August 9, 2014 /
After Russian hackers breach 1.2 billion records: Where is cybercrime going next?
More cyberdefense action is needed, but many people seem content to hit the snooze button for now. Meanwhile, Black Hat speakers offer some policy advice to help, while smart Americans change passwords - again.
Enough is enough. Or, maybe not.
Where and when will this cybercrime trend possibly end? That is the question that millions of people around the world are asking this weekend.
Yes, there are several global crisis situations going on right now. But one morning last week when the US was back fighting and providing humanitarian aid in Iraq, the global Ebola outbreak was declared to be a public health emergency and the ceasefire between Israel and Hamas ended, the Washington Post still ran this article as their top editorial board story:
Here’s their opening excerpt:
THE SCALE of cybercrime continues to astonish. The latest eye-opener is a Milwaukee security firm’s claim that Russian hackers stole 1.2 billion usernames and related passwords. This must be one of the biggest hauls of all time, and while it is not clear what the hackers intend to do with their stolen data, the report should serve as another wake-up call to Congress and the American people to break out of their long period of complacency.
Too many wake-up calls?
And while this new hacker focus is no doubt raising more eyebrows, one trouble is that America seems to have become immune to this constant crisis mentality. I’m sure these other top news stories, not to mention primary elections, the Ukrainian civil war or other world news headlines, cause some of the sense of futility.
No doubt, cybercrime has worked its way to the top of the global agenda, but have Americans received too many wake-calls? Have we become accustomed to hitting the snooze button? Has cybersecurity become (or remained) a problem that Americans just expect someone else from Silicon Valley or Washington D.C. to fix?
I think so.
The call for new cyber legislation has been an ongoing battle for years. But the privacy versus security battles and distrust of government and even Internet companies after Edward Snowden’s revelations seem to have stalled near-term progress on a united strategy to fight cybercrime. Note: I am still somewhat hopeful that cyber legislation might pass during the lame duck session of Congress after the November 2014 elections.
The bad guys sure aren’t waiting, and we seem to hear about new online troubles daily. Meanwhile, big cyber events like Black Hat and Defcon display our online vulnerabilities to the world.
Dan Geer’s way forward from Black Hat: Mandatory reporting and... misrepresentation?
So where can we turns for potential answers and direction? This week, attention turned to Black Hat in Las Vegas.
Dan Geer, the well-known chief information security officer of the non-profit investment firm In-Q-Tel, offered his way forward for the information security community as the opening keynote at Black Hat. Geer’s ten commandments of modern cybersecurity, started with: “Create a mandatory reporting system for severe breaches, similar to how the United States Centers for Disease Control has a mandatory reporting system for medical diseases. If the breaches are less severe, then reporting should be voluntary.”
While I agree with most of Mr. Geer’s ten suggestions (they are definitely not commandments), I disagree with #7:
Uphold people's right to be forgotten and operate autonomously, even as a connected society makes this increasingly more difficult, and give people the ability to misrepresent themselves online under certain circumstances to confound those who would "watch" them digitally.
Why do I disagree? Because when people misrepresent themselves it makes the online identity management crisis even worse than it is today.
While I can see some benefits to a limited use of the right to be forgotten, we should not give further encouragement for people to misrepresent themselves on the Internet and further undermine online trust of data.
I ask Mr. Geer this question: If we encourage lying about who we are, what information will we be able to trust in cyberspace?
This is a slippery slope. It begs questions like: Who are you really? Why (and when) should I believe you? This policy is further opening Pandora’s Box and accelerating the downward spiral towards increased online deception.
While “right to be forgotten’ does create concerns about inadequate information on historic events and the public’s right to know, encouraging misrepresentation (let’s just call it by the historical name of lying) actually changes what is true to what is false – which is a further, and fundamentally flawed, step in the wrong online direction. This encouraging deception trend will further accelerate cybercrime and create even more shades of gray in cyberspace.
One alternative is anonymity, which has its own set of online problems. However, anonymity is, at least, not violating one of the original Ten Commandments in cyberspace.
Stakes are getting higher with IoT
But back to the original question. What is clear to me is that the stakes are only getting higher with the Internet of Things (IoT). Our global hacking trends will eventually reach a tipping point – and the snooze button will no longer be an option. No, I don’t know when that will be, but it is likely in the next 3-5 years.
One possible hint comes from this Black Hat story: Security experts take aim at the Internet of (unsafe) Things:
"In about a minute to an hour, I can reliably unlock the door on a car," said Silvio Cesare, an Australian researcher for security firm Qualys. He presented his findings on Thursday.
This is no idle concern. On Wednesday the National Insurance Crime Bureau reported that thieves are using high-tech electronic devices to break keyless-entry systems that lock modern cars….
He and others have created a grassroots group called I Am the Cavalry. They work on issues in which computer security intersects with public safety and human life, because, as they put it, "the cavalry isn't coming" to save us.
In my opinion, the tipping point will come when hacking starts to affect much more than people’s identities or their credit histories being stolen. I know that some people have faced serious problems as a result of cybercrime, but most passwords, credit cards or social security numbers that are stolen still result in only a minor impact on the average consumer – since banks and others often pick up the tab. Simply stated, we can fix your credit history.
But a time is coming when hacking will affect cars, pacemakers, murder trials and more. The stakes will get much higher.
Side Prediction: The first murder that occurs via hacking, that comes with a high-profile courtroom conviction that is covered by the mainstream media, may be the straw that breaks the cyber camel’s back – and result in the wakeup call being answered.
But what can you do this week?
One more time - correct.
Bottom line: We definitely don’t know where this hacking will end.
Perhaps we should probably be asking: Where is cybercrime going next?