October is National Cyber Security Awareness Month, and the fact that it’s a month instead of a day speaks volumes about the growth and prevalence of cyber crimes.

The international security company Gemalto proclaimed 2014 as the year of mega breaches and identity theft. According to the company’s Breach Level Index:

- 1,023,108,267 records were breached in 2014

- There were 1,541 breach incidents, which represents a 78 percent increase in breached records from 2013

How frequently are data records lost or stolen?

- 2,803,036 every day

- 116,793 every hour

- 1,947 every minute

- 32 every second

North America accounted for 76 percent of total breaches.

And 2015 is shaping up to be another stellar year – it has already produced high-profile security breaches involving Ashley Madison, CVS, Anthem, and even the IRS.

So far, the Ashley Madison hack has been the most high-profile breach of the year. Ashley Madison is a social-networking site for married men and women looking to find partners for extramarital affairs, and claims to have 40 million users. To date, the site’s hackers have released seven years of credit card data, in addition to names, addresses and phone numbers - and the users’ desired preferences in potential partners. This breach has resulted in public embarrassment, marital strife, possible blackmail situations, and at least one suicide.

And while the breaches themselves are highly publicized, much less is known about the people behind the scenes who are charged with protecting company data, their responses to data breaches, and the ethical decisions they face.

A 2015 report by AlienVault, a threat intelligence and security management provider, shines a spotlight on the many issues facing security professionals. Below are the responses to three questions selected from the survey portion of the report, along with ethical analyses of the respondents’ answers.

Question 1: Do you ever visit hacker forums or associate with black hats to learn about the security you need?

- 51% Yes

- 48.3% No

Javvad Malik, the report’s author, notes that some companies forbid interactions with black hats. A black hat is a computer hacker who breaks into computers and networks for malicious reasons, as opposed to white hats (who may be employees or consultants) who break in to locate and identify breaches. However, if the type of information needed to mount an effective defense is not available through legal channels, roughly half of respondents feel they need to do whatever is necessary to obtain credible data in a timely manner.

I spoke with Abraham Snell, who has an MBA in Technology Management from Auburn University and is a Senior IT Infrastructure Analyst at the Southern Company in Birmingham, Alabama. He views visiting hacker forums or consorting with black hats as an instance in which the means justify the end. “It is a brilliant idea,” Snell said. “It is just the reverse of criminals getting police best practices so they can be more successful criminals. In this case, the side of right is learning about the dark side before they strike. In some cases, this will be the only warning of things to come.”

Question 2: What would you do if you found a major vulnerability on a company’s system or website?

- 61.7% Privately disclose to them

- 12.0% Publicly fully disclose

- 9.8% Disclose without releasing details

- 9.5% Do nothing

- 8.2% Tell your friends

- 5.5% Claim a big bounty

- 2.5% Sell on the black market

While privately or publicly disclosing the vulnerability seems the most logical choice, it is not uncommon for companies to threaten legal action against the person reporting the security risk. Fortunately, only a small percentage of respondents would seek financial compensation, but it is troubling that almost 18 percent would either do nothing or just tell their friends. However, if companies provide a hostile environment in which this type of disclosure is not welcome, can security professionals be blamed for their lackadaisical attitude?

According to Snell, there are definitely ethical issues involved in the next steps taken when a vulnerability is discovered. “Even if this type of disclosure is not welcome, you have a moral obligation to reveal the vulnerability,” Snell said. “If the information is breached, people may have their financial and personal information stolen, even their identities may be stolen. If you fail to sound the alarm, you’re just as guilty as the people who actually steal the information because you knew it could happen and you did nothing.”

After viewing the other choices selected by respondents, Snell said they are negligent at best, and most likely criminal in most states. “Telling your friends, unless they are security experts or regulators, is the same as doing nothing,” Snell said.

Regarding the bounty, Snell said, “I’m unclear on how you claim a big bounty unless it becomes a major international issue because companies will not pay their own employees to do what they are already paying them to do.” And if the employee tried to claim a bounty anonymously, that could lead to various legal implications. “The vast majority of people who do what Edward Snowden did end up like he is … a man without a country,” Snell said. He also explained that selling the info on the black market is both unethical and illegal.

Question 3: If your company suffers a breach, what is the best course of action?

- 66.8% Use the event to convince the board to give you the budget you need

- 25.7% Tell the regulator, pay the fine, and move on

- 9.0% If nobody knows, just keep quiet

- 6.6% Go to the media and brag about how you ‘told them so’

Overwhelmingly, the survey respondents feel that the only way they can get the resources they need is in the aftermath of a major cyber attack.

In fact, former White House Cyber Security Advisor Richard Clarke once said, “If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.”

Darryl Burroughs, deputy director of IMS Operations for the City of Birmingham, Alabama, shared an interesting perspective with me: “If a compelling case was made to increase the cyber security budget and the company blatantly refused to do so, the ethical dilemma rests with the Chief Financial Officer and others who make budget decisions that do not take into consideration IT requests,” Burroughs said.

He added, “The real question is what unethical decision did they make when they funded something less important than the company’s security?”

And that’s also a question that Sony’s Senior Vice President of Information, Jason Spaltro, has likely asked himself over and over again. Back in 2007, Spaltro weighed the likelihood of a breach and concluded, “I will not invest $10 million to avoid a possible $1 million loss.” At the time, that may have sounded like an acceptable business risk. However, in 2014, when the company’s data breach nightmare dominated the headlines - and late night talk show monologues - for months at a time, that $10 million would have been a sound investment.

Snell said there are a lot of factors that determine if using a breach to increase the budget is ethical or not. “I wouldn’t say most companies wouldn’t increase the budget anyway, but I would say that many current and previous executives are not trained in technology, so the threat of security breaches is not a topic that resonates with them,” Snell said.

As a result, he thinks that in many cases it takes a major incident to get funding funneled to the right programs that will protect the company. “The problem with security is that it is mainly a cost when things are going well. You only see the wisdom of the investment after a breach occurs or is attempted.”

On the other hand, Snell said if the budget is adequate, and fear mongering is being used as a tactic to get more money, that is definitely unethical.

Negotiating With Cybercriminals

The process of retrieving stolen data from cybercriminals is another ethically murky area for security professionals. A recent whitepaper by ThreatTrack Security reveals that 30 percent of respondents would negotiate with cybercriminals for data held hostage.

However, 22 percent said it would depend on the stolen material. Among this group:

- 37 percent would negotiate for employee data (social security numbers, salaries, addresses, etc.)

- 36 percent would negotiate for customer data (credit card numbers, passwords, email addresses, etc.)

I also spoke with Dr. Linda Ott, a professor in the department of computer science at Michigan Technological University, who also teaches a class in computer science ethics, about negotiating with cybercriminals.

As with most ethical questions, she does not believe there is a simple answer. “One might argue that a company should be responsible for paying whatever costs are necessary to recover the data since it was presumably because of the company's negligence that the information was able to be stolen,” Ott said.

She explained, “However, unlike paying a ransom for the safe return of a person, the return of the data does not guarantee that the cybercriminals no longer have the data. And if they have a copy, paying the ransom merely amounts to enriching the criminals with no gain for the company whose data has been compromised.”

However, Ott noted that in certain situations the case for paying the ransom would be stronger. “For instance, if the company did not know what employee information was compromised, one might argue that they should pay for the return of the data,” Ott said. “In this scenario there is a benefit to the victims of the crime since they could be accurately notified that their information had been stolen.”

Big Brother: Friend or Foe

ThreatTrack’s survey also reveals a range of opinions regarding the government’s role in cybercrime extortion investigations:

- 44 percent said the government should be notified immediately and granted complete access to corporate networks to aggressively investigate any cybercrime extortion attempts

- 38 percent said the government should establish policies and offer guidance to companies who fall victim to cybercrime extortion

- 30 percent said companies should have the option of alerting the government to cybercrime extortion attempts made against them

- 10 percent said the government should make it a crime to negotiate with cybercriminals

Ott said the fact that most companies do not want government intervention is problematic. “Without government investigations of these matters, the cybercriminals remain free to continue their illegal activities,” she said. “This can ultimately lead to the theft of information of many more people.”

However, she explained, “Companies tend to do their analysis based on consideration of the impact on their reputation and the potential impact on their stock price, etc. They have little motivation to consider the bigger picture.”

So, how long did it take you to read this article? If it took you five minutes, 9,735 data records were lost or stolen during that time frame. That’s why Burroughs concludes, “The question is not if you will be breached - the question is when.”

Terri Williams

Terri Williams writes for a variety of clients including USA Today, Yahoo, U.S. News & World Report, The Houston Chronicle, Investopedia, and Robert Half. She has a Bachelor of Arts in English from the University of Alabama at Birmingham. Follow her on Twitter @Territoryone.
