Earlier this month, the Reliant Center hosted the Secure World – Houston conference, a cybersecurity conference that brings together many of the computer and information security specialists in the greater Houston area. As compared to last year, attendance appeared to be up a great deal. For computer security managers at some of the largest companies in town, this is their annual opportunity to sit down and chew on the issues that they are facing.
A top challenge for many of those folks is helping their bosses understand the tangible risks posed by cyber threats. Their job is to provide some sort of estimate of what might happen if things go wrong. What if a trade secret is stolen? What if the network is down for a week? What if? What if? There are endless possibilities as to what bad things might happen, but few answers as to how this boils down to something corporate boards or shareholders need to think about.
This year, the cyber problem is increasingly hitting home for organizations both big and small. That last point is important. Cybercrime, i.e. theft and fraud, is growing rapidly. Depending on what figures you consider, it is probably bigger than the crystal methamphetamine business. And it’s not just the big guys, Google, Citibank or any other members of the Fortune 100 that are being attacked. Actually, the big guys are getting better at tightening up their defenses, so, as a result, the wilier cyber thieves are moving on to smaller operations. Thus, the idea that “Mom and Pop” shops are not at risk probably does not hold true any longer. While big banks or other large corporations may work to run down those who steal from them, the little guys may not have the capacity to do the same thing. Since the bad guys are smart, they will likely steal a little bit from many at almost no risk, rather than chase after a big score.
One policy issue addressed at the Secure World conference is the problem of what to do with those who abuse their network privileges to do harm and how those individuals will be punished. John O’Leary, who has been raising awareness on cybersecurity for more than 20 years (when we were calling it computer crime), examined the case of Gabriel Murillo and Kartik Patel, two Los Angeles city engineers who manipulated the city’s traffic signals in August 2006. Basically, they swiped their managers’ passwords and backed up traffic at four major intersections across town. They did not make all the lights turn green, something that is prevented by an electro-mechanical safeguard, but reversed signaling, so the main thoroughfare would have a green light for a few seconds and then go red for several minutes. So these public servants tampered with the city’s traffic lights and caused increased traffic mayhem in a city already famous for its congestion problems. They were arrested, indicted and convicted of a felony charge, which the pair then pleaded down to a misdemeanor. Their final sentencing, handed down last week – 240 hours of community service and a $6250 fine for each. And yes, they are still on the job.
So for all of our concern and interest on cybersecurity, we are a long way from where we want to be. Today it’s easy to make a buck doing cybercrime. It’s hard to get caught. And when someone does get caught, it’s a slap on the wrist for them. Now there are many “Electronic Pearl Harbor–Cyber Katrina” fear mongers out there, and that’s not helpful, but risk is a game of knowing how not to either over-react or under-react. The big picture: As a society we’re still under-reacting, and the security professionals themselves are still going overboard. Now’s the time to bridge that gap.
Christopher Bronk is the Baker Institute fellow in technology, society and public policy. He previously served as a career diplomat with the United States Department of State on assignments both overseas and in Washington, D.C. His Feb. 12, 2009, op-ed in the Houston Chronicle, “In new federal legislation, a victory for cybersecurity,” discussed steps federal lawmakers are taking to address cybersecurity.