The Biggest Cybersecurity Risk Is Not Identity Theft

The Sky News app has been hijacked by the Syrian Electronic Army

What would happen if a hacker edited a major news website to falsely report an anthrax attack in Times Square? Even if the site removed the story within minutes, it already would have been reposted and retweeted thousands of times. The misinformation likely would lead to crowded sidewalks, traffic accidents, overflowing hospitals, a plummeting stock market and other chaos.

A recently released PwC survey of 319 media executives found that 46 percent said they had received cyberattacks in the past year, up from 29 percent a year earlier.

Cybersecurity debates tend to focus on theft of personal information and cyberattacks that damage physical systems like electric grids. But there is less discussion about a very real threat posed by hackers who deface websites, apps and other sources to spread false information. Neither our legal system nor our private sector is adequately prepared to deal with such damaging acts.

Defacement received some attention when journalist Matthew Keys was convicted under the Computer Fraud and Abuse Act, the primary federal computer hacking law. Keys, a former employee of the Tribune Company, allegedly provided his login credentials to the hacking group Anonymous, which added some nonsensical words to a story on the Los Angeles Times’ website.

The Times removed the story about 40 minutes later, and the hack did not lead to the chaos that likely would have resulted from false reports of anthrax. Keys faces up to 25 years in prison, though he likely will receive a far shorter sentence when he is sentenced in January.

Advocates have blasted the Keys verdict as unfair and illogical. The Electronic Frontier Foundation wrote that the conviction demonstrates that the “CFAA is broken.” Via Twitter, Edward Snowden criticized the maximum sentence.

For a felony conviction, the statute requires a hack to cause at least $5,000 in losses, so the verdict hinged on the magnitude of the damage that Keys caused. On appeal, Keys likely will argue that the hack did not cause anywhere near $5,000 in damage, and the government will disagree.

Federal law should provide law enforcement with more precise and effective tools to prevent and punish website defacement.
The dispute demonstrates the uneasy fit between the CFAA and modern cybersecurity threats. The CFAA was passed in 1986, and does not explicitly address some of the most urgent and modern cybersecurity dangers, including website defacement. Indeed, Keys was charged under a provision of the statute that prohibits the knowing “transmission of a program, information, code, or command.”

U.S. laws can — and should — more directly and precisely address online defacement. The problem is too large — and potentially too destructive — to address it with an outdated law. Over the past few years, the Syrian Electronic Army, a group that supports Syrian President Bashar Hafez al-Assad, has defaced the websites and social media accounts of dozens of media outlets.

The frequency of the Syrian Electronic Army’s attacks demonstrates how easy it is to access and deface frequently viewed websites. If, instead of posting political messages, the hackers reported a nuclear bomb in Chicago, or a hijacking in Los Angeles, the result would be mass chaos.

Federal law should provide law enforcement with more precise and effective tools to prevent and punish website defacement. Website defacement should be a separate crime, with penalties that are more carefully tied to the actual damage that the acts have caused, or were intended to cause.

But the law is only part of the solution. News media, e-commerce companies, government agencies and other operators of frequently viewed websites have a duty to implement security measures that make it more difficult for hackers to deface the sites. Companies should guard their public-facing websites just as closely as they protect their internal data.

The frequency of website defacement — and the potential damage that such misinformation could cause — requires both the government and the private sector to take the threat more seriously in both their policies and practices.
Techcrunch: http://tcrn.ch/1H0S0rj

 

« Microsoft Leads FBI Coalition To Destroy Botnet
Spies Want IBM’s Quantum Computer »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Codified Security

Codified Security

Codified is a testing platform for mobile application software. We make it easier than ever for companies to detect and fix security vulnerabilities and ensure their applications are compliant.

TechArch

TechArch

TechArch helps customers to optimize their investments in cybersecurity by providing them independent and vendor-neutral consultation and guidance.

Arctic Wolf Networks

Arctic Wolf Networks

Arctic Wolf Networks delivers the industry-leading security operations center (SOC)-as-a-service that redefines the economics of cybersecurity.

Blockchain Solutions

Blockchain Solutions

Blockchain Solutions Limited is a technological One Stop Solution provider, for Blockchain technology.

Quantum Xchange

Quantum Xchange

As the provider of unbreakable quantum-safe encryption, Quantum Xchange gives commercial enterprises and government agencies the ultimate defense to keep high-value data safe.

Infosequre

Infosequre

Infosequre builds up your security awareness culture and turns your employees into the first line of defense against cyber risks.

CybrHawk

CybrHawk

CybrHawk is a leading provider of information security-driven risk intelligence solutions focused solely on protecting clients from cyber-attacks.

Wontok

Wontok

Wontok deliver innovative value-added data security services that fill the gaps left in traditional security solutions.

Darkscope

Darkscope

Darkscope is an award-winning personalised cyber intelligence service provider. Our cutting-edge AI and Deep Artificial Neural Networks lead the world of cyber intelligence solutions.

Stryve

Stryve

Stryve is a leading carbon-neutral provider of specialist cloud and cybersecurity services in Europe.

Womble Bond Dickinson

Womble Bond Dickinson

Womble Bond Dickinson is a transatlantic law firm, providing high-quality legal experience and outstanding personal service from key locations across the United Kingdom and United States.

ThreatNG Security

ThreatNG Security

ThreatNG is redefining external attack surface management (EASM) and digital risk protection with a platform of unmatched breadth, depth, and capabilities in thwarting technical and business threats.

Strivacity

Strivacity

Strivacity lets brands quickly add secure login and identity management capabilities to their customer-facing applications without tying up an army of developers or consultants to do it.

Chorus Cyber

Chorus Cyber

Chorus are a leading Managed Security Service Provider (MSSP), and member of the Microsoft Intelligent Security Association (MISA), with three Microsoft Advanced Specialisations in security.

Velaspan

Velaspan

Velaspan design, deploy, and manage enterprise wireless networks and cybersecurity solutions for leading businesses and brands.

CMD+CTRL Security

CMD+CTRL Security

CMD+CTRL Security is a pioneer in software security training. Industry-leading organizations rely on our training solutions to make software secure wherever it runs.