Punishing cybercriminals might be more effective than beefing up security systems
Jo-Ann Huang, freelance writer
Illka Gobius, managing director, PINPOINT PR
Cybercriminals need to face legal repercussions that would deter them from committing the crime in the first place
As the lines blur between computers, software and things, protecting an entity from security threats shouldn’t depend solely on deploying protective software. Punishing the criminals themselves could be a better deterrent.
Turing Award winner Professor Butler Lampson, Technical Fellow at Microsoft and adjunct professor at MIT, has long argued that for any given investment in preventative measures it is impossible to measure the degree of security obtained, or the consequences of less-than-perfect security. When the benefits are uncertain, spending flows to whatever returns visible benefits.[1]
In a presentation to participants at the 2015 Cyberforum[2], Professor Lampson said that there has not been much evidence of actual harm from cyberattacks. From a security standpoint, we can ‘secure something simple very well’ and we can ‘protect complexity by isolation and sanitisation’, but what we can’t do is ‘make something complex secure’, ‘make something big secure’ or even ‘keep something secure when it changes’. We can’t even ‘get users to make judgments about security’.
A veteran of the computing industry, Professor Lampson is credited with co-creating the Xerox Alto in 1973, considered the world’s first personal computer. As a Technical Fellow at Microsoft Research, he works on improving security, privacy, fault tolerance and other properties that matter in computing today.
In 2004, in his paper Computer Security in the Real World[3], Professor Lampson observed that most disruptions caused by cybercrime are minor, and that companies judge the high cost of setting up security to be unjustified by the damage actually done.
Twelve years later, things haven’t changed radically. According to The State of Cybersecurity and Digital Trust 2016 report by Accenture and HFS Research, cybersecurity budgets are far from unlimited. The report surveyed senior and executive IT managers around the world who oversee, or are directly involved in, their companies’ cybersecurity infrastructure.
The report notes that 70 per cent of respondents cite a lack of, or inadequate, funding for cybersecurity technology or security talent, even though 64 per cent said that executive management regularly asks for updates on the companies’ cybersecurity systems.
Cyberattacks are getting increasingly complex
In December 2016, the CIA reported that the US presidential election had been targeted by hackers who stole confidential emails from the Democratic National Committee (DNC).
In October 2016, an unusual, coordinated distributed denial-of-service (DDoS) attack targeted Dyn, a company that provides managed DNS for Twitter, Amazon, PayPal, Spotify and others. Because DNS translates the names of these services into network addresses, many of them were unreachable for hours across the Americas while the attack lasted. The attackers used hundreds of thousands of internet-connected devices, such as webcams and digital video recorders, that had previously been infected with malicious code (the Mirai botnet), news agencies reported. Dyn said that the complexity of the attack was what made it hard to resolve, as the traffic came from millions of internet addresses.
Since writing his 2004 paper, Professor Lampson has argued for heavier punishments to deter cybercriminals. In the real world, he says, security is retroactive and about deterrence, not about locks. The cyber world should be no different, but on the internet it’s hard to find and identify the bad guys, so deterring them is not always feasible.
Moreover, for most companies, setting up effective security systems is unaffordable. Instead, Professor Lampson says, authorities should be tasked with ensuring that cybercriminal activity cannot and will not be tolerated, whether it comes from insiders or from external sources.
“Like any security, it is only as strong as its weakest link, and the links include the people and the physical security of the system. Very often the easiest way to break into a system is to bribe an insider,” Professor Lampson highlighted.
He suggests that, rather than requiring prevention, those who manage security should focus on reacting, thereby working on real problems instead of spending money on anticipation or possibilities. Deterrence needs punishment, and punishment in turn needs accountability.
End nodes, he illustrates, can enforce accountability. For example, if an entity receives messages that aren’t accountable enough, it can strongly isolate those messages, he says. The senders of those messages can be made accountable if you can punish them, whether fiscally, by ostracism, by terminating their employment or with jail time.
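The two ideas above, isolation for what cannot be vouched for and accountability for what can, fit together in a small routing policy at the receiving end node. The following is an added example written for this page, not code from Professor Lampson or from Microsoft Research: it treats a message as accountable only if it carries a valid authenticator from a sender registered in a local key registry, sends everything else to an isolated zone, and keeps an audit record naming the verified sender of each message admitted to the trusted zone. The sender registry, the shared secrets, the “green”/“red” zone names and the sample messages are all constructed for the example, and HMAC with pre-shared keys is an assumed stand-in for whatever authenticator a real deployment would use.

```python
"""Accountability-gated isolation for inbound messages (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Zone(Enum):
    GREEN = "green"   # trusted zone: full access to the end node's resources
    RED = "red"       # isolated zone: sandboxed, no access to local state


# Constructed registry of accountable senders: identity -> shared secret.
# Assumption: keys are provisioned out of band; a deployment could equally
# use public keys and signatures instead of HMAC.
SENDER_KEYS = {
    "alice@example.org": b"alice-secret-key-constructed",
    "payroll-service": b"payroll-secret-key-constructed",
}


@dataclass
class Message:
    sender: str            # claimed identity; unverified until the MAC checks out
    body: bytes
    mac: Optional[str]     # hex HMAC-SHA256 over (sender, body), or None


def _mac(sender: str, body: bytes, key: bytes) -> str:
    # Bind the claimed identity to the body so a MAC cannot be replayed
    # under a different sender name.
    data = sender.encode() + b"\x00" + body
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign(sender: str, body: bytes) -> Message:
    """Produce an accountable message (sender must be in the registry)."""
    return Message(sender, body, _mac(sender, body, SENDER_KEYS[sender]))


def accountable_sender(msg: Message) -> Optional[str]:
    """Return the verified sender identity, or None if the message is not
    accountable: unknown sender, missing MAC, or a MAC that fails to verify."""
    key = SENDER_KEYS.get(msg.sender)
    if key is None or msg.mac is None:
        return None
    expected = _mac(msg.sender, msg.body, key)
    # Constant-time comparison so verification does not leak MAC bytes.
    if not hmac.compare_digest(expected, msg.mac):
        return None
    return msg.sender


@dataclass
class EndNode:
    audit_log: list = field(default_factory=list)

    def route(self, msg: Message) -> Zone:
        """Choose the zone that handles the message and record the decision.
        The log is the accountability record: it names who put what into the
        green zone, which is what any later punishment has to rest on."""
        who = accountable_sender(msg)
        zone = Zone.RED if who is None else Zone.GREEN
        self.audit_log.append({
            "zone": zone.value,
            "sender": who,                      # None when not accountable
            "claimed": msg.sender,
            "digest": hashlib.sha256(msg.body).hexdigest(),
        })
        return zone


def demo() -> dict:
    """Route four constructed messages and report where each one landed."""
    node = EndNode()
    good = sign("alice@example.org", b"please approve invoice 42")
    anonymous = Message("nobody", b"click this link", None)
    # Forged: claims to be alice but was not produced with alice's key.
    forged = Message("alice@example.org", b"wire funds now", "00" * 32)
    # Tampered: valid MAC from payroll, but the body was altered in transit.
    tampered = sign("payroll-service", b"salary run: normal")
    tampered.body = b"salary run: double"
    return {
        "good": node.route(good).value,
        "anonymous": node.route(anonymous).value,
        "forged": node.route(forged).value,
        "tampered": node.route(tampered).value,
        "green_senders": [e["sender"] for e in node.audit_log
                          if e["zone"] == "green"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the genuinely signed message reaches the green zone; the anonymous, forged and tampered ones are all isolated, and the audit log ties the admitted message to a named, punishable sender rather than to a claimed name. The policy does not try to decide whether the red-zone messages are harmful, which is exactly the judgment the text says cannot be made reliably; it only limits what they can touch.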
Professor Lampson will be in Singapore to inspire young scientists at the Global Young Scientists Summit 2017, from 15 to 20 January 2017.
[1] S. Lipner and B. Lampson, Risk Management and the Cybersecurity of the U.S. Government, https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf
[2] B. Lampson, Resilience (slides for the 2015 Cyberforum), http://research.microsoft.com/en-us/um/people/blampson/Slides/Resilience%20slides%20for%20Cyberforum.pdf
[3] B. Lampson, Computer Security in the Real World, http://research.microsoft.com/en-us/um/people/blampson/64-SecurityInRealWorld/Acrobat.pdf