The misfortune of the victims of recent cyber-attacks raises a few critical questions:
- Is anything really safe?
- Do the security recommendations of experts actually matter?
- Or do we wait for our turn to be victimized, possibly by an attack so enormous that it shuts down the entire data-driven infrastructure at the heart of our lives today?
As the Executive Director of the Information Security Forum (ISF), an organization dedicated to cyber security, my own response is that major disruptive attacks are indeed possible; however, they are not inevitable. A future in which we can enjoy the benefits of cyber technology in relative safety is within our reach.
Nevertheless, unless we recognize and apply the same dynamics which have constructively channeled other disruptive technologies, the rate and severity of cyber attacks could easily grow.
It may seem surprising, particularly in light of the tremendous technological achievement represented by the Internet and digital technology generally, that further advances in technology, which are both desirable and inevitable, may be the least important of the forces taming cybercrime. Progress in encryption and related security measures will inevitably continue. It will just as inevitably be followed by progress in defeating those measures. Some of those countermeasures will be the creations of technically savvy individuals, even teenage whiz kids born in the digital age, to whom every security regimen is simply another challenge to their hacking skills.
Over time, cybercriminal enterprise has become specialized, like mainstream business: operating out of conventional office space and providing customer support, marketing programs, product development and the other trappings of the traditional business world. Some groups develop and sell malware to would-be hackers, often including adolescents and those with relatively little computer skill of their own. Others acquire and use those tools to break into corporate networks, harvesting their information for sale or ransoming it back to its owners. Still others wholesale the stolen data files to smaller operators who either resell them or try to use them to siphon money from the owners' accounts.
Artificial intelligence using advanced analytics could offer a significant, if temporary, advance in thwarting potential attackers. IBM, for example, is teaching its Watson system the argot of cyber security, which could, at least in principle, help it to recognize and block threats before they cause significant harm. But technological advances tend to be a cat-and-mouse game, with hackers in close pursuit of security workers. And security workers themselves can be compromised, bringing their best tools over to the dark side.
Still, having even modest security technology in place can slow the pace of malicious hacking. If breaking into a digital device takes more time and effort, an attacker is less likely to try. Yet many Internet-enabled consumer devices, elements of the so-called Internet of Things (IoT), are largely unprotected, exposing them, among other risks, to being conscripted as bots in a vast network of hijacked devices used for denial-of-service attacks.
That is not inevitable; it is a manufacturer's choice, driven by economics. Security can be expensive, and these devices were never designed with security in mind. They were created from the outset to provide and process information at the lowest possible cost. But by maintaining an open connection to the individual's home network, which may include a computer that is in turn connected to an employer's network, they offer intruders a portal to damage that goes well beyond the owner's thermostat or voice-driven speaker. Securing them may become an appropriate topic for government regulation.
Although no one feels nostalgic about it, there was a time, not terribly long ago, when cyber mischief was a personal enterprise, often a lonely teen operating out of a basement or bedroom. But today, in the eyes of institutions eager to secure sensitive digital files, the solitary teenage hacker is less a problem than a nuisance.
What has largely taken his place (and the overwhelming majority of hackers are male) are well-organized, highly resourced criminal enterprises, many of them based overseas, with the ability to monetize stolen data on a scale rarely if ever achieved by the bedroom-based hacker. The most persistent of them, and the hardest to defend against, are state-sponsored. Yet it is among young people that cyber-culture, including its more malevolent forms, is spread and nourished. And they do not need to be thugs to participate.
Last year alone, the value of cyber theft was estimated to have reached into the hundreds of billions of dollars, and it is growing. But unlike the bank robberies of years past, cyber-theft bypasses the need to confront victims with threats of harm to coerce them into handing over money. In fact, at the end of 2013, the British Bankers Association reported that "traditional" strong-arm bank robberies had dropped by 90 percent since 2003.
Instead, with just a few keystrokes, often entered from thousands of miles away, the larcenous acts themselves, which produce neither injury nor fear, seem almost harmless. And, at least in the eyes of adolescent perpetrators, eyes frequently hidden behind a mantle of anonymity and under the influence of the lawless virtual worlds that populate immersive online games, the slope leading from cyber mischief into cyber crime is very gradual and hard to discern.
Other hackers have different motives: some feel challenged to probe and test the security of an institution's firewalls; others want to shame, expose or take revenge on an acquaintance; and a few pose as highly principled whistleblowers unmasking an organization's most sensitive secrets. But even the most traditional notions of privacy and secrecy have themselves undergone something of a metamorphosis lately.
Examples are legion:
- Earlier this year, as I was flying from Chicago to New York, I couldn’t help but overhear the gentleman on the opposite side of the aisle telling his seatmate – a complete stranger – all about his recent prostate surgery.
- Attractive and aspiring celebrities regularly leak – actually, a better term might be release – videos of the most intimate moments they have had with recent lovers.
- Daytime TV shows in which a host gleefully exploits the private family dysfunctions of his guests have become a programming staple.
- People working for extremely sensitive government organizations self-righteously hand over the nation's most confidential data files to be posted online, purportedly to serve the public interest.
A Seismic Shift
There is a common thread running through each of these examples: conventional notions of privacy and appropriate information sharing have changed dramatically. The shift is particularly apparent in the way younger people use the Internet in their private lives, which frequently includes the exchange of highly personal information and images.
For their employers, however, whose electronic files typically contain sensitive personnel, financial and trade information, that behavior is not only a security concern; it is a journey into treacherous legal territory. And it is a journey which knows no jurisdictional lines. Different national cultures exert a powerful influence on their citizens' online behavior. What are considered harmless pranks and cyber horseplay among young people in Iraq would be seen as hostile cyber attacks in the U.S.
What we find perplexing is not so much a rapid advance in technology as a profound cultural shift, a sea change that needs to be recognized, shaped and ultimately accommodated to support appropriate and lawful use of these powerful cyber tools. That shift has a direct impact on the workplace. While an employee's online behavior can certainly damage the organization, such acts are rarely deliberate. The greater risk comes from behaving too trustingly: opening suspicious emails, clicking on links and opening attachments that inadvertently give an attacker a foothold on the organization's network. From there, a malicious attack can move in any direction, creating massive damage.
A New Sheriff?
The heady combination of cyber whiz kids, seismic cultural change, anomic virtual realities, sophisticated criminal gangs, state-sponsored attacks and a vigorous, web-enabled marketplace for all sorts of contraband has produced a kind of Wild West on steroids, something like the early days of the automobile, only this time on a global scale and with major incidents reported almost daily.
At the same time, however, even the Wild West brought on by the motor car was eventually tamed, or at least absorbed into the mainstream of commerce and culture. That transformation was achieved through a trifecta of improved technology for both vehicles and infrastructure, more comprehensive laws coupled with better law enforcement, and a gradual shift in driving culture affecting the perceptions and behavior of motorists.
In the cyber world, much the same dynamic applies. Improvements in technology will continue to make private data more secure. A more encompassing regimen of laws and treaties covering users, equipment suppliers and service providers will help codify the public's requirements for security. The European Union's recently adopted General Data Protection Regulation (GDPR), which gives citizens back control of their personal data while unifying regulation within the EU, is an encouraging example. And more imaginative forms of cyber education to strengthen the culture by supporting appropriate uses of the technology, some of which are already underway in elementary and high school classrooms, will help to crystallize public expectations and inform the behavior of the next generation of cyber citizens.
About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
Source: Infosec Island