[Vision2020] Asleep at the Laptop

Art Deco art.deco.studios at gmail.com
Mon Jun 4 06:01:27 PDT 2012


The New York Times <http://www.nytimes.com/>

------------------------------
June 3, 2012
Asleep at the Laptop
By PREET BHARARA

THE alarm bells sound regularly: cybergeddon; the next Pearl Harbor; one of
the greatest existential threats facing the United States. With increasing
frequency, these are the grave terms officials invoke about the menace of
cybercrime — and they’re not understating the threat.

Some cybercrime is aimed directly at our national security, imperiling our
infrastructure, government secrets and public safety. But as the recent
wave of attacks by the hacker collective Anonymous demonstrates, it also
targets private industry, threatening the security of our markets, our
exchanges, our bank accounts, our trade secrets and our personal privacy.

With all the attention paid to the so-called fiscal cliff
<http://www.bloomberg.com/news/2012-05-30/u-s-may-avert-plunging-over-fiscal-cliff-in-2013-economy.html>
approaching at year’s end, it is equally important to ask whether
collective inaction has us simultaneously barreling toward a cybercliff of
equal or greater height.

As the United States attorney in Manhattan, I have come to worry about few
things as much as the gathering cyberthreat. Law enforcement is racing to
respond, filling its ranks and fortifying its defenses against
cyber-malefactors. Businesses should worry, too. But my experience suggests
that they are not doing nearly enough to protect themselves, their
customers and their shareholders.

Recently I met two executives from major companies who did not even know
whom in law enforcement to contact in the event of a hack or intrusion. A
few weeks ago, after a speech I gave about cybercrime, a board member of a
significant Internet-based company took me aside and admitted, with some
horror, that his company’s board had not spent a single minute discussing
cybersecurity.

These troubling admissions reveal critically outdated thinking in the
business community. But there is recourse, and the cliff can still be
avoided.

For one thing, large and small corporations alike must adopt a culture of
disclosure. A bank would never think to delay reporting to the police a
conventional robbery by a masked criminal wielding a gun and a note. But
that is what institutions are still routinely doing after being compromised
by anonymous criminals operating through the Internet.

Corporations may wait days or even weeks and months, or never disclose the
attacks at all, for fear of exposing proprietary information. But doing so
makes it much harder to identify the perpetrator and prevent future
economic injury. It also makes it harder to tell who the next victim might
be, so that they might assess their own vulnerabilities and formulate
solutions.

Businesses should be assured that law enforcement will operate with the
utmost sensitivity toward victims of cyberattacks. Prosecutors and agents
have developed techniques to minimize disruptions to daily operations and
to safeguard proprietary information. Where necessary, we can seek judicial
orders to protect confidentiality. But to the extent that businesses remain
allergic to the idea of promptly reporting cybercrime to law enforcement,
they need to get over it.

Second, every company needs to do a better job of creating and fostering a
culture of security. A recent report by Verizon
<http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf>
suggests that a stunning 97 percent of data breaches last year were
avoidable. That’s because even well-intentioned companies that are already
spending large sums of money on high-tech security are overlooking the most
fundamental precautions.

In a way, they’re overthinking the threat. We have a false impression that
all hackers are hyper-sophisticated, digital versions of Tom Cruise
rappelling down a building, “Mission Impossible”-style. But the more
mundane reality is that companies are most often breached by hackers
walking down virtual hallways, looking for a single unlocked door. And the
proverbial unlocked door can mean entry into the entire data network.

In response, companies must start thinking ahead of the hack and locking
their doors. It is simply no longer enough for company leaders to take a
hands-off approach, leaving these matters to a few “techies.” Such an
attitude practically invites a hack. Even simple measures — like employee
training and regular threat assessments — can help companies avoid becoming
the easy target.

But the most important step is the most obvious and fundamental one:
understanding the threat in a comprehensive, serious manner. Every member
of a board or executive suite is duty bound to protect the institution
against material risk, whether they currently possess particular expertise
or not. And yet, how many companies have a concrete plan in place to deal
with a hack? How many conduct independent audits of their
cybervulnerabilities? The answer, many in my position fear, is too few.

Some say we are outgunned. But in my view, it is less a matter of being
outgunned than being simply outdated — in our thinking and in our vision.
Yes, there is an army of computer saboteurs, spies, thieves and nihilists
who wish to do us harm. But we have an army, too, or at least the makings
of one, which can draw from the best of law enforcement, intelligence,
business and academia.

I have no doubt that we could find the collective will to amass and
mobilize our army once a true catastrophe strikes — just as we did after
Pearl Harbor and Sept. 11, 2001. The question is whether we can do so
before that happens.

Preet Bharara <http://www.justice.gov/usao/nys/meetattorney.html> is the
United States attorney for the Southern District of New York.
  ____________________________________

Short comment:  The congress and the executive branch are even further
behind, refusing to pass legislation to address this problem.  Is there
anyone on this list who has never been a victim of some kind of cyber crime?

-- 
Art Deco (Wayne A. Fox)
art.deco.studios at gmail.com