Caught in a web of cyber insecurity

Is cyber insecurity gnawing at you? After a spate of online attacks that makes 2014 a candidate for year of the hack, this would be an understandable reaction. For citizens of the Information Age, deciding what to do with these anxieties is becoming something of a puzzle. It is not obvious how much time to devote to worrying or how far to take self-defence.

Consider all the unknowns. Are the systems we rely on really as full of holes as a piece of Swiss cheese, as it is starting to seem? Who are we supposed to fear: North Korea, the United States National Security Agency (NSA), a gang of Russian cyberthieves or the neighbour’s malcontent teenager? And what, in the final analysis, do we actually stand to lose?

The uncertainties stemming from data vulnerability are bewildering. And, along with the individual Internet users who are having trouble making sense of things, even Washington has struggled to find an appropriate response to a devastating hack of Sony Pictures Entertainment, which it has blamed on Pyongyang.

In other fields of conflict, procedures for defending against attack, yardsticks for measuring losses and protocols to follow in the wake of a breach are all well established. Not so in cyberspace.

It is not only that this is a new arena of conflict that is still waiting to be codified. This is a hall of mirrors in which things are not what they seem, where the spilling of secrets represents an absolute failure of trust and where the value of confidential data can depend as much on context as the nature of the underlying bits.

The wide range of cyberattacks that has hit the headlines in the past year shows the extent of this problem. Starting with the infiltration of the US retailer Target as the 2013 holiday shopping season swung into gear, others — including Home Depot and Staples — found that large numbers of customers’ credit card records had been stolen.

If potential financial loss was the extent of it, the level of risk and appropriateness of defences would be easier to assess. But the value of personal data is not always so obvious. How do you put a price on the pilfering of nude photos of celebrities from Apple’s iCloud?

Most people will probably feel that obscurity insulates them from the risk of such embarrassing episodes. But their online identities are still ripe for plucking. This year, eBay admitted to a hack in which the perpetrators acquired access to the email and street addresses, names and birth dates of no fewer than 233 million customers. At least the password information was encrypted.

Last month’s attack on Sony Pictures is the icing on the cake for hackers this year. Along with movie scripts and other sensitive corporate information, the email accounts of all the company’s employees were ransacked and the contents laid bare.

The recriminations have been sweeping, including public sniping between the entertainment company and US President Barack Obama over the appropriateness of bowing to foreign threats, after the company initially decided to scrap the screening of a movie satirising North Korea.

Some well-known figures in Hollywood attacked the studio for caving in, while others slammed the media for reporting on stolen corporate information. Sony eventually released The Interview online and to some cinemas. Studio executives have had their most sensitive communications exposed, from bitchy remarks about the talent to racially-charged comments concerning Mr Obama and discussions about ways to limit the growing power of Google. This looks like much more than the hackers could have hoped for.

COUNTER CYBERATTACK

Finding the right way to respond to such episodes — or even the right terminology in which to discuss them — is not easy. Those who see the hand of government at work invite the label “cyberwar”, though the perpetrators are often obscure. Even when offences can clearly be laid at the door of the state, most Information-Age offences stop well short of the level that usually leads to all-out combat.

However, Mr Obama’s description of the hack as vandalism also seemed to miss the point. As personal data are transmuted into the raw material of the information economy and are the essential stuff of an individual’s online life, protecting their integrity assumes greater significance.

The consequences when such data are stolen, publicly exposed or erased are only now starting to be understood. The spilling of secrets, as demonstrated by the Sony case and last year’s leaks about NSA Internet surveillance, brings an extra level of recrimination all its own.

Without a clearer way to assess the damage, it is hard to know how far to go in building defences or taking reprisals when things go wrong. By definition, defending against a cyberattack often means preventing the Internet from doing what it does best: Delivering anonymous packets of data to their intended targets anywhere around the world as quickly and efficiently as possible.

Hence the irony of the US asking Beijing to help prevent future cyberattacks emanating from North Korea, following the Sony hack. As the conduit through which Internet traffic from the secluded nation reaches the wider online world, China is in a good position to block the flow of malevolent bits. That is a power more democratic countries hope it will use sparingly.

The new threats posed by data insecurity, and the methods needed to overcome it, require a wider understanding of what is at stake and a fresh form of public discourse. Only then might the average citizen know how much to worry — and what the costs are going to be for getting a good night’s sleep. THE FINANCIAL TIMES

ABOUT THE AUTHOR:

Richard Waters is the West Coast editor for the Financial Times. His beat covers the technology industry.