Separating Cybersecurity Hype From Reality

By: Rachel Marsden

LAS VEGAS -- The big players in the global information-security industry are intermingling with computer hackers this week at the annual Black Hat conference in Las Vegas. Even Chris Inglis, who stepped down as the deputy director of the National Security Agency earlier this year, is scheduled to attend the conference in his new capacity as an advisor to the American security-intelligence company Securonix. The purpose of the event is to reveal and discuss new threats and research in the field of cybersecurity.

So, why should you care?

Computers now affect every aspect of our lives, from transportation to banking to health care to everyday retail payments. We typically don't think much about it until there's a problem: the automated commuter train we take to work every morning breaks down, or our credit card numbers are stolen from a store's database and published online, or the payment terminal at a store malfunctions and we're momentarily shocked at having to pay for a purchase in a more prehistoric way.

The phenomenon of technological ubiquity isn't even specific to the developed world anymore. Last week, Reuters quoted a Senegalese man on using his mobile phone for payments: "It is like having cash on you but safer because you don't have to carry the actual money on you all the time."

Couple this rapid technological expansion with the propensity of Middle Eastern and African banks not to disclose cyber attacks, which leaves their peers and customers unable to learn from them, and cyber attackers have a huge new market to exploit.

According to a new report by Palo Alto Networks, Nigerian email scammers have upped their game, moving on from soliciting bank account information from their targets to "spear phishing." This tactic uses a tailored ruse to get the target to click on a link or open a document attached to an email, which installs malware that gives the scammer covert remote access to the target's computer and, from there, to the target's network.
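As an added example, not code from the column or from the Palo Alto Networks report, here is a small triage script that looks for the traits that paragraph describes in an inbound message: a sender dressed up to look like someone else, replies steered elsewhere, a link whose visible text and real destination disagree, and an attachment that is really an executable. The sample message, its organisation and its domains are constructed for the example.

```python
"""Spear-phishing indicator triage for a raw RFC 822 message (added example).

All names, domains and the sample message below are hypothetical and
constructed for illustration; nothing here comes from a real campaign.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name is itself a lookalike address, the
# Reply-To points elsewhere, the link text and href disagree, and the
# "invoice" attachment is an executable wearing a .pdf double extension.
SAMPLE_EML = """\
From: "ap@example-corp.com" <ap@example-corp.co>
Reply-To: ap-billing@mail-example-corp.net
To: finance@example-corp.com
Subject: Overdue invoice - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please review the attached invoice or open it online:</p>
<a href="http://invoice-portal.example-corp.co/view">https://portal.example-corp.com/invoice</a>
--b1
Content-Type: application/octet-stream; name="Invoice_0429.pdf.exe"
Content-Disposition: attachment; filename="Invoice_0429.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Extensions that run code when opened; a hypothetical short list for the example.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".docm", ".xlsm"}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def spear_phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in one raw message (empty list if clean)."""
    msg = message_from_string(raw_message)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    # 1. Display name is an address whose domain differs from the real sender's.
    if "@" in display and domain_of(display) != sender_domain:
        findings.append(f"display name claims {domain_of(display)} but sender is {sender_domain}")

    # 2. Replies are steered to a domain other than the one the mail claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain {sender_domain}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # 3. Executable or double-extension attachments ("Invoice.pdf.exe").
            pieces = filename.lower().split(".")
            if "." + pieces[-1] in RISKY_EXTENSIONS:
                findings.append(f"attachment {filename} has an executable extension")
            if len(pieces) > 2:
                findings.append(f"attachment {filename} has a double extension")
        elif part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            # 4. Link text shows one host while the href actually points to another.
            for href, text in collector.anchors:
                shown = urlparse(text).hostname if "://" in text else None
                actual = urlparse(href).hostname
                if shown and actual and shown != actual:
                    findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for finding in spear_phishing_indicators(SAMPLE_EML):
        print("-", finding)
```

None of these checks proves malice on its own; a mail-gateway rule would weight them and quarantine on a threshold, and would read the decoded attachment (file type, macros) rather than trusting the name as this example does.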

The more we know about technology, the more we should see vulnerabilities rather than simply assume safety, as many of us do. Some of these vulnerabilities exist because government intelligence services have themselves built back doors into cryptographic standards and components that private industry then adopts wholesale. It's one thing to build in back-door access for intelligence purposes, but doing so assumes that U.S. intelligence agencies are the only ones in the world smart enough to find and use the back door. A back door is a vulnerability like any other: whoever learns its secret gets the same access its designer reserved for himself.
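An added illustration of that point, not code from the column and not any real agency or standards design: a toy random-number generator whose every output is the generator's state encrypted under a "designer" public key. Whoever holds the matching private exponent, the back door, can read the state out of a single output and predict everything that follows. The parameters are deliberately tiny so that the last function can recover the same back door by factoring the modulus, which is the column's argument in miniature; the seed, primes and names are hypothetical.

```python
"""Toy escrowed generator with a designer back door (added example).

Construction (simplified illustration, not a real standard):
  output_i = state_i ^ E mod N        (RSA under the designer's public key)
  state_{i+1} = SHA-256(state_i) mod N
The designer keeps d = E^-1 mod phi(N).  From one output block, d recovers
state_i and therefore every later block.  Parameters are hypothetical and
far too small to be secure, which is exactly what the last function shows.
"""
import hashlib
from math import isqrt

# Hypothetical designer trapdoor: two 16-bit primes.  A real deployment would
# use a modulus nobody can factor, so only the trapdoor holder could predict.
P, Q = 65521, 65537
N = P * Q
E = 17                      # public exponent, coprime to (P-1)(Q-1)


def output_block(state: int) -> int:
    """Emit one 'random' block: the state encrypted under the designer's public key."""
    return pow(state, E, N)


def next_state(state: int) -> int:
    """Advance the generator: hash the current state and reduce into the modulus."""
    digest = hashlib.sha256(state.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % N


def generate(seed: int, count: int) -> list:
    """Produce `count` output blocks from a secret seed (what a user sees)."""
    blocks, state = [], seed % N
    for _ in range(count):
        blocks.append(output_block(state))
        state = next_state(state)
    return blocks


def trapdoor_exponent(p: int, q: int) -> int:
    """The back door: the private RSA exponent, derivable only from the factorization."""
    return pow(E, -1, (p - 1) * (q - 1))


def predict(observed_block: int, d: int, count: int) -> list:
    """From ONE observed block and the trapdoor d, reproduce the next `count` blocks."""
    state = pow(observed_block, d, N)     # invert the public-key step: block -> state
    return generate(next_state(state), count)


def find_trapdoor_by_factoring(n: int) -> int:
    """What 'someone else' does.  The back door is just a secret derived from the
    factors of n; with a toy modulus, trial division recovers it in milliseconds."""
    for cand in range(3, isqrt(n) + 1, 2):
        if n % cand == 0:
            return trapdoor_exponent(cand, n // cand)
    raise ValueError("no factor found")


if __name__ == "__main__":
    blocks = generate(123456789, 6)               # hypothetical user seed
    designer_d = trapdoor_exponent(P, Q)
    print("designer predicts:", predict(blocks[0], designer_d, 5) == blocks[1:])
    outsider_d = find_trapdoor_by_factoring(N)    # no privileged knowledge needed
    print("outsider predicts:", predict(blocks[0], outsider_d, 5) == blocks[1:])
```

With a large modulus the outsider's factoring step becomes infeasible, but the lesson stands: the generator's security then rests entirely on one secret held by one party, and that secret can be leaked, stolen, or subpoenaed just like any other key.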

The flip side of technological complacency is that average users are prone to getting spooked by either an attack or the mass publicity around one. They tend to overreact and start seeing cyber-bogeymen everywhere. It's easy for paranoia to flood in and fill a knowledge vacuum.

In much the same way that the military-industrial complex thrives on the fear of war, the IT-industrial complex benefits from public paranoia. Few information-security professionals publicly shrug off some of the obvious smoke and mirrors, such as the recent denial-of-service attacks on some Israeli government websites by the hacktivist group Anonymous -- including the public-facing website of Israel's foreign intelligence service, Mossad -- at a time when the conflict in Gaza has reignited. A denial-of-service attack merely floods a public web server with traffic until it stops answering; nothing behind that server is breached. If Anonymous wanted to pose a legitimate threat, it would be hacking Israel's Iron Dome missile-defense system rather than blocking the e-driveway to a few websites.

A much-hyped Black Hat presentation this week by a cybersecurity researcher will reportedly reveal how vulnerabilities in an airplane's wireless Internet or in-flight entertainment system could be used to reach its avionics. But both the equipment manufacturer and the researcher himself have questioned whether the attack is practically feasible.

There's a fine but critical line between the information-security industry getting together to assess threats and risk, and the general public being spooked by potential threats it can't fully evaluate because of the technical complexities.

To ascertain the true degree of risk and paint a clear picture of what a "Cyber 9/11" attack would look like, it would be valuable for an event like Black Hat to host an expert-designed, "force-on-force" war game, with top cybersecurity experts facing off against the world's best hackers. Let's find out how much hysteria is warranted for a worst-case cyber-Armageddon.

The information-security industry should also partner with political-risk specialists to gain a broader understanding of who the attackers are, what they are after based on system resources they have previously targeted, and where the government and the private sector should be focusing their cybersecurity resources.

Where there's political unrest, there's cybersecurity risk. It's a logical extension of geopolitical competition. And it's critical to keep it all in perspective.