Guidelines to start with


‘The Group of Seven industrial powers on Tuesday said they had agreed on guidelines for protecting the global financial sector from cyber attacks following a series of cross-border bank thefts by hackers.

Policymakers have grown more worried about financial cyber security in the wake of numerous hacks of SWIFT, the global financial messaging system, including an $81 million theft in February from the Bangladeshi central bank’s account at the New York Federal Reserve.’

Source: Reuters

There are things in these guidelines that make a lot of sense, such as governments sharing information on breaches with each other. Actually, just that requirement would suffice to make my day. The ‘what’ and ‘how’ still matter, but this is definitely a good start, simply because admitting that you are vulnerable or have been a victim is the first stepping stone of development.

I was talking to a bank’s cyber security professionals about information sharing the other day. They said it was pretty demotivating when, in an attempt to take the matter in hand, they came forward and admitted in a meeting between banks behind closed doors that they had been hacked, only for the other participating banks to sit there united in silence.

The next level is of course sharing information about incidents, hacking events, attacking techniques and best practices for protection. Sadly enough, the laws and regulations of some countries do not even allow data to flow between financial organizations, in the questionable belief that this protects the transparency of their economy and the privacy of their citizens. So encouraging the sharing of this valuable information is a long way from being just around the corner.

So the G7 guidelines can help a lot in that regard. What I would hope to see less of is the notion of instructing “governments to ensure that they police their own cyber-security readiness as well as that of companies they regulate”. What is cyber-security readiness anyway? It is the misleading reassurance of “everything is going to be just alright” for the foot soldiers in the battlefield. And how can it be measured and enforced on private organizations?

Readiness sounds exactly like an expression intelligent people come up with to explain how things should work under “normal” conditions in theory. This has been tried before numerous times and failed. Which is why cyberspace today looks like the wild west at its best. Governments are simply too slow to keep up with cybersecurity challenges and regulation is their worst set of guns to fire in the field.

I would suggest that we give more freedom to governments when they are actively engaged in battles in cyberspace, similar to the freedom given to law enforcement or real soldiers when they directly confront a crime or an enemy. It is time for decision makers and the public to realize that, although invisible, cyber threats require more action and less, or much more flexible, regulation.