Fighting today’s cyber malware is not like the game of “whack a mole.” There used to be something satisfying about whacking the mole back under the game surface. Back then our computers could be worm and virus free if we used smart passwords, antivirus protection, and we resisted social engineering scams. But today’s malware attacks are becoming stealthier, more expensive and dangerous. We cannot rely on our own alertness, reaction speed and energy to keep the malware mole under control. The cyberattack moles come at us outside the game. They come through the floor, through the ceiling, and they hit our family, friends and neighbors, and the attacks don’t end when the quarter runs out.
Malware has been harnessed by criminals as a tool of theft, ransom and extortion. Foreign nations use malware attacks to conduct stealthy war on the cheap. Old fashioned hacking into a database of customer records has metastasized. Now hackers raise a vast digital army of unwitting attack computers to focus on the Internet’s essential services. It wasn’t your computer and you didn’t expose your private information, but you will suffer the consequences from an ill-equipped, network-connected database. Hundreds of popular mobile apps are constantly leaking personal information and no one stops them from operating.
In 2016 “cybercrime cost the global economy over $450 billion, over 2 billion personal records were stolen and in the U.S. alone, over 100 million Americans had their medical records stolen.” Medical devices are exposed to malware that can alter dosages or rhythm to jeopardize a patients’ life. Cybercrime has invaded our political institutions, undermined our expectations of privacy, and has damaged the complacency of anyone who’s paying attention.
The anticipated millions of new jobs and trillions in economic benefits from 5G mobile and Internet of Things (IoT) are at risk. Today’s IoT devices are inadequately protected and billions of cheap future devices will be vulnerable. These devices will connect to the internet and each other without designed-in security measures. They are open doors for malware invasions that will co-opt them into digital armies which hackers direct to plunder and kill from a safe distance. Again, you didn’t cause it but you and those around you will be damaged.
So, what are you going to do about it?
Consider direct action. In the nineteenth century, individual citizens would pack the essentials, join a posse and aggressively hunt down the criminals. So far in the twenty-first century, we just admire the problem and hope it will go away. Today, a digital posse is unlawful, but with the right amount of cash, determination and smarts, it could be effective. Well publicized justice meted out on a handful of perpetrators would dissuade some cybercriminals, just as a naval presence slowed the Somali pirates.
Direct action may feel good, but it will remain hit and miss, and may be insufficient to handle nation-sponsored attacks. On the other hand, vigilantism will freak out the Departments of Defense and State. The Department of Justice would be apoplectic if vigilantes poach in the turf it owns, but seldom rids of criminals. The NSA may smile since they have developed nice tools that would be exquisitely useful in these “crusades.”
Consider government action. Bruce Schneier provided a very thoughtful piece on the future of cybersecurity and what can be done about the attacks. The current failures in cybersecurity stem from market failures that are unlikely to be corrected by the private sector. Despite national reluctance to launch yet another government agency, it appears that one is necessary and it cannot be just an extension of the agency silos already dealing with special facets of cybersecurity; FAA, NHTSA, FDA, FCC, FTC, FEC, the Department of Education, Homeland security, and a dozen intelligence related agencies.
As a starter set of functions, Schneier proposes that the security agency pursue these objectives:
· Ensure companies follow good security practices: testing, patching, secure defaults and hold companies liable when they fail to do these things.
· Mandate strong personal data protections, and limitations on data collection and use. Individuals need the right to take their data with them.
· Ensure that responsible security research is legal and well-funded.
· Enforce transparency in design, some sort of code escrow in case a company goes out of business, and interoperability between devices of different manufacturers, to counterbalance the monopolistic effects of interconnected technologies.
· Require that Internet-enabled devices retain some minimal functionality if disconnected from the internet.
Such an agency is starting with some technology and practices that are helpful. Some devices can be made resistant to cyberattack. They are designed to work mostly without connecting to the Internet. This is like operating in your (arguably) clean home environment, and avoiding germy elevator buttons and subway handrails. You are less exposed if you avoid contact with sources of infection. Some systems do not need to be connected to everywhere else. It makes security sense to avoid Internet connections, if you can. The smarter that devices become on their own, the less the need to connect them to everything else.
Unfortunately, there are no in-built security standards generally followed by inexpensive consumer devices such as cameras, fax machines and toys. Computers, laptops, and smartphones have some security and users can adjust it. For cheap devices, there are no consumer-level controls that can tighten security or isolate the device from the internet. For those devices, manufacturers either don’t care, don’t feel the market pressure of competitors’ security features or have not been properly “motivated” by savvy regulators. These cheap devices will be the majority of the IoT and for that layer of devices, there is no relevant regulation. This is where the security agency can make the biggest improvement.
Despite our reluctance to encourage the imposition of regulation, we have little choice. If we do not take control over cyberattacks they will soon shred our privacy and cut deeply into our productivity and incomes. This is another instance of when, not what.