You have probably seen the headlines about the largest-ever identity theft scheme that was just broken up by federal officials. The crime ring hacked into the databases of some of the U.S.'s largest companies (7-Eleven, Heartland Payment Systems, Hannaford Brothers and a couple of others that weren't named) and stole financial data (think credit and debit card information) on more than 130 million individuals.
Albert Gonzalez and two cohorts (who evidently stayed in touch by using instant messaging) would then turn around and try to make purchases or withdrawals with the information or sell it to other enterprising criminals. The scheme wasn't a one-time thing - it went on from Oct. 2006 until May of 2008 (here's the indictment). This means repeated intrusions into sensitive databases, which in theory should have been protected by the security machinations and experts of each company.
I wish this was just a one-time thing, but I am afraid it is simply indicative of what's to come. There are a lot of indicators that attacks are on the rise and they are getting more and more sophisticated (according to an Aladdin eSafe CSRT study in 2008, spyware was found to be doubling every month - and that's just one attack type). The network's ability to support so many different users, devices and applications and to extend the reach of all who use it also makes it a harder environment to control and protect. Mixed in with all the good that the network enables is bad and malicious traffic (such as Albert's SQL attacks and malware).
It is critical we do all we can to secure the network, particularly as more and more of our personal and professional business is conducted online - in the U.S. alone, there are estimates that the "ad-supported Internet" contributes $300 billion to the economy. As we increasingly rely on the network to do almost everything, from buying a home to finding a date, we need to have confidence in the fidelity of these activities, which requires all of us to take some responsibility for the overall network.
Individuals, businesses and governments alike need to play a role in trying to protect the information that flows over the network. However, we also all need to be realistic - nothing is totally secure. There are risks to the physical world (when you hand your credit card over to that waiter, who's to say they aren't going out back and making a copy... when you put your valuables in a safety deposit box, who's to say it can't be stolen in a bank heist), and there are risks to the digital one. We need to be aware of the risks, do what we can to mitigate them, and then understand that it's a process that's constantly evolving. As such, we need to have ways to effectively deal with breaches when they happen (and they will) and then, just as in the physical world, the vigilance and fortitude to seek justice.
This, in my mind, is why this identity theft case is so interesting - law enforcement was involved and committed to prosecuting the case. To date, that seems to be the exception rather than the rule. Only 60% of the respondents to the Computer Security Institute's annual survey said they attempted to identify the perpetrator of an attack on their network and only 27% actually reported incidents to a law enforcement agency of any kind (citing that the incidents were either too small, or they didn't think law enforcement could help, or they wanted to avoid negative publicity). This thinking has to change.
Companies need to be held accountable, but they also need to be able to disclose incidents without being unduly punished. We need to know about the risks and then take the precautions to do all we can to mitigate them. The responsibility is on all of us. We will only use the network if we trust it, and we are only going to trust it if we have a system in place that can protect and defend it. It is absolutely critical for the sustainability of the network that its security continues to evolve and keep pace with both the inventiveness of the hackers and the innovation of all its users.