To err is human, to react without thinking is to compound the err
A thoughtful post at the NY Times, that deserves a better title: Hacked vs. Hackers: Game On <read>
The problem, Mr. Kocher and security experts reason, is a lack of liability and urgency. The Internet is still largely held together with Band-Aid fixes. Computer security is not well regulated, even as enormous amounts of private, medical and financial data and the nation’s computerized critical infrastructure — oil pipelines, railroad tracks, water treatment facilities and the power grid — move online.
After a year of record-setting hacking incidents, companies and consumers are finally learning how to defend themselves and are altering how they approach computer security.
If a stunning number of airplanes in the United States crashed tomorrow, there would be investigations, lawsuits and a cutback in air travel, and the airlines’ stock prices would most likely plummet. That has not been true for hacking attacks, which surged 62 percent last year, according to the security company Symantec. As for long-term consequences, Home Depot, which suffered the worst security breach of any retailer in history this year, has seen its stock float to a high point.
In a speech two years ago, Leon E. Panetta, the former defense secretary, predicted it would take a “cyber-Pearl Harbor” — a crippling attack that would cause physical destruction and loss of life — to wake up the nation to the vulnerabilities in its computer systems.
No such attack has occurred. Nonetheless, at every level, there has been an awakening that the threats are real and growing worse, and that the prevailing “patch and pray” approach to computer security simply will not do.
I agree that the problem is huge. We should hope that it does not take an attack like Pearl Harbor or 9/11 to change things. How would World War II have gone without Pearl Harbor – I suspect not much different. I am not a historian. I was not alive then, but overall our reaction to Pearl Harbor was on balance justified, appropriate, and successful. I do not think that 9/11 worked out that way, our wars “of choice” in Iraq and Afghanistan have yet to be successful, have been arguably unjustified and inappropriate as well. They certainly have been costly with no end in sight. When it comes to security, again the Patriot Act was a knee-jerk reaction, with every wishlist item of the security state fulfilled. It is questionable that the fortune and liberties we have sacrificed have been worth it or that all in all we are safer.
The goal should be to solve a problem of huge risk, without requiring a catastrophe, without attacking others, spending what is necessary and moving on.
That has happened once that I know of. It was called Y2K, a disaster avoided, a significant yet limited expense. Y2K was real, those warning about it in the late 1980’s were ignored for many years. The ultimate risk was overblown by the media, then when all went well we had years of poopooing the risk as overblown. For the record, I was a Y2K contractor for a bit over two years for three companies – I did small jobs that needed to be accomplished, where I was uniquely qualified. There were excesses. In fact, I helped save a client from a wasteful proposal. Yet overall we solved and prevented a problem that could have been avoided at a lower cost if more leaders had listened to those who warned us early. Even now, occasionally someone in a discussion will complain about “all the money computer programmers took home working on Y2K”, as if that caused our deficit. Yet, it is worth it to me, it to know that a real problem was avoided, despite the occasional uninformed criticism.
Yet as this article points out, we have already paid a huge, largely unrecognized price for Internet vulnerablity:
The Wake-Up Call
A bleak recap: In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. And in just the last week Sony Pictures Entertainment had to take computer systems offline because of an aggressive attack on its network.The impact on consumers has been vast. Last year, over 552 million people had their identities stolen, according to Symantec, and nearly 25,000 Americans had sensitive health information compromised — every day — according to the Department of Health and Human Services. Over half of Americans, including President Obama, had to have their credit cards replaced at least once because of a breach, according to the Ponemon Group, an independent research organization.
But the value of those stolen credit cards, which trade freely in underground criminal markets, is eclipsed by the value of the intellectual property that has been siphoned out of United States corporations, universities and research groups by hackers in China — so much so that security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked.
And this year, American companies learned it was not just Beijing they were up against. Thanks to revelations by the former intelligence agency contractor Edward J. Snowden, companies worry about protecting their networks from their own government. If the tech sector cannot persuade foreign customers that their data is safe from the National Security Agency, the tech industry analysis firm Forrester Research predicts that America’s cloud computing industry stands to lose $180 billion — a quarter of its current revenue — over the next two years to competitors abroad.
Finally, let us also not forget the twin risks of doing nothing and doing too much of the wrong thing, apply as Connecticut tackles our voting system which may have had a wake up call this November, but nothing like Pearl Harbor or 9/11. On 9/11, I had a temporary pass to enter the World Trade Center and had friends that worked there – what happened in Hartford on November 4th, and the Courant not getting all the results that night was no 9/11.
