Accountability in Cybersecurity is a Two-Way Street

July 29, 2019

The biggest story in cybersecurity this past week was the eye-popping $5 billion (that’s billion with a B) fine the FTC placed on Facebook for not adequately fulfilling its responsibilities to protect its consumers’ data. Probably just as painful to Facebook, and its CEO, as the fine itself is having to publicly acknowledge their failure to be adequately accountable to the individuals who trusted them.

Entities that fail to fulfil their obligations to protect individuals from abuse of their data obviously ought to be called out and be expected to devote the time and resources to fulfil their responsibilities under the law.

This is just as true for government entities as it is for those in the private sector – arguably more so.

Nowadays you can’t open a news site without seeing a story about private entities being victimized by cyber attackers. Despite the fact that cyber criminal activity has been a massive problem for years, government – at all levels – is failing to adequately respond.
While properly calling on industry to be accountable, government is failing to be accountable to the citizens it has the responsibility to protect. Government should be at least as trustworthy as industry.

Depending on how you define “cyber-crime,” multiple sources place its impact somewhere between hundreds of billions of dollars a year and a trillion (that’s trillion with a T) dollars a year, and growing dramatically.

When one thinks back to all the high-profile cyber attacks over the past few years, in classic blame-the-victim mode, you can see all sorts of press and government critiques of the organizations that have been attacked, and virtually no mention of the fact that none of the criminals who actually broke the law and attacked these private entities have ever been brought to justice.

Some commenters are relying on the outdated mantra that all you need to do is follow basic security hygiene (certainly a good idea) to prevent attack. Such empty rhetoric betrays a fundamental misunderstanding of the actual complexity of cyber security and the increasing sophistication of the modern cyber criminals.

We now know many cyber-attacks are launched by nation states, or state-affiliated criminals, that private companies have no chance of defending themselves against. The NSA has documented that the North Koreans are in the bank robber business and were largely responsible for the NotPetya ransomware attacks that recently crippled and robbed thousands of private organizations. The Chinese have been stealing our intellectual property for decades (no one innovates at 10%-12% a year as the Chinese have done — you accomplish this by stealing your competitors’ property), and that is just part of the problem.

The nation-state issue is just the tip of a massive iceberg. The 2018 Symantec Report on cybercrime found that “Cyber criminals at the high end are as technically sophisticated as the most advanced information technology companies and like them have moved quickly to adopt cloud computing, artificial intelligence, software as a service (cyber-crime as a service) and encryption.” The Report also illustrates how the criminals have leveraged crypto-currency to make it ever easier to monetize their ill-gotten gains.

The report concludes with this stark assessment: “Cybercrime is relentless, undiminished and unlikely to stop. It’s just too easy, rewarding and the chances of getting caught are far too low. Cybercrime also leads on a risk-to-payoff rate. It is a low risk crime with high profits. A smart cybercriminal can easily make millions without fear of being caught.”

In the blogosphere we will occasionally hear calls for greater cyber deterrence. Maybe the best way to deter cyber crime is to begin to put the criminals in jail. Best estimates are that, at best, we successfully prosecute maybe 1% of cyber criminals. Government needs to be accountable for this failure.

To be clear, our problem is not that we don’t have expert and dedicated individuals in our law enforcement communities working on cyber-crime – we do. The problem is that our policy makers have not provided them with enough tools, including the legal structures – domestic and international – as well as adequate personnel and technology to compete with the modern cyber criminals.

Metaphorically, our law enforcement team is NFL quality, but so are our opponents. And while we are putting 11 players on the field, they are playing with a hundred players and they don’t follow the rules.

I’m fine with pushing Big Tech to evolve their practices and be more accountable to protect us. I just want government to be accountable too. To face the cyber-crime epidemic, we need less finger pointing and more joining of hands.