If I had to sum up the 2019 RSA Security Conference in three key words they would be: trust, cybercrime, and victims. Let’s start with trust. Here’s how the opening keynote of the conference was reported: “To avoid a potentially cataclysmic future reality, RSA Security President Rohit Ghai sees a future that requires a strong trust landscape” (eWeek).
This message was both encouraging and frustrating. Why? Mr. Ghai is right, but other people have been saying this same thing for some time and so far not enough people appear to have been listening. Whether or not people will listen this time remains to be seen; I hope they do, but if they don’t, we will continue to see more and more people victimized by cybercrime – a topic to which I turn in a moment.
It’s all about the trust
So, who were those other people who sounded warnings about the negative impacts of poor security on trust in technology? Well, two of them were my wife and me. We both became CISSPs in the 1990s and toward the end of that decade we started saying that failure to deter the growing abuse of digital technology would lead to the erosion of trust in ecommerce and other emerging industries. We saw the risk of trust erosion as a motivator to address the problem of under-investment in information system security relative to the growth in the size of the attack surface and the number of attackers.
By the early 2000s we were writing things like that in articles. We had both experienced what it was like to try and defend information systems at large companies and government agencies, and we endeavored to share what we had learned from those experiences whenever we could. My wife wrote Network Security for Dummies in 2002. That same year I wrote a book about data privacy for businesses.
By 2011 it was clear that cybercrime had established itself as a viable alternative to traditional crime and was rapidly evolving a market-based system for selling stolen data and buying the skills and tools needed to feed a growing range of data-based crimes. I decided to join ESET at that point because it was clear that the company understood the seriousness of the problems in cybersecurity and was committed to solving those problems (as opposed to just selling security software, regardless of how good that software might be).
In 2014, with ESET’s encouragement and assistance, I started researching the cybercrime problem in an academic context, enrolling in the Criminology Department at the University of Leicester in England. I referenced those studies in my 2015 TEDx talk where I framed the challenge of cybersecurity in terms akin to those of Ghai’s keynote: “Ones and Zeroes: A Tale of Two Futures.”
Of these two futures I said this: “One of these futures is bright and shining, a triumph of technology over adversity, the other is dismal and disappointing.” I suggested that unless we took the right steps – of which I listed three: a better job of deterring cybercrime, demanding digital products that were more secure, and increasing diversity in the tech workforce – we would end up with a future that was, as Ghai put it, “less than ideal for humanity.”
So, now it is 2019 and I would argue that trust erosion is already happening. Last year, ESET surveyed 2,500 US adults who use the internet and found that the percentage of people who said that they are less likely to shop or bank online due to security and privacy concerns was significant (19% and 20% respectively). Furthermore, 44% of Americans surveyed said that they were giving out less personal information on websites these days, for similar reasons.
Clearly, trust is not something that companies or governments can simply assume when dealing with the public online. Eight out of 10 people we surveyed agreed with this statement: “I am concerned that my online personal information is not kept secure by websites.” Breaking that down: 46% tended to agree and a solid third totally agreed (34%). Our survey also asked people if they agreed with this statement: “I am concerned that my online personal information is not kept secure by public authorities.” More than three quarters of US respondents (76%) either tended to agree or totally agreed.
Cybercrime and its victims
That same survey produced a strong indicator that reversing trust erosion is going to take a lot of effort: 87% of respondents thought that the risk of becoming a victim of cybercrime was increasing. On the bright side, so to speak, the 2019 RSA Conference seemed to reflect a growing sense that cybercrime is weighing on the minds of many companies and consumers.
In hallway and booth conversations I found that more people were talking about the need to act on cybercrime than in previous years. The February edition of SC Magazine – widely distributed in the RSA exhibit halls – featured cybercrime on the cover and in six articles. The Infosec Institute booth had “fighting cybercriminals” as its theme and staff were helping people make stickers saying “Fighting cybercriminals since ____” (mine said 1987 based on the first computer crime to which I responded in a paid capacity).
Another positive development that I encountered at RSA – although it was not part of the official agenda – was vigorous lobbying for programs to support victims of cybercriminals. These range from the revamped Cybercrime Support Network website to a planned upgrade of 2-1-1 services around the US in order to handle calls from cybercrime victims.
As things stand right now, the 9-1-1 service is not properly resourced to respond to reports of cybercrime. And while some parts of America – such as the San Diego area – do have coordinated law enforcement programs for dealing with cybercrime, there is no consistent coverage of this type across the country. Many cybercrime victims currently feel they have nowhere to turn for help, and that in turn means law enforcement and other relevant government agencies are not capturing valuable data about the size and nature of the victimization.
Historically, crime statistics have been a key driver of crime response, from government spending on law enforcement to programs that alert the public. While “reported crime” does not equal all crime, and not all crime reports are the result of actual crimes, the current lack of cybercrime victim support clearly means we are missing a lot of useful and actionable data.
Consider this crime statistic: 300,000 victims reported incidents to the FBI/IC3 in 2017, with financial losses amounting to $1.4 billion. IC3 stands for Internet Crime Complaint Center and it has been doing sterling work for many years. Now consider that the Barometer survey conducted by ESET found that over 30% of respondents – all of whom were US adults age 18 and over – had experienced identity theft. Based on 2017 population numbers, that 30% could mean over 75 million people. I’m not saying it does, but bear with me here: there is a huge discrepancy between 75 million and 300,000, one that demands attention.
So, I left RSA 2019 feeling hopeful. Some positive changes are underway and – thanks to Mr. Ghai – there is renewed appreciation for the stark choice we face: a bright tomorrow of technical delight, or a dismal future of digital dysfunction in a society bereft of trust.