"Five Myths About Cybersecurity"
December 21, 2009
Author: Melissa Hathaway, Senior Advisor, Cyber Security Project
Belfer Center Programs or Projects: Explorations in Cyber International Relations
The Internet is the global communications and information infrastructure that provides the medium for communication and computation that facilitates the provisioning of numerous applications and infrastructure services, including e-mail, on-line banking, data storage, and quantum computing power. It brings with it promises of economic development and prosperity, scientific discovery, increased political participation, and ever-changing social networks through which we are connected in ways once unimaginable. While many understand the opportunities created through this shared global infrastructure, known as cyberspace, few Americans understand the threats presented in cyberspace, which regularly arise at individual, organizational and state (or societal) levels. And these are not small threats: a paper presented earlier this year at the World Economic Forum in Davos, Switzerland estimated that the total losses associated with cybercrime in 2008 exceeded one trillion dollars, and the FBI has declared cybercrime to be its highest criminal priority. This threat is silent and stealthy and must be addressed now, lest it introduce more fragility of trust in our global economy that, if left unchecked, will challenge our way of life. The cybersecurity problem is growing faster than the solution, and in order to address the problem, we have to move rapidly along the continuum from denial to acceptance and dispel a few myths along the way.
Myth 1: Consumer protection exists in cyberspace
False. On-line holiday shoppers beware: you are your own protection. On November 30th - or Cyber Monday, as on-line retailers have dubbed the Monday after Thanksgiving - the FBI warned consumers of some of the threats presented in cyberspace, including scams intended to trick us into downloading malware or divulging sensitive information. Web browsers and anti-virus software are not necessarily going to protect us. Why? Because on any given day there can be tens of thousands of newly introduced viruses or malware samples that have a shelf life of 24 hours. Today's software simply cannot keep up. And that is not all. Some botnets, such as the Storm botnet, are used to hide phishing and malicious web sites behind an ever-changing network of compromised hosts acting as proxies. And what happens? Well, the average person holds approximately 20 online accounts for banking, internet-based mail, and social networking like MySpace or LinkedIn. The perpetrators obtain credit card data, bank accounts, passwords and identities, with which they then steal and spend your hard-earned cash to support their business activities. Are consumers protected? Many companies claim that they are, but have you noticed that your credit card interest rate recently increased by five percent or more? Is this a way to pass the cost of fraud onto consumers? Further, some banks are considering making their customers responsible for protecting their smart phones and computers from becoming infected so that they cannot be used to hijack their accounts. The bottom line is that the on-line industry will find ways to pass the costs of cybercrime through to consumers, which means that it really is every man (or woman) for themselves.
Myth 2: Firewalls and virus scanners protect my computer and my enterprise
False. A recent report by the Ponemon Institute noted that 82% of C-level executives report that their organization has experienced a data breach, and many are not confident that they can prevent future breaches. The bad guys are casing our networks to research and discover vulnerabilities in our software and hardware that they can then easily exploit. For instance, the United States intelligence community notes that commercially available virus scanners only clean roughly 35% of malicious code. As we race to embrace, buy, and integrate the newest technology into our lives and businesses, do we really understand the vulnerabilities, exposure points, and subsequent risk that is bundled in that purchase? Attackers are exploiting these seams and are becoming more subtle in their methods. For example, multi-media devices like a thumb drive or iPod are often used as a delivery mechanism for malware that embeds itself in our computer or network and later beacons or "phones home" for orders. Sometimes that homing device asks for a map of the computer or network topology, and sometimes it sends specific files to its master controller. Few software programs protect us from the insider threat or from socially engineered attacks that exploit human error (like opening an attachment). What should we do? We need to stop buying point solutions or "band-aids" and demand enterprise-wide secure solutions. We must increase security testing of networks to lower our operational risk. We must encourage industry to develop more secure software and force its products' strengths and weaknesses to be a part of their brand integrity. Why? Our reputation, price point, quality of service and overall business health depend on it.
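The paragraph above observes that implanted malware "beacons or phones home" for orders, which is exactly the behaviour a network defender can look for: a timer-driven implant contacts its controller at near-constant intervals, whereas a person browsing does not. The following is an added illustration, not code from the article or from any product it mentions, of that detection idea run over a small constructed proxy log. The hostnames, workstation names and timestamps are all made up for the example; the only signal used is the regularity of the inter-request gaps, so no destination list or signature is needed.

```python
"""Detect periodic 'phone home' beaconing in a constructed proxy log.

Added example: the idea is that a scheduled implant produces requests whose
inter-arrival times barely vary, so a low coefficient of variation over many
hits to one destination is worth an analyst's attention, whatever the host.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic): timestamp, source host, destination.
# ws-17 contacts one host every ~5 minutes; ws-22 shows ordinary irregular browsing.
SAMPLE_LOG = """\
2009-12-21T09:00:00 ws-17 update.example-vendor.test
2009-12-21T09:00:04 ws-17 news.example.test
2009-12-21T09:05:00 ws-17 update.example-vendor.test
2009-12-21T09:10:01 ws-17 update.example-vendor.test
2009-12-21T09:15:00 ws-17 update.example-vendor.test
2009-12-21T09:20:00 ws-17 update.example-vendor.test
2009-12-21T09:25:01 ws-17 update.example-vendor.test
2009-12-21T09:03:12 ws-22 news.example.test
2009-12-21T09:27:45 ws-22 mail.example.test
2009-12-21T09:31:02 ws-22 news.example.test
2009-12-21T09:44:19 ws-22 news.example.test
"""


def parse_log(text):
    """Parse 'timestamp host destination' lines into (datetime, host, dest) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, dest = line.split()
        records.append((datetime.fromisoformat(ts), host, dest))
    return records


def beacon_candidates(records, min_hits=5, max_cv=0.1):
    """Return (host, dest, period_seconds) for host/destination pairs whose
    inter-request intervals are nearly constant.

    min_hits: ignore pairs seen fewer times than this (too little data to judge).
    max_cv:   flag only when stdev/mean of the gaps is at or below this value;
              a timer gives a value near 0, a human gives something much larger.
    """
    by_pair = defaultdict(list)
    for ts, host, dest in records:
        by_pair[(host, dest)].append(ts)

    findings = []
    for (host, dest), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((host, dest, round(avg)))
    return findings


if __name__ == "__main__":
    for host, dest, period in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {dest}: regular contact every ~{period}s")
```

On the constructed log this flags only ws-17's five-minute contacts with update.example-vendor.test; ws-22's browsing never reaches the hit threshold and would fail the regularity test anyway. In practice the thresholds are tuned per environment, and a legitimate software updater will also show up, so the output is a triage queue for an analyst rather than a verdict.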
Myth 3: My government has the solution and will protect me
Not really. Although the government has a role to play, and President Obama announced his personal commitment to a new comprehensive approach to securing cyberspace in his May 29, 2009 speech on this subject, this problem cannot be solved without active involvement and shared responsibility by both the private sector and other nations around the world. As I prepared the Cyberspace Policy Review for President Obama earlier this year, it became clear that the interdependencies that are shared nation to nation and company to company are not well understood. Further, details on vulnerabilities of and security threats to our infrastructures and information assets tend to be closely held secrets. It is time to knock the complacency out of the system and hold both governments and the private sector accountable for providing a secure and resilient cyberspace. What is this going to take? It takes a commitment to solve the problem, followed by resources, new policies, and laws. The world is expecting leadership from the United States. As the original innovators of the Internet, the United States should use our position of strength to build out the security framework and drive the necessary change. For example, we could provide assistance to nations that ratify the Council of Europe's Cyber Crime Convention to curb the expansion of organized cyber crime. We could lean on the private sector and require all entities that provide managed information services to the federal government or to providers of critical infrastructure to abide by minimum standards of care. Further, we could urge the G-8 or G-20 to create a Cyber Action Task Force along the lines of the Financial Action Task Force to promote the development of sustainable information communications technology (ICT) and to combat attacks against the security and resiliency of information systems.
Finally, we must find ways to create a private-public partnership to facilitate information sharing and recovery strategies that truly underpin the availability, confidentiality, integrity and resiliency of cyberspace.
Myth 4: Physical assets are more valuable than information
False. While it is true that physical assets have a quantifiable value that can be depreciated over time, information is where the real value lies. As firms continue to embrace information technology to enable efficiency, productivity, and global connectivity, the value of information increases concomitantly, and the medium on which it transits or resides matters less and less. Privacy Rights Clearinghouse, which tracks reported data breaches, reports that since 2005, more than 341,742,628 records containing sensitive personal information were involved in security breaches in the United States. Many experts believe that the rate of corporate data breaches may be at or approaching an epidemic level, even though many of those breaches are never reported. After all, there is a disincentive for reporting, because the very act of reporting the breach can undermine customer confidence, brand reputation, and price point - all of which can lead to cancelled contracts, fines, and lawsuits, not to mention downward pressure on stock prices. Attacks on corporate information systems (data and infrastructure) are increasing operational risk and revenue risk, but few organizations understand the linkage between IT insecurity and enterprise risk management. Corporations need to prepare for technical glitches, outages and security breaches and be able to measure, monitor, and control losses. An IT disruption can paralyze a company's ability to produce or deliver its services, connect with its customers, or, in simple terms, operate. There are at least two bills that have been introduced in Congress this year that would establish standards for developing and implementing safeguards to protect the security of sensitive personally identifiable information (PII).
Those bills are laudable for what they seek to achieve, but why limit the reporting to PII and not include breaches that result in the loss of sensitive corporate intellectual property like our next generation weapon systems or IT product lines too? Are they not just as important? We need to create a safe vehicle and then increase reporting of data breaches so as to shine a light on the problem and so that we can bring to bear all of the ingenuity and capabilities of the United States to solve the problem. Barring that, we run the risk that the world just very well may hold us accountable to Article 12 of the Council of Europe's Convention on Cyber Crime, which holds companies civilly, administratively, or criminally liable for acts committed for their benefit either by an executive or as a result of lack of supervision by the executive.
Myth 5: Laws are keeping pace with technological innovation
False. Cyberspace is evolving faster than our understanding of its opportunities and risks. Laws in the United States and around the globe are not keeping pace with the cross-sector, multi-jurisdictional, multi-geographic nature of the infrastructure and services delivered through cyberspace. Laws overlap and create conflict as opposed to cooperation, even when our interests are aligned. For example, Europe's definition of data privacy and protection is much different from that in the United States. They have determined that an Internet Protocol (IP) address is private information, whereas in the United States we do not treat it as such. This is important because it limits our ability to share and store this information across borders, even when doing so will lead to finding a perpetrator or attack strategy. Data ownership, data handling, data protection and privacy, evidence gathering, incident handling, monitoring and traceability, and the rights and obligations related to data breach, data transfers, and access to data by law enforcement or intelligence services all need to be addressed by new laws written for the digital 21st century. For example, neither the Electronic Communications Privacy Act nor the Stored Communications Act has been updated for Internet communications or e-services, which are exponentially increasing due to IT innovations. The stringent requirements under current law for search warrants in cyberspace slow down law enforcement's ability to pursue on-line malicious activities and protect our citizens. This is important because a good portion of the world's cyber attacks are emanating from the United States. In the Cyberspace Policy Review, we identified scores of legal issues that must be addressed in order to facilitate a more secure future.
Laws have not kept pace, but if we tap into the strong talent of our law schools to analyze and publish ideas on how best to modernize these out-of-date laws, we just might begin to catch up with the speed of technological innovation.
These are just five of the many myths about cybersecurity. To get past the rhetoric and start making progress, we must first recognize our vulnerabilities and then take steps to address the threats in cyberspace. And just as those threats arise at individual, organizational and state (or societal) levels, the responsibility for addressing them arises at each level too. Working together, as citizens, industries, and nations, we can build a pathway to a safe, secure, and resilient infrastructure that will continue to support our daily lives, our national security, and the global economy. We just need to move from denial to acceptance and bury all of the myths along the way.
Melissa Hathaway is President of Hathaway Global Strategies, LLC and Senior Advisor at Harvard Kennedy School's Belfer Center. Previously she served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.
For more information about this publication please contact the Belfer Center Communications Office at 617-495-9858.