The Biggest Cybersecurity Risk Is Not Identity Theft

Uploaded on 2015-12-11 in TECHNOLOGY--Hackers, NEWS-News Analysis, FREE TO VIEW, TECHNOLOGY--Resilience

The Sky News app has been hijacked by the Syrian Electronic Army

What would happen if a hacker edited a major news website to falsely report an anthrax attack in Times Square? Even if the site removed the story within minutes, it already would have been reposted and retweeted thousands of times. The misinformation likely would lead to crowded sidewalks, traffic accidents, overflowing hospitals, a plummeting stock market and other chaos.

A recently released PwC survey of 319 media executives found that 46 percent said they had received cyberattacks in the past year, up from 29 percent a year earlier.

Cybersecurity debates tend to focus on theft of personal information and cyberattacks that damage physical systems like electric grids. But there is less discussion about a very real threat posed by hackers who deface websites, apps and other sources to spread false information. Neither our legal system nor our private sector is adequately prepared to deal with such damaging acts.

Defacement received some attention when journalist Matthew Keys was convicted under the Computer Fraud and Abuse Act, the primary federal computer hacking law. Keys, a former employee of the Tribune Company, allegedly provided his login credentials to the hacking group Anonymous, which added some nonsensical words to a story on the Los Angeles Times’ website.

The Times removed the story about 40 minutes later, and the hack did not lead to the chaos that likely would have resulted from false reports of anthrax. Keys faces up to 25 years in prison, though he likely will receive a far shorter sentence when he is sentenced in January.

Advocates have blasted the Keys verdict as unfair and illogical. The Electronic Frontier Foundation wrote that the conviction demonstrates that the “CFAA is broken.” Via Twitter, Edward Snowden criticized the maximum sentence.

For a felony conviction, the statute requires a hack to cause at least $5,000 in losses, so the verdict hinged on the magnitude of the damage that Keys caused. On appeal, Keys likely will argue that the hack did not cause anywhere near $5,000 in damage, and the government will disagree.

Federal law should provide law enforcement with more precise and effective tools to prevent and punish website defacement.
The dispute demonstrates the uneasy fit between the CFAA and modern cybersecurity threats. The CFAA was passed in 1986, and does not explicitly address some of the most urgent and modern cybersecurity dangers, including website defacement. Indeed, Keys was charged under a provision of the statute that prohibits the knowing “transmission of a program, information, code, or command.”

U.S. laws can — and should — more directly and precisely address online defacement. The problem is too large — and potentially too destructive — to address it with an outdated law. Over the past few years, the Syrian Electronic Army, a group that supports Syrian President Bashar Hafez al-Assad, has defaced the websites and social media accounts of dozens of media outlets.

The frequency of the Syrian Electronic Army’s attacks demonstrates how easy it is to access and deface frequently viewed websites. If, instead of posting political messages, the hackers reported a nuclear bomb in Chicago, or a hijacking in Los Angeles, the result would be mass chaos.

Federal law should provide law enforcement with more precise and effective tools to prevent and punish website defacement. Website defacement should be a separate crime, with penalties that are more carefully tied to the actual damage that the acts have caused, or were intended to cause.

But the law is only part of the solution. News media, e-commerce companies, government agencies and other operators of frequently viewed websites have a duty to implement security measures that make it more difficult for hackers to deface the sites. Companies should guard their public-facing websites just as closely as they protect their internal data.

The frequency of website defacement — and the potential damage that such misinformation could cause — requires both the government and the private sector to take the threat more seriously in both their policies and practices.
Techcrunch: http://tcrn.ch/1H0S0rj

 

« Microsoft Leads FBI Coalition To Destroy Botnet
Spies Want IBM’s Quantum Computer »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

HackRead

HackRead

HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends.

Spambrella

Spambrella

Spambrella provides email security with real-time threat protection. 100% SaaS (nothing to install)

FDM Group

FDM Group

FDM Group is an international Professional services company with a focus on IT. Services offered include Software Testing, and Information Security with a focus on operational security and compliance.

Association of Information Security Professionals (AISP)

Association of Information Security Professionals (AISP)

The Association of Information Security Professionals (AISP) represents the interests of information security professionals in Singapore.

Signal Sciences

Signal Sciences

Signal Sciences Web Protection Platform (WPP) provides comprehensive threat protection and security visibility for web applications, microservices, and APIs on any platform.

Smoothwall

Smoothwall

Smoothwall develop intelligent web filtering, Monitoring and security solutions designed to protect users worldwide.

authUSB

authUSB

authUSB Safe Door is a tool that provides secure access to the content of USB devices that circulate in organizations.

SmartContractAudits.com

SmartContractAudits.com

SmartContractAudits.com is the leading platform for finding companies providing smart contract auditing services.

Blockchain Solutions

Blockchain Solutions

Blockchain Solutions Limited is a technological One Stop Solution provider, for Blockchain technology.

LevelOps

LevelOps

LevelOps is an industry application security platform that tracks and develops your application security.

FireCompass

FireCompass

FireCompass SAAS platform helps CISOs & Security Teams in continuous risk assessment by mapping your attack surface and knowing the “unknown unknowns”.

META-Cyber

META-Cyber

META-cyber was founded by engineers with experience in process and control-protection to provide cyber security for industrial infrastructure.

Nagios

Nagios

Nagios is a powerful tool that provides you with instant awareness of your organization’s mission-critical IT infrastructure.

LimaCharlie

LimaCharlie

LimaCharlie gives security teams full control over how they manage their security infrastructure. Get full visibility, build what you want, control your data, get the security capabilities you need.

Cyclops

Cyclops

Cyclops is the first Contextual Search Platform for cybersecurity.

ARC Risk and Compliance

ARC Risk and Compliance

ARC Risk and Compliance is a consulting company comprised of a team of AML Specialists completely focused on anti-money laundering compliance and the technologies used to support compliance programs.