Cybersecurity battles complicated by laws, ethics - East Valley Tribune: Nation / World

Cybersecurity battles complicated by laws, ethics

Print
Font Size:
Default font size
Larger font size

Posted: Friday, July 1, 2011 2:03 pm | Updated: 7:56 am, Tue Jun 17, 2014.

First they came for the video games, launching an attack in April that siphoned millions of users' personal information from Sony's PlayStation Network that shut it down for weeks.

Then they came for the banks in May, purging the names, account numbers and email addresses of 360,000 Citibank customers.

They came for the government organizations in June, attacking the U.S. Senate and the International Monetary Fund over the course of a single week.

The question is: Are hackers coming for your organization's system next? If they haven't already gained access, security experts say, there's no doubt they're trying.

"There's certainly a fair amount of consternation and fear," said Kevin Richards, president of the Information Systems Security Association International, headquartered in Portland, Ore. "This is something that's a very real economic issue, and organizations are struggling with that."

A recent study of security professionals by the Ponemon Institute in Michigan said 90 percent of professionals at large companies in the United States, Britain, France and Germany had seen at least one breach in the past year and that 59 percent had two or more, according to a New York Times report.

Eric Irvin, a Houston-based security analyst with Alert Logic Inc., says it's time to fight fire with fire when it comes to cyberattacks.

He theorizes that security experts are held back from catching the bad guys by ethical obligations imposed by security certification organizations such as ISSA, in addition to being bound by laws and their own moral reservations.

He presented his idea under the provocative title, "Nice Guys Finish Last -- Why Doing the Right Thing Sucks," at last month's BSidesPittsburgh computer security conference in Pittsburgh.

Richards defended the security association's six-point code of ethics, which tells professionals to comply with the law, conduct duties with diligence and honesty, promote current best practices, maintain confidentiality, avoid conflicts of interest and avoid intentionally damaging an individual or company's reputation.

"We would never say it's OK to break laws," he said. "That's talk of vigilantism, which has never worked in any construct. "

He added security experts should focus on containing the problem, collecting evidence and turning it over to law enforcement agents to push for prosecution.

Even if cybersecurity were as simple as hacking the hackers, Irvin noted that innocent bystanders would most likely take the hits because hackers use other people's systems to do their dirty work.

Marty Lindner, principal engineer for the Cert Program at Carnegie Mellon University in Pittsburgh, said there were roadblocks to catching hackers internationally.

Last month's arrest of a British teenager linked to the group Lulz Security -- which claimed responsibility for hacking the U.S. Senate and Arizona's Department of Public Safety -- resulted from a joint effort between the FBI and Scotland Yard. But prosecution could hit a dead end if the source was in a country without clear cyberlaws.

"Other countries don't have laws like we do," Lindner said, and hacking is "not a crime. If it's not a crime, then there's nothing we can do about it."

Stewart Baker, former National Security Agency general counsel and partner at the law firm Steptoe & Johnson, said most cybercrimes are committed on compromised machines inside the United States but that many attacks come from China and some Eastern European countries.

He said the Council of Europe's Convention on Cybercrime -- which applies a single cyberlaw to all Council of Europe countries as well as the United States, Canada and other countries -- is the closest thing to a cohesive international law.

"The problem is the law dates back to the '80s and only deals with a limited number of attacks and exploits. It's not a complete legal response," Baker said.

Beyond hacking the hackers or waiting for international laws to adapt to the changing times, security experts should encourage organizations to reinforce and update their current security methods, regularly monitor for suspicious activities and purge their systems and servers of unnecessary software applications, Richards said.

"When people enter my network, what applications and technologies am I expecting them to see? Is my network configured with that environment to allow only that kind of transaction? Start weaning out things you don't need," he said.

But even the most comprehensive network security available today will be hacked at some point, said Karl Vokman, chief technology officer of Chicago-based information technology company SRV Network Inc.

"It doesn't matter that we're making our best effort," Volkman said. "It's like Fort Knox. Someone's going to break into it eventually."

More about

More about

More about

  • Discuss

[Sponsored] Terri's Consignment: Divorce the sofa

Your Az Jobs