One of the many pithy quotes attributed to Mark Twain is that “history does not repeat itself, but it does rhyme.” So, as I sipped my coffee reading the paper this morning, I noticed an article in the Washington Post that reminded me of just that – companies are no longer waiting for law enforcement to deal with hacking. They are “dealing with it” themselves.
Now, if you are from my generation, this conjures up movie visions of the lawless 19th century Wild West where the townsfolk are fighting off the merciless bandits with “vigilance” groups. No law enforcement to be found. The wrong guys, sometimes, get hanged. There is always a regretful scene at the bar and someone speaks the awful truth of what happened. Film ends. You go home justified in your safe feeling that the bad old days are gone and we now have reasonably effective law enforcement.
In the 21st century world of the Internet, this vigilance movement strikes me as a very dangerous game. Not only does it appear that private citizens or corporations are taking the law into their own hands, but equally they may not have a clue at whom they are shooting. Even with the most sophisticated tools, it is hard to tell from where a hack is coming. An attack gone awry and hurting some innocent is just not acceptable.
Some people have even suggested the US Government rely on an 18th century concept addressed in the Constitution – letters of marque and reprisal. This quaint practice was essentially used to recruit “sanctioned” pirates to fill out the ranks of navies. Blackbeard was a pirate sanctioned by the British to fight Spain and keep his treasure as reward. The new letters of marque advocates suggest we give companies a right to “counter hack” those who attack them under such an approval system. I can hardly wait to see the Department of Homeland Security and Congress dealing with that concept.
So what does this counter-hacking mean? It means people do not have faith that their government can do its job – protect them in their homes and businesses from Internet predators. Despite well-intentioned efforts by the Federal government, we have yet to fully crack the issue of security on an Internet never built to be secure. The days of open sharing are long gone. The days of security are not yet here.
So, solutions are hard in coming from a government tangled in privacy laws and the like. Still, a vast majority of Internet security problems boil down to individual cyber hygiene and cyber citizenship. Most hacks come from internal threats (your own people) and/or sloppy security done on the cheap. On the former, speaking as an old spy, this will always be a problem no matter what. Increased internal monitoring is the best you can do.
As for cyber citizenship, you need to change your passwords, be careful how you store them and stop skimping on security. Like it or not, when you get out of bed in the morning, you are engaging in risk management. Am I going to get hit by a truck if I go outside? I’ll take the chance.
What people do when they skimp on security is take a calculated risk – whether they are deliberately calculating it or not. Having weak systems leaves you more vulnerable. Period. Do your job as a cyber citizen and try to decrease your risk with better protection.
The government has shown it can’t be everywhere on the vast and expanding Internet. Ultimately, it is up to us to defend our systems as best we can. However, resorting to the ancient solutions of vigilantism and marques of reprisal is hardly the way of the 21st century. They belong in the movies and the history books. Well thought out and responsible security measures must be the order of the day.