The Biggest Cybersecurity Risk Is Not Identity Theft

Uploaded on 2015-12-11 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Resilience

The Sky News app has been hijacked by the Syrian Electronic Army

What would happen if a hacker edited a major news website to falsely report an anthrax attack in Times Square? Even if the site removed the story within minutes, it already would have been reposted and retweeted thousands of times. The misinformation likely would lead to crowded sidewalks, traffic accidents, overflowing hospitals, a plummeting stock market and other chaos.

A recently released PwC survey of 319 media executives found that 46 percent said they had received cyberattacks in the past year, up from 29 percent a year earlier.

Cybersecurity debates tend to focus on theft of personal information and cyberattacks that damage physical systems like electric grids. But there is less discussion about a very real threat posed by hackers who deface websites, apps and other sources to spread false information. Neither our legal system nor our private sector is adequately prepared to deal with such damaging acts.

Defacement received some attention when journalist Matthew Keys was convicted under the Computer Fraud and Abuse Act, the primary federal computer hacking law. Keys, a former employee of the Tribune Company, allegedly provided his login credentials to the hacking group Anonymous, which added some nonsensical words to a story on the Los Angeles Times’ website.

The Times removed the story about 40 minutes later, and the hack did not lead to the chaos that likely would have resulted from false reports of anthrax. Keys faces up to 25 years in prison, though he likely will receive a far shorter sentence when he is sentenced in January.

Advocates have blasted the Keys verdict as unfair and illogical. The Electronic Frontier Foundation wrote that the conviction demonstrates that the “CFAA is broken.” Via Twitter, Edward Snowden criticized the maximum sentence.

For a felony conviction, the statute requires a hack to cause at least $5,000 in losses, so the verdict hinged on the magnitude of the damage that Keys caused. On appeal, Keys likely will argue that the hack did not cause anywhere near $5,000 in damage, and the government will disagree.

Federal law should provide law enforcement with more precise and effective tools to prevent and punish website defacement.
The dispute demonstrates the uneasy fit between the CFAA and modern cybersecurity threats. The CFAA was passed in 1986, and does not explicitly address some of the most urgent and modern cybersecurity dangers, including website defacement. Indeed, Keys was charged under a provision of the statute that prohibits the knowing “transmission of a program, information, code, or command.”

U.S. laws can — and should — more directly and precisely address online defacement. The problem is too large — and potentially too destructive — to address it with an outdated law. Over the past few years, the Syrian Electronic Army, a group that supports Syrian President Bashar Hafez al-Assad, has defaced the websites and social media accounts of dozens of media outlets.

The frequency of the Syrian Electronic Army’s attacks demonstrates how easy it is to access and deface frequently viewed websites. If, instead of posting political messages, the hackers reported a nuclear bomb in Chicago, or a hijacking in Los Angeles, the result would be mass chaos.

Federal law should provide law enforcement with more precise and effective tools to prevent and punish website defacement. Website defacement should be a separate crime, with penalties that are more carefully tied to the actual damage that the acts have caused, or were intended to cause.

But the law is only part of the solution. News media, e-commerce companies, government agencies and other operators of frequently viewed websites have a duty to implement security measures that make it more difficult for hackers to deface the sites. Companies should guard their public-facing websites just as closely as they protect their internal data.

The frequency of website defacement — and the potential damage that such misinformation could cause — requires both the government and the private sector to take the threat more seriously in both their policies and practices.
Techcrunch: http://tcrn.ch/1H0S0rj

 

« Microsoft Leads FBI Coalition To Destroy Botnet
Spies Want IBM’s Quantum Computer »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Identity Theft Resource Center (ITRC)

Identity Theft Resource Center (ITRC)

ITRC is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime.

DCL Search & Select

DCL Search & Select

DCL Search & Selection connect candidates to the best companies in the IT Security, Telco, UC, Outsourcing, ERP, Audit & Control markets.

Cyber Together

Cyber Together

Cyber Together is dedicated to advancing the cyber security industry by giving businesses access to Israel’s leaders, innovators and great minds in the field of cyber security.

NSHC

NSHC

NSHC is a provider of mobile security solutions, cyber security consulting and training, and offensive research.

MythX

MythX

MythX is the premier security analysis service for Ethereum smart contracts.

BrandProtections.Online

BrandProtections.Online

BrandProtections.online offer end-to-end customer support solutions to help protect against threats which may affect your brand online.

Bitcrack

Bitcrack

Bitcrack Cyber Security helps your company understand and defend your threat landscape using our key experience and skills in cybersecurity, threat mitigation and risk.

FortifyData

FortifyData

FortifyData is the next generation of cyber risk management–a comprehensive platform that continuously evaluates your third-party, internal and people risks.

Fifosys

Fifosys

Fifosys is a professional technology infrastructure specialist, delivering a broad portfolio of high quality technical and strategic managed services.

Nitrokey

Nitrokey

Nitrokey is the world-leading company in open source security hardware. Nitrokey develops IT security hardware for data encryption, key management and user authentication.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Convergence Networks

Convergence Networks

Convergence Networks is one of North America's leading Managed Services & Security Providers.

Sensity

Sensity

Sensity is a company that offers an AI-driven solution to detect and verify deepfakes and other forms of identity fraud.

Nova Microsystems

Nova Microsystems

Nova's mission is to revolutionize cybersecurity through continuous data analysis and dynamic AI-driven encryption.

CHERI Alliance

CHERI Alliance

CHERI Alliance is an industry initiative spearheading the global adoption of the Capability Hardware Enhanced RISC Instructions (CHERI) security technology across the computing industry.

Seamfix

Seamfix

Seamfix helps businesses and their customers globally to seamlessly create, verify and access trusted digital identities and services.