American Freedom and Cyber Security
“We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. That to secure these rights, Governments are instituted among Men, deriving their powers from the consent of the governed, that whenever any Form of Government becomes destructive of these ends, it is the Right of the people to alter or abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness (Independence Hall Association, 1995).”
America was founded with these famous words of the Declaration of Independence. Public elementary education requires American children to learn of the Declaration of Independence and the Bill of Rights, as well as some other basic rules and regulations of government. It is important for citizens to understand their rights and their government. Some of these very simple rights, rules and regulations have been complicated by the widespread use of the internet and associated technology. The internet does not play by America’s rules but is governed by the very people who create, add, and contribute content in its billions of pages connected throughout the world. When that content is unlawful according to U.S. law, can a citizen be prosecuted? What about actions or content that crosses borders? Thus far the U.S. government has held some jurisdiction over internet content in relation to matters of intellectual property, computer security, information privacy, and freedom of speech. Many times, due to lack of knowledge, burden of proof, or jurisdiction, government is not successful in prosecution of internet-related crime or cybercrime (Brenner, 2006). The question remains as to what role the government should play in policing cybercrime. Is policing the internet in the best interest of the freedom of the people, or the safety of the people? The internet and new technologies connecting the world have brought about new opportunities and new ways of life. However, just as our forefathers felt it necessary to declare the rights of the people and the laws of the government during the founding of a brave, new world, so will Americans today have to rewrite some of those same rights and responsibilities to ensure the safety and happiness of the people in America’s new, connected world.
Threats to America’s Safety and Security
On September 11, 2001, multiple civilian airliners filled with innocent civilians were hijacked by terrorists and used as missiles to destroy some of America’s very critical political and economic structures and kill thousands of innocent civilians. Americans were in a panic over the safety of their homeland. Many blamed the government for not acting on earlier released intelligence reports that pointed to threats of this type. As a response to the attacks and the outcry from the public, President George W. Bush declared a war on terrorism inside and outside America’s borders. The Department of Homeland Security was founded to respond to terrorist threats and further protect the borders of America. Security policies resulted in a significant change to privacy laws per the U.S. Patriot Act, which allows the government “to conduct a search without notifying the subject that a warrant has been executed and monitor an individual’s movements on the Web upon showing that these movements are likely to be relevant to an ongoing criminal investigation (Himma, 2006).” The U.S. government has previously attempted to control pornography and hate speech on the internet through various laws, but all were found in violation of the First Amendment. Although the Patriot Act violates basic privacy rights, it also protects the safety and security of citizens. After the events of September 11th, the Patriot Act stayed intact despite complaints of breaches in privacy law. It seems safety and security have become more important than freedom in this case.
The Dangers of E-mail
Recent polls show that more than 80 percent of Americans have access to the internet and 92 percent of users use search engines and e-mail on a daily basis (Price, 2011). Compared to regular U.S. Postal Service mail, e-mail poses some serious threats to consumers, the biggest of which is exposure to phishing and malware attacks. PC World reports one in every 300 e-mails sent last year contained some elements of phishing, most pointing toward financial fraud. The Federal Bureau of Investigation (FBI) recently warned that cybercriminals were compromising e-mail accounts to request and authorize overseas wire transfers. Compromised legitimate e-mail accounts were also used by cybercriminals to trick banks into thinking a wire transfer had already been initiated. As of December 2011, the fraud amounted to 23 million dollars with an actual loss to victims of approximately 8 million dollars. How is the FBI to trace these criminals and prosecute them when many are using compromised accounts and are physically located in countries where the FBI does not have jurisdiction and the country in question may not have the necessary laws against such crimes (Olavsrud, 2012)?
Additionally, although the public is the biggest target of these scams, cybercriminals also target small and medium-sized businesses, which may not have the resources to practice robust cyber security. These smaller agencies have reported losses of up to $400,000 at one time, which is enough money to shut down a small or medium business. Jorge Rey, director, Information Security & Compliance with Kaufman, Rossin & Co., P.A., offers some tips for small businesses to combat cybercrime: understand the business’s liabilities with its financial institution, perform regular security assessments and audits, ensure anti-virus software is installed and up-to-date, use a dedicated computer for all financial transactions, utilize separation of duties for financial responsibilities, review banking records with scrutiny, and keep security in mind when reading and opening links in e-mails (Olavsrud, 2012). On the grounds that spam e-mail violates the First Amendment by spreading intentionally deceptive commercial speech, in 2004 Congress enacted the CAN-SPAM act which “prohibits transmitting multiple commercial e-mails with the intent to deceive and intentionally falsifying header information before transmitting commercial e-mails (Himma, 2006).” Although Congress had the best intentions, spammers are easily able to conceal their location, are most often located outside the U.S., and have yet to be prosecuted. Clearly the Department of Homeland Security and other government agencies are not prepared to combat such a large number of separate and different types of scams, and it is important for the private sector and businesses to be prepared to protect themselves and their customers.
Large enterprises such as Microsoft and Google have joined forces recently to combat e-mail scams from the source using new technology. Many of the phishing e-mails sent are masked as these big name businesses to entice consumers into providing their account information, passwords and credit card numbers. MSNBC News (2012) reports “Facebook, Google Inc. and Microsoft Corp. have joined with financial firms Bank of America Corp., Fidelity Investments and eBay Inc.’s PayPal to create a set of industry standards for preventing criminals from sending out spam emails that appear to come from corporate e-mail addresses.” The standards use a combination of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail. When a cybercriminal sends an e-mail to a partner member’s account (such as Yahoo or Google) claiming to be PayPal or Bank of America, the e-mail will not be properly authenticated and therefore will not be delivered to the intended recipient. However, if the e-mail is sent to a non-partner e-mail account, such as one at a small town internet service provider, the spam would reach its target. It’s not a perfect solution, but it’s a start in the right direction led by large industry members (Associated Press, 2012).
For those consumers and businesses not lured in by phishing, there is malware to contend with. Malware can be attached in the form of a clickable link in an e-mail or can be embedded in a search engine or a pop-up in an internet browser. According to the Sophos (2011) mid-year security report, during the first half of 2011, 19,000 new malicious URLs were found every day; a new URL every 4.5 seconds. The two most common malware threats are fake anti-virus software and search engine optimization poisoning. The fake anti-virus is a pop-up from a seemingly legitimate antivirus vendor claiming the victim’s computer has a virus. The victim then follows the link and is forced to pay for software to get rid of the virus. The payment then goes to the scammer and the victim is stuck with the malware and stolen credit card information. Last year the FBI caught a cyber gang selling the fake anti-virus software for $50 to $130 an instance. The gang had tricked nearly a million people, netting 72 million dollars (Sophos Ltd., 2011). Cybercriminals can also hack legitimate websites through weaknesses in software and use those websites to infect unsuspecting visitors’ computers. Malware is so dangerous because it allows cybercriminals to sneak in and take over a computer, many times completely unnoticed. Businesses and people store personally identifiable information and other important proprietary information on their computers. Losing this information can put their identity, finances or overall security in danger.
Threats from e-mail, search engines and the web are just a few examples of dangers in cyberspace. There are similar threats to mobile phones, tablet PCs, and social networking sites. The threats will only grow with the number of technologies and users connecting to the web. Although the U.S. government can continue to prosecute cyber criminals and gain expertise on cyber threats and mitigations, it is clear the threat is much larger than the government will ever be able to contain or control. It is up to the public to remain educated and work together with security professionals and government agencies to protect personal and business assets as best possible.
Another threat to all systems connected to the internet or connected to a private network is malicious security cracking (often mistermed hacking). Cracking is achieved by utilizing weaknesses in the security of a system to gain unauthorized access. Some agencies contract cracking experts to conduct penetration testing on their systems to identify security weaknesses before they are used for malicious cracking. Any time a computer is cracked, the system and information stored on the computer can be stolen or used to the criminal’s advantage. Many crackers come in undetected and then purposefully leave backdoors in the system in order to return at a later time when they are less likely to be caught or can do further damage. A wide variety of information is targeted during cracking incidents including research, business strategies, financial information, and client databases containing names, social security numbers, credit card numbers and other personal information (Gish, 2012). The U.S. Computer Crime and Fraud Act (18 U.S. Code Section 1030) authorizes fines and imprisonment of up to 20 years for, among other things, “knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing at least $5,000 in damage without authorization to a protected computer (Himma, 2006).” The losses to businesses due to cracking can be substantial. Sony reported a loss of $170 million in 2011 due to a crack on a single PlayStation. The Computer Security Institute reported single instances of cracking cost businesses anywhere from $600,000 to $7 million in one day (Gish, 2012). With these statistics it is clear that businesses need to have cyber security policies and procedures clearly defined for all employees and information technology support personnel. The U.S. state and federal government can help by providing best practices and by thoroughly investigating cyber crimes to determine how they could have been prevented and to bring criminals to justice where possible.
The thought that simply clicking the wrong icon on the web or in an e-mail can lead to identity theft or financial loss is nerve-wracking. The thought of the businesses Americans trust being cracked or losing personal and proprietary information is equally unsettling. In 1996, Barry C. Collin wrote, “This enemy does not attack us with truckloads of explosives, nor with briefcases of Sarin gas, nor with dynamite strapped to the bodies of fanatics. This enemy attacks us with ones and zeros (Jaeger, 2006).” Collin went on to list potential acts of cyberterrorists:
- Remotely changing the pressure in gas lines, causing valve failures, explosion, and fire
- Placing computerized bombs around a city
- Attacking future air traffic control systems to cause civilian jets to collide
- Remotely accessing the processing control systems of a cereal manufacturer to alter the formula and sicken children
- Disrupting banks and international financial institutions and stock exchanges, with resulting loss of confidence in the economic system
- Remotely altering formulas of medication at pharmaceutical manufacturers, resulting in ineffective or potentially harmful medications
- Shutting down the electrical grid, causing widespread chaos
When Barry Collin introduced the idea of cyberterrorism in 1996, his ideas may have seemed farfetched to the average American. After the attacks of September 11th, and as more and more people become victims of cybercrime, the threat of cyberterrorism quickly becomes a reality. The conclusion that Barry Collin made in his writing is very clear: “the cyber-terrorist will make certain that the population of a nation will not be able to eat, to drink, to move, or to live. In addition, the people charged with the protection of their nation will not have warning, and will not be able to shut down the terrorist, since the cyber-terrorist is most likely on the other side of the world (Jaeger, 2006).” The American government sees this same problem with cybercrime today in that it is very tough to trace, to track, to prove and to prosecute. No matter the laws and the severe consequences of being caught, the cyber-criminal has not been deterred.
Thus far, although there have been reports of cracks into U.S. water systems and FBI and Department of Homeland Security databases by computer “hacktivists,” there have been no events that have qualified as cyberterrorism. CBS News reported in 2011 that a hacker had sent an e-mail to CNET news, attaching detailed diagrams as proof that he had cracked a Houston water facility, just to prove how easily it could be done. He wrote:
“Basically, people have no idea what’s going on in terms of industrial control, groups like ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) are too slow/don’t have enough power to react to situations. There’s a lot of rubbish information out there that’s being treated seriously, etc. Lot of crap. So I’m putting information out there to show people what kind of systems are vulnerable to basic attacks. No damage was done to any of the machines; I don’t really like mindless vandalism. It’s stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the Internet,” he added. “I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of Simatic, as for how I did it, it’s usually a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces (Mills, 2011).”
The recent mischief by hacktivists does however show just how vulnerable America’s critical databases and infrastructures are to attack. Congress is currently working on a bill that would put the Department of Homeland Security in charge of regulating private companies in charge of critical infrastructures such as water, nuclear, electrical and power plants, 85 percent of which are controlled by the private sector. Representative Jim Langevin notes “We know voluntary guidelines simply have not worked. For the industries upon which we most rely, government has a role to work with the private sector on setting security guidelines and ensuring they are followed (Associated Press, 2012).” According to authors the bill is “intended to ensure that computer systems running power plants and other essential parts of the country’s infrastructure are protected from hackers, terrorists or other criminals. The Department of Homeland Security, with input from businesses, would select which companies to regulate; the agency would have the power to require better computer security (Associated Press, 2012).”
Cyber Security – A Unified Responsibility
System activity monitoring, e-mail phishing, malware infections, cracking, cyberterrorism – all are threats to America’s security, whether financially, structurally, socially, mentally, or physically. The thought of so many threats in our midst seems scary and out of control. Policing all of the worldwide activity on the internet isn’t realistic. The best chance of protecting Americans from cyber threats is for law enforcement, government, private and public enterprises to join forces and ensure businesses and governments are securing their resources using best practices, reporting and mitigating the latest threats, and engineering new ways to combat threats on a regular basis.
Information technology professionals can ensure they are educated on the latest threats and security practices and maintain the security of company and government systems by installing patches, monitoring system logs, and updating software on a regular basis. Businesses can share their experience and protection practices with the government and industry to help other, less experienced businesses learn what to do when an attack occurs and how to prevent one in the first place.
Government can ensure it is protecting its own resources in order to protect others. In 2002, the Federal Information Security Management Act (FISMA) mandated that “government agencies develop annual reports and risk assessments, configuration guidelines, continuity plans, security policies, and inventories of systems (Jaeger, 2006).” In 2003, most government agencies were near failing compliance with FISMA. A 2010 FISMA Executive Report for the Securities and Exchange Commission notes lack of documentation for deviations to desktop configurations, failure to terminate user accounts when no longer needed, failure to properly identify users prior to granting access to systems and excess privileges granted to users (U.S. Securities and Exchange Commission, 2011). In order for the government to provide guidance and protection to others, government entities must first protect themselves.
Individual citizens can do their part by reporting incidents and remaining educated on threats and mitigations. Higher education institutions can offer training and education and lead the way in studying new ways of securing technology and sharing that information with business and government (Jaeger, 2006).
America has a long way to go to ensure its citizens are safe from cyber crime. The reality may be that the goal of safety may never fully be achieved. Freedom, however, is maintainable for those that are willing to contribute to the greater good of the people. Everyone has a responsibility to make ethical and lawful decisions in their use of the internet and use of private and commercial computer systems; and to take responsibility for securing those systems from known threats. If a reasonable effort is made, the words of the Declaration of Independence, “Life, Liberty and the pursuit of Happiness…” can still hold true for years to come.
References
Associated Press. (2012, February 6). Bigger U.S. role against companies’ cyber threats? Retrieved February 25, 2012, from Shreveport Times: http://www.shreveporttimes.com/article/20120206/NEWS03/120206009/Bigger-U-S-role-against-companies-cyberthreats-?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE
Associated Press. (2012, January 30). Tech companies team up to combat email scams. Retrieved February 23, 2012, from MSNBC: http://www.msnbc.msn.com/id/46191126/ns/technology_and_science-security/t/tech-companies-team-combat-email-scams/#.T0aNTIcgd2A
Brenner, S. W. (2006). Cybercrime and the U.S. Criminal Justice System. University of Dayton School of Law, 10-11.
Gish, W. (2012). The Effects of Computer Hacking on an Organization. Retrieved February 24, 2012, from Chron: http://smallbusiness.chron.com/effects-computer-hacking-organization-17975.html
Himma, K. E. (2006). Legal, Social, and Ethical Issues of the Internet. In H. Bidgoli, Handbook of Information Security (pp. 74-75). Hoboken: John Wiley & Sons, Inc.
Independence Hall Association. (1995, July 4). The Declaration of Independence. Retrieved February 21, 2012, from US History.org: http://www.ushistory.org/declaration/document/
Jaeger, C. (2006). Cyberterrorism and Information Security. In H. Bidgoli, Handbook of Information Security (pp. 14-17). Danvers: John Wiley & Sons, Inc.
Mills, E. (2011, November 18). Hacker: I broke into water plant. Retrieved February 25, 2012, from CBS News: http://www.cbsnews.com/8301-205_162-57328066/hacker-i-broke-into-water-plant/
Olavsrud, T. (2012, February 16). 8 Tips to Defend Against Online Financial Fraud Threats. Retrieved February 23, 2012, from PC World Business Center: http://www.pcworld.com/businesscenter/article/250139/8_tips_to_defend_against_online_financial_fraud_threats.html
Price, G. D. (2011, August 9). New Internet Usage Statistics. Retrieved February 23, 2012, from infodocket.com: http://infodocket.com/2011/08/09/new-internet-usage-statistics-u-s-search-and-email-remain-most-popular-online-activities/
Sophos Ltd. (2011). Security Threat Report. Boston: Sophos Ltd.
U.S. Securities and Exchange Commission. (2011). 2010 Annual FISMA Executive Summary Report. Washington D.C.: U.S. Securities and Exchange Commission.