Government Technology

At Issue: Who’s to Blame for Shoddy Security (Opinion)


Whack-a-Mole Malware Protection

July 2, 2012 By

Last week two security firms announced that a coordinated cyberattack dubbed "Operation High Roller" appears to have hacked into 60 different banks. Believed to have originated in Russia, the hack scored approximately $78 million.

This brazen theft has left a number of unanswered questions in its trail. One may loom above all others: If banks are the gold standard for security, where does that leave the rest of us?

The short answer is we’re all in trouble.

No one needs to be reminded of the long litany of cybersecurity attacks, disruptions, thefts and exposures carried out during the past few years. Most anyone who owns a computer that's connected to the Internet — even with the newest operating system upgrades, patches ad infinitum, the latest security software, firewalls and bulletproof passwords — has had some malware bring down a system or at least cause major inconvenience.

"Looking back, the first 20 years in the war between hackers and security defenders was pretty laid back for both sides," said Kevin Poulsen in a 2009 Wired article. "The hackers were tricky, sometimes even ingenious, but rarely organized. A wealthy anti-virus industry rose on the simple counter-measure of checking computer files for signatures of known attacks. Hackers and security researchers mixed amiably at DefCon every year, seamlessly switching sides without anyone really caring. From now on, it's serious," he warned. "In the future, there won't be many amateurs."

Poulsen was right. Attacks have become more sophisticated and numerous, creating real economic damage as Americans spend more time and money online. Earlier this month, researchers reported that the Flame malware can even hijack the Microsoft patch update mechanism to spread by the very method designed to protect against attacks. The cost is high and rising. Consumer Reports said that in 2010, malware cost Americans $2.3 billion.

Government is also feeling the threat. According to a 2011 report from the U.S. Government Accountability Office, "Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing 650 percent over the past 5 years."

Attacks have cracked banks, destroyed electrical generators and disarmed nuclear plant safety features. They have the ability to bring down a country's electrical grid; the smart grid will add additional vulnerability.

It might be time to stop swatting at mosquitos and seriously consider draining the swamp — doing something very different to eliminate the threats and the vulnerabilities. But are there any incentives to do that? The security industry is big business and without attackers to fight, nobody needs an antidote. As Poulsen said, the hackers and security researchers mix and change sides. A successful attack might earn the perpetrator a good job with a security firm. It's black hats vs. white hats, and computer users are the pawns, the losers, the suckers.

What would happen if “malwar” peace broke out? Would productivity soar, lifting the economy, or would the economy crash with news that the robust cybersecurity market segment was kaput?

And if the incentives were there, is a complete solution to cybersecurity even possible? Internet pioneer Vint Cerf, in a 2009 presentation said that if he were to do the Internet over, he would put much stronger emphasis on authentication and accountability in the architecture, even though, as he said, the idea has "tension with anonymity." So is stronger authentication the answer, and is it possible to add it on at this late date?

There are all kinds of reasons given for our porous security. We tend to blame users for weak passwords, for using memory sticks, for downloading free software and apps, for using unsecured Wi-Fi hot spots — all the things that are convenient and useful.

Maybe it’s time to start faulting the overall design of the Web, and the malware makers, and also to begin demanding better solutions from security firms who can't seem to stop these increasingly serious intrusions.

At Issue: Are we destined to an eternity of "Whack-a-Mole" security, or is there some real solution we are overlooking?


| More

Comments

Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Better security. Better government.
Powering security at all levels of government with simpler, more connected IT.
Cybersecurity in an "All-IP World" Are You Prepared?
In a recent survey conducted by Public CIO, over 125 respondents shared how they protect their environments from cyber threats and the challenges they see in an all-IP world. Read how your cybersecurity strategies and attitudes compare with your peers.
Maintain Your IT Budget with Consistent Compliance Practices
Between the demands of meeting federal IT compliance mandates, increasing cybersecurity threats, and ever-shrinking budgets, it’s not uncommon for routine maintenance tasks to slip among state and local government IT departments. If it’s been months, or even only days, since you have maintained your systems, your agency may not be prepared for a compliance audit—and that could have severe financial consequences. Regardless of your mission, consistent systems keep your data secure, your age
View All

Featured Papers