Purpose

A resource for those interested in cybersecurity and the future of cyberspace.

Monday, May 9, 2011

Why the Cyber Attacks on Sony May be a Game Changer

By Scott Shackelford
Published in the Washington Times


One of the biggest identity thefts in history took place during three days this past April. Cyber criminals penetrated Sony’s PlayStation and Entertainment Networks and made off with the personal information of more than 102 million Sony customers—a figure close to the population of Japan. Names, addresses, passwords and, possibly, credit card information were stolen.



This disaster has cost Sony 4 percent of its stock price and has led to calls for its CEO to resign. While the final cost is still being tallied, it is known that data breaches cost U.S. companies on average $204 per lost consumer record. That means Sony may be liable for an eye popping $20 billion in damages.



Few firms understand how widespread and dangerous cyber attacks have become. Over 75% of respondents to a Symantec survey reported experiencing a cyber attack during the past year. Those attacks cost on average more than $2 million per organization.



Overall, identity theft costs consumers more than $5 billion and firms $48 billion per year according to the Federal Trade Commission. Fraud is also a huge problem, with more than 700,000 complaints and over $1.7 billion in claims in 2009. More than 60% of these cases are from email scams and Internet websites.



Victims of cyber attacks and breaches in cyber security in recent years have included the likes of AT&T, Bank of America, Citigroup, General Electric, Nikon, Starbucks, Wachovia, the University of Chicago, and the States of Florida and New York, to name a few. A single incident involving the theft of a laptop owned by the Veterans Administration led to the loss of 26 million social security numbers of retired and active duty military personnel resulting in a class action lawsuit claiming more than $26.5 billion in damages.



Although the significant damage caused by some of these cyber attacks has been well publicized, few companies have taken action. A recent Carnegie Mellon study involving interviews with board members of companies with revenues between $1 billion and $10 billion found that 56 percent considered improving financial risk management a top priority, but 0 percent considered improving computer and data security to be a priority.



But there is an effective tool to manage liabilities ranging from identity theft to cyber crime and even sophisticated State-sponsored industrial espionage—cyber risk insurance policies. These policies have been available for years. They are expensive—costing anywhere from $5,000 to $30,000 per year for $1 million in coverage—which probably explains why they have not been adopted in a big way.



Even so, more companies are turning to the insurance market. In a survey conducted last fall by Betterley Risk Consultants, 30 percent of respondents indicated they had cyber insurance. Among respondents from companies with $250 million to $500 million in revenue, the number is 80 percent. Another 25 percent said they plan to buy it in the next 18 months.



Cyber risk insurance is a prudent move, but it is not necessarily the most productive business strategy. The costs are passed off to customers. This reduces the incentive to improve cyber security—leaving that challenge more in government hands.



Perhaps the Sony attack will be the tipping point in getting businesses to view cyber attacks not as a corporate nuisance, but a serious threat to the survival of firms and the long-term competitiveness of economies built on intellectual property. In the meantime, one of the world’s most trusted brands has been tarnished and is being punished in the financial marketplace.



Scott Shackelford is an assistant professor of business law and ethics at the Indiana University Kelley School of Business. He is also author of the forthcoming Cyber Peace: Managing Cyber Attacks in International Law, Business, and Relations (Cambridge University Press).

Monday, January 10, 2011

Government's Earlier Failure to Act Clouds the Facts

by Art Coviello

Recent disparaging comments about private sector engagement in U.S. national cyber defense misrepresent collaboration and hard-won progress with the U.S. government and public sector. In an interview that aired on National Public Radio, a former Bush administration official applauded Estonia's emerging citizen-based cyber army while casting aspersions at the contributions of our own nation's corporate security experts.

Not only are those assertions untrue, it's a ridiculous comparison. The U.S. is certainly not Estonia and the issues are more complex with more risk to us from criminals, terrorists and nation states. With the advent of cloud computing and new degrees of openness on the Internet, our problems could become even more complex. The characterization of private enterprise as 'standoffish' by a former government insider, whose focus was not cyber, highlights the heart of the problem. The fact is, until recently we've not had sufficient expertise in the government to secure our critical infrastructure from cyber attacks.

The U.S. has a long history of fits and starts in its public/private partnership going back to the 1990s when the NSA sought to hold encryption keys and limit the strength of encryption used in the US commercial marketplace. Regulation prevented the sale of encryption technology abroad enabling foreign companies to develop their own technology and industry. President Clinton relaxed encryption controls in 1999 and since that time, the NSA has been very cooperative with the private sector and has shown great leadership on cyber security.

In late 2001, the Council of Europe and the U.S. agreed to a cybercrime convention that would enable cross-country investigation and prosecution of cybercriminals. Despite industry lobbying efforts, it took the U.S. Senate over five years to ratify that treaty -- hardly internet speed.

In February 2003, a national strategy to secure the critical infrastructure of the U.S. was released. In December of that year, then DHS Secretary Tom Ridge convened a diverse group of private sector companies to develop a framework for a more effective public/private partnership to execute the strategy. In April 2004, after several months of work, the private sector released multiple recommendations from several task groups. In the ensuing years few, if any, of those recommendations were acted on by the federal government.

When Michael Chertoff took over DHS in 2005, he elevated the position of cyber security from a director to an assistant secretary, an action widely supported by industry. However, three years later there were still limited operational capabilities and staff.

Recently, again despite strong industry support, legislation to update the Federal Information Security and Management Act has still not passed, nor has Congress passed legislation to establish federal standards for data breach notification and for protecting sensitive information, while almost all states have enacted such laws.

Nevertheless, as we enter 2011, we're starting to make significant progress. Late in the Bush Administration, and continued in the Obama Administration, significant hiring of competent people commenced in DHS and other agencies, bolstering cyber security operational capabilities in civilian government. In addition, the positions of Federal CIO and Cyber Security Coordinator were established with Vivek Kundra and Howard Schmidt, respectively. Kundra and Schmidt teamed up last year to issue important White House guidance to federal agencies for implementing more effective risk management practices using continuous monitoring -- another important industry recommendation.

In the meantime, there's work done every day by private sector companies who run our Critical Infrastructure. Industries such as finance, retail and healthcare have made enormous strides in protecting financial transactions and personal information. The security and telecommunications industries consistently share information with the government about known threats, viruses and sources of attacks. Further, the security industry is exploiting innovative technologies like virtualization, the enabling technology of the cloud, to actually reduce complexity and create better security than exists today.

Next month the information security industry will converge for the 20th annual RSA Conference, the largest security gathering in the world. Each year, the conference hosts leaders from government who are sincerely interested in improving cyber security and advancing collaboration with the private sector. Federal government speakers in the last few years have included the NSA Director, General Keith Alexander; FBI Director Robert Mueller; and current DHS Secretary Janet Napolitano. Next month, the Conference will welcome current Department of Defense Deputy Secretary William Lynn, and former President Clinton will present the closing keynote.

So let us not be misinformed about our nation's ability and desire to harness the knowledge and experience of the private sector to defend our critical infrastructure. We stand ready to help.

Art Coviello is the President of RSA, the security division of EMC, the world's leading provider of information infrastructure.

Monday, December 6, 2010

Do Not Track may not be big deal to some Internet users

By Bruce Horovitz, USA TODAY
There's one pivotal question that the nation's major online marketers want to know about the proposed "Do Not Track" tool for Internet users: Just how big could it really get?

"If consumers were to (use Do Not Track), en masse, the industry could take an enormous hit," says Abbey Klaassen, editor of trade publication Advertising Age.

Do Not Track is a Web browser tool proposed earlier this week by the Federal Trade Commission that would prevent advertisers and marketers from tracking the Internet browsing habits of consumers.

Marketers find these habits valuable to know, which is why online ad revenue continues on a tear — up nearly 12% for the first half of 2010 to $12.1 billion, reports the Interactive Advertising Bureau.


But there's wide disagreement — both inside and outside the industry — about how far-reaching this proposed consumer privacy tool could be.

Some key factors in play:

•It's not like a phone call at dinner. It sounds creepy to many consumers that information about the things they do and buy online is being collected — and sometimes sold — by marketers. But it's not as irritating as the unwanted phone call at dinner or in the middle of your favorite TV show. "It doesn't interrupt your family time, so there's not as much of an uproar over it," Klaassen says.

•Younger folks are used to sharing information. Call it the Facebook effect. Younger consumers are more comfortable than are their parents about sharing a great deal of information online, says Scott Shackelford, professor of law at Indiana University, who is writing a book on privacy. So, Millennials may be far less interested in a Do Not Track list, he says.

•Do Not Track could ultimately benefit some marketers. When people feel their privacy is gone or threatened, they typically become "unhappy, agitated and not very good consumers," says Janna Malamud Smith, author of Private Matters: In Defense of the Personal Life. If consumers feel more at ease about privacy, she says, they'll probably buy more.

•It could create a super-class of consumers. Websites make money by convincing advertisers that they've got the most valuable and targeted audience for them. Under a new Do Not Track system, those consumers who opt-in to specific websites would become "an extremely valuable audience," says Evan Hendricks, editor of Privacy Times newsletter.

•It would lead to heftier incentives. Online marketers would have to find more substantive ways to coax consumers to let themselves be tracked, says Katy Bachman, senior editor at Mediaweek. Under Do Not Track, consumers would likely get better or more free stuff for signing up, she says.

Friday, November 5, 2010

Getting Burma Back Online

Published in the Huffington Post, Nov. 5, 2010

Burma, already one of the most censored nations on Earth, has recently been knocked off the Internet entirely. Cyber attacks starting in late October have worsened in the last few days, overwhelming Burma's Internet connection just days ahead of its upcoming November 7 elections. Some reports speculate that the Burmese military, anxious to stay in control by restricting the flow of information, is behind the attacks. But they may have an unlikely accomplice -- you and me.

The cyber attacks that are now crippling Burmese networks are known as Distributed Denial of Service (DDoS) -- attacks that work by flooding a host with requests until it crashes. How do they work?

Start by considering that more than 90 percent of the 140 billion emails sent daily are spam. Of these, about 16 percent contain moneymaking scams, including phishing attacks in which e-mail is sent from someone the user supposedly knows and trusts. Once opened, infected attachments download malware onto a host's computer, allowing access to confidential information stored on the computer system. This can turn computers into zombies, which may be linked with millions of other computers around the world to create a "botnet." These botnets then launch DDoS attacks. Which nation is currently the number one source for such attacks, due to its unsecured networks? The United States.
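The paragraph above describes a flood from the attacker's side. As an added illustration (not part of the original post, and not code from any tool it mentions), the following Python script shows what the same flood looks like from the defender's side: a sliding-window request counter run over constructed web-server log lines. It runs two checks, because a flood can come from a single noisy zombie or be spread thinly across a botnet so that no single source looks unusual. All IP addresses, thresholds and log lines are constructed for the demonstration.

```python
"""Sliding-window request-rate detection over constructed web-server log lines.

Added example: the log lines, thresholds and IP addresses below are all
constructed for illustration and are not from the article. Two checks run
side by side:
  1. per-source: an IP exceeding PER_SOURCE_LIMIT requests within WINDOW seconds
  2. aggregate: total requests within WINDOW exceeding the baseline by SPIKE_FACTOR
"""
from collections import defaultdict, deque

WINDOW = 10.0           # seconds of history kept for each check
PER_SOURCE_LIMIT = 20   # requests per source per window (constructed threshold)
BASELINE_RPS = 2.0      # ordinary requests per second (constructed baseline)
SPIKE_FACTOR = 5.0      # alert when aggregate volume is this many times baseline


def parse_line(line):
    """Parse a constructed 'timestamp source_ip path' line into (float, str, str)."""
    ts, src, path = line.split(maxsplit=2)
    return float(ts), src, path


def detect_floods(lines):
    """Return flagged sources and the time the aggregate rate first spiked (or None)."""
    per_source = defaultdict(deque)   # src -> timestamps within the window
    recent = deque()                  # (timestamp, src) for all traffic within the window
    flagged = set()
    aggregate_alert = None            # (time, distinct sources in window) at first crossing
    aggregate_limit = BASELINE_RPS * WINDOW * SPIKE_FACTOR

    for ts, src, _path in (parse_line(l) for l in lines if l.strip()):
        # Per-source check: catches one zombie hammering the host.
        q = per_source[src]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > PER_SOURCE_LIMIT:
            flagged.add(src)

        # Aggregate check: catches a botnet where each member stays under the per-source limit.
        recent.append((ts, src))
        while ts - recent[0][0] > WINDOW:
            recent.popleft()
        if aggregate_alert is None and len(recent) > aggregate_limit:
            aggregate_alert = (ts, len({s for _, s in recent}))

    return {
        "flagged_sources": sorted(flagged),
        "aggregate_alert_at": aggregate_alert[0] if aggregate_alert else None,
        "distinct_sources_at_alert": aggregate_alert[1] if aggregate_alert else 0,
    }


def build_sample_log():
    """Constructed log: steady traffic, one noisy source, then a thin distributed flood."""
    lines = []
    regulars = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"]
    for i in range(120):                       # 0-60 s: about 2 requests/s from five clients
        lines.append(f"{i * 0.5:.3f} {regulars[i % 5]} /page{i % 7}")
    for i in range(40):                        # 30-35 s: one source sends 40 requests
        lines.append(f"{30 + i * 0.125:.3f} 203.0.113.9 /login")
    for n in range(200):                       # 40-50 s: 200 sources, two requests each
        for k in range(2):
            lines.append(f"{40 + (2 * n + k) * 0.025:.3f} 198.51.100.{n} /")
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

Run as written, the per-source check flags only 203.0.113.9 (forty requests in five seconds), while the distributed phase, where no source sends more than two requests, is caught only by the aggregate check. That split is the practical point: a per-address threshold alone is blind to exactly the kind of botnet traffic the post describes.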

Even though there is not yet any direct evidence that the attacks are emanating from U.S. systems, there are a few simple steps that can help keep your computer from turning into a zombie of the Burmese military.

* Install antivirus and antispyware software, like Microsoft Security Essentials.
* Keep all software up to date, especially Windows, but also programs like Adobe Reader, Flash, and Java, which are often convenient backdoors that can be closed through frequent updates.
* Use strong passwords of at least 14 characters, and keep them secret.
* Consider starting with a favorite sentence, and then just take the first letter of each word. Add numbers, punctuation, or symbols for complexity.
* Never turn off your firewall; it's an important software program that helps stop viruses and worms.
* Use flash drives cautiously. They are easily infected -- in fact the biggest breach of U.S. military systems to date was due to a flash drive.
* Encrypt sensitive information on your computer with programs like Identity Finder.
* Download a program that can scan your computer for vulnerabilities.
* Be conscious of what you click on, both in emails and on the Web.


And for Mac users, don't think that you're completely immune. Cybersecurity specialist Charlie Miller will soon be announcing a record-breaking 20 security holes found in OS-X, the Mac operating system.

Cyber attacks are a big and growing problem. In fact, forty-two percent of businesses now rate cybercrime as the greatest threat to their well-being, more than natural disaster, terrorism, and traditional crime combined. Things have gotten so bad in fact that James Lewis of the Center for Strategic and International Studies in Washington, D.C., has said: "We have a faith-based approach, in that we pray every night nothing bad will happen."

But by taking these simple steps, we can all help make it a lot harder for criminals, terrorists, and even some nations from launching the kinds of attacks that are now crippling Burmese systems. So if you want to support democratic reforms in Burma, consider starting off by checking your firewall settings.

Scott Shackelford is an Assistant Professor of Business Law and Ethics at Indiana University-Bloomington. He is also a fellow at the Center for Applied Cybersecurity Research, and the author of the forthcoming book, The New Cyberwarfare: Countering Cyber Attacks in International Law, Business, and Relations.

Wednesday, October 27, 2010

How to Stop Zombies

There could be a zombie sitting in your living room right now, ready to feast. Worse yet, studies have found that there could be hundreds of millions of zombies around the world waiting to attack at any moment. Before you grab a bat, call Will Smith and head for the hills though, there may be an easier option—update your anti-malware.

Aside from Halloween, another scary fact about October is that it’s also National Cyber Security Awareness Month. Why’s that so terrifying? Because cyber attacks, which were already a big problem, are on the rise.

According to a recent Symantec study, cyber attacks are up from an average of one or two per week on a given computer system in 2005, to 77 today. More than 90 percent of the 140 billion emails sent daily are spam. Of these, about 16 percent contain moneymaking scams, including phishing attacks in which e-mail is sent from someone the user supposedly knows and trusts. Once opened, infected attachments download malware onto a host’s computer, allowing access to confidential information stored on the computer system. This can turn computers into zombies, which may be linked with millions of other computers around the world to create a “botnet” – a kind of zombie evil empire. These botnets can then send spam and launch new cyber attacks, adding zombies to the virtual armies of criminals, terrorists, and even some nations.

In fact, forty-two percent of businesses now rate cybercrime as the greatest threat to their well-being, more than natural disaster, terrorism, and traditional crime combined. Things have gotten so bad in fact that James Lewis of the Center for Strategic and International Studies in Washington, D.C., has said: “We have a faith-based approach, in that we pray every night nothing bad will happen.”

But fear no more. There are a few simple steps that can help keep your computer from turning into a zombie.

* Install antivirus and antispyware software, like Microsoft Security Essentials.
* Keep all software up to date, especially Windows, but also programs like Adobe Reader, Flash, and Java, which are often convenient backdoors that can be closed through frequent updates.
* Use strong passwords of at least 14 characters, and keep them secret. Consider starting with a favorite sentence, and then just take the first letter of each word. Add numbers, punctuation, or symbols for complexity.
* Never turn off your firewall; it’s an important software program that helps stop viruses and worms.
* Use flash drives cautiously. They are easily infected – in fact the biggest breach of U.S. military systems to date was due to a flash drive.
* Encrypt sensitive information on your computer with programs like Identity Finder.
* Download a program that can scan your computer for vulnerabilities.
* Be conscious of what you click on, both in emails and on the Web.
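The password advice in this list, and in the identical list in the "Getting Burma Back Online" post above, can be checked mechanically. The Python script below is an added example, not a tool from either post: it builds a password the way the posts suggest (first letter of each word of a memorable sentence, plus added numbers, punctuation or symbols) and reports whether the result meets the stated 14-character floor and has enough character variety. The sentence and suffix used in the demonstration are constructed, and the entropy figure is a deliberate upper bound, since a mnemonic is not a random string.

```python
"""Mnemonic password builder and policy check.

Added example, not a tool from either post: it applies the advice given there
(take the first letter of each word of a memorable sentence, add numbers,
punctuation or symbols, and end up with at least 14 characters) and reports
whether the result meets that rule. The sentence and suffix in the
demonstration at the bottom are constructed.
"""
import math
import string

MIN_LENGTH = 14                    # the length floor stated in the posts
SYMBOLS = set(string.punctuation)  # 32 ASCII punctuation/symbol characters


def mnemonic_from_sentence(sentence, suffix=""):
    """Join the first character of each word, keeping the writer's capitalisation, then append suffix."""
    return "".join(word[0] for word in sentence.split()) + suffix


def check_policy(password):
    """Check length and character variety.

    The entropy figure assumes every character was chosen at random from the
    pool of classes present, which overstates the strength of a mnemonic
    (sentence-derived letters are not random), so treat it as an upper bound.
    """
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    classes = sum((has_lower, has_upper, has_digit, has_symbol))
    pool = 26 * has_lower + 26 * has_upper + 10 * has_digit + len(SYMBOLS) * has_symbol
    bits = len(password) * math.log2(pool) if pool else 0.0
    return {
        "length": len(password),
        "length_ok": len(password) >= MIN_LENGTH,
        "classes": classes,
        "entropy_upper_bound_bits": round(bits, 1),
        "ok": len(password) >= MIN_LENGTH and classes >= 3,
    }


if __name__ == "__main__":
    sentence = "My favorite sentence is not a password until I add symbols"  # constructed
    base = mnemonic_from_sentence(sentence)
    print(base, check_policy(base))                     # 11 letters: fails the 14-character rule
    stronger = mnemonic_from_sentence(sentence, suffix="#2011!")
    print(stronger, check_policy(stronger))             # 17 characters, four classes: passes
```

The first result shows the trap in the advice: an eleven-word sentence yields only eleven characters, so the suffix of numbers and symbols is what carries the password over the length floor, not an afterthought. The `classes >= 3` requirement is the script's own reading of "add numbers, punctuation, or symbols", not a rule quoted from the posts.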

And for Mac users, don’t think that you’re completely immune. Cybersecurity specialist Charlie Miller will soon be announcing a record-breaking 20 security holes found in OS-X, the Mac operating system.

The only way to stop the zombies is to hit them where it really hurts – open, unsecured systems that are making the world a far scarier place than it needs to be. So this Halloween, while you’re watching Night of the Living Dead, I Am Legend, or Shaun of the Dead, join the fun and help kill off a few thousand zombies with just a few clicks of the mouse.

Tuesday, October 19, 2010

The Future of the Internet

What will the Internet look like in 10 or 50 years? Check out the scenarios that the Internet Society has put together at http://www.isoc.org/tools/blogs/scenarios/.