BreachExchange mailing list archives

Cybersecurity — a false sense of security more like a sense of denial

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Feb 2015 18:56:56 -0700

http://www.deseretnews.com/article/865622577/Cybersecurity-2-a-false-sense-of-security-more-like-a-sense-of-denial.html

It seems that very few days pass before the news cycle churns up another
story about a major breach in computer security affecting institutions and
potentially millions of their consumers. The latest is a scheme targeting
more than 100 banks in 30 different countries and netting the cyber thieves
at least $1 billion.

News of the heist came just days after President Barack Obama signed an
executive order urging companies to share threat information with each
other and federal authorities. Unlike other recent uses of executive power,
this action received bipartisan support, as it should. Aggressive action
against cyber crime is overdue, as is a more comprehensive approach to the
problem through congressional action, which remains under discussion but
without any concrete proposals.

We are now stoutly past the point of arguing whether our computer systems
are vulnerable. They are, as demonstrated by any number of recent
incidents, including the infiltration of systems managed by Sony
International Pictures, JP Morgan Chase, Home Depot, Target and others. The
problem deserves high-priority response, and the president deserves credit
for urging direct action, though leadership on this issue has been anemic
given the severity of the threat.

Imagine the chaos that would ensue should hackers disrupt a critical system
of digital infrastructure such as the FAA’s air traffic control system or
any of the systems that facilitate trade in the commodities and equities
markets. The damage could be irreparable and the losses catastrophic. As it
stands now, when we engage in online commerce, we do so with a false sense
of safety that is tantamount to a state of denial.

A successful strategy against cybercrime must be more about detection and
prevention and less about deterrence and punishment once the deed is done.
Two tenets must be embraced.

First, there should be, as the president has ordered, a collaborative
network connecting all large public and private database managers and
authorities from various state and federal agencies. This would facilitate
a number of critical needs, including the ability to act quickly upon
discovery of a breach.

Second, there needs to be uniformity in the area of consumer protection.
Laws governing how and when consumers should be notified about breaches
involving their private data are patchwork, varying from state to state.
Congress needs to create a statutory system that serves consumers with
better protection and communication.

Authority in this area falls squarely in the federal arena. Online commerce
is interstate and international, as demonstrated in the coordinated attack
on dozens of separate banking institutions around the world. Public concern
over the matter transcends party lines. All of us are vulnerable, as
Internet transactions now exceed $1 trillion annually.

There will always be some who will invent nefarious schemes to skim off
some of those dollars. It’s the role of the federal government to stay
ahead of the scammers. It will require investment of considerable resources
as well as consistent leadership, coordination and acknowledgement the
battle will be constant — and one we can’t afford to lose.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss