The Freakonomics blog assembled an interesting quorum on security. Industry heavyweights like Schneier weighed in on the following question:
Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?
Aside from Bruce there were opinions from folks at Imperva, IronKey, Aite Group, and BAE Systems – most of it decent. Some contradictory points, but get a bunch of folks to weigh in and that’s bound to happen. In something targeted to a mass market readership, some of these folks threw in the APT and PCI terminology. Seriously. Which really underscored to me how most security folks have no fracking clue on how to talk to a non-security audience. But that’s a story for another day.
Since I wasn’t invited into the quorum (sad panda), I figured I’d rant a bit on the question. So if the kind folks at Freakonomics invited me to participate (hint, hint), here’s what I’d say.
In general I have to agree with Bruce Schneier. There hasn’t been a huge spike in hacking. Sure, the number of data breaches is up, but the number of stolen identities is way down. The real change is the increased reporting on hacking. That’s right – security has finally come into your living room. And it’s a scary place for most folks.
For instance, a few months back the Anonymous hacker collective broke into the website of Westboro Baptist Church – on live TV. Unless you’ve been to the Black Hat conference or a similar technical forum, you probably haven’t seen a lot of computer attacks happen live. That was cool. It was newsworthy. So the media picked up on this hacking stuff.
Combined with the disclosure of previously off-limits information on sites like WikiLeaks and Pastebin, now you have real news. When the contact information of undercover Arizona police officers is posted on the Internet, or the tactics of The News of the World come to light, it’s going to make news. And it has.
We do have more visible attacks as well. When hackers take down Sony’s PlayStation Network for weeks, that’s newsworthy. Steal some plans for the Joint Strike Fighter, which happened a few years ago, and it barely makes news. Take down a multi-player game and all hell breaks loose. This is the world we live in.
We can talk about the increasing sophistication of the hackers (as a number of them did), but that’s crap. Most of these attacks have not been sophisticated at all. We can also talk about the laws requiring data breach disclosure, but that’s also crap. Disclosures have been happening for years, and this mainstreaming of hacking is much more recent.
Compounding the issue is the real-time media cycle. Combine anyone with a computer tweeting whatever they want with dimwit media outlets running with it without proper fact checking (or, often, even understanding what they’re saying), and you have a perfect way to game the system. We see it every day with the NFL labor negotiations. Some player – perhaps clued in but just as likely not – tweets something, and everyone thinks it’s gospel. Within seconds it’s broadcast on ESPN and NFL Network. It’s on TV so it must be right, right?
It’s not gospel. It’s not anything besides what’s always been happening. Now it’s in plain sight, and that’s uncomfortable for most folks. Especially the ones who find their corporate and personal secrets on public web sites.