Wednesday, October 10, 2012

Analysis of Cybersecurity as a Public Good: US Government Implications: Data Security a Public Good?

In 1988 a piece of malware was released on the fledgling internet that climbed into about 10% of the connected machines and clogged up their resources. The Morris Worm was not stealing data, not monitoring users, and not trying to cause downtime or server damage to a given target. It was merely an unethical and malicious tech demo of what was yet to come. (Marsan, 2008)

Now, almost twenty-five years later, we are not so lucky. The vandals and experimenters of the early internet have been replaced with organized criminals, unaffiliated hackers, and nation state espionage. Our data does not exist just on our workstations; it exists everywhere. That data is in the digital hands of companies with no intrinsic responsibility to protect it. Those holders do make an attempt to secure it, because losing customer data doesn’t build strong trust with ongoing and future customers, but the vast majority of companies are collecting the data to assist their own mission. Once they have the data, they don’t actually lose anything when that customer data is taken. Loss of exclusive control of research and intellectual property does cause actual damage, but involuntary sharing of customer data doesn’t. Because unauthorized access to this customer data may raise liability issues for the breached company, disclosing the loss of customer data to the affected customers is likely to be low on the company’s list of incident response priorities. (Waleski, 2011)

A compromise of a customer’s data is actually a compromise of the customer himself. In June 2012 the professionals-focused social network LinkedIn was breached and the intruders collected over 6 million hashed user passwords. Allegedly, the attackers successfully converted 60% of those back to plaintext. That leaves 3.6 million plaintext passwords in the hands of malicious actors, which they probably used to train their password crackers to guess password schemes more efficiently. Thus, by attacking LinkedIn, the total online safety of the impacted customers was damaged, because their password schemes will be more easily broken in the future. Though there was no report about it, it is not unlikely that the attackers also received the associated account email addresses. With an email address and a plaintext password put together, an attacker has far more information about the customer than is at all good for the customer. (Carlson, 2012)

Considering that a person’s digital life can end up in malicious crosshairs if they get caught up in a bulk collection like the LinkedIn one, data breaches pose a significant risk to the public at large. A single compromised customer can chain into a small botnet when you consider that access to a single email account means virtually complete control over all of their digital life: the address book lists contacts who can be spear phished from the stolen account; password resets can be performed on web services registered to that account; and the emails the victim keeps tell the attacker what kinds of email they are likely to open. Once an attacker can be sure of an email getting opened, they can utilize technical exploits to place malware onto the workstation. Once keylogging data is returned, the attacker knows everything they need to know about the victim. Since a single compromised customer can lead to a widespread infiltration, it becomes apparent that the public as a whole needs to be protected. Trusting individual companies to protect their data does not cut it, because the risk materializes if any of them gets breached, not only if all of them do. When such breaches happen, the customers need to know as soon as the company does, even though it may not be in the company’s best interest to report it. Somewhere there should be an authority watching over this trust. Can anything be located which would be able to act as trustee, ensuring that companies attempt to protect themselves from all breaches and report it when a breach has happened? Ideally, this trustee should even be able to assist in incident response and investigations should an intrusion occur.

Carlson, A. (2012). LinkedIn Password Leak Implies Weak Passwords in Law Firms. [C&W Security Blawg] Retrieved 5 October 2012 from:

Marsan, C. D. (2008, October 30). Morris worm turns 20: Look what it's done. Retrieved 5 October 2012 from:

Waleski, B. D. (2011). Implications of Information Security: Regulatory Compliance and Liability. In Bidgoli, H. (Ed.), Handbook of information security (Vol. 2). New York, NY: John Wiley & Sons.

Analysis of Cybersecurity as a Public Good:
US Government Implications
Workstation Cybersecurity a Public Good?
Data Security a Public Good?
Government as Trustee
Implementation Reliance back with Industry
