Security and Trust are Both Lost

A decade ago, Internet privacy violations were often pranks by script kiddies hoping to out-do each other through website defacements.  Today, such juvenile antics attract little notice.   Instead, more news covers criminal gangs from Eastern Europe who steal personal account and password information for bank and credit accounts.  Personal information and credit card numbers for millions of retail customers of Target, PF Chang, Canada Revenue Agency (Canada’s IRS), eBay, and other entities have been the goal. The brazen thieves usually offload the loot quietly in big blocks, but they also offer credentials piecemeal on YouTube.

Recent news reports that a Russian hacker gang has a stock of 1 billion account and password combinations and 500 million email addresses. This booty was collected from a quarter million websites. Instead of political leaders’ vacuous speeches or vows to corral the perpetrators, we are admonished to change our passwords. Banks absorb most of the losses, then fund them from credit card fees on merchants, who embed them in retail prices. If consumers directly faced high personal losses, they would insist on more effective law enforcement countermeasures. The damage is still there, but it is conveniently socialized.

To mitigate future damage, the hacked businesses would need to cooperate on technical measures (e.g., chip cards and wider use of encryption), or perhaps collaborate in aggressive pursuit of cyber-thieves, since the courts and law enforcement appear uninterested, and since they will say they lack the budget.

Cyber theft aimed at consumers is annoying, but alien military attacks are alarming. Stuxnet arrived as a Trojan horse which temporarily hobbled Iran’s juggernaut toward bomb-grade uranium. It fed destructive commands into the controllers of the centrifuges refining uranium. No one took credit for Stuxnet, but many assume it was the work of the US or Israel. Stuxnet may have made more progress than the high-profile, multi-party nuclear containment talks, but the downside is a stark public reminder of how devastating a supervisory control and data acquisition (SCADA) attack could be if applied to water reservoirs and dams, air traffic control networks, power or energy grids, and so on.

Russian hackers have pursued that theme in recent invasions of US oil and gas producers. The hackers’ software, believed to be the Havex Trojan, searches energy employee computers looking for useful industrial information for transmission back to Russia. If the computer’s information is of no value, they remove their software; if it is useful, they download more sophisticated monitoring and control software for remote activation at a later date. The oil and gas computer invasion may be pre-positioning for a terror attack. This should trouble us, since Russia’s Putin has begun retribution for the US and European sanctions over Ukraine.

China’s Army seems to specialize in high-volume industrial espionage against US companies, especially those with meaningful association with the Department of Defense. Presumably the design and engineering information is passed on to China’s own industry. More ominously, China has withdrawn approval for its government entities to buy security software from Symantec (US) and Kaspersky (Russia). When the NSA co-opted the data encryption process at RSA Security, it may have sown the seeds for China’s actions. China might believe those software vendors would cooperate in espionage against China, or China may want exclusive access for surreptitious monitoring of its government computers.

Against this background of attacks by criminals and alien militaries, there should be unity and trust backing the protection of Americans and our way of life. Instead, our government has undermined the public’s privacy in high profile cases such as the NSA’s many wholesale invasions of privacy, and prosecutors/police collaboration in shameful “parallel construction.” By a 70 to 26% margin, the public does believe that restoring and maintaining privacy should come at the price of compromising security and safety from terrorism.

We brought this untenable state of affairs on ourselves by trusting too few with too much power.  If we leave fixing it to extremists, we will not like the outcome.  Our politicians got it wrong.  Now consumers must firmly guide politicians in restoring the right balance between privacy and security.

Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research

 
