To make digital communication more secure, we need to tighten up the legal frameworks and identify the biggest cyber threats.
Digital technology features more and more in the lives of citizens and consumers, and in the functioning of companies and the government. Cyber security, the guarantee of security in the use of digital technologies, is therefore becoming increasingly important. Not only technological, but also organisational, economic, legal and administrative aspects have a prominent role. It is unimaginable what could happen if malicious hackers managed to get into systems of critical infrastructures, such as Schiphol or the Port of Rotterdam. Leiden University senior lecturer Bibi van den Berg conducts research on the security of Dutch and international digital communication and possible ways to improve that security.
One of the main focuses in Van den Berg’s research is the division of responsibilities in the area of cyber security between governments, national and international institutions, companies and end users themselves.
For this purpose, she reassesses current theories in the field of regulation and ICT by applying them to this new domain. She also evaluates existing regulation strategies, such as the application of law and other rules or the use of economic incentives, in the light of problems that arise in relation to cyber security.
What is cyber security?
Van den Berg first researches the fundamental questions: What exactly is cyber security, and how big would the problem be if digital security was breached? “We still know far too little about the concept,” she says. “Firstly, because the parties concerned all have a different focus of attention. When you mention cyber security to private individuals, they think about the protection of banking details. If you ask the police, they will say that their cyber security focuses on hackers and terrorists. Ask the army, and they will say that it’s about cyber warfare (waging war by digital means). When you speak to politicians about this topic, they think of privacy problems and also of national security. This makes it very difficult for governments to decide what the focus of cyber security policy should be.”
Cyber Pearl Harbour
As well as uncertainty about the definition, not much can be said about the actual threat in the area of cyber security. “Curt Weldon, the chairman of a subcommittee of the National Security Committee in the United States, said a few years ago that it was just a matter of time before there was a cyber Pearl Harbour (in America), but in fact nothing has happened yet. There have been no cyber attacks resulting in large-scale disruption, and we have very few figures to interpret.”
One of the sectors where cyber incidents could have the greatest impact, says Van den Berg, is in the domain known as ‘critical infrastructures’, such as ports, power stations, dykes, airports, and so on. If elements of those critical infrastructures are hacked, this could have major consequences, not only in terms of economic damage but also in terms of the physical safety of citizens. Protection of those systems is not just a matter of purely technical maintenance; it also involves monitoring the interaction between users and technologies. “Hackers look for ways to use systems for their own purposes, for ways to exploit technological possibilities and to get around technological impossibilities. Sometimes a system becomes vulnerable because it is ‘accidentally’ used by people in the wrong way. Think of users who share vast quantities of sensitive data by mistake, or put a malware-infected USB stick into a computer containing commercially sensitive information.”
Another part of Van den Berg’s research focuses on raising public awareness about the use of digital media. “Do you know exactly what happens when you open a website or upload a photo? A lot of people don’t realise what they’re doing when they’re on the internet, although they really should be aware of it. At the same time, of course, organisations also have a responsibility to provide the public with proper assistance and information concerning the use of sites. I research the best ways to help citizens with internet communication, and how their behaviour is regulated, by means of both the law and digital signposting and barriers.”
What are specific examples of digital barriers? “They include the use of filters and blocking of child porn on the internet. Or preventing access to peer-to-peer networks for file sharing. But also the use of parental controls by parents who don’t want their children to see YouTube content that’s unsuitable for their age. These are all measures that make it technically impossible (or at least very difficult) to engage in certain behaviours on the internet. Measures of this kind are used on a large scale, by both the private sector and the government, but there’s very little knowledge about them, let alone public debate. For example, about their ethical and legal limits.”
Shortage of professionals
Together with other experts in the research field and the private sector, Bibi van den Berg is a member of the Cyber Security Council, which advises the government on policy in the area of cyber security. A recent recommendation was to invest in the teaching of cyber security. “The Netherlands has only a handful of experts, and they don’t have enough time to train people. There’s a shortage of lecturers and instructors, while companies and governments are desperate for professionals who can help with digital security.”