ISO 9001 should strive to establish their own information security management system (ISMS) based on ISO/IEC 27000-2016 or earlier versions (if the ISMS was introduced before that edition of the standard).
According to the ISO 9001 management model, the process of creating and implementing the system consists of four stages, designated PDCA:
| Stage | Description |
|---|---|
| PLAN | The Plan stage involves the development of internal regulatory documentation, audit systems, an inventory of risk-prone or critical assets, and the elaboration of technical measures. |
| DO | The Do stage involves the implementation of the developed system and of tools to assess the effectiveness of the measures taken. |
| CHECK | At the Check stage, the quality of the system's performance is assessed. The assessment should be purpose-oriented and regular. |
| ACT | At the Act stage, the identified shortcomings are refined and eliminated. |
If implemented through PDCA, the system will meet the requirements of international certification standards.
ISMS has several advantages compared to traditional protection systems:
- An ISMS is transparent to both company management and employees. Certified methods streamline many processes, make their results more predictable, and eliminate recurring and duplicate elements, which reduces the cost of information protection.
- An ISMS allows the staff engaged in information protection to be streamlined, reducing the required number and qualifications of specialists through the implementation of standard processes.
- ISMS is easily scalable to other divisions and branches of the company.
When building an ISMS, it is important to remember that information security at the international, state and corporate levels rests first on the regulatory framework, standards, forecasts and preventive measures, and only then on the practical implementation of ISMS strategies. At the same time, society (at the state level) and employees (at the corporate level) are expected to understand the degree of danger and to support initiatives for ensuring information security.