“round the clock Internet surveillance”?  30.9.11

African news outlet coastweek.com reports from the ongoing Internet Governance Forum:

According to International Telecommunications Union (ITU) Secretary General Hamadoun Toure, governments should put in place round the clock Internet surveillance to prevent cyber-crime.

Toure called for the need for governments and the private sector to enter into partnership to ensure measures to guard Internet users in order to realize the full benefits of information technology growth.

Has Touré really called for “round the clock Internet surveillance”?

Anyhow, the design of coastweek.com makes me feel 15 years younger.

The Geopolitics of Openness  30.9.11

Interesting argument by David Eaves regarding the Open Government Partnership:

The OGP is part of a 21st century containment policy. And I’d go further, it is an effort to forge a new axis around which America specifically, and a broader democratic camp more generally, may seek to organize allies and rally its camp. (…)

Who is being contained? [China, Iran, Russia, Saudi Arabia, Pakistan] (…)

It’s no trivial coincidence that on the day of the OGP launch the President announced the United States’ first fulfilled commitment would be its decision to join the Extractive Industries Transparency Initiative (EITI). (…)

This is America essentially signalling to African people and their leaders – do business with us, and we will help prevent corruption in your country. We will let you know if officials get paid off by our corporations.

More data would certainly help to substantiate the argument, which in its current state is absorbing, but not compelling.

It would be interesting to link strategic US foreign policy thinking to ‘openness’ in governance – I’m thinking of, e.g., Anne-Marie Slaughter’s recent Foreign Affairs article, in which she proposed that the U.S. take the role of a central node in a highly networked and, governance-wise, deconstructed world. The OGP could be one element in the operationalisation of this strategy.

Symantec’s latest report on its beloved billion-dollar baby  29.9.11

431 million adults, $388 bn, marijuana, cocaine, heroin – cybercrime adds up to just an EFSF per year according to the folks at Symantec:

For the first time a Norton study calculates the cost of global cybercrime: $114 billion annually. Based on the value victims surveyed placed on time lost due to their cybercrime experiences, an additional $274 billion was lost. With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).

The research methodology:

Findings are extrapolations based upon results from a survey conducted in 24 countries among adults 18-64. The financial cost of cybercrime in the last year ($114bn) is calculated as follows: Victims over past 12 months (per country) x average financial cost of cybercrime (per country in US currency).

Between February 6, 2011 and March 14, 2011, StrategyOne conducted interviews with 19,636 people, including 12,704 adults aged 18 and over, 4,553 children aged 8-17 years, and 2,379 grade 1-11 teachers from 24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark, Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United Arab Emirates).

20,000 interviews – interviews, not surveys – sounds impressive. With an interview lasting some 15 minutes, that’s 300,000 minutes, or 5,000 hours, or 625 working days of eight hours each. You’d need a team of some 15 people conducting telephone interviews for two months. Doable, just a few hundred thousand bucks going from Symantec to StrategyOne. Note, though, that the cost extrapolation rests only on the adults aged 18-64; the children and teachers in the same interview programme cannot have contributed to the cybercrime figures. But does such firepower help to dig out the truth™?

StrategyOne – Evidence-based communications:

As the strategic research partner of Edelman, the world’s leading independent PR firm, our heritage is in communications research. We understand that useful research informs strategy that engages, persuades, and moves products, minds, and media alike.

As to the methodology of the report, which is by the way not available as a PDF:

  • A list of questions asked is not attached.
  • Definition of cybercrime I: Among other things, cybercrime is defined as: “Computer viruses or Malware appeared on my computer”. (Chapter 7) So a malware attachment in your inbox qualifies as a single incident of cybercrime. There is no indication of the share of such incidents versus, say, credit card fraud.
  • Definition of cybercrime II: Which kinds of incidents have been reported as “another type of cybercrime on my computer”? What’s the percentage of this category?
  • Calculation of costs I: No indication whether different price bases are used, e.g. for the U.S. on the one hand and countries with substantially lower price levels such as India or China on the other. Since the per-country figures are multiplied out in US dollars and summed, the choice of price base directly shapes the headline total.
  • Calculation of costs II: How are non-monetary incidents such as “malware or virus appeared on my computer”, “responding to a smishing message”, “approached by a sexual predator”, “Online Harassment” etc. turned into monetary damages? The $274 billion on top of the direct financial losses is, by the report’s own description, based on the value victims themselves placed on time lost, which makes the larger part of the $388 billion a self-assessment rather than a measurement.

Can being exposed to such reports be subsumed under online harassment? We won’t have reliable, sound, unbiased figures on cybercrime and the costs associated with it until a major research endeavour with serious funding spanning institutes in different countries is set up.


SABMiller: Conficker virus cost us £7.2 million  29.9.11

More and more reports on the costs of Conficker have trickled in recently. Here’s another one from the CISO (you know that acronym, right?) of brewery giant SABMiller, producer of delicious booze such as Foster’s, Miller, and Grolsch:

“Last April, I had to close down the Romanian operation for four hours because of the Conficker virus. It cost us £7.2 million [the revenue target lost, based on how much the breweries would have produced for sale during that time]”

He sold the halt of the beer production site to his board by arguing

that the effect on the company’s market capitalisation would be far worse if SABMiller had manufactured and sold poisoned stock

Shouldn’t the attack vectors for Conficker be barricaded by now? The worm spreads through the MS08-067 vulnerability in the Windows Server service, for which Microsoft shipped a patch in October 2008, and through weak administrative passwords on network shares and autorun on removable media. Of course, they could still have parts of their corporate network running on old, unpatched Windows platforms with autorun enabled. (Businesses have been strong supporters of the “never change a running system” mantra, though the vulnerabilities that remain in aged gear challenge this stance.) But “poisoned stock”? Where should that come from? Do they run their brewing control systems on Windows machines that would not detect a manipulation of their software stack, and on the same network as the infected office PCs? Conficker’s known payloads were a peer-to-peer update channel and, later, spam and rogue antivirus software, not tampering with industrial processes. The link between Conficker and “poisoned stock” is not spelled out.

DHS, DoC ask for anti-botnet policy input  28.9.11

Joint request by May, Strickling, Beers:

The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.

The Departments ask for contributions in four segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.

I’ve seen similar public requests for comments in other policy domains of the US political system before. Thus, I’m not sure whether this is as unique as it appears to be from my European perspective.

Currently, Microsoft – and not some state agency – seems to be the botnet take-downer du jour.

Update. Joel Harding with regard to Microsoft’s role in botnet response:

DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?

Merkel’s Moment, a Schmittian emergency  28.9.11

Margarita Mathiopoulos has her back to the wall because of the ongoing plagiarism investigation against her. I guess she’s the first among the Transatlanticist wing of the German foreign policy elite to put it that bluntly:

If it fails, the blame will be on Germany. … All eyes are on Berlin. There is a strong, if silent, expectation in European capitals — as in Washington — that Germany will not forget its historic obligation to those who helped it rise out of the ashes of World War II and reunite.

… and pulls a Schmitt (Carl, that is):

First and foremost, Merkel and Sarkozy can and should declare that the euro zone is in a “state of emergency.” This would allow them (…) Although this would require revising the Lisbon Treaty, a state of emergency would make it possible to take action immediately.

…and asks to give the Germans some boots that are not made for walking:

Germany will only agree to the introduction of eurobonds to spread the responsibility for government debt across the euro zone if sinning countries can be punished.

The Digital Public Domain: Relevance and Regulation  28.9.11

Brief, informative literature review by Leonhard Dobusch on public domain, its conceptualisation, political regulation, and societal relevance. One of Leonhard’s arguments is that we have no systematic model about the real-world phenomena that can be categorised as public domain:

Empirically, however, a systematic ‘map’ of the public domain is still missing. We do not know yet what public domain phenomena have the strongest practical relevance for actors in different fields. (p. 21)

This paper tried to provide a survey of our current scholarly knowledge on these issues, which might function as a starting point for further, particularly empirical investigations of the public domain. (p. 23)

Starting to fill these gaps was presumably one of the motivations for this paper. There is decent empirical research going on in that field, but indeed, we lack a systematic survey. The characteristics of the public domain can also be found in empirical phenomena other than the public domain or the commons. Peer production – kind of a sibling of the aforementioned – might serve as an example.

Noteworthy is the locus dissertatii of this paper, the “1st Berlin Symposium on Internet and Society” hosted by Google’s German science proxy, the Internet & Society Institute at the Humboldt University Berlin, which is to be unleashed the day before.