Cyber Security Needs Its Ralph Nader
It took thousands of unnecessary traffic fatalities to create an environment for radical transformation of the auto industry. What will it take for a similar change to occur in data security? By every metric, driving an automobile is far safer today than it was in the 1960’s, due to a combination of factors including government regulations and legislation, consumer awareness, and technology advances. The catalyst for all of this was one man: Ralph Nader.
Prior to 1965, car manufacturers had no real motivation to make safe cars because the cost of doing so did not justify the business benefits. But then Ralph Nader published Unsafe at Any Speed, a critique of the safety record of American automobile manufacturers. His advocacy injected the traffic fatality epidemic into the headlines, and a nation changed.
Although the UAE has put several measures in place to encourage motor vehicle safety – be it car insurance laws, stringent UAE Federal Traffic laws, speed monitoring cameras all over the country, or even the latest tailgating deterrent cameras – many consumers still don’t seem to get the memo.
What does this have to do with cyber security? Well, the current data breach epidemic looks similar to the conditions that existed in 1965 with automobiles. Even though breaches are widespread, they are easily overlooked and the prevention steps ignored by the potential victims. The value of the digital market in the Middle East and North Africa region is anticipated to reach $35 billion in 2015, and overall digitization initiatives could add $820 billion to the regional economy, generating 4.4 million jobs by 2020, according to a study by Strategy&.
Extensive digitization and the resources of the region make the MENA a striking target for widespread cyber-threats. Governments and large organizations in almost all substantial sectors of the region have already experienced impairment from cyber-attacks. Government reactions are often delayed behind the continuously changing threat landscape, and defensive measures are often circumvented or exploited.
In the Middle East, cybercrime is the second most common form of economic criminality reported with aggregate losses ranging between $1 million and $100 million annually according to PricewaterhouseCoopers’ 2014 Global Economic Crime Survey. Clearly, things need to change if we are to curb the data breach epidemic… but who will be cyber security’s Ralph Nader?
With automobiles, Ralph Nader exposed a hidden crisis and called on government to change the rules of the game for manufacturers. This resulted in rapid, comprehensive legislation that required manufacturers to design safety equipment into their automobiles.
Despite today’s fire-and-brimstone headlines about data breaches, the problem with cyber security is that nobody is feeling the pain of the problem. Consumers know their credit cards will be replaced and they will not be responsible for financial losses. Breached companies know their stock prices will bounce right back and consumers will continue shopping at their stores, and at worst they may have to fire an executive to meet the bar for “we’ve done something about this.”
And government regulations speak for themselves: they simply are not a prescription for security, and at this point, breach disclosure requirements do more to breed public apathy than outrage.
Some themes for Cyber Ralph to consider include:
Make citizens aware of their entire risk exposure. They may not care about having passwords, account numbers, or credit card numbers compromised, but they likely would care about their healthcare records, or travel plans being stolen and used for fraud, blackmail, or burglary. And they probably would care if they knew that this information may already be compromised – the breaches just haven’t been discovered yet. The need for seatbelt laws demonstrates that consumers likely will not change their behavior based on this knowledge, but it might bring about the legislation required to protect them.
Make breach disclosure laws more intelligent. Not all breaches are alike, and yet breach disclosure laws treat them that way. A breach of customer data that cannot be used to harm those customers is different from a breach of unencrypted financial numbers. And yet, current regulations do not make this distinction, and the media simply fixate on the “number of records stolen,” not the potential damage that could be done with what was stolen. (The Breach Level Index is an interesting approach to shedding light on this problem.) As a result, all breaches are treated the same, and consumers have stopped caring because they are never materially affected by the “8 billion records stolen” headlines.
Adopt modern, practical technology. The most obvious example of this is chip-and-PIN credit cards. Europe has used them for years and also adopted complementary technologies like wireless point-of-sale in restaurants to improve credit card security. Credit card data protection has evolved into a more robust phenomenon with the introduction of EMV (Chip&PIN), which has significantly lessened card fraud in MENA countries. Sensitive data is everywhere.
Protect what matters. In a climate of advanced threats and breaches, dense virtualization, evolving regulatory mandates, and accelerating mobility, enterprise data protection allows organizations to secure and control their sensitive information, wherever it resides. By using encryption, multi-factor authentication, and key management solutions enterprises can extend protection and ownership across the lifecycle of sensitive data, as it is created, accessed, shared, stored and moved. From the datacenter to the cloud, enterprises can remain protected, compliant and in control, no matter where their business takes them.
Do away with “shades of gray” penalties. Once we have effectively categorized breaches, we can separate out “secure” breaches (where the information stolen cannot be used to foment damage) from insecure ones. In cases where companies have done what they should to protect customer data (according to national standards), they can continue doing business unimpeded. Being at the forefront of cyber security, the UAE has already established an authority called The National Electronic Security Authority (NESA), which is the federal body set up to oversee the country’s cyberspace and implement a range of strategies, policies and standards to “align and direct national cyber-security efforts”. The companies that have not conformed to standards and experienced an insecure breach will have a grace period to bring themselves up to standards before they must cease operations.
This might seem Draconian – except the automotive industry experience shows us it creates a level playing field, and when we reduce things to a simple binary situation (you’re either in business or you’re not), all companies will choose to conform.
The tragedy of the automobile industry is that it took thousands of unnecessary traffic fatalities to create an environment where Ralph Nader could bring about radical change. One hopes that we do not need to reach a similar state of disaster in the data breach epidemic to spur similar change. Will we act now? Or do we have to wait until millions of us are being bribed, defrauded, burgled, or worse?