When Will We Stop the Hackers?

Purposeful View: We need to declare war on hackers (by Walt Lapinsky, 12 June 2011)


In just the last couple of months, millions of consumers have had their credit card and other information stolen by organized groups of hackers, in some cases sponsored by governments. On June 8, Citibank disclosed the loss of information about 200,000 Citibank credit card customers. On June 11 the IMF was hacked, probably by a government. It is past time to make a concerted effort to stop these attacks and punish the perpetrators, whether they are criminal gangs or national governments.

We must stop treating these attacks as mere nuisances. They have a serious impact on the companies involved, and identity theft is not a “mere nuisance” to the person who has to, in some cases, spend years to reverse the negative effects on their personal reputation and credit rating. They also raise FUD (fear, uncertainty and doubt) about shopping in general and the Internet in particular. In today’s economy, this kind of dampening influence is exceedingly detrimental. In many cases, the people who had their credit compromised or their identity stolen were not using the Internet, but simply using a credit or debit card at their neighborhood gas station or local store.

What to do? We must start by treating hackers as what they are: terrorists. They are not petty thieves who should get their hands slapped and be sent on their way. They hide in foreign countries that make little or no effort to find and prosecute them. Why should they? These financial terrorists bring in lots of revenue.

There are three, probably not very popular, things that we believe should happen:

  1. Upgrade Payment Card Industry (PCI) Security Standards Council rules to embrace the Internet and the Cloud, not actively fight them. As they stand, every individual organization that handles or processes credit cards has individual responsibility. Of the organizations that suffered breaches of credit/debit card data in 2010 and should have been PCI-DSS compliant, 89% were not. But PCI-DSS compliance is not sufficient. I suspect that Citibank was compliant, but they were still hacked. In fact, 11% of those organizations with breaches were compliant. Many Cloud Service Providers (CSPs) have the infrastructure and, more importantly, the personnel, processes and policy to be much more secure than the average organization. In fact, the US Secret Service / Verizon RISK Team “2011 Data Breach Report” indicated that the Cloud was not implicated in any of the 2010 data breaches they studied. It is a lot less expensive and a lot more secure to have a few dozen CSPs providing security than to have thousands of individual organizations attempting it.
  2. Take a lesson from the FAA (Federal Aviation Administration): require full disclosure. As with airplane accidents, the goal is not to punish but to learn, so that others do not make the same mistake. Every data breach involving financial data should have an incident response team assigned to determine what happened, how it was corrected, and how to prevent it. That information then needs to be published. In some cases, changes should be mandated to be completed within specified time frames, and those updates then verified.
  3. One major problem with item 2 is that you don’t want to advertise how to cause a problem until it is fixed and the fix installed everywhere. The other problem is that it requires a lot of research sifting through a lot of technical data to determine the cause, the perpetrators, and the cure. Fortunately, there are organizations that are experts at sifting through lots of data, dealing with uncooperative governments, and keeping things secret: the US Department of Defense intelligence agencies. Unfortunately, these agencies do not necessarily have the confidence of the American people. I believe with the right oversight, however, they are the best organizations to lead this war.

Our view: we have to do something. If the Payment Card Industry itself won’t stand up, then our government should.

Comments? Questions? Contrary views? Some event we missed?
We welcome your feedback at talk@purposefulclouds.com

Purposeful Clouds helps companies assess and plan their best options for Cloud technology adoption, with before-the-fact consideration of contingencies, ROI, and further migration strategies. To discuss how we would be able to help you make the best decisions, contact us at info@purposefulclouds.com.
