Toto, I've Got a Feeling That We're Not in Kansas Anymore.

Management Summary: Compelling evidence now shows that we face a vastly more serious information security and privacy crisis than we confronted just several years ago. Considerable additional top management attention and markedly augmented resources are urgently needed to address this crisis.

That America is in serious trouble can firstly be shown by the April 2015 breach of computers at the U.S. Office of Personnel Management.[1]  That security breach resulted in personally identifiable information such as names, social security numbers, dates of birth, and addresses, being released for millions of people who had undergone military and government agency background checks. Not only does the breach pose a short-term risk of identity theft, but it will jeopardize U.S. undercover operations for a generation since those involved will be subject to blackmail, unexpected disclosure of their identities, etc. That one attack changes the balance of power between countries, alters the battlefield of international conflicts, and jeopardizes American competitiveness. That attack also points to the fact that computers and networks are the modern nervous system of our society, and they must be vigorously and effectively protected, if our now highly automated society is going to survive.

That the nation is now in a serious information security and privacy crisis can secondly be illustrated by the Sony Pictures Entertainment attack that took place on November 24, 2014.[2] As a result of that attack, a major corporation lost the use of over 3,000 computers and 800 servers. All connections to the Internet were shut off, including connections to other Sony units and third parties. The corporation was plunged into a pre-digital age of landline telephones and hand-delivered messages written with pen and paper. Not long after that, President Barack Obama declared a national emergency [3] and issued an executive order to deal with the “increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in part, outside the United States.”

In other words, the game has recently changed and nation states are now actively engaged in cyber-warfare, and both corporations and government agencies are at significant risk. While those seeking to make political points (aka “hacktivists”), those seeking to show their intellectual prowess (aka “hackers”), as well as those seeking to “make a buck” from crime such as identity theft (aka “ghosts”), are certainly still serious concerns, the attackers now include agents from well-financed nation states and operatives from sophisticated organized crime gangs. [4]

While there is unquestionably a wide variety of very powerful and versatile new security and privacy technology available, the fundamental issue behind information security and privacy problems that we now experience involves people. [5] The technology alone is not going to solve information security and privacy problems. Instead, management must devote additional attention to the risks that new information systems like the Internet introduce, and they must also allocate sufficient resources so that these same security and privacy problems can be adequately addressed. Top management now stands as the gatekeeper, holding the purse strings at organizations, and it is often blocking the work on information security and privacy that must be undertaken in order to adequately protect information systems, as well as the assets – both physical and intellectual – that these information systems control. Unfortunately, the prevailing incentive systems, such as quarterly bonuses paid for high profits, encourage top management to act in a penny-pinching manner, denying these essential activities both the top management attention and the resources that these areas must now receive. [6] 

Only by redesigning incentive systems, and by reorganizing the way that people work, so that both incentives and penalties compel the involved persons to behave in a manner that supports information security and privacy, will this crisis be brought under control. 

Notes

[1] Sanger, David E., “Hacking Linked to China Exposes Millions of U.S. Workers,” The New York Times, June 5, 2015; http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html (accessed January 31, 2016).

[2] Grisham, Lori, “Timeline: North Korea and the Sony Pictures Hack,” USA Today, January 5, 2015; http://www.usatoday.com/story/news/nation-now/2014/12/18/sony-hack-timeline-interview-north-korea/20601645 (accessed January 29, 2016).

[3] Exec. Order No. 13694, 80 Fed. Reg. 18077, 18077 (January 6, 2015); reflecting the serious problems in this area, one should note that President Obama has issued a total of five Executive Orders and Presidential Directives that authorize offensive and defensive actions in cyberspace. For details see Theohary, Catherine A., and Anne I. Harrington, “Cyber Operations in DOD Policy and Plans: Issues for Congress,” Congressional Research Service, January 5, 2015, p. 22; https://fas.org/sgp/crs/natsec/R43848.pdf (accessed March 17, 2016).

[4] Bergsman, Jeremy, “Information Risk – Do You Care Who’s Attacking Your Firm? Information Security Officers and Their Teams Should Collect Information on Who’s Attacking Their Firm, Rather Than Just How It’s Done,” CEB Blogs, May 13, 2015; https://www.cebglobal.com/blogs/information-security-do-you-care-whos-attacking-your-firm (accessed January 29, 2015).

[5] Parker, Donn B., “People are the Number One Problem for Computer Security: Some Suggestions for Control,” pp. 5-10, Computer Crime Digest, vol. 2, no. 6 (1984).

[6] Loveland, Gary, and Mark Lobel, “Cybersecurity: The new business priority,” PwC (PricewaterhouseCoopers), 2016; http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html (accessed January 29, 2016).