The Biggest Cybersecurity Risk Is Not Identity Theft

The Sky News app has been hijacked by the Syrian Electronic Army

What would happen if a hacker edited a major news website to falsely report an anthrax attack in Times Square? Even if the site removed the story within minutes, it already would have been reposted and retweeted thousands of times. The misinformation likely would lead to crowded sidewalks, traffic accidents, overflowing hospitals, a plummeting stock market and other chaos.

A recently released PwC survey of 319 media executives found that 46 percent said they had experienced cyberattacks in the past year, up from 29 percent a year earlier.

Cybersecurity debates tend to focus on theft of personal information and cyberattacks that damage physical systems like electric grids. But there is less discussion about a very real threat posed by hackers who deface websites, apps and other sources to spread false information. Neither our legal system nor our private sector is adequately prepared to deal with such damaging acts.

Defacement received some attention when journalist Matthew Keys was convicted under the Computer Fraud and Abuse Act, the primary federal computer hacking law. Keys, a former employee of the Tribune Company, allegedly provided his login credentials to the hacking group Anonymous, which added some nonsensical words to a story on the Los Angeles Times’ website.

The Times removed the story about 40 minutes later, and the hack did not lead to the chaos that likely would have resulted from false reports of anthrax. Keys faces up to 25 years in prison, though he likely will receive a far shorter sentence when he is sentenced in January.

Advocates have blasted the Keys verdict as unfair and illogical. The Electronic Frontier Foundation wrote that the conviction demonstrates that the “CFAA is broken.” Via Twitter, Edward Snowden criticized the maximum sentence.

For a felony conviction, the statute requires a hack to cause at least $5,000 in losses, so the verdict hinged on the magnitude of the damage that Keys caused. On appeal, Keys likely will argue that the hack did not cause anywhere near $5,000 in damage, and the government will disagree.

The dispute demonstrates the uneasy fit between the CFAA and modern cybersecurity threats. The CFAA was passed in 1986, and does not explicitly address some of the most urgent and modern cybersecurity dangers, including website defacement. Indeed, Keys was charged under a provision of the statute that prohibits the knowing “transmission of a program, information, code, or command.”

U.S. laws can — and should — more directly and precisely address online defacement. The problem is too large — and potentially too destructive — to address it with an outdated law. Over the past few years, the Syrian Electronic Army, a group that supports Syrian President Bashar Hafez al-Assad, has defaced the websites and social media accounts of dozens of media outlets.

The frequency of the Syrian Electronic Army’s attacks demonstrates how easy it is to access and deface frequently viewed websites. If, instead of posting political messages, the hackers reported a nuclear bomb in Chicago, or a hijacking in Los Angeles, the result would be mass chaos.

Federal law should provide law enforcement with more precise and effective tools to prevent and punish website defacement. Website defacement should be a separate crime, with penalties that are more carefully tied to the actual damage that the acts have caused, or were intended to cause.

But the law is only part of the solution. News media, e-commerce companies, government agencies and other operators of frequently viewed websites have a duty to implement security measures that make it more difficult for hackers to deface the sites. Companies should guard their public-facing websites just as closely as they protect their internal data.

The frequency of website defacement — and the potential damage that such misinformation could cause — requires both the government and the private sector to take the threat more seriously in both their policies and practices.
Techcrunch: http://tcrn.ch/1H0S0rj

 
