The internet has fostered a new wave of crime, so we must join together to stomp it out

Most of us in the field of information security know the frustration of trying to get businesses and consumers to see the value proposition of security with little or no success. Businesses typically see security as an unwanted expenditure, while consumers for the most part are oblivious to security. There are many reasons for this lack of interest and, to be honest, security ranks right up there with a trip to the dentist or doing taxes. Security is filled with industry-specific technical jargon and it's usually way too complicated. More significant is the fact that the full impact of cyber attacks is not borne only by the individual businesses and consumers that were attacked, but by society as a whole, which can cost our economy billions of dollars a year. Because people tend to worry only about their own costs, cybersecurity is often given too little priority or neglected altogether.

The commercialization and popularization of the Internet brought all the good and the bad of the physical world to cyberspace, but the bad elements of human civilization seem to be accelerated and amplified by the convenience and anonymity of the Internet. It is a lot easier to commit crimes in cyberspace because everything on the Internet is literally no more than a tenth of a second away. That means there is no such thing as a "bad neighborhood" on the Internet, because the Internet is all one local neighborhood. Finding potential victims on the Internet is often as simple as a Google search for specific telltale signs of vulnerability, or simply spamming every mailbox on the planet, because the cost of message delivery is practically nothing.

The threats on the Internet impact everyone from consumers to businesses to government, and they involve everything from nuisances like spam to major attacks that can potentially cripple major portions of the Internet. The Internet is filled with worms, viruses, and Trojan malware that seek to hijack personal computers, and the damage from hijacked computers goes far beyond the victim of the hijacking, because compromised computers are used to commit cybercrimes against many other computers. While consumers have to worry about the theft of their identity and credit cards, the damage goes far beyond the individual whose information was stolen. Any retailer unfortunate enough to sell their goods to the credit card thief has to eat the cost of the goods, and this inevitably raises the price of goods for all consumers.

Businesses have to defend against hackers in addition to all the threats that consumers face. Corporate espionage is another major problem for any company with significant holdings in intellectual property, and losing this data reduces that company's competitiveness. The data being targeted isn't limited to company secrets and intellectual property; customer data is affected as well. That means customers, and other businesses who are conned into accepting stolen credit cards, are impacted too.

Governments face major threats from foreign governments or individuals who hack for profit or ideology. From website defacement to cyber espionage, governments have their hands full defending themselves in cyberspace. Worse yet, the threats in cyberspace can potentially spill into the physical world if Supervisory Control And Data Acquisition (SCADA) systems that control critical infrastructure are attacked. An attack that shuts down the power grid on a hot day not only costs money; thousands of people can die from overheating if they lose their air conditioners. Next month at Black Hat 2009, security researcher Mike Davis will highlight many of the glaring weaknesses in smart grid implementations. As with most of these security failures, the problem with smart grids stems from sloppy code implementation and weak or nonexistent authentication mechanisms.

President Obama's cybersecurity plan is a great start because it makes cybersecurity a national priority. It also gives us a centralized place where independent security professionals and industry players can discuss and plan our defenses. Obama's plan also calls for a national breach disclosure law to make businesses more accountable for their insecurities, but excessive disclosure requirements that don't involve actual breaches should be avoided so that consumers aren't desensitized. Government also needs to work beyond the borders of local, state, and national boundaries, because the Internet knows no such borders.

Consumers can go a long way toward protecting themselves just by avoiding pirated software, which often contains malicious software. Software makers have a responsibility to stop using sloppy coding techniques and make security a priority from the ground up. Web application providers have a responsibility to start defaulting to secure protocols so that web accounts aren't hijacked. Search engine providers already play a role by warning users about unsafe destinations that are known to contain malicious content. Network operators play a critical role in locating and convicting cyber criminals because they're the only ones that can provide network access logs. Internet service providers can go a step further with Intrusion Detection Systems and gateway antivirus solutions that stop inbound and outbound malicious attacks before they reach their intended targets.

The lesson here is that everyone has a stake in the cybersecurity of the Internet, because everyone pays the price for cyber insecurities. The challenge is too great to be tackled alone by industry or government. The Internet is critical to the social and economic welfare of the world, and it needs a comprehensive and unified effort to keep it safe.

By Xavier434 on 6/24/2009 9:18:38 AM, Rating: 2
"Software makers have a responsibility to stop using sloppy coding techniques and make security a priority from the ground up."

This is a statement that I highly agree with. However, I also believe that it is very unrealistic for many reasons. To name a few...

1. Business deadlines do not always allow the time or funding for the kind of efficiency which really does work well.
2. Lack of knowledge and experience about how to do it right. Even those that have it will often fall behind because those breaching security tend to advance far faster than those trying to defend it.
3. Laziness in general

I realize those two examples can be argued on a case by case basis but that is not the point. The point is that both creating and maintaining proper cyber security is a very difficult, expensive, and ever changing task to do right. The only way which I can see the tables really turning in favor of software security would be to advance the ease, cost, and automation of the security. Not only does this need to happen at the user level but at the software designer's level too. If development tools and languages were both advanced and maintained to the point where software developers could write their code as near to "worry free" as possible when it comes to security without needing to be "in the know" then we will see much more universal cyber security everywhere. At the same time, those languages and tools need to be adopted universally as well.

Simply making them available for use is not good enough though. We need to make developers and businesses want to use them. We need to convince people that using them equates to more profit.

However, I realize there is little substance in this post. It is very general with few details which come even close to mapping out a real solution. The reason is because I don't have one lol. However, I do know that there is a ridiculous amount of money out there for the guys that finally come up with a way to make all that work and bring cyber security to the level it needs to be.

RE: Unrealistic
By crystal clear on 6/24/2009 10:12:16 AM, Rating: 2
Sloppy coding techniques are the results of companies outsourcing their work to countries like India for cheap labour costs.

Companies, in their cost cutting frenzy to boost their profits, use low grade programmers, paying salaries that are 30% of that of a good quality programmer.

So cheap labour gives you low cost & low quality programmes.

RE: Unrealistic
By aharris on 6/24/2009 6:25:16 PM, Rating: 2
Wait, I thought India's IT/CS grads were better than ours?

