EU advisors: Secure ISPs, form "cyber-NATO"
see also full report and workshop
Academic researchers tasked with making information-security recommendations to the European Union called for rules to force Internet service providers to clean up their networks, for the passage of a comprehensive breach-disclosure law, and for the formation of a group to manage and aid international investigations.
The fifteen recommendations, part of a report prepared by University of Cambridge researchers and funded by the European Network and Information Security Agency (ENISA), could form the basis of future rules governing EU members, said Tyler Moore, a researcher and PhD student at University of Cambridge, who presented the work on Thursday at the Workshop on the Economics of Information Security (WEIS) 2008. The recommendations call for collecting better data by passing comprehensive data-breach disclosure legislation and requiring the reporting of data losses to a central agency. In addition, the researchers proposed that ENISA publicly report the quantity of malicious data and spam flowing out of Internet service providers' networks as well as punish ISPs that do not block compromised machines.
"The good ISPs react very quickly," Moore said. "The bad ones don't, because it is expensive. The desire to clean up their networks is not that strong, so other measures are needed."
The European Union has already requested the aid of Internet service providers in reducing cybercrime. In April, the Council of Europe called for ISPs to share more attack information and speed responses to government data requests. In the United States, the Federal Bureau of Investigation has asked ISPs to retain data for longer periods.
The recommendations called for EU to put pressure on the 15 nations that have not passed the Council of Europe Convention on Cybercrime treaty and to create a law enforcement group -- based on the model of the North Atlantic Treaty Organization (NATO) -- to help expedite investigations into cybercrimes that cross national borders.
Software vendors did not escape scrutiny. The report advised that the government to enforce standards that require network-attached devices to be secure-by-default, to adopt early vulnerability disclosure to force software makers to quickly patch their products, and to mandate that security fixes be distributed for free and not as part of a feature update.
A more in-depth version of the report will be published by ENISA later this year, Moore said.