[Infowarrior] - Cybersecurity Researcher Takes On Internet Fear Factor

Richard Forno rforno at infowarrior.org
Sat Dec 23 13:37:15 EST 2006


(c/o pogowasright.org)

Cybersecurity Researcher Takes On Internet Fear Factor
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1166782004301

The Privacy and Data Protection Legal Reporter
December 26, 2006

The Privacy and Data Protection Legal Reporter spoke recently with professor
Fred H. Cate, distinguished professor of law and adjunct professor of
informatics at Indiana University, in Bloomington, Ind., about what he sees
as the hyperbole that, at times, overtakes the public discussion about ID
theft and electronic security. As the director of Indiana University's
Center for Applied Cybersecurity Research, Cate is a leading researcher and
consultant on issues such as phishing, consumers' use of passwords and
cybersecurity.

Privacy Reporter: In The Washington Post in October, you wrote that the
general public and lawmakers are developing an overblown and misplaced fear
about security breaches. Can you explain what you mean?

Cate: "Misplaced" is a very good word to reflect what is going on today.
This is not to say that the threat of identity theft isn't real, nor that
the impact for the people who really suffer from having their identities
stolen isn't terrible. But identity theft is not occurring with the
frequency we often hear about in the press; in fact, studies suggest it is
actually declining.

Look at the high-profile case of the theft of the laptop computer from the
Veterans Administration with information on 26.5 million veterans. Nobody
suffered identity theft. The laptop has been recovered with the data
untouched -- but only after weeks of hand-wringing, promise of impending
doom and a request to Congress to provide $160.5 million to cover the cost
of one year of credit monitoring for the veterans.

Privacy Reporter: Why are we hearing more about these types of theft if they
really are rare?

Cate: Some people have pretty obvious motives to jump on the issue, such as
if they are selling electronic security services. But others have
motivations, too. Politicians like the issue because it's fairly simple to
explain and to use to generate attention; then they can pass legislation to
"solve" the problem. The press likes the idea of millions of records and
billions of dollars of potential harm from runaway ID theft because that's
more exciting than run-of-the-mill fraud or the subtleties of changing fraud
patterns.

Privacy Reporter: You mentioned Congress. What do you think about the need
for a national privacy breach notification law? What about the state laws
now in place?

Cate: State notification laws have served some useful purposes by
embarrassing companies that now have to admit publicly when their systems
have been breached. To put it crassly, previously many companies did not
internalize the value of personal data that they are holding. When they lost
personal data, the companies were not hurt. Yet most companies did a far
better job of internalizing the value of the confidential corporate
information they are holding, and so they took stronger steps to protect
that data. So the notification laws have created an incentive to improve
data protection and housekeeping for consumer and employee information.

But these state notification laws have caused problems too. The public has
been inundated with notices where frankly little risk was presented and
where there was little they could do in any event. Moreover, some state
legislatures think they have solved the ID theft problem by passing these
laws, and that's all they have to do. To the extent that these laws are
leaving other problems unaddressed, this is a major concern.

Privacy Reporter: Well, what are those unaddressed concerns?

Cate: I see three issues: One that is here now, one that is clearly emerging
and one that is starting to emerge.

First, all the data we have now tell us that the biggest threat to our
personal information security is the people we know. It's the same with many
violent crimes. Most ID theft is committed by people you know. So laws that
focus on strangers -- such as notification laws -- actually misfocus our
attention. It would be better to tell people to lock up their checkbooks,
look at the balances on their bank statements and to look out for themselves
rather than to tell them to fear outsiders. Politically it's unfeasible to
say that, but there is a lot that individuals can and should be doing to
protect ourselves.

Second, I see a problem that's starting to emerge, and has arrived in some
sectors. This is phishing. But this problem is a lot broader than just the
fraud that gets people to expose some information about themselves. The
bigger problem is that there is little that industry can do right now to
stop it. This is dangerous because people are giving personal information
that can be used in so many damaging ways, and as people realize this, they
stop trusting the Internet and e-mail. When I get an e-mail from eBay now, I
just delete it, because I have no way of knowing if it's genuine. And more
and more people are starting to act the same way. The result is that this
very cheap, fast way to communicate is being undermined -- and that will
cost all of us a great deal of money and convenience if it's not solved.

The third thing is just starting to become a problem, but it's growing. This
is very organized fraud that uses "synthetic identities." ID Analytics
reported recently that it is seeing more of this, and chief security
officers at banks are reporting increased incidences. The idea is: Why
should a thief steal my identity to commit financial fraud? He doesn't know
if I have good credit. It is more profitable to just create a totally new,
"synthetic" identity and give it good credit and use it to perpetrate fraud.
And what's worse, this fraud can be perpetrated much longer because there's
no one whose identity was actually stolen -- so no one is filing a complaint
or report. This is a good example of where current legislation is not
helping to solve the problem. The FACT Act, through which we all can get a
free credit report once a year, won't catch synthetic identities.

Privacy Reporter: Given these many issues of concern, where do you see the
primary vulnerabilities?

Cate: It might sound obvious, but everyone is vulnerable. One interesting
question is to look at where the law places liability. Individuals are
almost never held liable for ID theft perpetrated against them, and that is
good. Congress has basically said that you won't be held liable personally.

Yet the vulnerability goes right to the heart of our digital economy.
Congress and the states have no idea how to address the problem. Because as
we move to faster and faster electronic commerce, fraud can move faster and
faster. Meanwhile, the law is always behind. Think about getting a mortgage
two decades ago, when you might have to visit the bank three times and then
wait for weeks for approval; but the [delays in the] system made it arguably
harder to commit fraud. Compare that to getting a loan to buy a new car in
10 minutes at a dealership today, but fraud is easier.

So if fear of phishing causes even a 3 percent or 5 percent reduction in
people's willingness to work online, that is huge as it is multiplied across
the economy. If we combine that impact with the more draconian scenarios for
false identifications, fake driver's licenses and so on, that can enable a
person to get onto an airplane or into a secure building, then we see an
impact that goes beyond financial.

Privacy Reporter: What's the solution to the problems you outline?

Cate: What worries me is that I don't see Congress appropriating money to
study and research these issues, and to fund others to study them. You might
expect the academic community to help, too, by advancing research. But this
has been inadequate.

Industry is struggling, too. In some situations, the problem is beyond their
control. For example, you can open a bank account by showing your driver's
license. But since driver's licenses can be easily faked, the bank can't
protect itself perfectly from fraud. Companies also face numerous other
financial priorities, and they also have the problem that they are
competitors in many arenas, but this is one where they need to cooperate.

I think there is potentially the need to re-engineer the Internet to address
some of these problems. We need to find ways for messages and packets of
data to be linked to specific senders or other sources. Similarly, we
probably have to rethink forms of identification so that they are more
reliable than drivers' licenses and more useful online.

Privacy Reporter: Tell us about your research and the work of the Indiana
University Center for Applied Cybersecurity Research. How are you tackling
these types of problems?

Cate: The Center addresses these issues in a number of ways. We conduct
research on fraud, such as phishing, to understand the problem today,
anticipate new types of attacks tomorrow and develop countermeasures. We
study how people use computers and how security tools, such as passwords,
can be designed to be more useful and reliable; it isn't just a question of
designing better mousetraps, but of making sure those mousetraps can be used
by real people. We do research on viruses and other forms of malicious code
and how they spread through networks. We examine threats to handheld
devices, computers in cars, home medical monitoring equipment and other less
traditional technologies.

The Center also does a lot of work helping to educate policymakers,
journalists, industry leaders and the public about identity theft and its
causes, steps we can take to protect ourselves and future threats. And we
help train the next generation of cutting-edge computer scientists, business
leaders, policymakers and others who will have to deal with cybersecurity
threats in the future.
