Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/24/2014
10:30 AM
Tsion Gonen
Tsion Gonen
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Cyber Security Needs Its Ralph Nader

It took thousands of unnecessary traffic fatalities to create an environment for radical transformation of the auto industry. What will it take for a similar change to occur in data security?

By every metric, driving an automobile is far safer today than it was in 1965, due to a combination of factors including government regulations and legislation, consumer awareness, and technology advances. The catalyst for all of this was one man: Ralph Nader.

Prior to 1965, car manufacturers had no real motivation to make safe cars because the cost of doing so did not justify the business benefits. But then Ralph Nader published Unsafe at Any Speed, a critique of the safety record of American automobile manufacturers. His advocacy injected the traffic fatality epidemic into the headlines, and a nation changed.

Congress unanimously passed the 1966 National Traffic and Motor Vehicle Safety Act and established the National Highway Traffic Safety Administration (NHTSA). Manufacturers responded by putting seatbelts, headrests, and other mandated equipment in their cars, and some started making safety a competitive differentiator. And consumers… well, they never really got the memo. Many (if not most) still didn’t use seatbelts, even though they knew the risks. It took subsequent legislation at the state level in the 1980s to enforce seatbelt use among drivers.

What does this have to do with cyber security? Well, the current data breach epidemic feeds off a delicious broth of consumer apathy, corporate incrementalism, and flawed federal regulations -- exactly the conditions that existed in 1965 with automobiles. Clearly, things need to change if we are to curb the data breach epidemic… but who will be cyber security’s Ralph Nader?

Who will be the security industry's Cyber Ralph?
Who will be the security industry's Cyber Ralph?

With automobiles, Ralph Nader exposed a hidden crisis and called on government to change the rules of the game for manufacturers. This resulted in rapid, comprehensive legislation that required manufacturers to design safety equipment into their automobiles. These requirements were not an option: If you didn’t meet them, you could not sell cars in the US. Smart companies used this new focus on highway safety to their advantage.

Despite today’s fire-and-brimstone headlines about data breaches, the problem with cyber security is that nobody is feeling the pain of the problem. Consumers know their credit cards will be replaced and they will not be responsible for financial losses. Breached companies know their stock prices will bounce right back and consumers will continue shopping at their stores, and at worst they may have to throw an executive under the bus to meet the bar for “we’ve done something about this.” And government regulations speak for themselves: They simply are not a prescription for security, and at this point, breach disclosure requirements do more to breed public apathy than outrage.

Some themes for Cyber Ralph to consider include:

Make citizens aware of their entire risk exposure. They may not care about having passwords, account numbers, or credit card numbers compromised, but they likely would care about their healthcare records, tax returns, or travel plans being stolen and used for fraud, blackmail, or burglary. And they probably would care if they knew that this information may already be compromised -- the breaches just haven’t been discovered yet. The need for seatbelt laws demonstrates that consumers likely will not change their behavior based on this knowledge, but it will create a political environment where elected officials will want to do more to protect their constituents.

Make breach disclosure laws more intelligent. Not all breaches are alike, and yet reach disclosure laws treat them that way. A breach of customer data that cannot be used to harm those customers is different from a breach of unencrypted Social Security numbers. And yet, current regulations do not make this distinction, and the media simply fixate on the “number of records stolen,” not the potential damage that could be done with what was stolen. (The Breach Level Index is an interesting approach to shedding light on this problem.) As a result, all breaches are treated the same, and consumers have stopped caring because they are never materially affected by the “8 billion records stolen” headlines.

Adopt modern, practical technology. The most obvious example of this is chip-and-PIN credit cards. Europe has used them for years and also adopted complementary technologies like wireless point-of-sale in restaurants to improve credit card security. (Meanwhile, we in the US continue to hand our cards to strangers.) President Obama’s recent executive order promoting the adoption of chip-and-PIN is a promising start, but there really is no reason the US should lag so far behind its overseas peers in adopting sensible technology and processes.

Create an NHTSA for cyber security. Automobile safety improved only after the establishment of the NHTSA, an agency with authority to mandate safety standards nationwide. Cyber security needs the same type of organization. Implementing national standards will be good for consumers and businesses, because it will eliminate the complexity and variability in today’s state-level standards. This agency should have authority to implement standards across all areas of risk, including credit cards. (Chip-and-PIN would likely already be deployed in the US were this type of organization in place.)

Do away with “shades of gray” penalties. The National Traffic and Motor Vehicle Safety Act made things very simple for automobile manufacturers: Conform to national safety standards for automobiles, or don’t sell cars in the US. The “NHTSA for Cyber Security” should have a similar approach. Once we have effectively categorized breaches, we can separate out “secure” breaches (where the information stolen cannot be used to foment damage) from insecure ones. In cases where companies have done what they should to protect customer data (according to national standards), they can continue doing business unimpeded. Those that have not conformed to standards and experienced an insecure breach will have a grace period to bring themselves up to standards before they must cease operations.

This might seem Draconian -- except the automotive industry experience shows us it creates a level playing field, and when we reduce things to a simple binary situation (you’re either in business or you’re not), all companies will choose to conform.

The tragedy of the automobile industry is that it took thousands of unnecessary traffic fatalities to create an environment where Ralph Nader could bring about radical change. One hopes that we do not need to reach a similar state of disaster in the data breach epidemic to spur similar change. Will we act now? Or do we have to wait until millions of us are being bribed, defrauded, burgled, or worse?

Tsion Gonen serves as Chief Strategy Officer for Gemalto's Identity and Data Protection Division. He is responsible for developing global business and product strategies, and identifying and capitalizing on emerging market trends within the information security market. Prior ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/24/2014 | 3:15:55 PM
Who will be the Cyber Ralph for data security?
My guess is the whisteblower will come out of financial services. It's doubtful that anyone will ever die from a data breach, but the idea of millions of people getting bribed, defrauded or burgled is something that is not seem particularly far-fetched. Thought anyone?
Bprince
50%
50%
Bprince,
User Rank: Ninja
11/24/2014 | 8:32:03 PM
Re: Who will be the Cyber Ralph for data security?
That is a good guess. I think retail is more on the minds of consumers/voters though. I think slowly but surely things are changing as awareness is growing. We've already seen attempts to improve data breach laws all over the country.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/25/2014 | 9:53:44 AM
Re: Who will be the Cyber Ralph for data security?
I hope there is not death because of data breaches. If it goes beyond what it is now that is not unimaginable. If they are able to attack electricity grids, or nuclear reactors that may result into more unexpected damages.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/25/2014 | 1:47:42 PM
Re: Who will be the Cyber Ralph for data security?
You would think that the general public would be outraged (and frightened) about how insecure our public infrastructure actually is. But I think that is an area where people show the least concern of all...
ODA155
50%
50%
ODA155,
User Rank: Ninja
11/25/2014 | 4:13:41 PM
Re: Who will be the Cyber Ralph for data security?
@Marilyn Cohodas,... "a cyber Ralph Nader"... yes, I like that , but you know what would really be cool... a Cyber Wyatt Earp! Someone to clean it up! An agency charged AND empowered to wear two hats... one to get after the bad guys (by any means available) who make a living breaking into anything they consider to be worthy of targeting. And also to take whatever action necessary to "influence" business in this country to start taking this matter as serious as they take the bottom line at the end of the year. Give this person what she\he needs to make an impression on large corporate CEO's and without a doubt small business will fall in line. Make this person\position reportable to Congress and revisable by law so that it doesn't get too powerful or go stagnant. I would be nice if if this could be done at the private level, but as little faith that I have in our government with such things I have even less when it comes to letting business monitor itself, especially with something this serious, just look at PCI-DSS, when VISA & MasterCard themselves are fined, then there will be something there to build on, until then it's just a good start of "what can be".

I know htis is all "pie in the sky"... but a security guy can wish (no time to dream)... can't I?

 

Happy Holiday's Everyone!
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/25/2014 | 4:32:27 PM
Re: Who will be the Cyber Ralph for data security?
It's a great thought @ODA155. So far we have suggestion for Cyber Ralph, CyberWyattEarp and Cyber Eisenhower. Al good role models. (And Happy Thanksgving to you too!)
TsionG898
50%
50%
TsionG898,
User Rank: Apprentice
11/25/2014 | 5:50:11 PM
Re: Who will be the Cyber Ralph for data security?
Yeah, but wouldn't you agree Nader had the best sounding name of them all? :)
TsionG898
50%
50%
TsionG898,
User Rank: Apprentice
11/25/2014 | 5:54:31 PM
Re: Who will be the Cyber Ralph for data security?
I agree! I think the question has always been 'how big should the goverment role be?'. I personally think the goverment should get more involved. And put down regulations that really push companies to do more than what they'd like to. Just like the goverment did other things to save lives...I remember when I was forced to put on a seat belt... I didn't like that first also. 
tjgkg
50%
50%
tjgkg,
User Rank: Apprentice
11/24/2014 | 4:32:50 PM
This is not just a consumer problem
Data security goes beyond a consumer arena. Nation-states are hacking into banks, utilities, companies, military and this threatens our existence. We need more than Ralph Nader. We need someone like Eisenhower to run cyber security. It needs a military grade solution because in a war, this country could be brought to its knees by a small power that could never match us on the battlefield. The cyber-field is a different story.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
11/25/2014 | 9:56:05 AM
Re: This is not just a consumer problem
I agree, it requires different skill sets tough to protect us from cyber-security breaches. We always think security as a defensive approaches, we ned to get out of that mindset and become more proactive and maybe offensive at the same time.
Keith Graham
50%
50%
Keith Graham,
User Rank: Author
12/2/2014 | 11:48:28 AM
Re: This is not just a consumer problem
Further to tjgkg's point, it really does go beyond the consumer arena. One concern we should have IS the loss of life as a result of a breach, and I don't just mean in terms of damage to public infrastructure (like nuclear power facilities, or natural gas processing plants), which I think is much less likely, but at time of war. As a basic example, some nation state actor with the capability of compromising military and government systems could prevent the use of kinetic weapons in response to a kinetic attack, and entirely undermine our defenses. We shouldnt kid ourselves that these capabilities do not exist, or are not being developed. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/2/2014 | 1:20:42 PM
Re: This is not just a consumer problem > Vs time of war r
@Keith Graham, I would assume that our military has a strategy in place against the kinetic attacks that you mention. At least I hope so. Am I being naive? 

Keith Graham
50%
50%
Keith Graham,
User Rank: Author
12/2/2014 | 1:42:35 PM
Re: This is not just a consumer problem > Vs time of war r
@Marilyn Cohodas, I would hope so too! I guess we're beyond the realms there of what is known in the public domain.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/25/2014 | 9:49:59 AM
Auto vs. computer
I know we had to go through regulations around auto industry, I am not sure it made us more secure or it made whole product more expensive and not high tech. I do not really want to compare auto industry to computer/information industry. I am basically in favor of secure and advanced automobiles, not only secure. You still have to user your arms, legs and head to drive a car. There must be an easier way to do it.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5524
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an attacker on the same network segment to execute arbitrary OS commands with root privileges via UPnP function.
CVE-2020-5525
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via management screen.
CVE-2020-5533
PUBLISHED: 2020-02-21
Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2020-5534
PUBLISHED: 2020-02-21
Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors.
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.