Most of us in the field of information security know the frustration of trying to get businesses and consumers to see the value proposition of security, with little or no success. Businesses typically see security as an unwanted expenditure, while consumers for the most part are oblivious to security. There are many reasons for this lack of interest and, to be honest, security ranks right up there with a trip to the dentist or doing taxes. Security is filled with industry-specific technical jargon and it's usually way too complicated. More significant is the fact that the full impact of cyber attacks is not borne just by the individual businesses and consumers that were attacked, but by society as a whole, which can cost our economy billions of dollars a year. Because people tend to worry only about their own costs, cybersecurity is often given too little priority or neglected altogether.
The commercialization and popularization of the Internet brought all the good and the bad of the physical world to cyberspace, but the bad elements of human civilization seem to be accelerated and amplified by the convenience and anonymity of the Internet. It is a lot easier to commit crimes in cyberspace because everything on the Internet is literally no more than a tenth of a second away. That means there is no such thing as a "bad neighborhood" on the Internet because the Internet is all one local neighborhood. Finding potential victims on the Internet is often as simple as a Google search for specific telltale signs of vulnerability or simply spamming every mailbox on the planet because the cost of message delivery is practically nothing.
The threats on the Internet impact everyone from consumers to businesses to government, and they involve everything from nuisances like spam to major attacks that can potentially cripple major portions of the Internet. The Internet is filled with worms, viruses, and Trojan malware that seek to hijack personal computers, and the damage from hijacked computers extends far beyond the victim of the hijacking because compromised computers are used to commit cybercrimes against many other computers. While consumers have to worry about the theft of their identity and credit cards, the damage goes far beyond the individual whose information was stolen. Any retailer unfortunate enough to sell their goods to the credit card thief has to eat the cost of the goods, and this inevitably raises the price of goods for all consumers.
Businesses have to defend against hackers in addition to all the threats that consumers face. Corporate espionage is another major problem for any company with significant holdings in intellectual property, and losing this data reduces that company's competitiveness. The data being targeted isn't limited to company secrets and intellectual property; it includes customer data as well. That means customers, and the other businesses who are conned into accepting stolen credit cards, are impacted as well.
Governments face major threats from foreign governments or individuals who hack for profit or ideology. From website defacement to cyber espionage, governments have their hands full defending themselves in cyberspace. Worse yet, the threats in cyberspace can potentially spill into the physical world if Supervisory Control And Data Acquisition (SCADA) systems that control critical infrastructure are attacked. An attack that shuts down the power grid on a hot day not only costs money; thousands of people can die from overheating if they lose their air conditioners. Next month at Blackhat 2009, security researcher Mike Davis will highlight many of the glaring weaknesses in smart grid implementations. As with most of these security failures, the problem with smart grids stems from sloppy code implementation and weak or nonexistent authentication mechanisms.
President Obama's cybersecurity plan is a great start because it makes cybersecurity a national priority. It also gives us a centralized place where independent security professionals and industry players can discuss and plan our defenses. Obama's plan also calls for a national breach disclosure law to make businesses more accountable for their insecurities, but excessive disclosure requirements that don't involve actual breaches should be avoided so that consumers aren't desensitized. Government also needs to work beyond local, state, and national boundaries because the Internet knows no such borders.
Consumers can go a long way toward protecting themselves just by avoiding pirated software, which often contains malicious software. Software makers have a responsibility to stop using sloppy coding techniques and make security a priority from the ground up. Web application providers have a responsibility to start defaulting to secure protocols so that web accounts aren't hijacked. Search engine providers already play a role by warning users about unsafe destinations that are known to contain malicious content. Network operators play a critical role in locating and convicting cyber criminals because they're the only ones who can provide network access logs. Internet service providers can go a step further with Intrusion Detection Systems and gateway antivirus solutions that stop inbound and outbound malicious attacks before they reach their intended targets.
The lesson here is that everyone has a stake in the cybersecurity of the Internet because everyone pays the price for cyber insecurities. The challenge is too great to be tackled alone by industry or government. The Internet is critical to the social and economic welfare of the world and it needs a comprehensive and unified effort to keep it safe.
quote: the Internet is Lindsay Lohan...but don't go into its dark recesses