Last time, I talked about how important it is for every organization to be in compliance with whatever regulations apply. I used the example of a small merchant to set the scale of the potential cost of a data breach. While attacks against the small merchants are serious, the real damage is done when the big boys are attacked.
In just the last couple of months, millions of consumers have had their credit card and other information stolen by organized groups of hackers. In some cases governments directly sponsor these hackers. On June 8, Citibank disclosed the loss of information about 200,000 Citibank credit card customers. On June 11 the IMF was hacked, probably by a government. It is past time to make a concerted effort to stop these attacks and punish the perpetrators, whether they are criminal gangs or national governments.
We must stop treating these attacks as mere nuisances. They have a serious impact on the companies involved, and identity theft is not a “mere nuisance” to the person who has to, in some cases, spend years to reverse the negative effects on their personal reputation and credit rating. They also raise FUD (fear, uncertainty and doubt) about shopping in general and the Internet in particular. In today’s economy, this kind of dampening influence is exceedingly detrimental. In many cases, the people who had their credit compromised or their identity stolen were not using the Internet, but simply using a credit or debit card at their neighborhood gas station or local store.
What to do? We must start by treating hackers as what they are: terrorists. They are not petty thieves who should get their hands slapped and be sent on their way. They hide in foreign countries that make little or no effort to find and prosecute them. Why should they? These financial terrorists bring in lots of revenue or support their government’s political agenda.
There are three, probably not very popular, things that I believe should happen:
- Upgrade Payment Card Industry (PCI) Security Standards Council rules to embrace the Internet and the Cloud, not actively fight them. As they stand, every individual organization that handles or processes credit cards has individual responsibility. 89% of those organizations that had data breaches of credit/debit card data in 2010 and should have been PCI-DSS compliant were not. But PCI-DSS compliance is not sufficient. I suspect that Citibank was compliant, but they were still hacked. In fact, 11% of those organizations with breaches were compliant. Many Cloud Service Providers (CSPs) have the infrastructure and, more importantly, the personnel, processes and policy to be much more secure than the average organization. In fact, the US Secret Service / Verizon RISK Team “2011 Data Breach Report” indicated that the Cloud was not implicated in any of the 2010 data breaches they studied. It is a lot less expensive and a lot more secure to have a few dozen CSPs providing security than to have thousands of individual organizations attempting it.
- Take a lesson from the FAA (Federal Aviation Administration): require full disclosure. As with airplane accidents, the goal is not to punish but to learn so others will not make the same mistake. Every data breach involving financial data should have an incident response team assigned to determine what happened, how it was corrected, and how to prevent it. That information then needs to be published. In some cases, changes should be mandated to be completed within specified time frames, and then those updates verified.
- One major problem with the second item is that you don’t want to advertise how to cause a problem until it is fixed and the fix installed everywhere. The other problem is that it requires a lot of research to sift through a lot of technical data to determine the cause, the perpetrators, and the cure. Fortunately, there are organizations that are experts at sifting through lots of data, dealing with uncooperative governments, and keeping things secret: the US Department of Defense intelligence agencies. Unfortunately, these agencies do not necessarily have the confidence of the American people. I believe that, with the right oversight, they are the best organizations to lead this war.
We have to do something. If the Payment Card Industry itself won’t stand up, then our government should.
The last word:
Like armed terrorists and insurgents that spread terror and mayhem by physically attacking anyone anywhere, cyber terrorists do not play by any “Geneva Convention” set of rules, do not honor political borders, and often have the support of governments. When we try to fight them with our American courts, we, like the American military in places like Iraq and Afghanistan, are fighting an asymmetric war. Our military and intelligence organizations are, perhaps too slowly, learning to fight this kind of war. Sometimes our political leaders have the courage to violate accepted international rules to deal with them, like the recent assault into Pakistan that took out Osama bin Laden. We need to start treating cyber terrorists with the same tactics.
Keep your sense of humor.