At Issue: Who’s to Blame for Shoddy Security (Opinion)

Porous security at institutions we trust points to a systemic flaw in the Internet’s design, and within the industry that protects us.

July 2, 2012

Last week two security firms announced that a coordinated cyberattack dubbed "Operation High Roller" appears to have hacked into 60 different banks. Believed to have originated in Russia, the hack scored approximately $78 million.

This brazen theft has left a number of unanswered questions in its trail. One may loom above all others: If banks are the gold standard for security, where does that leave the rest of us?

The short answer is we’re all in trouble.

No one needs to be reminded of the long litany of cybersecurity attacks, disruptions, thefts and exposures carried out during the past few years. Most anyone who owns a computer that's connected to the Internet — even with the newest operating system upgrades, patches ad infinitum, the latest security software, firewalls and bulletproof passwords — has had some malware bring down a system or at least cause major inconvenience.

"Looking back, the first 20 years in the war between hackers and security defenders was pretty laid back for both sides," said Kevin Poulsen in a 2009 Wired article. "The hackers were tricky, sometimes even ingenious, but rarely organized. A wealthy anti-virus industry rose on the simple counter-measure of checking computer files for signatures of known attacks. Hackers and security researchers mixed amiably at DefCon every year, seamlessly switching sides without anyone really caring. From now on, it's serious," he warned. "In the future, there won't be many amateurs."

Poulsen was right. Attacks have become more sophisticated and numerous, creating real economic damage as Americans spend more time and money online. Earlier this month, researchers reported that the Flame malware can even hijack the Microsoft patch update mechanism to spread by the very method designed to protect against attacks. The cost is high and rising. Consumer Reports said that in 2010, malware cost Americans $2.3 billion.

Government is also feeling the threat. According to a 2011 report from the U.S. Government Accountability Office, "Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing 650 percent over the past 5 years."

Attacks have cracked banks, destroyed electrical generators and disarmed nuclear plant safety features. They have the ability to bring down a country's electrical grid; the smart grid will add further vulnerability.

It might be time to stop swatting at mosquitos and seriously consider draining the swamp — doing something very different to eliminate the threats and the vulnerabilities. But are there any incentives to do that? The security industry is big business and without attackers to fight, nobody needs an antidote. As Poulsen said, the hackers and security researchers mix and change sides. A successful attack might earn the perpetrator a good job with a security firm. It's black hats vs. white hats, and computer users are the pawns, the losers, the suckers.

What would happen if “malwar” peace broke out? Would productivity soar, lifting the economy, or would the economy crash with news that the robust cybersecurity market segment was kaput?

And if the incentives were there, is a complete solution to cybersecurity even possible? Internet pioneer Vint Cerf, in a 2009 presentation, said that if he were to do the Internet over, he would put much stronger emphasis on authentication and accountability in the architecture, even though, as he said, the idea has "tension with anonymity." So is stronger authentication the answer, and is it possible to add it on at this late date?

There are all kinds of reasons given for our porous security. We tend to blame users for weak passwords, for using memory sticks, for downloading free software and apps, for using unsecured Wi-Fi hot spots — all the things that are convenient and useful.

Maybe it’s time to start faulting the overall design of the Web, and the malware makers, and also to begin demanding better solutions from security firms who can't seem to stop these increasingly serious intrusions.

At Issue: Are we destined to an eternity of "Whack-a-Mole" security, or is there some real solution we are overlooking?

Wayne Hanson

Wayne E. Hanson served as a writer and editor with e.Republic from 1989 to 2013, having worked for several business units including Government Technology magazine, the Center for Digital Government, Governing, and Digital Communities. Hanson was a juror from 1999 to 2004 with the Stockholm Challenge and Global Junior Challenge competitions in information technology and education.