6 Tips for Protecting Against Ransomware

The Internet Society has been closely monitoring the ransomware cyber-attacks that have been occurring over the last couple of days. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, exploits a flaw in Microsoft Windows that was first reportedly discovered by the National Security Agency (NSA). A group of hackers leaked the code for exploiting this vulnerability earlier this year, and a fix or patch was available as far back as March 2017. Since Friday, 200,000 computers in 150 countries have been compromised using this exploit. The numbers are expected to grow exponentially as people settle back into their work routines and regular use of computer systems this week. As part of our continuing work in online trust and security, there are some key takeaways from this incident that we want to leave with our community.

Firstly, we want to highlight the extremely negative effects which government stockpiling of vulnerabilities and zero-day attacks has on the overall security of the Internet. With over 60 countries known to be developing growing arsenals of cyber weapons, and with many of these exploits leaking into the public domain, the potential for widespread damage is a massive cause for concern. The impact is not only economic in terms of financial loss, but social in terms of how it impacts end user trust, and most importantly human in terms of loss of life (especially given that ransomware attacks have been focusing on hospitals). And with critical infrastructure like power plants, dams, and transportation systems being targeted in nation state cyber offensives, the threat to human life increases exponentially.

Secondly, it would appear that some hospitals are easy targets for ransomware attackers. Their systems house data that is critical to patient care and management, and many of these institutions don’t have the IT resources to support critical process areas like vulnerability management, patch management, business continuity management, etc. In general, hospitals are also now adapting to digital realities and a number of them are playing catchup with regards to cyber readiness. However, the aforementioned challenges are not unique to hospitals, and are faced by many small and medium enterprises (SMEs), and in several instances, large corporations. Individual users are also targeted based on their generally poor Internet hygiene or lack of security awareness.

We want to take this opportunity to emphasize the importance of good online security practices when accessing the Internet. So here are 6 basic tips for protecting against ransomware:

1. Employ strong, multi-layered endpoint security – Using endpoint security that can protect web browsing, control outbound traffic, protect system settings, proactively stop phishing attacks and continuously monitor for anomalous system behavior will allow for better protection of servers, laptops, tablets, and mobile devices.

2. Maintain regular backups of your critical data – Backups can help you to protect your data from more than just ransomware. Other risk events such as malware, theft, fire, flood or accidental deletion can all render your data unavailable. Be certain to encrypt your backed-up data and to verify that it can be effectively restored. Backups should also be stored at an offsite location isolated from the local network.

3. Do not open unsolicited emails or messages from unknown senders – Many ransomware variants are distributed through phishing attacks or email attachments. Increased mindfulness when handling ‘suspect’ emails can be effective in combating ransomware.

4. Patch your systems regularly – Patching your systems for vulnerabilities reduces the opportunities for hackers to infect you with ransomware. The fact that a patch was available for the WannaCrypt vulnerability since March highlights the somewhat lax attitude by organizations and individuals to keeping their system patches up to date. That being said, patch management is a complex activity and can impact the availability of key systems. Hence, thorough testing must be conducted to avoid unplanned downtime.

5. Disable macros if possible – Many forms of ransomware are distributed in Microsoft Office documents that attempt to trick users into enabling macros. There are a number of tools available that can limit the functionality of macros by preventing them from being enabled on files downloaded from the Internet.

6. Be aware and vigilant – For individuals, don’t assume that only techies need to know about all the recent malware and trends in online attacks. Subscribe to mailing lists that provide information on common vulnerabilities and exposures. In the case of organizations, developing an information security awareness program is an integral part of improving overall security posture.
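As an added illustration of tip 5 (this script is not part of the original post), the following PowerShell audits and, if wanted, sets the Office policy "Block macros from running in Office files from the Internet" for the current user. It assumes Office 2016 or later (the 16.0 policy key) and covers Word, Excel and PowerPoint.

```powershell
# Added example, not from the original post: check whether Office is configured to
# block macros in files that carry the "downloaded from the Internet" mark, and
# optionally turn that policy on. Assumes Office 2016/2019/365 (policy version 16.0).

$officeVersion = '16.0'                         # assumption: Office 2016 or later
$apps = 'Word', 'Excel', 'PowerPoint'           # applications to audit
$policyName = 'blockcontentexecutionfrominternet'

function Get-MacroInternetBlockStatus {
    # Returns one object per application: the policy key path and whether the
    # block is in effect (value 1 means macros from Internet files are blocked).
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $policyName `
                        -ErrorAction SilentlyContinue).$policyName
        }
        [pscustomobject]@{
            Application = $app
            PolicyKey   = $key
            Blocked     = ($value -eq 1)
        }
    }
}

function Set-MacroInternetBlock {
    # Creates the policy key if missing and sets the block flag to 1 for each app.
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name $policyName -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

# Audit first; uncomment the next line to enforce the policy, then re-audit.
Get-MacroInternetBlockStatus | Format-Table -AutoSize
# Set-MacroInternetBlock; Get-MacroInternetBlockStatus | Format-Table -AutoSize
```

In a domain, the same setting is normally deployed through Group Policy (it lives under the Policies hive), which will overwrite any value set locally by this script.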

Finally, we want to touch on the important work being done by the Online Trust Alliance (OTA), the Internet Society’s newest initiative. The OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship. With regards to preventing ransomware attacks, OTA has developed a number of industry best practices that address key threat areas such as email authentication and incident response. These are as follows:

Email Authentication: https://otalliance.org/resources/email-security

Domain-based Message Authentication, Reporting & Conformance (DMARC): https://otalliance.org/dmarc

Cyber Incident & Breach Response: https://otalliance.org/resources/cyber-incident-breach-response

Additional OTA best practices, resources and guidance to help enhance online safety, data security, privacy and brand protection can be found here.

The Spam Toolkit developed by the Internet Society also provides some guidance on addressing online threats.

The Internet Society is committed to the enhancement of online trust, and our work along this vein spans multiple areas. Our goal is to continue to provide our individual members, organizational members, chapters, partners, and other constituents with timely and relevant information and resources that equip and empower them to act.

My original blog article was published on the Internet Society website at: http://bit.ly/2qMuQ4U

8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their ‘brick-and-mortar’ counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.

What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high as it relates to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs — the effect on a company’s bottom line can be catastrophic.

But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the ‘3 lines of defense’ approach where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day-to-day reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.

More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:

  1. Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Even more, greater ownership should be ascribed to all levels of personnel for cyber risks. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.
  2. Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subjected to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company’s ability to stay in business. Period.
  3. Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure can increase revenues and drive bottom-line performance. In this respect, shareholders must not only expect cyber excellence, they should demand it.
  4. Financial management – There is clearly a direct correlation between cyber-related risk events (e.g. reputation damage, business disruption, fines, etc.) and financial loss. The severity and impact of such risks can be mitigated by integrating business strategy with cybersecurity strategy. The importance here is even more pronounced given the global economic downturn and depressed profits being experienced by several businesses.
  5. Public safety – An increasing number of companies are delivering products/services in the areas of smart grids, smart cities, automated public transit, power installations, autonomous vehicles, etc. Possessing core expertise in the alignment of cybersecurity and business operations will set these organizations apart in their respective market environments in terms of public safety. There are also distinct national security implications when we think of these technologies in the context of potential threats to human life.
  6. Business development – In 2004, the global cybersecurity market was valued at $3.5 billion. In 2017, it is now estimated to be worth $120 billion. But this value is primarily based on the number of products and services delivered. And while there is huge growth potential within the existing paradigm, there is a massive economic opportunity in fostering a commercial ecosystem built on online trust. Take for example the growing popularity of global trust audit and scoring offerings. Increasingly, more and more organizations are developing solutions to combat the proliferation of fake news. As it relates to IoT, consortiums are being formed to fill the security gaps in product design (i.e. existing markets can be strengthened through collaboration and coordination). And these are just a few examples of the emergent market for Trust-as-a-Service (TaaS).
  7. Corporate social responsibility – There are numerous benefits to CSR programs, ranging from enhancing brand loyalty to securing and retaining investors to attracting/retaining engaged and productive employees. So along that vein, social responsibility investment in cyber-related areas such as child online protection, secure coding for women, hackathons and cybersecurity research is a savvy approach to cementing market position. As a result, companies can promote good security as a selling point for their products and services, create a pipeline for the best cybersecurity talent, and leverage their cyber-specific supply chains to build consumer trust.
  8. Mergers & acquisitions – Businesses must recognize the importance of cybersecurity due diligence in the M&A process. Due to a low standard for due diligence, several corporations find out about major cyber incidents only after an acquisition deal has gone through. In actuality, serious cybersecurity issues around compliance, data breaches, poor security architecture or the absence of incident response processes should be uncovered before finalizing a transaction. In the case of Verizon’s acquisition of Yahoo!, the final offer was cut by almost $400 million due to revelations about cybersecurity incidents. A 2016 survey by the NYSE indicated that over 50% of respondents regarded major security vulnerabilities as a ‘show stopper’ for a merger or acquisition.

Considering that end users are generally regarded as the weakest points in cyber defenses, logic dictates that cybersecurity should begin with the individual. Every single employee must be engaged and involved in defending the organization from online threats. It is they who most often access enterprise applications, networks and devices, and will undoubtedly serve as the first line of protection against hackers. Executives and board members are targeted due to their access to key digital assets; and because of the traditional fortification of the network perimeter, line workers are the focus of threat agents seeking to gain entry into the network or escalate their privileges to access sensitive information. Indeed, both executives and employees represent vectors to the same ultimate objective – the compromise of internal systems and access to critical data. Hence, development of an effective cybersecurity strategy must involve tight coupling of security practices with business operations to bolster an organization’s overall security posture. The most damaging misstep organizations can make – and often do – is relegating this function to an understaffed and underfunded IT department.

ICT PULSE: Cyber threats and security in the Caribbean 2017 update – Interview with Niel Harper

ICT Pulse: Niel, give us a quick recap of what have been the most prevalent types of incidents in Barbados and/or in the Caribbean region over the past year or so? How has the threat landscape changed?

Niel Harper: Michele, it’s always difficult to quantify or qualify the number and types of cyber incidents that occur in the Caribbean because there are no mandatory breach notifications or transparency obligations in the various jurisdictions across the region. As such, public and private sector organizations do not notify the general public or individual data subjects when networks or personal data stores are compromised (yes I have said this a number of times, but it is still relevant and quite important). That being said, ransomware attacks have been quite prevalent across the region, and particularly targeting hospitals, educational institutions, government systems, financial services, and small-to-medium enterprises with insufficient resources to adequately respond to cyber threats.

ICTP: Over the past year, ransomware incidents appeared to have been quite plentiful across the region. Are they still as huge a threat?

NH: On a regional (and global) scale, ransomware has continued to be the most persistent business model for cybercriminals. One of the key reasons that ransomware has remained a major threat is because the tools used to initiate attacks are being continuously evolved and improved. For example, there was an over 150% increase in new ransomware variants in the first half of 2016. Moreover, cybercriminals are now operating Ransomware-as-a-Service (RaaS) with lower buy-in costs that allow less tech-savvy perpetrators to distribute ransomware. And the success of ransomware attacks is high because related exploit kits have been popping up more and more on legitimate websites.

ICTP: What are some of the new and emerging threats of which we should be more aware? And are there any particular areas of concern that you have for Caribbean organizations?

NH: One of my biggest concerns with regards to new and emerging threats is that nation states are increasingly developing offensive cyber capabilities, essentially weaponizing exploits and actively eroding trust online through disproportionate mass surveillance, targeted attacks, and information manipulation (fake news). On the other hand, threat actors are ramping up attacks against hardware and firmware vulnerabilities in processors, DRAM technologies, BIOS, and in firmware on devices such as USB, chargers, and external hard drives. IoT malware is on the rise and threatening individual privacy via regular household appliances and consumer devices. In 2017, ransomware continues to grow, and malware authors are focusing their efforts on mobile devices — attacking data repositories both on devices and in the cloud. ‘Dronejacking’ has become a growing threat with a noticeable increase in attacks due to consumer drones shipping with weak protection mechanisms. While not necessarily a new or emerging threat, the pervasive insecurity of IoT devices is fueling the perpetual threat of DDoS attacks, especially against ISPs with unsecured services such as DNS and BGP. All of these threat areas should be of concern to Caribbean organizations and individuals due to increased use of Internet-enabled devices at home and in the workplace.

ICTP: At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and calls by leaders for something be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in Barbados, and/or perhaps regionally? What might still be missing?

NH: I think the challenges with regards to cybercrime and cybersecurity are pretty constant across the Caribbean region — so I won’t just focus on Barbados. While I think that awareness is increasing, I am deeply concerned that the response to these issues across CARICOM and the broader region is (still) severely lacking. For one, the vast majority of the countries in the Caribbean do not have a national cyber crime strategy. This includes legislative reform (e.g. computer misuse, data protection, privacy, e-commerce, etc.), incident response capabilities, threat intelligence sharing, cybersecurity education & training, and other important elements. The HIPCAR project to harmonize regional cyber legislation ended around 2012, and most countries have still not updated their national laws. That being said, this may actually be an opportunity as the final outputs from the project were largely inadequate, and regional leaders should now be looking towards options like signing on to the Budapest Convention and/or modeling new data protection laws on the EU’s General Data Protection Regulations (GDPR).

ICTP: Does it even make sense for small companies to send their network administrators to security training courses when security is not their full-time job, and given the pace at which the security landscape is changing? Or should such companies just accept the fact that they need to outsource this function?

NH: This is a very good question. A network administrator is employed to oversee the smooth and effective running of the company’s system environment. However, this individual cannot successfully meet the demands of their job if the environment is not adequately secured. Hence, in my opinion, a top-tier network administrator should be trained on security to properly round off his/her capabilities and deliver real value to the organization. However, the tricky aspect is that small businesses generally can’t afford to hire network administrators with such a diverse skill set or to finance security-related training, so outsourcing then becomes the only viable alternative. But then outsourcing of such a sensitive role may not be cost-effective and may bring with it an entirely new set of risks. It’s somewhat of a Catch-22.

ICTP: Do you agree that user naiveté is the number one security threat facing organizations? If not, what do you think is the most significant threat?

NH: I strongly contend that end users remain one of the biggest threats to online security due to their lack of awareness, poor judgement and carelessness with password management, sharing devices with others, accessing unprotected and open public networks, downloading files and apps from untrusted sources, visiting unknown websites and clicking on fraudulent links. However… An increasingly connected society, coupled with a highly complex and constantly evolving threat environment, makes it extremely difficult for an inexperienced end user not to be the weakest link in the chain of trust. This is why end user awareness and training programs are so critical in combating cyber threats.

ICTP: Should any organization still be using tapes for data backup purposes?

NH: I totally understand why this question would be asked, especially given the widespread availability and popularity of alternatives like cloud backups, disk-to-disk backups, low-cost NAS backups, and others. However, I still think that tape backups should be used for a number of reasons. Firstly, newer LTO technologies are allowing for higher capacity, greater transfer rates, and lower total cost of ownership — SMEs generally can’t afford the large Internet pipes or expensive hardware/software required to support cloud and disk-to-disk backups. Tapes also have better reliability (error-rate) and longevity than disks. Additionally, tapes are highly portable with regards to moving them offsite to support disaster recovery. Tapes can also be combined with disk-to-disk or cloud backups to increase the robustness of disaster recovery solutions (e.g. when Internet connectivity is unavailable or data center locations are inaccessible due to a major incident). Other areas where tapes are superior to disks are scalability and backward compatibility.

ICTP: And finally, what are the top three (3) things businesses should be doing this year to improve their network/IT security?

NH: An important undertaking for organizations in 2017 should be to hire someone who has a strong skill set in the area of risk evaluation and management — an expert who can take a holistic look at the business to identify and qualify/quantify risk exposures and impacts, decide which risks can be accepted, and develop mitigating actions for those that can’t.

Secondly, businesses need to implement a toolset that provides them with greater visibility into security events and information throughout their IT environment. This should include logs and events from firewalls, intrusion detection/prevention systems, endpoint security, operating systems, network devices, databases, file integrity checkers, and data loss prevention or digital rights management solutions. IT personnel need to be able to identify anomalies across the organization, and proactively address intrusions before they occur or effectively detect and respond to those that have already happened.

Thirdly, businesses should rationalize and implement a cloud strategy (if they haven’t done so already). Cloud-based solutions provide a more affordable solution than traditional on-premises systems. And while they have their own distinct set of associated risks, cloud-based services have become increasingly more secure and reliable over the last couple of years. To ensure that they are well protected when migrating to cloud services, businesses must focus concerted attention on the service level requirements which their cloud partners must adhere to. Key areas such as jurisdiction, data ownership, security standards, availability, performance, data portability, right to audit, exit clauses, change management and problem management should not be neglected. A robust service level agreement (SLA) is pretty much an insurance policy when entering into a cloud services partnership.

The original interview can be found on the ICT Pulse website at: http://bit.ly/2oCxMzM

From Fragmentation to Integration to Harmonization: Outlining the Requirements for Effective Cyber Legislation Approach Across CARICOM States


The Caribbean Community (CARICOM) is comprised of 15 Member States. Its chief purposes are to promote economic integration and cooperation among its members, to ensure that the benefits of integration are equitably shared, and to coordinate foreign policy. As it relates to cybersecurity, there are several programmatic deficiencies and significant fragmentation of efforts across Member States, primarily with regards to legislation.

There has been limited research exploring the regional harmonization of cyber laws across CARICOM. For example, some authors have touched on cyber-readiness at a high level, examining the cyber response capabilities of a few countries in the Caribbean region. However, these academic works have not provided an in-depth analysis of cyber legislation or enunciated the key requirements for legal reform. Others have broadened the scope of their cyber-readiness research to include Latin America and the Caribbean. However, lumping the Caribbean together with Latin America with regards to harmonized cyber legislation can be problematic due to factors such as history, language, traditionally weak political and commercial ties, size of countries, and disparate economic scenarios. In general, it must also be mentioned that cyber-readiness indicators don’t actually translate into a successful legislative framework or adequate protections against threat actors. Studies also fall short in articulating why harmonization is necessary for CARICOM Member States, and how the region compares to the likes of Europe, Asia-Pacific, and Africa with regards to a harmonized cybersecurity legal framework.

The scholarly justification for this paper is to challenge the effectiveness of the existing fragmented approach by first explaining why a harmonized cybersecurity legislative framework is important. I will then discuss some of the legal challenges associated with such an undertaking. Next, I will perform a comparative legal analysis with other regions that have taken similar steps, and use this as a lead-in to a SWOT analysis of CARICOM’s present cybersecurity posture. And finally, I will propose a legal framework that enables stakeholders in CARICOM Member States to more capably respond to transnational cybercrime.

Keywords: Cybersecurity, Cybercrime, Harmonization, Fragmentation, Integration, Cooperation, Cyber legislation

Read the full academic paper at: http://bit.ly/2mu30IT

The Role of Governments in Ensuring a Consistent Legal Framework for Internet Governance


The Internet is not an ethereal or otherworldly thing, and existing laws in the offline world are applicable to “cyberspace”. The Internet is for all intents and purposes a tool for making data available and for accessing it. But unfortunately, it is a tool that can be used by individuals and groups to conduct illegal activities. Similar to the offline world, governments have a social responsibility to develop laws that address criminal and illegal behaviors online. Hence, ensuring that an adequate and effective legal framework exists is an important role for governments.

Data protection and privacy

Data protection and privacy are at the top of the list of important legal issues, especially given that people are increasingly storing more of their data online and large amounts of data are collected, searched and manipulated electronically. In the EU, the Data Protection Directive 95/46/EC was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.[1] However, although the national laws implementing the Directive conform to it in terms of basic concepts and principles, they tend to be slightly different in many relevant details. The differences in the way that each Member State implemented the law have led to inconsistencies, which create complexity, legal uncertainty and administrative costs. This affects the trust and confidence of individuals and the competitiveness of the EU economy.

In January 2012, the European Commission (“the Commission”) presented a proposal for a General Data Protection Regulation (GDPR) to replace Directive 95/46/EC.[2] On 21 December 2015, the European Parliament and Council reached agreement on the data protection reform proposed by the Commission. The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.

Responses to the reforms haven’t been all positive. Bird & Bird lawyer Gabriel Voisin strongly maintained that, “The text adopted at today’s plenary session of the European Parliament is over-prescriptive. It will hamper Europe’s ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies”.[3] Christian Toon, Head of Information Risk at Iron Mountain, told SCMagazineUK.com that, “While consumers will welcome the fact that the European Parliament has voted through the EU’s first major overhaul of data protection legislation since 1995, many European businesses will be feeling nervous… The reality is that many remain underprepared… Businesses that fail to address the issue now not only run the risk of significant financial penalties in the near future, but may also risk serious reputational damage that will make customer retention more complicated.”[4] A number of other subject matter experts had similar comments.

Whether these criticisms are real or perceived, they represent a failed attempt at consensus between the European political establishment and its stakeholders. This has happened due to the fact that the GDPR was agreed to without adequate consideration of the 4000 amendments tabled by stakeholders, and the lack of political agreement among Member States in the European Council.[5] Consensus building is a critical aspect of Internet governance. The input of committed and informed stakeholders in decision-making processes, in their substantive roles and responsibilities, is imperative to verifying that outcomes are both effective and accepted. It also guarantees that diverse stakeholders can directly contribute to activities and are privy to their results. Consensus essentially facilitates solutions that meet the diverse needs of the Internet ecosystem, and moves the governance structure from top down to bottom up.

International Cooperation

The Internet is a cross-border platform and many of its legal and enforcement mechanisms necessitate international cooperation. The specific challenge posed by the cross-border aspect of the Internet is that activities that are legal in one country may be illegal in another. Governments need to promote bilateral and inter-governmental agreements that support enforcement of the law. This is also the case in the offline world, where law enforcement can be bolstered through international cooperation between agencies. Governments have a responsibility to their citizens to work together through international organizations such as the WTO, WIPO, Interpol and others in order to successfully combat illegal activity online.

A significant amount of international effort has gone into the development of model laws for international cooperation and harmonization of cyber crime legislation. One example is the Council of Europe’s Convention on Cyber Crime.[6] The first of its kind, and the only effective global treaty on cybercrime, it was developed to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and fostering international cooperation among nations. It tackles broad subject matter, dealing with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures, such as the search of computer networks and interception. There have been other attempts at creating model laws, such as the Commonwealth Model Law on Cyber Crime and the three ITU Model Laws – HIPCAR (Caribbean), ICB4PAC (Pacific Islands), and HIPSSA (Sub-Saharan Africa).[7] The Commonwealth Model Law was not widely adopted by States, but because much of its framework has been integrated into the ITU model laws, many of its requirements have subsequently been applied to legislation in African, Caribbean, and Pacific (ACP) states.

Attempts at international harmonization of laws can be rife with challenges. In several instances, the omission of necessary provisions, defective language, fragmented drafting, the inclusion of obscure and unsafe offenses, and divergence from or contradiction of established best practices have inflicted great damage on the objective of enhancing international cooperation against cyber crime. In many developing countries, the main challenge has been the unavailability of subject matter expertise in drafting legislation and regulations on cybercrime and electronic evidence. To solve this, governments should look at broadening the communities with which they engage. Inviting the private sector and academia to participate in developing model laws can drastically improve the quality of legislative outputs. Seeking technical assistance from international organizations can also yield substantial benefits.

Conclusion

Internet governance, and the multistakeholder model it employs, is a reflection of the open and inclusive nature of the global Internet and has been an integral reason behind its amazing growth and success. Many governments have realized that deeper stakeholder engagement — including governments, businesses, civil society, the technical community and academic institutions — is the optimal approach to sharing knowledge, experience, competences and best practices when developing policies to address new opportunities and respond to emerging challenges.

Traditional models of governance that would institutionalize control over the Internet by governments and inter-governmental bodies cannot achieve these goals. Such rigid decision-making processes are unable to maintain pace with rapidly changing technological advancements that characterize the Internet, and the ever-evolving requirements of Internet users. Any attempts to superimpose traditional models would dampen innovation and constrain realization of the limitless benefits of an open Internet. It would risk stifling the dynamism that has allowed the Internet to deliver so many benefits and opportunities for economic growth and social welfare.

A revisionist approach to governments’ involvement in Internet governance should focus on overhauling the rules of engagement. These new rules would allow government officials to participate in architecting a new ‘distributed global governance framework’, with defined restrictions and in their macro-level role as public policymakers for Internet-specific matters. Notably, this function should not undermine the globally accepted norms and principles of Internet governance. Within a multistakeholder environment, all concerned parties could contribute to building a platform for further public policy elaboration. This could set the stage for the transformation of Internet governance into a truly international policy-making process. But in order for that to occur, we need visionary leaders, a change in mindset from control to collaboration, and strong political will.

 

Does ICANN’s UDRP Preserve Free Speech and Allow Room for Criticism?

Introduction

The phenomenal growth of the Internet has resulted in a proliferation of domain names. The explosion of ‘.com’ registrations coincided with an increase in domain name disputes, and with it the legal branch of intellectual property devolved into virtual mayhem. ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP) was created to allow for trademark holders to challenge domain owners, bring the respondents into binding arbitration, and possibly gain control of the domain name in question. The UDRP was brought into force in October 1999, and it can be said that it has contributed handily to the resolution of domain name disputes. However, deeper investigation into the UDRP paints a different picture.

The fair use of domain names relative to non-commercial negative or critical statements is the subject of many UDRP grievances. Nonetheless, panelists still express divergent views as to whether this constitutes ‘fair use’. The evaluation of fair use hangs on the importance a panel attributes to the registrant’s right to freedom of expression in each case. In some cases, free speech is not viewed as a legitimate right under the UDRP to register a domain that is ‘indistinguishable’ from a complainant’s trademark for the purpose of criticism, even in the absence of commercial intent. An opposing view is also taken, where it is argued that non-commercial free speech is the justifiable fair use of a domain name to criticize a trademark owner. As such, a major complaint about the UDRP is that it is unconstitutional with respect to the protection of free speech.

‘Sucks’-Type Cases

A problematic feature of UDRP cases regarding free speech, and one that is linked to the ‘WIPO Overview Majority View’, is that ‘sucks’-type domain names are deemed confusingly similar to complainant trademarks.

For example, in Walmart Stores, Inc. v Richard MacLeod, the panel explained that its decision to transfer wal-martsucks.com to the complainant was based on its belief that “the phrase ‘identical or confusingly similar’ [is] greater than the sum of its parts”. The panel also concluded that its process does not examine whether “the domain name causes confusion as to source… but instead whether the mark and domain name, when directly compared, have confusing similarity”. Taking into account that the respondent admitted that his original intention in registering the name was to sell it for profit, there was a strong argument for ruling in favor of the complainant based on the third element of the UDRP, which refers to a domain being used in bad faith. Moreover, the precedent established in Bally Total Fitness Holding Corp. v Faber, which held that the addition of “sucks” prevents any reasonable user from confusing that website with an official website, should have been considered.

In Royal Bank of Scotland Group plc v Pedro Lopez, the domain name <natwestbanksucks.com> was registered by the respondent, along with some other domain names that included the complainant’s mark. They all resolved to a site that incorporated criticisms of the complainant. Even though the domain name in question included ‘sucks’ after the mark, which could serve as a distinguishing factor, the panelist held that the use of a confusingly similar mark could not be considered a legitimate non-commercial or fair use.

Another example is Chubb Security Australia Pty Ltd v Mr. Shahim Tahmasebi, where the respondent (a former employee of the complainant) utilized the <chubbsux.com> domain name for a website that detailed the complainant’s poor employee relations practices. Acknowledging that the parties had no relationship to the U.S., the panelist adhered to other decisions that adopted the majority view and resolved that a ‘gripe’ site does not automatically endow any right or legitimate interest in a domain name. The panelist ultimately ruled against the respondent, concluding that “it is not in this panel’s view legitimate to use the complainant’s own trademark as a platform for criticizing the complainant itself.”

The cases above represent the majority view, and demonstrate that a large number of panelists have, with minimal analysis, applied the argument of the complainant in Wal-Mart Stores that appending ‘sucks’ or a similar term to a trademark is not sufficient to eliminate confusion. One could easily surmise that the confusion test under the UDRP requires only the slightest degree of confusion, somewhat comparable to the ‘initial interest confusion’ doctrine under U.S. trademark law. A deeper investigation into the UDRP suggests that its original goals were to limit occurrences of classic or unfair-competition cybersquatting. It was not developed with the intention of obstructing the use of domain names for reasonable criticism of trademark owners. As the UDRP does not grant preemptive rights to trademark owners over the use of all variations of their mark in domain names, it follows that an authentic ‘sucks’-type website equates to a legitimate interest on the part of the registrant. As such, the WIPO majority view can be seen as restricting free speech and stifling criticism on the Internet.

Panel and Jurisdictional Issues

Another shortcoming of the UDRP is that it doesn’t specify which local laws should apply in domain name disputes. Inconsistencies arise when panelists apply dissimilar precedents to similar factual themes, apply different local laws to cases with similar issues, or disregard local laws altogether. Furthermore, the panelists that review UDRP cases come from all corners of the globe. Consequently, the panelists, who ostensibly possess expertise in trademark law to start with, are likely to apply the laws they are familiar with to the cases they are tasked with arbitrating. This introduces jurisdictional bias into the decision-making process. While this issue is largely to be expected, it is exacerbated by the fact that complainants engage in forum shopping to prejudice results in their favor.

Concerns regarding panel and jurisdictional bias in fair use and free speech cases involving U.S. panelists and respondents have thus emerged. For instance, it has been discovered that panelists from the U.S. are more predisposed than those from other nations to rule in favor of respondents in fair use and criticism-related cases. Additionally, it was found that the chances of respondents from the U.S. succeeding in a fair use defense are higher than those originating from other countries. This means that, under the UDRP, respondents from the U.S. enjoy greater speech protections than those from other countries, and that arbitrators from the U.S. are more sympathetic to speech interests than arbitrators from other countries.

There are a few explanations for this. For one, the largest percentage of panelists originates from the U.S., making up 24% of all WIPO panelists. The next four countries with the greatest share of panelists are the UK (10%), Australia (6%), France (5%), and Switzerland (5%). Additionally, U.S. panels are deciding nearly 50% of all fair use cases. Finally, U.S. trademark law allows for uses of marks to criticize or comment on them, either under the fair use defense or a parody defense. Still, as previously mentioned, to the extent that a fair use defense exists in the UDRP rules, it tends to be ignored by panelists. This has the effect of creating a strong bias for trademark holders at the expense of guarantees over freedom of speech.

The Spanish Constitution includes explicit provisions that protect freedom of speech. Section 20 of the Spanish Constitution confers broad protections for the dissemination of information. This section ensures protection for “the right to freely express and spread thoughts, ideas, and opinions through words, in writing, or by any other means of reproduction.” In the past, this provision has been used in ruling that a statute that criminalized denials of genocide was unconstitutional. In reaching this decision, the Court argued that freedom of expression was essential to a democratic society. Exercising the principle of free dissemination of ideas and opinions incorporates the freedom to criticize. That freedom applies to all opinions, whether they are considered erroneous or dangerous or challenge the democratic system itself. As previously discussed, UDRP panels are inclined to ignore the rights of domain registrants to criticize trademark holders. Such criticism would likely constitute protected expression under the Spanish Constitutional Court’s jurisprudence, and the UDRP would violate the country’s free speech protections.

For domain disputes heard in Ireland, country-specific supplemental UDRP rules known as the ieDRP are used. However, the ieDRP prescriptions are quite similar to the UDRP rules. Unfortunately, similar concerns for freedom of speech exist with the ieDRP. Article 40 of the Constitution of Ireland protects the right to free speech and guarantees the “right of the citizens to express freely their convictions and opinions.” The UDRP represents an insular view of the right to free speech, highlighted by its liberal interpretation of the term “confusingly similar” and its confined view of the respondent’s “rights or legitimate interests in the domain name.” As such, it is in diametric opposition to the constitutional free speech protections of Ireland.

As is presently the case in the U.S., Spain, Ireland, and other countries, the UDRP violates constitutional protections over freedom of expression. And they aren’t simply technical violations, but actually indicators that the process is void of the fairness that such provisions were devised to safeguard. Moreover, the UDRP creates problems of legitimacy given its foundation in U.S. public law, the fact that it regularly conflicts with domestic law, and the absence of input from other nations.

Free Speech Issues with New gTLDs

With ICANN’s new gTLD system, trademark owners are expected to be proactive in either registering new gTLDs similar to their own marks, or at a minimum blocking registrations of such gTLDs by others. While trademark owners possess legitimate rights to protect their valuable commercial brands within the new gTLD space, either of these possibilities – registration or defensive objection to registration – has the potential to negatively affect free speech. In the new gTLD program, successful applicants may choose to run their gTLD registry as an open or closed registry; registrations within a closed registry would be available only to a specific type and a limited number of users.

For example, in early 2015, ICANN’s new gTLD Program Committee set a policy that limited registrations in the .doctor name space strictly to ‘medical practitioners’. This decision to summarily exclude various lawful users of the word, including persons who are Ph.D.s, DBAs, or Juris Doctors, is a serious violation of free expression. In what could be viewed as a preventative measure for such occurrences, ICANN’s community set out to embed certain protections for freedom of expression in the new gTLD program via core principles in the GNSO’s final approved new gTLD policy. Take for instance Principle G in the new policy: “The string evaluation process must not infringe the applicant’s freedom of expression rights that are protected under internationally recognized principles of law.” Sadly, these provisions were replaced by so-called “Public Interest Commitments”, which ran contrary to the clauses that were designed to preserve Internet users’ free expression rights.

Another example of free speech violations in new gTLDs is where the American Bible Society (ABS), acting as registry for the .bible domain space, prohibited any content that it deemed unsuitable. Its published Acceptable Use Policy stated the following: “Pointing to any content that, as determined in ABS’s sole discretion, espouses or promotes a religious, secular or other worldview that is antithetical to New Testament principles, including but not limited to the promotion of a non-Christian religion or set of religious beliefs.” This is clearly a form of censorship and suppression of freedom of speech.

But what do these examples have to do with the UDRP and free speech? The uniform adoption of the UDRP by all ICANN-accredited Registrars means that its use and application are geographically widespread. Failure to reform the UDRP and resolve major issues such as the narrow view of the term “confusingly similar”, forum shopping, disregard for local laws, and inconsistent use of precedent, coupled with the increasing prevalence of closed registries, will lead to greater violations of fair use and free speech in domain disputes.

Conclusion

Given the phenomenal growth of the Internet, and the launch of new gTLDs, domain name disputes will increase in frequency. With this increase, we should expect trademark owners to continue to employ any and all means to protect their marks. However, this unbridled enthusiasm must not be permitted to deny domain registrants their legitimate rights. In its present manifestation, the UDRP broadly violates the constitutions of the U.S., Spain, Ireland and numerous other countries. By disregarding protections over free speech, the UDRP weakens the fundamental concepts of fairness that these provisions were created to safeguard. A number of changes need to be made to the UDRP to formulate a more balanced framework between trademarks and free speech on the Internet.

One clear option would be to reform the UDRP to scale back trademark infringement rulings, so that they are restricted to scenarios where there is authentic consumer confusion as opposed to initial interest confusion. Furthermore, trademark dilution actions should seldom, if at all, be available in cases involving parody and critical commentary. The prevailing opinion should be that such occurrences are non-commercial fair use and fall under the protections afforded to free speech. Also, the UDRP should be limited to cases of evident cybersquatting and bad faith, and not be extended to circumstances related to cybergripe or parody sites.

Finally, I believe it is imperative that ICANN completes its transition to an international multistakeholder body. This type of governance structure, with underlying self-regulating constitutional principles, can guarantee that free speech rights are protected while retaining many of the features that have made the UDRP attractive. Such an arrangement would appeal to nations on the legal and policy levels, and to trademark owners and registrants on an individual basis. It would drive policy uniformity, improve the consistency of decisions, legitimize the UDRP process, and increase accuracy in arbitrations. The UDRP would remain an efficient apparatus for handling cybersquatting, while simultaneously ensuring that dispute adjudication is fair and precise.