Internet Security and Public Interest
Internet security is often essentially an individual problem. But large-scale incidents affect the public interest nonetheless.
Large-scale outbreaks of viruses, or large numbers of account theft incidents, often result in inconvenience to the general public, or significant financial losses. According to the US National Institute of Standards and Technology, in 2002 software glitches, a large proportion stemming from security problems like viruses and worms, resulted in a loss of US$59.5 billion.
In addition, as more and more critical infrastructure systems grow increasingly reliant on commercial systems like Windows and the Internet, these systems risk severe disruption in the event of Internet security incidents. For instance, the great blackout in the summer of 2003 in the United States affected over 50 million people. Although the official report denied any link to computer security problems, security experts still suggest that the event may have been related to a contemporaneous Internet worm outbreak.
Therefore I think when designing IT systems for critical infrastructure, more analysis should be done on the advantages and disadvantages in utilizing Internet and commercial systems, along with any repercussions on the public interest.
A Case Concerning Account and Authentication Security
Here I present a case study on user account security. Over the last few years, online banking and online gaming have faced many challenges in this field. It is easy to understand why online banking should be a target, but less obvious why online gaming is affected.
In fact, although I have not seen industry-wide statistics, since 2004 organized and systematic account theft crimes targeting online games have had a major impact on gamers. As online games are often a pastime spread over several months or more, the theft of an account or of virtual properties can have a profound emotional impact on the gamer, and can often cause significant financial losses. The programmable nature of the Internet enables the rapid replication of these crimes. It is not unusual for a crime organization to steal tens of thousands of accounts.
From 2005, many online gaming providers and government institutions in China launched initiatives to provide better security to online gamers. Our experience shows that one specific approach was particularly successful, that is the so-called "Two Factor Authentication" mechanism.
In 2005, both Shanda and NetEase launched One-Time Password (OTP) hardware tokens.
These devices generate one-time passwords that change every minute, thus effectively reducing the dependency of security on static passwords. This mechanism requires that the users not only "know the static passwords", but also prove that they "physically have the tokens". During the last three years, NetEase has deployed more than 7 million tokens. I think this success story could be replicated in other areas such as e-commerce.
Let me sum up. We have discussed multiple Internet security problems, all connected by the malware issue. Therefore the key question is whether a reduction in malware prevalence can be achieved. In the more electronic, networked society that we all live in, Internet security has become a vital part of the public interest as it affects critical infrastructure as well as individuals. Lastly, using mechanisms like Two-Factor Authentication, we have the capacity to provide a successful solution to the account security challenge.
Thank you.
(China.org.cn November 8, 2008)