As the Internet becomes central to more peoples’ lives, security becomes increasingly important.
First published July 6, 2011, in Knowledge@Wharton
Over the July 4 holiday in the U.S., the Fox News Twitter account was attacked by hackers who left six tweets saying that President Obama had been shot to death in Iowa. Apple was also attacked over the weekend with a tweet directing readers to a list of user names and encrypted passwords from the Apple Business Intelligence web site. Citibank, Sony and even the CIA have also suffered data breaches in recent months, drawing renewed attention to cyber security and accelerating the policy debate on how to protect critical information from hackers.
The opportunity for cyber attacks grows daily as corporations and governments continue to amass information about individuals in complex networks across the Internet. At the same time, new generations of cyber criminals, some motivated purely by money and others by the desire to unnerve corporations and governments, continue to hack into private data, according to Wharton faculty and security analysts.
“As the Internet becomes central to more peoples’ lives, security becomes increasingly important,” says Wharton professor of legal studies and business ethics Kevin Werbach. New wireless and mobile applications add to the volume of information that can be stolen. Moreover, he adds, the rise of cloud-based computing creates more centralization of processing and “bigger points of failure.”
In response to growing threats, the Obama administration unveiled a legislative proposal in May to address cyber security after more than 50 separate cyber-related bills were introduced in the last Congress. Meanwhile, the Department of Homeland Security last month published guidelines pointing to 25 common software problems that allow criminals to obtain access to personal data.
Wharton legal studies and business ethics professor Andrea Matwyshyn says concerns about cyber security have been growing since the early 2000s, but recent malicious attacks on corporate and government data is driving action in the United States and Europe. She also points to a watershed breach in 2009, when Google and other Silicon Valley companies were attacked in what some security experts believe was a hacking attempt sponsored by the Chinese government. Google stated that the attackers were out to access the Gmail accounts of anti-government activists in China. “The blurring of the lines between the private and the public sector in this space is part of what Washington and [Capitol] Hill are reacting to — an increasing recognition of the urgency with which cyber security needs to be addressed,” says Matwyshyn.
Since early May, a group of hackers calling themselves LulzSec, a splinter faction of a more established group, Anonymous, has taken credit for attacks on PBS, Fox News, Sony, the U.S. Senate and the CIA. “Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve,” the group tweeted after announcing it would disband. LulzSec went underground shortly after British police arrested a 19-year-old from Essex and charged him with attacks on targets linked to the hackers. According to PCMagazine, Anonymous has been around for many years, coordinating attacks on organizations such as Scientology, and companies and governments it believes pose a threat to Internet freedoms.
The Obama administration’s proposal emphasizes consumer protection through a standard, federal requirement for reporting data breaches that would replace the current patchwork of state statutes. The proposed legislation would also apply federal Racketeering Influenced and Corrupt Organizations Act (RICO) penalties to cyber crime. In addition, the White House would work with the private sector to improve security of critical infrastructure, such as the electrical grid, and upgrade security of the federal government’s own computer systems.
According to Matwyshyn, the initiative would create minimal nationwide standards for companies, vendors and all those involved in the collection, maintenance, transmission and storage of data. “At present, there is no floor, and that is desperately needed,” she says. However, some critics have charged that the federal statute might diminish the effect of some states’ strong data protection laws. In the meantime, Matwyshyn notes, the Federal Trade Commission is stepping up enforcement of basic privacy protections for consumers who provide data to companies when making online purchases.
From Bombs to Cupcakes
Shawndra Hill, a Wharton professor of operations and information management, says the government initiative is “long overdue.” Hill suggests that the best way to combat threats to national security is through a consortium of government, industry and academia. “The technical experts need to be able to inform lawmakers on what is possible with respect to cyber threats and vice versa,” she says. However, she warns that policymakers must consider ancillary effects of new legislation. For example, it may create new jobs in cyber security, but be very costly for companies that would have to create new infrastructure and data services to comply with the standards. So far, Hill notes, policy has not kept pace with technology and advances in data dissemination and use. “Companies will not necessarily act to prevent data misuse without incentives to prevent the exploitation of cyberspace,” she adds.
Like a bad staph infection, cyber threats are constantly morphing. In a report released this spring, Verizon, in partnership with the U.S. Secret Service and The Netherlands’ National High Tech Crime Unit, found a decrease in the volume of data stolen in 760 attacks investigated in 2010. However, the drop appears to reflect a shift away from large-scale attacks to a more targeted focus on theft from independent and small franchise businesses, according to Wade Baker, director of risk intelligence at Verizon.
Several years ago, he notes, high-profile breaches of large organizations resulted in the loss of millions of records. More recently, investigations point to a trend toward more financially oriented attacks on smaller, independent businesses where breaches are less likely to be detected. Point-of-sale equipment, including ATMs and gas pumps, are under attack by criminals who insert devices that “skim” consumer information and pass it on to thieves through Bluetooth devices and smartphones. Developing security for consumer-focused transactions is a challenge, Baker adds. “Any time you have to mix security with high availability and accessibility, that makes your job more difficult.”
According to Baker, “hacktivists” such as LulzSec — who break into networks not necessarily to steal money, but for ideological reasons or to prove a point — also appear to be ramping up activity. Since the earliest days of networked computing, hackers have sought to show their expertise by exposing vulnerable data systems. Baker says this form of hacking had subsided a few years ago “because it was not cool anymore.” Now, however, it appears to be on the rise with a harsher edge. “The mentality seems less about fun and getting your badge to be a hacker; this seems to have maliciousness to it.”
Additionally, he notes, in the past year or two, security officials have detected government-sponsored attacks, presenting new challenges for data protection. Baker says that criminals looking for financial gain will move on to new targets if they are at risk of being caught. But “nation states are different. They have the resources of nations behind them and a lot of time on their hands.” Computer analysts have said that an unnamed government was behind a June attack on the International Monetary Fund designed to steal secret economic data that could be used to destabilize currencies or trade. Also in June, British newspapers reported that the U.K. government had hacked into the al-Qaeda site and replaced an article on how to make bombs with a cupcake recipe.
Personal Data Backlash
Those who work with consumer data must continually weigh the risks of a breach against the upside of using rich data to develop more effective marketing and product development. Eric Bradlow, a marketing professor and co-director of the Wharton Customer Analytics Initiative, says academics are working on new ways to resolve the tension between data privacy and the benefits of using targeted personal information. “The reality is that big money is made by tracing individual-level customers,” he says. “That’s the magic of the web.”
However, rising concerns about privacy may erode consumer trust and create a backlash against companies that harness web-based data without providing effective security. Instead, academics, statisticians and computer scientists are developing new approaches to organizing data that can provide much of the benefit of individual-level data — but without as much risk, Bradlow notes. Some companies collect more personal information than they really need, creating greater potential for a damaging breach, he says, adding that firms should think carefully about what data is essential and ignore the rest.
In the meantime, government appears likely to step in to help manage the balance between privacy and a viable, innovative Internet. In a hearing before the U.S. Senate Committee on Commerce, Science and Transportation last week, corporate leaders voiced support for increased government control. Tim Schaaff, president of Sony Network Entertainment International, which suffered an attack on its PlayStation Network in April, called for industry and government to work jointly to protect consumer data. Hewlett-Packard’s chief privacy officer, Scott Taylor, told the committee that legislation is necessary to create national standards that will help restore trust in corporate stewardship of personal data. “Consumer trust is a precious commodity,” Taylor said.
However, Sen. Pat Toomey (R-Pa.) cautioned against government overreach that might stifle innovation and expansion of the Internet. The United States, he noted, has been a leader in web technology, largely because it has maintained a light hand compared to other nations. “We need to examine this issue and make sure we don’t find a solution in search of a problem.”
According to Werbach, cyber security is an issue that transcends lines between the private and public sectors. “No one wants security vulnerabilities. Just ask Sony,” he says. “The question is: How can government and the private sector work together most effectively?” He adds that the White House has “struggled” with balancing security against the benefits of free and open data exchange and is “quite cognizant of that trade-off. Overall, what I’ve seen coming out of the Obama administration is generally a sensitive approach focusing on security rather than fear mongering.”
Kartik Hosanagar, a Wharton professor of operations and information management, thinks government has a role in Internet security, but notes that information technology companies and firms that rely on the IT sector to manage data should take the lead. Government, he argues, is needed to combat instances of state-sponsored cyber attacks, which he predicts are likely to become more common unless countries work together to agree on rules for cyber warfare. Victims of cyber attacks need to rely on government “cyber cops” to detect and punish criminals, he suggests. “That job cannot be left to private companies.”
Hosanagar points to the financial service industry as a sector that has provided strong leadership in managing cyber security, largely because incentives to provide data protection are aligned closely with business goals in financial companies.
A More Effective Approach
According to Werbach, the Department of Homeland Security’s guidelines on common software holes do not break new ground. While a lot of attention has been focused on spectacular, highly-publicized hacker attacks, he notes, these breaches may amount to a larger problem. At the top of the list is a method used by LulzSec to break into web sites and gain access to user names and passwords.
The cloud presents additional challenges, Hosanagar says, because it eliminates one kind of threat but introduces another. He points out that in the cloud, data and applications are managed away from the individual user, typically by information professionals who can keep systems up-to-date with software updates and virus protection. “The flip side,” he notes, “is that a lot of critical data is centralized. As a result, it creates a single point of failure and an attractive target for attack.”
Baker, the Verizon analyst, says the security industry has the tools to combat much of the threat to data, but often fails as a result of faulty management structures. “The bad guys aren’t successful because organizations don’t have the technology,” he argues. “It’s really about using, deploying and configuring the basic things we’ve been doing for years.” He adds that security analysts should devote more time to following up on their efforts in order to get a better sense of what actually works. “We don’t have real science and study and testing to make sure the things we are recommending are really effective.”
According to Matwyshyn, the United States and Europe have approached government oversight of the Internet from different poles, but are now moving more in sync. The European Union started with privacy principles on the Constitutional level for all member states. In the U.S., she says, policy has developed through “bits and pieces” of state law and court rulings. In Europe, governments took an opt-in approach to consumer data, while in the United States, privacy was based in contract law and consumer decisions to opt-out of providing access to data. Now data breach notification has been evolving on a state-by-state basis. “That’s a uniquely U.S. approach, but something the EU has been looking at and considering,” Matwyshyn notes. “Meanwhile, there has been a bit of resurgence of a call for more contract-based and market-driven self-regulatory approach in the EU. What seems to be happening is the two different data regimes are starting to converge toward a middle ground.”
She adds that the U.S. fostered a self-regulatory approach to data privacy between 2002 and 2007. “Now it is clear that there aren’t adequate financial incentives to push companies to do the right thing in security,” Matwyshyn says. “Some companies, not all, are simply taking their chances and hoping they will not get hit by a major attack, or that they can conceal it from the public.”
Legal penalties, she notes, have not been swift or severe, leaving corporate counsels with little ammunition to convince top management to devote more resources to cyber security. She adds that companies, particularly during an economic downturn, find it hard to justify an investment in security because it may not generate easily identifiable, short-term returns. Data security, however, has long-term implications because a loss of consumer faith or trade secrets could have major implications for a company.
“No piece of code will ever be truly secure,” Matwyshyn says. “It’s a language used and written by humans and for humans…. The question is not whether there are flaws, but how companies and governments respond.”