New chip credit cards called ‘a joke’ — lessons from Europe offer the punchline

Bob Sullivan

The way Americans spend money is on the verge of its biggest change in decades, but the drumbeat of doubters continues to get louder.  New chip-enabled credit cards are slowly getting into consumers’ hands in advance of a looming deadline later this year. But a Walmart executive recently told CNN that U.S. chip cards are a “joke,” and a new report examining other countries’ changeovers suggests criminals around the globe merely switched tactics and kept right on stealing from consumers’ accounts.

The switch to chip cards goes by the shorthand EMV, which stands for Europay, Mastercard and Visa.  In Europe, when banks implemented the change, government rules forced consumers to start using credit cards like debit cards – requiring that PIN codes be entered each time a card is used. The change adds two important levels of security, or two-factor security.  To complete a transaction, buyers need to have in their hands a chip card, which is incredibly challenging to counterfeit. And they must know something — a PIN — that’s not on the card.

The U.S. is poised to implement only half this system.  Chip cards must be accepted by merchants by the fall deadline, but not PINs.  The so-called “chip & signature” system is a half-measure, according to  Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president.

“The fact that we didn’t go to PIN is such a joke,” Cook told CNNMoney.com.

For example, a criminal who physically steals a chip & signature credit card will have no trouble using it to commit fraud in a store by faking the consumer’s signature.

Meanwhile, a report issued recently by analyst firm Mercator raises even more concerns that the switch to chip cards might not reduce fraud, but simply nudge criminals towards different fraud.

“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report says.

Why?  So-called “card-not-present” fraud is on the rise in places that adopted EMV long ago, according to Mercator’s Tristan Hugo-Webb, who is Associate Director of the Global Payments Advisory Service.

For example, the United Kingdom was one of the first countries in the E.U. to complete the switchover to EMV back in 2006.  While counterfeit card fraud has shrunk — from 27 percent of all fraud in 2003 to 13 percent in 2013 — other kinds of fraud have soared.  Card-not-present fraud, which includes online and telephone sales, has climbed from 29 percent of fraud in 2003 to 67 percent in 2013.  Chip cards have no impact on online or telephone sale fraud because in those channels the chip is never read, so it cannot be used for authentication.

So as e-commerce has risen, online fraud has risen right along with it. In the U.K., there has been a sharp increase since 2011, Hugo-Webb says.

New technologies that would add a layer of authentication to online purchases, such as electronic tokens that help verify consumers remotely, have been invented but have not been implemented.

“The hope is that with the creation of new security technologies like tokenization, the industry can begin to play offense rather than always having to play defense against payment fraud attacks,” Hugo-Webb says.

The trickiest part of the migration is that the U.S. is so far behind – at least a decade behind the U.K., for example – that new payment forms, such as mobile payments, may have overtaken old-fashioned plastic cards by the time the EMV adoption is complete.  To some observers that lessens the urgency of the changeover.

But Hugo-Webb says the U.S. must still migrate, even if the step doesn’t reduce fraud. It’s more a matter of holding serve, he said.

“If the U.S. decided to skip EMV … it would be more of a target than it is today,” he said.  “There is still value in migrating … it’s going to take a lot longer than people expect for mobile payments to really become commonplace.”

Because of the decade-long delay, however, the value of the upgraded security will be less in the U.S. than it was in Europe, where banks enjoyed at least a few years of reduced fraud before criminals caught up.   Here in the U.S., criminals already have quite a head start on their EMV workarounds.

That fact should help inform banks and merchants as they consider how much to invest in new forms of security for the coming generation of payment systems.

Sign up for Bob Sullivan’s free email newsletter. 

The Cyber Security Leap: From Laggard to Leader

Larry Ponemon

If your company is like most, security has risen to the top of the agenda amongst C-suite executives and boards of directors. Rapidly evolving security threats pose an ongoing, central challenge, as companies and governments face an increasingly sophisticated threat environment. Large global organizations with industry presence and value may be of special interest for adversaries, whether they be individuals, organized crime or nation states. Forrester predicts that at least 60 percent of enterprises will discover a breach in 2015, but says the actual number of breached entities will be much higher–80 percent or more.

Accenture, in collaboration with the Ponemon Institute LLC, conducted a study to identify the success factors of companies that demonstrated a dramatic increase in security conditions during the past two years — the “leapfrogs” — to see what helped them move from laggard to leader.  The study unearthed six trends:

1. Security innovation is valued

Leapfrog companies have made significant increases to their level of security innovation, seeking out new approaches to emerging problems.

Leapfrog companies are more likely to have an officially sanctioned security strategy, and this strategy is more likely to be the main driver of their organization’s security program.

2. Leapfrog organizations are proactive in addressing major changes to the threat landscape

They recognize that persistent attacks should change the company’s approach to IT security and adapt their security posture in response to threats. Different security threats continue to emerge—the research evaluated the level of impact those threats had on the organizations’ security ecosystem and how the organizations responded.

3. The CISO is important and influential

Both Leapfrog and Static organizations have a CISO; the important differences lie in how that role is viewed and executed. Across all organizations studied, the CISO has hiring/firing authority, holds responsibility for enforcing security policies and has authority over budget and investment decisions.  Within Leapfrog organizations, the CISO is more likely to directly report to a senior executive, set the security mission by defining strategy and initiatives, and have a direct channel to the CEO in the event of a serious security incident.

4. Leapfrog companies excel in governance

Both groups of companies identified the importance of appointing a CISO for the organization, recruiting expert IT security personnel and background checks for all privileged users as critical to achieving a strong security posture. However, the Leapfrog companies believe disaster recovery and business continuity management practices are important. Static companies, on the other hand, are more likely to cite clearly defined IT security policies and standard operating procedures (SOP) than Leapfrog companies.

5. Certain technologies separate the two groups

Leapfrog companies exceed Static companies in viewing the following features of security technologies as very important: pinpointing anomalies in network traffic; prioritizing threats, vulnerabilities and attacks; curtailing unauthorized sharing of sensitive or confidential data; and enabling adaptive perimeter controls. In contrast, Static companies exceed Leapfrog companies in believing the following are more important features of security technologies: controlling insecure mobile devices including BYOD, limiting access for insecure devices and enabling efficient backup functionality.

6. Security budgets in Leapfrog companies include funding for innovations in information technologies

Leapfrog companies are more likely to have a dedicated budget for their security programs and have allocated more money toward security over the past few years (Figure 8). They also have a fund dedicated to innovations in information technologies.  These companies are more positive about having enough funding to meet their mission and objectives.

Methodology

To estimate the security posture of organizations, we used the Security Effectiveness Score (SES) as part of the survey process. The SES was developed by The Ponemon Institute in its annual encryption trends survey to define the security effectiveness of responding organizations. We define an organization’s security effectiveness as being able to achieve the right balance between efficiency and effectiveness across a wide variety of security issues and technologies. The SES is derived from the rating of 48 security features or practices. This method has been validated by more than 60 independent studies conducted since June 2005. The SES provides a range of +2 (most favorable) to -2 (least favorable). A result for a given organization greater than zero is viewed as net favorable, which means the organization’s investment in people and technology is both effective in achieving its security mission and efficient. Hence, they are not squandering resources and are still being effective in achieving their security goals. A negative SES has the opposite meaning.

For this research, we evaluated hundreds of companies that were previously benchmarked so that changes in the organizations’ SES scores could be measured and evaluated. Based on that analysis, we divided the sample into the following groups:

Leapfrog sample: 110 companies that experienced a 25 percent or greater increase in their SES over a two-year period. The average increase in SES for these companies was 53 percent.

Static sample: 137 companies that experienced no more than a 5 percent net change in their SES over a two-year period, with an average change of 2 percent. This sample was matched to the Leapfrog sample based on industry, size and global footprint.

To read the full report, click here.

Curt Schilling pushes Twitter to turning point

Bob Sullivan

I spent a year studying English Common law in college, and here’s the only thing I really remember: Law exists to prevent mob rule. It only survives when it’s considered effective by the masses. If it’s not, people start taking the law into their own hands.  This is the precipice on which Twitter dangles right now.

You probably heard about former major league baseball player Curt Schilling going all Wild West on jerks who harassed his daughter on Twitter.  I’m fine with what he did; in fact, I think it’s great.  It’s time people realized there are consequences for the stupid, vile things they say online.  It’s high time — past time — we cleaned up the neighborhood. I believe in free speech as much as the next Internet geek, but it’s also time the Internet grew up.  Folks like those who said God-awful things to Schilling’s daughter need to be kicked out of the bar, pronto, and forced to live with the consequences of what they’ve done.

Now, you can all expect a bunch of other folks to follow suit, with varying results, of course.  Curt Schilling can get justice — not to mention, protection from any potential response — because he’s famous.  You probably can’t.

That’s why this is Twitter’s problem.  After all, it’s their bar.  As a refresher course in free speech law, the government can’t make a law preventing you from saying things in public. A company sure as heck can do that with its private property.  You have no Founding Fathers-given right to be vile on Twitter.

I do appreciate the lovely parlor banter about chilling discussion and people’s rights to be assh**s, but save that for college, please. If you are an adult, you owe it to yourself to read the kinds of Tweets directed at people like Anita Sarkeesian, who campaigns against violence in video games. I won’t display them here — but however vile you imagine they are, triple that.    Click that link to see a Mother Jones story which describes 157 “hate Tweets” she received in a single week. They are enough to snap anyone out of a philosophy-induced haze about free speech and social media.

So I was delighted recently when a leaked memo seemed to suggest that Twitter management was starting to get it.

“We suck at dealing with abuse and trolls on the platform and we’ve sucked at it for years. It’s no secret and the rest of the world talks about it every day. We lose core user after core user by not addressing simple trolling issues that they face every day,” CEO Dick Costolo wrote in an internal memo that was published on The Verge last month. “I’m frankly ashamed of how poorly we’ve dealt with this issue during my tenure as CEO. It’s absurd. There’s no excuse for it.”

He then promised to start kicking users off Twitter “right and left” for misbehaving. The Electronic Frontier Foundation, which also cheered the general message, paused on that last part, calling it a “dangerous sentiment.”  I know, that’s what the EFF has to say, and I’m glad they are saying it. But enough is enough.

Creeps are running circles around decent people while we continue the collegiate debate here. I’m ready to give Twitter the right to kick people off the service right and left, with a very big IF.  IF it doesn’t try to do this on the cheap, and IF it’s very transparent.

The real problem here is money, as it always is.  Here’s a brief history lesson. Back when eBay was just about the only profitable firm on the Internet, it had a massive problem that threatened its very survival.  Fraud was rampant. In some categories, such as expensive electronics, roughly half of all listings were fraudulent. After repeating the usual Internet BS about community policing (which is really discount policing), eBay finally got serious and hired a huge team of fraud fighters — human beings — who put in the heavy lifting of reviewing listings by hand and cleaning up their neighborhood.

Twitter has to do this. It’s not only the right thing to do, it’s absolutely critical for its survival. In fact, it’s critical for the entire spirit of social media and perhaps the Internet itself.  Twitter needs to grow up, grow a pair, and start investing in decency. What’s that you say, it’s not “scale-able?”  Well then, just turn off the lights. It’s your bar. It’s your job to keep it safe.  What we don’t want is a world of random justice doled out by Curt Schilling.

Why? Because Twitter can do this in a transparent, reasonable way.  We all know some of these things will be tough calls.  What is trolling and what is hate speech?  Trolls say crap just to start angry discussions. People who fall for their tactics kind of get what they deserve.  Hate speech is threatening.  Yes, there are gray lines. A computer will never do a good job of figuring that out.  But let’s get real — there is no confusion about the kinds of Tweets Sarkeesian often gets. Twitter did recently release improved tools for reporting problems, but we’ll see if there are improvements to response time. It shouldn’t take longer than a few minutes to get them removed. When there is a “false positive,” as there will be, Twitter should have a very prompt process for appeal.  Right now, complaints often go to black holes, and the creeps know this, and take advantage of it.  That’s the real problem, Twitter.

Your move. A million Curt Schillings are watching.


Seven megatrends that will impact cybersecurity

Larry Ponemon

We are pleased to present the findings of the 2015 Global Megatrends in Cybersecurity, sponsored by Raytheon. The purpose of this research is to understand the big trends or changes that will impact the security posture of organizations in both the public and private sector in the next three years. Moreover, the study looks at the next generation of protocols and practices as the cybersecurity field evolves and matures.

We surveyed 1,006 senior-level information technology and information technology security leaders (hereafter referred to as respondents) in the US, UK/Europe and Middle East/North Africa (MENA) who are familiar with their organizations’ cybersecurity strategies.

The research covered a range of trends related to an organization’s ability to protect itself from cyber threats and attacks. Some of the areas addressed in this report are: the critical disconnect between CISOs and senior leadership, insider negligence, the Internet of Things, adoption of new technologies such as big data analytics, predictions of increases in nation state attacks and advanced persistent threats and the dearth of cyber talent.

Based on the findings of the research, there are seven megatrends that will significantly impact the cybersecurity posture of organizations in the following areas: disruptive technologies, cyber crime, cost of compliance, the human factor, organizational and governance factors and enabling security technologies. Following is a summary of these seven megatrends and implications for companies.

1. Cybersecurity will become a competitive advantage and a C-level priority. As part of this study, we asked a panel of cybersecurity experts to predict changes to several normatively important characteristics concerning the role, mission and strategy of security. A total of 110 individuals with bona fide credentials in information security provided their three-year predictions.  Only 25 percent of respondents believe their organization’s C-level views security as a competitive advantage. However, 59 percent of respondents in the expert panel say C-level executives will view security as a competitive advantage three years from now.

2. Insider negligence risks are decreasing. Due to investments in technologies, organizations will gain better control over employees’ insecure devices and apps. Training programs will increase awareness of cybersecurity practices. A lack of visibility into what employees are doing in the workplace will become less of a problem in the next three years.

3. Cyber crime will keep information security leaders up at night. There will be significant increases in the risk of nation state attackers and advanced persistent threats, cyber warfare or terrorism, data breaches involving high value information and the stealth and sophistication of cyber attackers. In contrast, there are expected to be slight improvements in mitigating the risk of hacktivism and malicious or criminal insiders.

4. The Internet of Things is here but organizations are slow to address its security risks. The Internet of Things is the expanding network of billions of connected devices that are permeating our daily lives—from the computers inside our cars to our WiFi enabled appliances, from wireless medical devices to wearable devices. Because consumers are embracing more connected devices, information security leaders predict that the Internet of Things will be one of the most significant disruptive technologies in the near future.

5. The cyber talent gap will persist. Respondents in three regional samples hold a consistent belief that their organizations need more knowledgeable and experienced cybersecurity practitioners (i.e., the cyber talent gap).

6. Big shifts in new technologies towards big data analytics, forensics and intelligence based cyber solutions. The following technologies will gain the most in importance over the next 3 years: encryption for data at rest, big data analytics, SIEM and cybersecurity intelligence, automated forensics tools, encryption for data in motion, next generation firewalls, web application firewalls, threat intelligence feeds and sandboxing or isolation tools.

7. Despite alarming media headlines, cybersecurity postures are expected to improve. The majority of respondents say their cybersecurity postures will improve for the following reasons: cyber intelligence will become more timely and actionable, more funding will be made available to invest in people and technologies, technologies will become more effective in detecting and responding to cyber threats, more staffing will be available to deal with the increasing frequency of attacks and employee-related risks will decline.

To read the full Raytheon report, click here. 

After a year of leaks, money pours into security. But…

Larry Ponemon

The year 2014 will long be remembered for a series of mega security breaches and attacks starting with the Target breach in late 2013 and ending with Sony Pictures Entertainment. In the case of the Target breach, 40 million credit and debit cards were stolen, along with 70 million records that included the name, address, email address and phone number of Target shoppers. Sony suffered a major online attack that resulted in employees’ personal data and corporate correspondence being leaked. The financial consequences and reputation damage of both breaches have been widely reported. Other well-publicized mega breaches in 2014 in order of magnitude were:

  • eBay (145 million people affected)
  • JPMorgan Chase & Co. (76 million households and 7 million small businesses affected)
  • Home Depot (56 million unique payment cards)
  • CHS Community Health Systems (4.5 million people affected)
  • Michaels Stores (2.6 million people affected)
  • Neiman Marcus (1.1 million people affected)
  • Staples (point-of-sale systems at 115 of its more than 1,400 retail stores)

This year is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack. Will companies be prepared to deal with cyber threats? Are they taking steps to strengthen their cyber security posture? Ponemon Institute, with sponsorship from Identity Finder, conducted 2014: A Year of Mega Breaches to understand if and how organizations have changed their data protection practices as a result of these breaches.

Respondents believe security incidents such as Target and other mega breaches raised senior management’s level of concern about how cyber crimes might impact their organizations. We surveyed 735 IT and IT security practitioners about the impact of the Target and other mega breaches on their IT budgets and compliance practices as well as data breaches their companies experienced. The participants in this study are knowledgeable about data or security breach incidents experienced by their companies. They are also very informed about the facts surrounding the Target and other mega breaches. Following are key steps companies have taken because of mega breaches:

More resources are allocated to preventing, detecting and resolving data breaches.

According to respondents, the Target breach did have a significant impact on their organizations’ cyber defense. Sixty-one percent of respondents say the budget for security increased by an average of 34 percent. Most was used for SIEM, endpoint security and intrusion detection and prevention.

Senior management gets a wake up call and realizes the need for a stronger cyber defense posture.

More companies have the tools and personnel to do the following: prevent the breach (65 percent of respondents), detect the breach (69 percent of respondents), contain and minimize the breach (72 percent of respondents) and determine the root cause of the breach (55 percent of respondents). Sixty-seven percent of respondents say their organization made sure the IT function had the budget necessary to defend it from data breaches.

Operations and compliance processes are changing to prevent and detect breaches.

Sixty percent of respondents say they made changes to operations and compliance processes to establish incident response teams, conduct training and awareness programs and use data security effectiveness measures.

Many companies fail to prevent the breach with the technology they currently have.

With new investments, companies will hopefully prevent more data breaches. However, 65 percent of respondents say the attack evaded existing preventive security controls. Forty-six percent say the breach was discovered by accident.

Companies confident of understanding the root cause of the breach had incident response teams in place.

They also had the right security management tools and the expertise of a security consultant to help determine the root cause. After knowing the root cause, these companies stepped up their security training and enhanced their security monitoring practices.

Lessons from Anthem hack: Welcome to the post-Sony world; it’s going to get ugly

Bob Sullivan

Another day, another massive computer hack that sets millions of people in a tizzy about something they can’t control.  The Anthem health data leak isn’t the Big One — that’s still coming, believe me — but it’s pretty big.  Perhaps 80 million people now have to worry that a criminal gang has their name, birthday, email, Social Security number, and perhaps even their employment history and salary.

It’s easy to imagine all the bad things that can happen to you if that data gets in the hands of a professional criminal. Sure, consumers will get *another* offer of free credit monitoring — handy, because the Target free monitoring just expired. But really, that’s a bit like telling a man to boil water when a pregnant woman’s water breaks. Busy work.

What’s broken here is the system.  What’s missing here is bold action.  While Washington D.C. bickers over a new privacy law that enacts technological-era change at a glacial pace, hackers are running circles around our nation’s companies. Nobody I know who works in cybersecurity thinks things are going to get better.  Last year’s Sony hack set the stage for this, and other stories you see this year. Computer criminals are about to abandon credit card database hacks. With the move to chip-enabled credit cards, stolen account numbers will soon have less value.  So that migration has already begun. As I often say, fraud is like a water balloon. Squeeze one end, and the other end just gets bigger.

But there’s more going on here than chip card change.  Sony taught hackers a valuable lesson: even data that might not seem valuable can be priceless if leveraged in the right way. The old thinking: Who cares about stealing a million emails? Most of them are boring drek. Get the payment card data.  The new thinking: Grab everything, and we’ll figure out how to monetize it later.  It only takes a few embarrassing emails to convince a CEO to stop a product launch, or cough up a few million dollars. Turning millions of credit card numbers into cash is hard work, involving an army of mules and real-world risk.  Turning private data into an extortion payout is much easier.

So we see with the Anthem hack that, according to the company, criminals didn’t even seem interested in the payment card data.  They wanted everything else. And now, like a hunter who uses every part of a dead prey, they will pick over the data and try to monetize it in dozens of ways.  New account fraud. Phishing. Extorting consumers.  Perhaps, they’ve already tried to extort the company. Since victims do not have the option of canceling their birthdays or employment background, they will have to worry about this for a very long time.

Why? Anthem was warned. The FBI issued a warning last year that health care firms use archaic systems which are easy hacker targets.  Why would Anthem leave such data in an unencrypted state, lying around for the taking?  More important, why would Anthem have data on potentially millions of former customers, also sitting there for the taking?

The reason: Anthem didn’t see value in the data the way consumers do, and the way the hackers do. Notice that no medical information was stolen. That’s because it’s part of Anthem’s core business. Consumer information is not.  Maintaining that is merely a cost. You see this pattern again and again. Why was Target’s credit card database stolen? Because Target isn’t a bank, it’s a department store.  Why was Sony’s email stolen? Because it wasn’t a movie in production, it was just email.

Change must come.  Data is everyone’s core business now.  Firms need to actually take the protection of our data seriously, not merely say they do in letters revealing they’ve been hacked.  Meanwhile, it’s time to work with the reality that millions of Americans have now permanently been exposed to identity theft through the theft of their Social Security numbers. The right way to deal with that is simple: We need to devalue the stolen information. One modest proposal you will hear is to simply make all Social Security numbers public, thereby ending once and for all their use as a unique and “secret” identifier.

That kind of fresh thinking is the only way through this problem. And that kind of bold step could only be taken with leadership from the federal government. We’re still waiting.

See you in another week or two when the next big hack hits.

Sign up for Bob Sullivan’s free email newsletter.

 

Lessons from Anthem hack: Welcome to the post-Sony world; it's going to get ugly

Bob Sullivan

Bob Sullivan

Another day, another massive computer hack that sets millions of people in a tizzy about something they can’t control.  The Anthem health data leak isn’t the Big One — that’s still coming, believe me — but it’s pretty big.  Perhaps 80 million people now have to worry that a criminal gang has their name, birthday, email, Social Security number, and perhaps even their employment history and salary.

It’s easy to imagine all the bad things that can happen to you if that data gets in the hands of a professional criminal. Sure, consumers will get *another* offer of free credit monitoring — handy, because the Target free monitoring just expired. But really, that’s a bit like telling a man to boil water when a pregnant woman’s water breaks. Busy work.

What’s broken here is the system.  What’s missing here is bold action.  While Washington D.C. bickers over a new privacy law that enacts technological-era change at a glacial pace, hackers are running circles around our nation’s companies. Nobody I know who works in cybersecurity thinks things are going to get better.  Last year’s Sony hack set the stage for this, and other stories you see this year. Computer criminals are about to abandon credit card database hacks. With the move to chip-enabled credit cards, stolen account numbers will soon have less value.  So that migration has already begun. As I often say, fraud is like a water balloon. Squeeze one end, and the other end just gets bigger.

But there’s more going on here than chip card change.  Sony taught hackers a valuable lesson: even data that might not seem valuable can be priceless if leveraged in the right way. The old thinking: Who cares about stealing a million emails? Most of them are boring drek. Get the payment card data.  The new thinking: Grab everything, and we’ll figure out how to monetize it later.  It only takes a few embarrassing emails to convince a CEO to stop a product launch, or cough up a few million dollars. Turning millions of credit card numbers into cash is hard work, involving an army of mules and real-world risk.  Turning private data into an extortion payout is much easier.

So we see with the Anthem hack that, according to the company, criminals didn’t even seem interested in the payment card data.  They wanted everything else. And now, like a hunter who uses every part of a dead pray, they will pick over the data and try monetize it in dozens of ways.  New account fraud. Phishing. Extorting consumers.  Perhaps, they’ve already tried to extort the company. Since victims do not have the option of canceling their birthdays or employment background, they will have to worry about this for a very long time.

Why? Anthem was warned. The FBI issued a warning last year that health care firms use archaic systems which are easy hacker targets.  Why would Anthem leave such data in an unencrypted state, lying around for the taking?  More important, why would Anthem have data on potentially millions of former customers, also sitting there for the taking?

The reason: Anthem didn’t see value in the data the way consumers do, and the way the hackers do. Notice that no medical information was stolen. That’s because it’s part of Anthem’s core business. Consumer information is not.  Maintaining that is merely a cost. You see this pattern again and again. Why was Target’s credit card database stolen? Because Target isn’t a bank, it’s a department store.  Why was Sony’s email stolen? Because it wasn’t a movie in production, it was just email.

Change must come.  Data is everyone’s core business now.  Firms need to actually take the protection of our data seriously, not merely say they do in letters revealing they’ve been hacked.  Meanwhile, it’s time to work with the reality that millions of Americans have now permanently been exposed to identity theft through the theft of their Social Security numbers. The right way to deal with that is simple: We need to devalue the stolen information. One modest proposal you will hear is to simply make all Social Security numbers public, thereby ending once and for all their use as a unique and “secret” identifier.

That kind of fresh thinking is the only way through this problem. And that kind of bold step could only be taken with leadership from the federal government. We’re still waiting.

See you in another week or two when the next big hack hits.


The more you have, the less you trust technology; growing gap between rich and poor nations

Courtesy Microsoft. Chart shows impact of tech on privacy.

Technology is like money, it seems.  You need some of it…a decent amount, really…to be happy. But at a certain point, it might do more harm than good.

Microsoft released a fascinating global survey at Davos this week which unearthed another gap between the developed and the developing world.  Poorer countries have a lot more positive feelings about technology than rich countries, and the gap is widening.  In the developing world, tech has been a boon for journalism, social connections, and employment opportunities.  In the developed world, many folks feel just the opposite.

And it makes sense. Mobile phones have brought telecommunications to plenty of places that couldn’t afford to string landlines, for example. On the other hand, in the U.S. and other rich nations, mobile phones are often seen as communication killers — particularly by parents who can’t get the darn things out of their teenagers’ hands.  A classic first-world problem.

I’ve written a lot of negative observations about the unintended consequences of technology as part of The Restless Project.   I hope no one misunderstands: I’m happy I can see my niece on Skype video calls, I can write books on the beach with my laptop, and I’m really thrilled my father had open heart surgery not long ago in the time it takes to get a tooth pulled.  Tech is good.  But tech also has its limits, and it’s become a bit of a false god.  It’s also really enabling some folks to take advantage of workers, like Uber.  There are billions of dollars in marketing that extol the virtues of tech. Someone has to talk about the dark side. Microsoft’s survey suggests plenty of folks are concerned about that.


In fact, if there’s one thing consumers from all corners of the globe agreed on, it was this: Our very notion of privacy is at serious risk.  In eleven of the twelve countries surveyed, respondents said that technology’s effect on privacy was mostly negative. (India was the only exception.)

“Majorities of respondents in every country but India and Indonesia say current legal protections for users of personal technology are insufficient, and only in those two countries do most respondents feel fully aware of the types of personal information collected about them,” Microsoft said.

Countries included in the survey: U.S., China, India, Brazil, Indonesia, South Africa, South Korea, Russia, Germany, Turkey, Japan and France.

Here’s the data on the schism between developed and developing countries and their attitudes towards tech:

  • Impact on Social Bonds. Fully 60 percent of respondents in developing countries think personal tech has had a positive impact on social bonds, compared to just 36 percent of respondents in developed countries.
  • Sharing Economy Split. Fifty-nine percent of respondents in developing countries think technology-enabled, sharing-economy services — like Uber and Airbnb — are better for consumers than traditional services like taxis and hotels. But 67 percent of respondents in developed countries think the traditional services are better for consumers.
  • In the Media We (Don’t) Trust. By a 2:1 margin, respondents in developing countries think personal technology has had a mostly positive effect on trust in the media. But in developed countries, the impression is the opposite: respondents believe by a 2:1 margin that the effect on trust in the media has been mostly negative. These opposing views are borne out in the two kinds of countries’ media habits: in developing countries, 70 percent of respondents get most of their news from social media, compared to only 31 percent in developed countries.
  • Getting Fit. The difference in opinion about tech’s effect on fitness is striking: 57 percent of respondents in developing economies think personal technology has made people in their country more fit, thanks to apps for diet management, calorie counting, and exercise incentives – but 62 percent of respondents in developed economies think personal technology has made people in their country less fit, because of the amount of time people waste in front of their PCs, tablets, game consoles, etc.
  • The Tug on Children. In developing countries, the majority of online parents (77 percent) want their children to have more access to technology, but in developed countries, the majority of online parents (56 percent) want their children to have less access.
  • STEM and Gender. Finally, there is a real split in engagement regarding the very topic of this survey: science and technology. Although large pluralities of respondents in all twelve countries believe the best jobs in the future will be in STEM, fewer than six in ten respondents in developed countries say they are interested in working in STEM, compared to 85 percent in developing countries. And while 77 percent of women respondents in developing countries feel encouraged to work in STEM fields, only a minority – 46 percent – of women respondents in developed countries do.


The Sony hack, and why your email might be next

Bob Sullivan

Sony reminds me of the chaos theory in the hacking world. Yes, you should be very afraid of what’s happening at Sony right now. Here’s why.

Four years ago, I wandered the halls at the giant RSA security conference collecting scuttlebutt. Companies spend thousands, even millions of dollars, to make a splash at the annual geek-fest, but on this day, one company completely stole the spotlight. For free. And no one was jealous, because on that day, nobody wanted to be government contractor HB Gary.

Hackers calling themselves members of the Anonymous group had hacked HB Gary servers, stolen the firm’s email, then made it public for all the world to see. Days of embarrassment and nightmarish news followed, from exposure of a less-than-comfortable relationship with Bank of America to incredibly uncomfortable personal emails from workers.

At the time, the smartest geeks on the planet were terrified over the news. These folks weren’t afraid of hackers hell-bent on stealing their intellectual property or their financial information. Most of them had fought off those attacks for decades. What they feared was chaos. The HB Gary hackers weren’t after money. They wanted revenge. And computer criminals who simply want to destroy things are the most frightening. Publishing entire email spools stolen from company servers gains hackers almost nothing. But it exposes everyone inside a company, and everyone who ever communicated with any of those workers, to tremendous embarrassment, or worse. It creates chaos.

It’s an unpopular thought, but it’s true: There is no absolute security. Spend money and time protecting this, and you will leave that vulnerable. That’s how it works at airports, and that’s how it works in networks. Folks who protect digital assets for a living are constantly making trade-offs. Email is often one of those trade-offs. Most energy is focused on protecting money. A lot of energy is focused on protecting intellectual property. Four years ago, Anonymous realized email servers are often neglected. And they realized just how much chaos they could cause by publishing…and indexing for easy discovery…HB Gary’s email.

Back then, every confident security professional I knew had two burning questions in mind. One: was I in HB Gary’s email? And two: What about my email server? What would happen if someone published all my company’s email? How many ‘secret’ job searches … sexist or racist jokes … illicit affairs … might be exposed with an email dump?

There was a great chill in the entire profession. People imagined the worst.

Now, the worst has happened. Execs have been forced to apologize to President Obama for racist comments. Sony has lawyers running around threatening journalists not to publish bits and pieces of upcoming movie scripts. Journalists have been exposed for too-cozy chats with sources. Heck, Aaron Sorkin is actually attacking …not the hackers … but those who even looked at what was hacked.

Revenge. Chaos. A crisis that seems without end. Mission Accomplished.

Perhaps, these hackers ultimately have money in mind. Perhaps they are state-sponsored. Perhaps the attack is purely politically motivated. We’ll probably never know, though most certainly, someone in the middle of this simply wants money.

But clearly, the criminals here were out to wreak havoc. Folks who just want to break things are pretty hard to stop. And now the playbook, first established four years ago, has been darn near perfected. Out folks’ private communications, let curious onlookers go to town, and you have a full-fledged techno-disaster on your hands. The point can’t be overstated: In both HB Gary and Sony, hackers exposed their target companies and potentially anyone who had ever emailed with their employees. Publish the email of a big enough company, and you might very well expose a majority of Americans in one hack.

Stealing secrets and dumping them online is the hateful practice of “doxxing” — exposing private parts of victims’ lives online, such as their home address, with the intent to invite harassment — writ large. It’s pretty hard to stop doxxing. You should all just hope no one ever finds a reason to do it to you. And it’s almost as hard to stop doxxing on a massive scale. Yes, shutting down a power plant or a similar critical infrastructure hack could be a horrible disaster. But I think this kind of chaos might ultimately be more damaging to the U.S. It’s certainly easier to fashion.

What’s the lesson here? I’ve said forever that any time you type anything into any kind of keyboard, you should be prepared for the world to see it one day, even if you think your communication is private. That’s good advice, but it has its limits. For starters, we all use chat tools, texts, and even email as casually as we talk now. It’s pretty hard to remember that you are always one co-worker’s stupid click away from your chatter being exposed to the world. A private note with one comment that could be described as racist, sexist, even elitist … said to one person … could seriously tarnish your career or legacy. In that world, being 99.9 percent careful just isn’t good enough.

But the problem is scarier than that. Standards change all the time, but servers are forever. Imagine if we could read long email chats between political or corporate figures from 25 or 50 years ago. They’d all sound awful. It’s really, really hard to predict what something you say today might sound like 10 or 20 years in the future. The old “out of context” explanation doesn’t work any more. This is why the world of pack-rat programming alarms me. Companies (in the U.S.) reflexively save every piece of data for as long as possible. It will be the radioactive fallout of our time. We haven’t even begun to digest the implications of that.

Sony is a pretty good hint, however. Be very, very careful what you type.


The seven reasons consumers still care about privacy

Larry Ponemon

Consumers’ Perceptions about Privacy & Security: Do They Still Care? conducted by Ponemon Institute and sponsored by RSA is intended to understand what consumers think about privacy and information security. Specifically, how have recent mega-breaches affected consumer behavior and attitudes about privacy? Moreover, is the constant sharing of personal information online and with mobile apps diminishing the importance consumers place on their privacy?

We surveyed 1,020 consumers in the United States between the ages of 18 and 65+. Forty-nine percent of respondents say they have been victims of at least one data breach. However, 45 percent are not confident that they know of all instances when their personal information was lost or stolen in a data breach.

Read the entire study (PDF)

Based on the findings we conclude that consumers perceive a loss of control over their personal information because of data breaches, the lack of trust in the security of the mobile apps they continue to use and increased government surveillance. However, they still believe the privacy and security of their personal information is important.

The following seven findings reveal why consumers still care about privacy:

Privacy rights are believed to be at risk. Seventy-five percent of respondents worry that they will lose their privacy rights as the Internet progresses into the future and are very concerned about this happening.

Privacy and security expectations are high for financial transactions. No matter what their privacy profile is, respondents have high expectations for privacy and security when filing a tax return, making mobile payments or banking.

Privacy and security on the Internet and when using social media is important.  Respondents are spending an average of 56 hours per week on the Internet and 27 hours using social networks, social messaging and other social media tools. They rate the importance of the security and privacy of these activities as very high.

Prompt data breach notification is important. Seventy-seven percent of respondents say prompt notification about the loss or theft of their personal information is either very important (56 percent) or important (21 percent).

Respondents worry about the theft of certain information. Most respondents are concerned about the theft or misuse of their Social Security numbers, passwords or PIN and payment information such as credit card number.

Strong online authentication procedures are very important. Fifty-four percent strongly agree or agree that the websites they use have strong authentication procedures that can be trusted to safeguard their sensitive or confidential information. They also do not trust systems or websites that only rely on passwords to identify and authenticate users or consumers (62 percent). Similarly they do not trust systems or websites when identity and authentication procedures appear too easy (62 percent of respondents).

Biometric authentication methods are viewed favorably. Seventy-eight percent of respondents say they would prefer authentication procedures that verify their identity without requiring them to share personal information such as a name, address, email and so forth.