We Can Be Sure of Death and Taxes, and Cyberattacks

When it comes to cyber security, our government, politicians and consumer media are ready to react, but they sometimes focus on the wrong issue or allow political sentiment to write the story.

In 2017, more cyberattacks are expected on government departments and agencies and on critical infrastructure. Likewise, there will be more attacks on merchant databases that contain consumers’ personally identifiable information. There will also be distributed denial of service (DDoS) attacks aimed at a single target but with mass collateral damage that splatters the rest of us, such as the DDoS that took much of the Internet off the air for a day in 2016. The most sinister aspect of that DDoS was that the weapon was a robot network of minor connected devices (e.g. webcams and home thermostats), and that it was available for rent. Hopes for the “Internet of Things” may be dashed if those cheap autonomous devices are allowed to be interconnected without proper cybersecurity.

For two decades, we have resisted cybercrime, and some have protected our computers and phones with antivirus software, encryption and multiple authentication measures. Government and commercial enterprises have supposedly installed even more sophisticated protections. Still, cyberattacks continue to be successful. Just how successful, we do not know, since we are unsure what still lurks in our Internet connected systems.

So, when we hear of an attack, we should focus first on why it was successful, and second on how it could have been prevented. Attack authorship is a tertiary matter, because punishing the author is difficult to achieve and seldom halts cyberattacks. Many highly skilled hackers live in jurisdictions that our justice system cannot reach and that our diplomats have been unable to discipline.

There are four consumer wounds from commercial cyberattacks. First, merchants’ costs increase as they post-mortem the damage done by the perpetrator, remediate their inadequate cybersecurity measures, and pay nominal damages to consumers. Second, merchants will face tort claims arising from allegations of negligent security practices. Third, some consumers will need to remedy theft problems, and all will need to monitor their credit carefully. Fourth, the merchants’ fixes to security measures, plus breach notification fines, plus lawsuit defense and settlement costs, will be laid at the feet of the consumers who patronize the attacked merchants. Consumers are the ultimate financial victims who bear the costs.

The key issue for merchants is to enforce tough-to-penetrate protection around consumer data, and to limit employee access to consumer data. Only those with a true need to know and with enough training to resist social engineering by hackers should be entrusted with access.

If someone can place malicious code on a laptop used at an electric generating plant, that is a problem. With a refinement in strategy and tactics the perpetrator can get that malware to the next stage – into the electric generation operations software, where it can really mess things up.

Someone managed a two-stage insertion of Stuxnet, a virus that damaged 1000 Iranian uranium enrichment centrifuges. Whoever actually wrote or paid for the malware is less important than the presence of malware inside the uranium foundry. Hardening defenses against malware insertion has higher value than prosecuting the perpetrator.

Some politicians and media have treated the identity of the culprit as the main news. It is not. It does not matter whether a script kiddie, a professional hacker, or a bribable plant worker placed it there. Its presence and activation can be sold to any state actor who wants to do harm to the U.S.; they can take over once the hard work of implanting is done. For critical infrastructure, the key security measures are similar to those for merchants – enforce tough-to-penetrate areas around infrastructure operations controls, and limit control access to employees with a true need to know and with enough training to resist social engineering by hackers.
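The need-to-know rule that the two paragraphs above prescribe for merchant databases and for infrastructure control systems is easy to state and easy to get wrong in practice: access tables tend to grow into block-lists with implicit grants. The following is an added example, not code from the article or from any real merchant, showing the rule as a deny-by-default gate that checks role, data category and training currency, writes every decision to an audit trail, and reports accounts whose denials pile up (a signal of either a misconfigured role or someone probing). The roles, data categories, the one-year training validity and the denial threshold are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy parameters (constructed for this example, not from the article)
TRAINING_VALIDITY = timedelta(days=365)   # social-engineering refresher assumed annual
DENIAL_ALERT_THRESHOLD = 3                # repeated denials worth a security-team look

# Role -> consumer data categories that role genuinely needs (assumed roles/categories).
# Anything not listed is denied: the table is an allow-list, never a block-list.
NEED_TO_KNOW: Dict[str, set] = {
    "support":       {"name", "email"},
    "billing":       {"name", "billing_address", "card_last4"},
    "fraud_analyst": {"name", "email", "billing_address", "card_last4", "transaction_history"},
    # "marketing" is deliberately absent: no direct access to identifying records
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    training_completed: Optional[date]   # last social-engineering training, None if never


@dataclass
class AuditTrail:
    """Append-only record of every decision; feeds later review and detection."""
    entries: List[dict] = field(default_factory=list)

    def record(self, employee: Employee, category: str, allowed: bool, reason: str) -> None:
        self.entries.append({
            "user": employee.user_id, "role": employee.role,
            "category": category, "allowed": allowed, "reason": reason,
        })


def evaluate(employee: Employee, category: str, today: date, audit: AuditTrail) -> bool:
    """Deny by default; grant only when role, training and category all check out."""
    allowed_categories = NEED_TO_KNOW.get(employee.role)
    if allowed_categories is None:
        audit.record(employee, category, False, "role has no need-to-know entry")
        return False
    if employee.training_completed is None:
        audit.record(employee, category, False, "no social-engineering training on file")
        return False
    if today - employee.training_completed > TRAINING_VALIDITY:
        audit.record(employee, category, False, "social-engineering training expired")
        return False
    if category not in allowed_categories:
        audit.record(employee, category, False, "category outside role's need to know")
        return False
    audit.record(employee, category, True, "granted")
    return True


def repeated_denials(audit: AuditTrail, threshold: int = DENIAL_ALERT_THRESHOLD) -> Dict[str, int]:
    """Users whose denied requests reached the threshold: a misconfigured role or
    someone probing for data they should not see; either deserves a look."""
    counts: Dict[str, int] = {}
    for entry in audit.entries:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample staff and requests
    audit = AuditTrail()
    today = date(2017, 3, 1)
    alice = Employee("alice", "support", date(2016, 9, 1))        # trained, in role
    bob = Employee("bob", "marketing", date(2016, 9, 1))          # role has no grant
    carol = Employee("carol", "fraud_analyst", date(2015, 1, 1))  # training lapsed
    for emp, cat in [(alice, "email"), (alice, "card_last4"), (bob, "name"),
                     (bob, "email"), (bob, "card_last4"), (carol, "transaction_history")]:
        print(emp.user_id, cat, evaluate(emp, cat, today, audit))
    print("review these accounts:", repeated_denials(audit))
```

The order of the checks matters: a stale or missing training record blocks access even for a role that would otherwise qualify, which is the article's point that need to know and resistance to social engineering are both conditions, not alternatives.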

Current laws are insufficient to motivate commercial database operators to protect consumers from cyberattack harms, and there are no widely accepted cyber protection standards, although there are plenty of competent consultants ready to help firms that need help.

Out of self-interest, commercial firms with databases of consumer information should be converging on common technical standards of protection against cyberattacks and against an opportunistic tort bar. These standards need to go far deeper than style sheets for talking-point memos. Industry’s readiness may be aided by ongoing threat briefings from the Department of Homeland Security and by collaboration with the Federal Trade Commission. Including the Commission in the standards process will avert frivolous allegations of collusive behavior by industry. Adherence to cyber protection standards will reduce the incidence of successful attacks and the costs they impose on consumers.