It’s hard to blog about technology these days and not talk about what has become known as Breachfest 2011, or—to put it plainly—the seemingly monumental increase in “hack attacks” and breaches of data privacy at some of the world’s biggest companies, governments, and organizations since the beginning of 2011.
Just to give a sense of the size and scope of this festival of cyber-barratry, check this Google doc spreadsheet compiled by CNET. The victims range from electronics/video-game-console maker Sony, to data security firm RSA, to Citigroup bank, to the Turkish government, to the International Monetary Fund—and many in-between. Those that are doing the hacking—from the group Anonymous of WikiLeaks fame, to an offshoot of Anonymous (most likely anyway, it’s really anyone’s guess) called LulzSec which has apparently recently called it quits, to who-knows-who-did-it—seem to have a variety of motivations, from the political to the whimsical. All one can say for sure is that there is suddenly a lot of talk about it all.
This up-tick in disclosure with regard to data theft and security compromises can be viewed many ways, depending on whom you’re reading. The mere volume of reputable news sources talking about The Hackers (yes, capital-lettered and grouped into one blob of computer-manipulators) gives one the impression that hacking—or the more politically motivated hacktivism—is surely on the rise, a “660% [increase] over the past five years” to quote one article. This, most would agree, is a bad thing.
The feel-good angle, however, is that by merely talking about these breaches, by making them public, these organizations and companies are being more transparent, more open about their security flaws. As some say, sunshine kills all blemishes. There was a time, no more than five to ten years ago, when publicly admitting that some of your client data was stolen meant a major loss in public and private confidence. It might just be that 2011 is the year this officially changes.
The coupling of mass media coverage and the mega-organization publicly admitting it has been hacked might have had its acceptance moment back in January 2010 when behemoth Google ran to the State Department with a finger pointed at China. Yes, the claims of cyberattacks against its digital infrastructure and the pressure to suppress free speech under Chinese law were unprecedented, but just announcing it and admitting that security was thwarted was also a bold move on Google’s part. In this case the do-gooder Google gained a friend in the State Department and (maybe, probably) the NSA. Naturally, this isn’t the first case where admitting a failure gained a corporation friends in high places.
Fast-forward to today, and people like attorney Lori Nugent, who is a breach specialist at the law firm Wilson Elser Moskowitz Edelman & Dicker, say that if a breach is handled well, “customer loyalty and your brand can actually improve.” The same article quotes one Michael Fox, a data-breach response specialist at the communications firm ICR Inc., stating that today, “There’s not as much of a stigma attached [to being hacked].”
The reasons for this shift are of course many. Probably first and foremost should be the public’s acceptance of these breaches. Maybe one random day you receive a new debit card in the mail from your bank with a letter explaining that they had a data security issue and, for good measure, they wanted to replace your card for your safety. At some point this practice used to elicit fear and uncertainty about one’s information; today it could happen a couple of times a year on average. Also, some of the hacker operations have been quite impressive, even to the uninformed—like this recent Citigroup hack, which reportedly cost customers somewhere in the ballpark of $2.7 million. Add this to the reliance a growing number of countries have on their digital dealings, and suddenly being hacked or having your personal information stolen is an everyday—yet still a very abstract—thing.
So is Breachfest 2011 really reflective of the increasing sophistication of hackers, or is it more a sign that it’s become publicly acceptable for companies/governments/organizations to admit that they’ve been hacked? Probably both, but it is interesting to note the shift in attitude, summed up nicely, again, by ICR Inc.’s Michael Fox: “Breaches are increasingly viewed less as a weakness on the part of the company and more as the sophistication and relentlessness on the part of the hackers.”
On one side there’s an increase in transparency, entities admitting breaches in an attempt to heighten the stakes and the visibility of the attacks. On the other is a vaulting of the hacker, armed with increasingly capable tools and an evolving ecosystem of crime with many ways to play. One side can’t build security walls fast enough; the other only needs a single crack to gain access, or to show how weak a company’s or government’s digital security really is. Either way: Technology giveth, technology taketh away.
As the perception of cybersecurity evolves, it will be interesting to see how societies around the world respond. As public as these breaches are becoming, the true test remains public loyalty or, in some cases, the availability of alternative options. In the case of the first and second hacking of Sony’s gaming network, bank account and credit card numbers, as well as other private identification information, were stolen from almost 25 million people worldwide.
As of the last week of June 2011, Sony was claiming that over 90% of their customers have returned to the network. It could be that those customers had nowhere else to go to fulfill their online gaming needs. It could also be that they don’t really care. Either way, it’s hard to ask for robust security when a breach does little to shake your customer base.