The story of Google’s allegation that China hacked the Gmail accounts of top government officials, including senior White House staffers, made headlines around the world June 1. The allegations drew the expected angry denials from Beijing and quieter messages from Washington that an investigation was underway. The big surprise: This story made front-page news.
Hackers in China, who most security experts believe work for the Chinese government, have been whacking away at Gmail accounts of Chinese citizens for years and have previously hacked into accounts of prominent U.S. journalists and businesspeople working in the Middle Kingdom.
Cyberattacks that were once shocking are now a regular and almost expected occurrence. In April, black hat hackers, those who work in defiance of the law, forced the extended shutdown of Sony’s PlayStation Network (PSN) — after they broke through the tightly guarded databases and stole 2.2 million credit card numbers and 100 million account holders’ identities. In late May, one of the country’s largest defense contractors announced that intruders had accessed its networks by using security tokens provided by EMC Corp’s RSA Security Division. The tokens are by far the most popular two-factor authentication mechanism for government contractors and sensitive industries. Everything from health-care information and large credit information warehouses to Facebook address books has become a target.
This is only a taste of a future when the attacks will be more common and more aggressive — and perhaps more damaging. In a few years, everyone in an industrialized society probably will have their DNA sequenced for medical purposes, and a growing body of comprehensive satellite data has already been used by governments for enforcement activities. Remember how the Greek government used satellite images to spot swimming pools at the homes of people who had not paid their taxes?
Opportunities to hack collected data correlated with detailed mapping information — like the location information Google and Apple are collecting from smartphone users — will provide rich possibilities for the cyber underworld. A digital Sept. 11 is now a real possibility, validated, in part, by the highly successful Stuxnet worm that struck industrial control systems and specifically targeted uranium centrifuges in Iran. But it is not just governments we have to fear. Interpol security adviser Marc Goodman says that organized crime groups have created a highly efficient, global, underground economy for stolen data. Goodman sees the opportunity for artificial intelligence-based technologies that scour the net looking for criminal activity. All these data that we are gathering also make it possible to thwart cybercrime, after all. This “Minority Report” world might be the future, but there are simpler solutions that are possible today.
We are going to need the same types of security systems for Internet usage as we have for travel at airports. The question is — will the cure be worse than the disease?
Innovation relies on a certain degree of freedom to achieve adoption or to push the envelope and create new things. If Facebook forced users to go through a rigorous opt-in before allowing them to sign up and posted onerous security warnings, it is doubtful that 600 million people would have joined the largest social network in history.
The Chinese Gmail attacks were made possible by public information that the targets had themselves made available via their carelessness in opening attachments. People simply need to learn how to better protect themselves — to be more suspicious, to never provide their passwords to links they click on in an unsolicited e-mail (this is security no-no No. 1), to pay attention to the composition of URLs and to change their passwords regularly.
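The "pay attention to the composition of URLs" advice above can be made mechanical. This is an added example, not part of the original article: it parses a link before any password is typed into it and lists the reasons to distrust it (user-info before an "@" that hides the real host, a bare IP host, plain http, or a trusted brand name appearing inside an unrelated domain). The trusted-domain list and the simplified two-label domain rule are assumptions for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: sites the reader actually holds accounts with (constructed for the example).
TRUSTED_DOMAINS = {"google.com", "mail.google.com", "accounts.google.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com-style names; a real
    implementation would consult the public-suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_warnings(url: str) -> list:
    """Return the reasons a credential prompt at this URL should be distrusted.
    An empty list means nothing obvious was found, not that the link is safe."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # 'http://accounts.google.com@203.0.113.5/' -- the text before '@' is a
        # username the browser discards; the real host is what follows it.
        warnings.append(f"user-info before '@' hides real host {host!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg not in {registrable_domain(t) for t in TRUSTED_DOMAINS}:
        # A known brand used as a subdomain label of some other domain is the
        # classic lure; flag it explicitly, otherwise just say the site is unknown.
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[-2]
            if brand in host:
                warnings.append(f"'{brand}' appears in host but site is actually {reg!r}")
                break
        else:
            warnings.append(f"host {reg!r} is not a site you have an account with")
    return warnings


if __name__ == "__main__":
    for link in ("https://accounts.google.com/signin",
                 "http://accounts.google.com@203.0.113.5/login",
                 "https://accounts.google.com.login-verify.example/"):
        print(link, "->", url_warnings(link) or "no obvious problem")
```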
Likewise, practicing textbook cybersecurity hygiene is a painful exercise. Do you keep your passwords to your office network in a clear-text e-mail in a personal account? Have you written them on a Post-it note and slapped it up on the wall? If you are, you might be stifling innovation.
Changing passwords regularly goes against the grain of how the human mind comfortably works. We could never remember our own phone number if it changed weekly, but that’s akin to what security experts are asking of us with current password best practices. That behavioral change adds up to a drag on society, productivity and innovation. At its core, too, the types of behavioral changes required could rein in the open exchange of information and ideas typical of social media that is the lifeblood of innovation itself.
There are also other, simpler, non-intrusive technologies. PayPal offers a feature that allows holders of its credit cards to receive a text message each time a transaction occurs, a great way to spot ID theft quickly. Likewise, Mint.com can be programmed to send a variety of alerts based on account activity. Google compiles a log of every IP address that accesses a Gmail account and encourages users to check it. But checking the logs takes time and requires a behavioral change. Services such as SlingBox or GoToMyPC could also improve their security barriers by instituting security alerts when users log in to their own machines or access data from their personal desktops remotely. I’d expect the tension between innovation and security concerns to grow very quickly in the new social mobile era. Which would you choose and why?
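The access log and the login alerts described above can be combined so the user does not have to read the log at all. This is an added example, not code from Google or any of the services named: it takes a per-account access log in the style of a "recent activity" page, collapses addresses to their network so a home router's changing address is not a false alarm, and emits one alert per access from a network the account has not been seen from before. The log format and its entries are constructed for the example.

```python
import ipaddress

# Constructed sample access log (assumption): one entry per line, "timestamp ip client".
# The first entry is treated as the account owner's normal location.
SAMPLE_LOG = """\
2011-06-01T07:58:10Z 198.51.100.23 Browser
2011-06-01T12:03:44Z 198.51.100.23 Mobile
2011-06-02T08:14:02Z 203.0.113.8 Browser
2011-06-02T23:41:19Z 192.0.2.77 Browser
2011-06-03T09:02:55Z 198.51.100.24 Browser
"""


def network_of(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so that a DHCP lease
    change on the same connection does not look like a new place."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def parse_log(text: str) -> list:
    """Turn the log text into (timestamp, ip, client) tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, client = line.split(maxsplit=2)
            entries.append((ts, ip, client))
    return entries


def new_network_alerts(entries, known=None) -> list:
    """Return one alert string per access from a previously unseen network.
    If no baseline of known networks is given, the first entry seeds it."""
    known = set(known) if known else set()
    alerts = []
    for ts, ip, client in entries:
        net = network_of(ip)
        if net not in known:
            if known:  # an empty baseline means this entry defines 'normal'
                alerts.append(f"{ts}: {client} access from {ip} (new network {net})")
            known.add(net)
    return alerts


if __name__ == "__main__":
    for alert in new_network_alerts(parse_log(SAMPLE_LOG)):
        print("ALERT", alert)  # the text message the service would send
```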