An average of 160 cybercrimes per week are launched against companies, and the average cost of each attack is in the millions. Almost half of Americans are aware of an attack that impacted them personally. The most famous attacks, such as the Office of Personnel Management breach affecting 5 million and the Target stores attack involving 70 million customers, reinforce our concerns about exposures from the Internet. The experience of being a cyber-victim motivates us to avoid our own faulty security practices (e.g. picking an easily guessed password for email or banking, choosing the same password for most accounts, succumbing to a phishing exploit, or volunteering too much information on Facebook).
Aside from our own security missteps, news convinces us that we face peril from hackers, criminals and zealous government agencies. We see the continual cascade of stories about email exposures, communications eavesdropping, bank account raids and “creative” credit card breaches. They may not have happened to us yet, but we know they could. We also know that too few cyber criminals are caught and even fewer are forced to give proper restitution to victims.
Nation-state cyberattacks against the US are common. The US response is typically a namby-pamby, subjunctive-soaked suggestion that the perps might possibly consider not doing more of that. The limp-wrist response is clearly ineffective, and the public regards the absence of a big stick as an admission of impotence. It makes them feel more at risk.
Technical cyber security remains an arcane and bleak subject for most consumers. Consumers have taken a few steps we thought would assure adequate security, but they never seem to be enough. Like most consumers, we find so much of the technical material beyond our understanding, and we are unsure whether we could master it or even whether it would be helpful. More discouraging, attacks keep happening even to those who know the most, such as the Department of Defense. No wonder “nearly one in two Internet users say privacy and security concerns have now stopped them from doing basic things online — such as posting to social networks, expressing opinions in forums or even buying things from websites.”
This drag on Internet use and expression of free speech mostly affects individuals, but it could slow investment and development of the Internet serving retail customers. On the other hand, streaming, the “Internet of Things” (IoT), and commercial exchanges of information are still growing rapidly.
Individual consumers will not re-engage with some Internet applications until the Internet is more secure and less threatening. The progress must have real substance in many dimensions. It cannot be just good intentions or political and marketing rhetoric. There are many issues that should be addressed to deliver the kind of improvements consumers want:
- Consumers should have an easy way to avoid being tracked as they browse the Internet;
- Government funds and expertise should be robust enough to capture and imprison cyber criminals;
- The US response should feature teeth that dissuade further state-sponsored cyber-attacks;
- Public input (not self-appointed leaders) should set the balance between personal privacy and law enforcement access to personal information;
- Accountability for nonhuman-caused damages (e.g. driverless car crashes and other IoT) should be clarified;
- International court conflicts over which nation’s laws apply in cybercrimes (e.g. the Irish drug dealer, the history-rewriting “right to be forgotten,” and political censorship) should be reconciled;
- The standoff between the Federal Communications Commission and the Federal Trade Commission over which has supremacy for regulating and enforcing personal privacy on the Internet should be resolved.
Resolution of these and the many other issues will not be easy. Some US government agencies and courts have already staked out conflicting positions, but those stances have not convinced consumers that the Internet is as safe as they want it to be.
To reach that degree of security, consumers will require collaboration from the many interest groups with a stake in the outcomes. As IBM Chief Technology Officer Bruce Schneier framed it: This will be a “‘war of all against all,’ which is the recognition that security policy is a series of ‘wars’ between various interests, and that any policy decision in any one of the wars affects all the others.”
The Internet security issues require fast attention since we count on the Internet as a major driver of the US economy. The leadership for addressing these and other Internet “loose ends” will need to be technically savvy and tough enough to withstand the inevitable lobbying and intransigence from well-heeled interest groups, as well as from politicians tempted to campaign on single issues. That suggests selecting a body that reports to Congress, not a department with bias and special interests such as those held by the FISA Court, DoD, DoJ, FCC, NIST, NSA, FBI or Homeland Security.
Resolving Internet security issues to consumers’ liking will be a highly useful contribution from government.