In 2013, we’ll have to make a choice: Either we acknowledge we're at war and push back hard, or we keep pretending nothing's wrong⎯and get snuffed.
In the coming weeks, as we've seen every year for the past six, there will be endless reports detailing the digital dangers and identity threats lurking in every corner of our highly networked universe. But allow me to ask a heretical question: To what end?
Despite grandiose pronouncements, identity theft, cyber warfare, and the death of privacy at the hands of hackers and hyper-marketers are barely on the public radar. Everyone gives lip service to their oh-so-serious concern⎯but except for industry players, technocrats, and a handful of politicians and consumer advocates, nobody really understands the dynamics of the situation. And few seemed moved to action.
Frankly, this situation is insane. Practically every day, someone flags risks and makes dire predictions⎯all deadly accurate, by the way⎯but unless there's a class action suit pending, or an entire grid in darkness, no one gives a damn. Check your credit report? Only one out of five really do. Encrypt your database? “Encryption is hard.” Friends, the barbarians are no longer at the gate, they're in our homes eating off our best china⎯yet we can't be inconvenienced with dealing with them. The signs of things to come are everywhere⎯but like a man crossing a highway blindfolded, we refuse to see what's coming.
This year the situation must change. For the next few minutes, I invite you to take off the blindfold and look reality right in the eye.
A domestic war is being waged both here and abroad against our people, our economy, our institutions, indeed, our way of life. But until we take that seriously and respond strategically, we're in for a serious can of whoop-ass. Even a fool can see where the enemy is headed, but for some reason the cavalry doesn’t seem up to the task of heading them off. As with all things in Washington and corporate America, folks are talking the talk, but few are walking the walk.
Here are a number of battlegrounds where the fighting will be fiercest in 2013:
Mobile devices. That smartphone in your pocket is one mother of a data storage device, and it has a bull’s-eye on its back. We use them to communicate our most intimate (and sometimes highly inappropriate) thoughts, figure out where we are, telegraph our next move, as well as check bank balances, deposit checks, even file taxes. There's a gold mine behind that touch screen. Users may not realize how exposed their data is (I dare say most don't use password-protection or remote data-wiping in case of loss), but criminals know the weak spots, and they're making mobile exploits a high priority.
One scenario to watch for: a malicious programmer sneaks a malware-bearing app past iPhone gatekeepers (malware champ Android already has more bad apps than you can shake a stick at), and millions of Apple users realize the honeymoon is over.
Note that Europe already suffered the first large-scale attack on financial accounts via mobile phones: Eurograbber, a mobile SMS keylogger scam that pumped 36 million euros out of 30,000 European bank accounts. Make no mistake, we're next.
The insider threat. These come in two flavors: duplicitous and duped. Either way, they're sleeping with the enemy. Compromising or turning an insider is a big win for criminals, providing a precious pipeline to account info, network passwords, or a company’s deepest secrets. Infecting an outside (or inside) device used at work⎯mobile phone, tablet, laptop⎯by means of something as simple as an email can get keyloggers and other malware inside the firewall to infect other computers. The FBI warns of criminals targeting bank and credit union employees⎯and why wouldn't they? They've gone after folks at the most secure companies in the world already with spectacular results⎯just ask RSA and Lockheed.
Medical identity theft. Our push to digitize medical records and associated data ⎯ including identity, insurance, and financial information ⎯ has spawned system design flaws, sloppy data handling, and everything in between. The logistics of conversion has exposed risks and led to countless breaches⎯including data theft and/or loss by third-party contractors. No wonder electronic health records are a magnet for identity thieves⎯with potentially deadly consequences for victims, since medical identity theft can mean co-mingled medical records, magically changed blood types, disappearing allergies and looted insurance policies.
Malware, Malware, Everywhere. These days any would-be cyber-mercenary can play “infect your way to riches.” Be prepared for more sophisticated, undetectable, and untraceable malware available for low-cost purchase, rental, or lease from the underground purveyors of havoc. Now that botnets (like jet skis) can be rented by the hour, we'll also see more customer-facing networks crippled by denial-of-service attacks in 2013, as hackers distract and exhaust security teams to cover their own tracks.
Nonprofits and foundations. What's more delicious than an unencrypted database overflowing with wealthy donor data? Doubtless, several foundation or charities will face big breaches in 2013. Just don’t expect them to be so forthcoming with the details.
Debt collectors. After breaches of several debt collector databases expose records for hundreds of thousands of debtors (many who shouldn’t be in those files in the first place), public pressure will build for controls on collection agencies’ handling of clients’ data ⎯ including a requirement that breach response programs be in place before they can be bonded or licensed.
Infrastructure threat. Some facet of our critical infrastructure ⎯ perhaps the electrical grid, public transportation, air traffic control, banking, medical facilities, or some large bridge or tunnel ⎯ will suffer one or a series of cyber attacks, highlighting the ever evolving, highly dangerous cyber-war threat and the shared goals of enemy agents, cybercriminals and identity thieves.
Mega breaches of government data. South Carolina's “encryption is hard” data debacle showed how myopic and negligent a government can be. But don't assume politicians learned anything from it ⎯ though it brought the number of improperly accessed files in government custody to nearly 100 million. If anyone learned a lesson, it was the criminals, who will be emboldened in 2013 to revisit that poorly guarded well again and again.
Identity theft is big business, and the bad guys want to make this their most profitable year ever. So expect repeated, persistent attacks on government databases ⎯ followed by rage from a frustrated citizenry demanding (but not getting) action. Expect an increasing tidal wave of fraudulent business and individual tax returns and refunds filed by criminals in the names of legitimate taxpayers. And remember, criminals file early!
Data breach fallout. To confront the inevitable surge in attacks, 2013 should be the year of mandatory encryption, stringent security, and tough legislation holding negligent data stewards accountable; and “accountable,” dear friends, means doing hard time, not mouthing lukewarm mea culpas. I would prefer to say “will be” ⎯ but given the inability of Congress to agree on even the mundane, like the hour of the day ⎯ action seems unlikely. At this rate, we may be forced to rely on the ultimate regulators of our economic system ⎯ class-action attorneys.
Strategic realignment. When we are truly focused on this issue, a depressingly rare occurrence indeed, we are playing by an arcane set of rules in the face of a highly sophisticated, totally committed, stealthy, deadly, hydra-headed opponent who knows no rules of engagement.
To properly address this threat, nothing short of a Manhattan Project, or a renewed commitment to the kind of national effort that put a man on the moon will suffice. Complete cooperation, collaboration and communication among all levels of government, law enforcement, the business community, consumer advocates, individuals and the media must be achieved.
Taking the fight to the criminals is exactly what we must do ⎯ along with shoring up our corporate and individual defenses and demanding that our lawmakers take this fight seriously. This is war ⎯ and whether the attacks come from hackers in Latvia, agents in Beijing, a botnet stretched across the globe, or the quiet employee in the next office, the adversary is the same, as is the M.O. These guys have one more thing in common: They play for keeps. So should we. Perhaps 2013 will be the year we start to get it right.