The Biggest Cybersecurity Risk Is Not Identity Theft

The Sky News app has been hijacked by the Syrian Electronic Army

What would happen if a hacker edited a major news website to falsely report an anthrax attack in Times Square? Even if the site removed the story within minutes, it already would have been reposted and retweeted thousands of times. The misinformation likely would lead to crowded sidewalks, traffic accidents, overflowing hospitals, a plummeting stock market and other chaos.

A recently released PwC survey of 319 media executives found that 46 percent had experienced cyberattacks in the past year, up from 29 percent a year earlier.

Cybersecurity debates tend to focus on theft of personal information and cyberattacks that damage physical systems like electric grids. But there is less discussion about a very real threat posed by hackers who deface websites, apps and other sources to spread false information. Neither our legal system nor our private sector is adequately prepared to deal with such damaging acts.

Defacement received some attention when journalist Matthew Keys was convicted under the Computer Fraud and Abuse Act, the primary federal computer hacking law. Keys, a former employee of the Tribune Company, allegedly provided his login credentials to the hacking group Anonymous, which added some nonsensical words to a story on the Los Angeles Times’ website.

The Times removed the story about 40 minutes later, and the hack did not lead to the chaos that likely would have resulted from false reports of anthrax. Keys faces up to 25 years in prison, though he likely will receive a far shorter sentence when he is sentenced in January.

Advocates have blasted the Keys verdict as unfair and illogical. The Electronic Frontier Foundation wrote that the conviction demonstrates that the “CFAA is broken.” Via Twitter, Edward Snowden criticized the maximum sentence.

For a felony conviction, the statute requires a hack to cause at least $5,000 in losses, so the verdict hinged on the magnitude of the damage that Keys caused. On appeal, Keys likely will argue that the hack did not cause anywhere near $5,000 in damage, and the government will disagree.

The dispute demonstrates the uneasy fit between the CFAA and modern cybersecurity threats. The CFAA was passed in 1986, and does not explicitly address some of the most urgent and modern cybersecurity dangers, including website defacement. Indeed, Keys was charged under a provision of the statute that prohibits the knowing “transmission of a program, information, code, or command.”

U.S. laws can — and should — more directly and precisely address online defacement. The problem is too large — and potentially too destructive — to address it with an outdated law. Over the past few years, the Syrian Electronic Army, a group that supports Syrian President Bashar Hafez al-Assad, has defaced the websites and social media accounts of dozens of media outlets.

The frequency of the Syrian Electronic Army’s attacks demonstrates how easy it is to access and deface frequently viewed websites. If, instead of posting political messages, the hackers reported a nuclear bomb in Chicago, or a hijacking in Los Angeles, the result would be mass chaos.

Federal law should provide law enforcement with more precise and effective tools to prevent and punish website defacement. Website defacement should be a separate crime, with penalties that are more carefully tied to the actual damage that the acts have caused, or were intended to cause.

But the law is only part of the solution. News media, e-commerce companies, government agencies and other operators of frequently viewed websites have a duty to implement security measures that make it more difficult for hackers to deface the sites. Companies should guard their public-facing websites just as closely as they protect their internal data.

The frequency of website defacement — and the potential damage that such misinformation could cause — requires both the government and the private sector to take the threat more seriously in both their policies and practices.
Techcrunch: http://tcrn.ch/1H0S0rj

 
