Dangerous Liaisons
High-profile data breaches are tipping the balance between connecting and protecting people.
High-profile data breaches are tipping the balance between connecting and protecting people.
Let's start with the fundamental lapse that started this mess-the Defense Department designed the underpinnings of the Internet to make information easy to swap, not easy to secure. Now, efforts to add protections often complicate information sharing. For instance, in an effort to prevent another WikiLeaks-like episode, where an employee sends confidential information to a public website, the White House issued guidelines instructing federal workers on how to spot and report turncoats. Such drastic reactions have created a climate of mistrust among departments that used to exchange data freely.
So, there's the major problem. Securing the Internet is a constant battle between connecting people and protecting people. Blocking unauthorized access to networks, the goal of cybersecurity, aims to strike the right balance between the two imperatives.
Threats that could tip the equilibrium are constantly evolving. Malicious software is becoming more sophisticated, and more bad actors and insecure devices are connecting to the Internet. Federal and corporate networks are constantly hacked, but most organizations are loath to admit weaknesses, so the public rarely hears about stolen or exposed data.
This year has seen reports of a number of high-profile cyber events largely because attackers want their acts known and victimized companies are sick of paying for incident cleanup.
Computer security firm RSA, which supplies network login devices to governments and firms, divulged in March that unknown intruders had excised information about its SecurID identification verification technology. In June, the company disclosed that unidentified perpetrators leveraged those secrets to access Lockheed Martin Corp.'s network, but the defense contractor was able to contain the breach. RSA then felt compelled to offer its customers tens of millions of replacement tokens, as well as transaction monitoring services.
After hackers compromised personal information belonging to 360,000 North American credit card customers, Citigroup had to reissue cards for 217,657 account holders and reportedly cover $2.7 million in losses resulting from financial fraud.
Meanwhile, hacktivists infiltrating networks to poke fun at lax cybersecurity and make political statements defaced popular websites and published sensitive data belonging to corporations and governments. One loosely organized group posted a story on PBS.org about deceased rappers Tupac Shakur and Biggie Smalls being found alive and well in New Zealand. The hacker community also says it broke into more than a million user accounts on SonyPictures.com. Next, internal sensitive records from Arizona's law enforcement database appeared on a public site-in protest of alleged corruption among officers patrolling the Mexico border.
Cybersecurity has no international or public-private boundaries, and thus no easy regulatory, behavioral or technological fix. The government is dealing with this huge challenge through several tactics-new legislation, a push for international standards, public awareness campaigns and heightened surveillance.
The White House has sent Congress draft legislation to regulate private sector networks that could wipe out communications, banking and other vital services if compromised. But many technology companies insist this recommendation would create a new government bureaucracy that could unintentionally open systems to attack. The proposal, which Congress is expected to mold into law within the next year, also would dispense harsher punishments for cyber theft and outfit federal systems with round-the-clock monitoring technology to detect vulnerabilities.
Most countries using the World Wide Web seem to agree that the best cyber defenses are multilateral agreements that define unacceptable uses of the Internet. Perhaps, countries consent to the tenet that blacking out another nation's cities with malicious code would not be tolerated under any circumstances other than war, for example. The Obama administration is encouraging global partners to join the 2001 Budapest convention on cybercrime, a binding pact signed by 30 countries. The White House also recently distributed a voluntary international strategy for cybersecurity that aims to promote the free flow of information while simultaneously preventing free dissemination of intellectual property through "norms of responsible behavior."
But such ideas face resistance from uncooperative countries, namely China, which stands accused of sponsoring cyber espionage against the U.S. military, and Russia, alleged to have cut off Estonia's Internet connectivity. In addition, there's the accountability hang-up-due to the anonymous nature of the Internet, it's hard to detect who or what is responsible for outages, leaked information or online porn rings.
The National Institute of Standards and Technology has become the nation's cybersecurity teacher. Its National Initiative for Cybersecurity Education is training the public on safe cyber practices, and NIST's National Strategy for Trusted Identities in Cyberspace is guiding industry on the development of a credential that would prove you are who you say you are on the Internet.
The ID strategy is intended to evolve into a system that allows authorized users to log on to virtually any website with one password, without needing to enter personal information. NICE collaborates with partner agencies, like the Homeland Security Department, on increasing cybersecurity awareness and strengthening students' science, technology, engineering and math skills to cultivate future cyber warriors.
Homeland Security Secretary Janet Napolitano likes to reiterate that she is very happy the department recently was granted direct-hiring authority to bring on 1,000 additional information security professionals. DHS' cyber staff almost tripled in 2009, nearly doubled again in 2010 and now totals 260.
By some estimates the nation needs a cyber workforce anywhere between 10,000 and 30,000 experts to effectively operate in cyberspace. But there is much debate over what those experts would specialize in. Should they be whizzes at ensuring networks have the most up-to-date protections-or should they be lawful hackers paid to penetrate networks to expose vulnerabilities?
Through a messaging strategy known as "Stop, Think, Connect," Homeland Security is spreading the word on how to safeguard personal information and online communications. Studies show that next to hackers, insiders are the greatest cybersecurity threat.
Whether intentionally or unintentionally, authorized users often are guilty of spreading viruses, exposing personal data and compromising private accounts. Unaware employees accidentally download malicious attachments that log their key strokes, send Social Security numbers in unencrypted emails, and use weak passwords. In contrast, malevolent employees with legitimate access rights smuggle out sensitive data on removable USB drives to commit identify theft or espionage. Or they manipulate computer records so that illegal immigrants show up as naturalized citizens in databases, for instance.
Leading by example, the administration has begun installing new tools on agency computers and networks to detect threats like massive file transfers in near real time. To promote unfettered Internet access in oppressive regimes, the State Department is supporting the development of technology that lets citizens circumvent Internet censors. And the FBI is uniting with international law enforcement agencies to take down the financial backers of spam-spewing servers, bogus e-retailers and other cybercrime cartels.
Still, the only sure way to block un-authorized access is to do the very thing that freedom-loving people everywhere fear the most -- hit the kill switch.
NEXT STORY: Justice Delayed