This week President Obama announced new proposals to combat identity theft and safeguard everyone's online privacy. The announcement follows a series of incidents in the past year involving the hacking of websites and the exposure of sensitive consumer information. Most notably, the November cyber-attack on Sony, which exposed the company's corporate network, made international waves and is still being discussed and analyzed today. UMass Dartmouth Electrical and Computer Engineering Professor Lance Fiondella provides his initial thoughts on the President's proposals and on how "hacking" has become modern-day bank robbery.
What is your first impression of the President's proposals? Do they extend enough protection to the average consumer?
LF: There are notable protections for students to prevent use of data on academic performance that could be used to discriminate against them as they progress through their academic career. However, it is not apparent what the present business practices are that have motivated such protections. Consumer protection is a much broader issue and one for which there is no simple solution. Both businesses and consumers want the advantages that come with online services, but neither wants to be 100 percent accountable for violations of security. In the absence of strong legislation, consumers may be at a disadvantage.
Should we have been surprised that a company the size of Sony was hacked?
LF: It may not be such a great surprise that a company the size of Sony was hacked. Keep in mind that the larger a company is the larger its network is. This larger network may possess a larger "attack surface" for hackers to probe in search of entries. All it takes is one vulnerability to be discovered and exploited for the severity of a hack to elevate to a more serious scenario.
Do you think major companies and organizations are doing enough to protect sensitive information? How can they be more proactive in doing so?
LF: Major companies and organizations may not be doing enough to protect sensitive information. They may be doing more than smaller organizations, but security is one more cost to a business. In many cases, there is little motivation for a business to do more than maintain the status quo. Some tech companies have greater internal capability and maintain higher levels of security because of the nature of their services. Most organizations need to stay current by applying security patches for vulnerabilities discovered in the applications they use. However, discovering vulnerabilities before they are exploited is at least as complex as testing software to ensure it is free of bugs that could lead to application failure.
How can smaller, more local companies and agencies better protect themselves?
LF: Local companies need to rely on individuals within their organization to develop these skills. Alternatively, they can seek external security profiling services, but these can be expensive, and there is occasionally the perception that it is better to have in-house talent than an external consultant who can be contacted if security is breached. A longer-term strategy requires a more detailed combination of business and technology best practices. Larger, more capable entities can protect themselves better. For example, Federal Reserve Banks have large and highly trained cybersecurity units, whereas local banks have a smaller number of computer security professionals on their staff. Documenting the practices of larger organizations could provide greater guidance to smaller companies in the same or a similar line of business.
"Cyber attacks" and "hackers" have garnered significant mainstream attention in the past year. Do you think there is misinformation out there as to the size and scope of the issue?
LF: Movies have glorified hacking in several ways that tend to glamorize the process. Most hackers have an education in computer science or computer engineering or are self-educated. They possess knowledge of programming, operating systems, and other low level concepts that go into the design of a computer and the software that runs on it. A progressive goal of cybersecurity is to protect citizens from those who would seek to disrupt services we depend on. To assure the resilience of our cyber-infrastructure, more individuals need to major in these topics. They would certainly be compensated for their efforts. The average starting salaries for computer security positions are higher than the overall average for the discipline and the Commonwealth of Massachusetts ranks near the top of the list nationally when it comes to vacant positions. The demand is there for those willing to educate themselves.
Do we live in the world where anyone with a computer is a potential hacker?
LF: Anyone could become a hacker. Some of the best hackers do what they do to expose the vulnerabilities in critical systems so that these vulnerabilities can be closed before they are exploited. Others hack for a range of criminal intentions. Ultimately, the question is why people do it, and the answer seems obvious. In many cases, it is a lucrative way to obtain money. It is essentially modern-day bank robbing and so much more, because of all of the kinds of information that are processed online.
About Lance Fiondella
Lance Fiondella joined the Department of Electrical and Computer Engineering in 2013. Prior to joining UMassD, he was a postdoctoral fellow in the School of Mathematical and Geospatial Sciences at the Royal Melbourne Institute of Technology (RMIT) in Australia. He conducts research in the areas of software and system reliability and risk. He has published over 65 peer reviewed journal and conference papers on these topics. His research is supported by the United States Department of Homeland Security.