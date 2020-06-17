It’s a never ending battle: understanding, defending, and managing the internet’s worst actors and their hijinks. That’s just a fun word to use, but what the black hats, hackers, criminals, and even the nation-state-backed teams of sophisticated, online disrupters are doing to us in civil society is far from mere hijinks. Lives are lost at one extreme, such as when medical records and devices are tampered with. Fortunes are stolen through online financial scams. Children are being exploited. It can get really ugly, suffice it to say.
Law enforcement provides one solution. However, fighting cybercrimes and malicious online conduct takes the proverbial village. Your duty, or I should say the primary duty you bear, as part of the online community is to be aware. It’s not a big burden to bear, but it’s critical. The thing that we all connect to is a network where, potentially, everyone is participating together. The chain, we all know, can only be as strong as its weakest link. Every single virus, malicious software, poisoned app, or ransomware attack begins its existence when one person drops the ball. If zero people clicked the phishing email’s link that sneakily downloads a password backdoor, then no backdoors would ever be available to the hacker who later comes in and wreaks havoc. We’re way past that ideal, as we see every day, but let’s agree in theory that user awareness of cybersecurity issues could thwart many (thousands?) threats that travel online.
Back to law enforcement. They, in the worst cases where online activities offend the criminal code, are the components of the system that can ultimately bring justice to the party. Their training must therefore have been expanded from the good old days of solving analog crimes to nowadays knowing about how their foes operate online. They need to understand how criminals, and more than just the hackers sect, are leveraging the anonymity of the internet; utilizing technological tools that let them break into computers all over the world; preying on uninformed and underdeveloped public populations who don’t or cannot recognize cybercrimes. These sworn agents of public service have to continually hone their chops in the technologies, and examine and perfect the science of digital forensics. Pulling a fingerprint, or analyzing blood spatter, are still important forensics acts for the police. Add to those, though, an entire array of tools and techniques to investigate crimes that involve digital devices. Only then can they continue to be effective. That’s a heavy lift because, among other things, like always the cops chase the robbers. The bad guys in the digital world stay ahead of the good guys. By the time the Israeli computer firm developed a workaround for the FBI after Apple refused to write a program that would let them into any iPhone, hackers had already created means to avert its effectiveness.
Now, you may start to see the spectrum. At the one end, the billions of computer and device users throughout the world must take some responsibility in the prolific battle against the black hats. Your piece of the puzzle is critical, but easy enough, which is to say that you need to simply know what bad actions online look like, use decent passwords, and when something’s hinky enough to pause then maybe go in a different direction. At the other end, the police powers and prosecutorial discretion of law enforcement also plays a critical albeit much more challenging role. They need to know what you do, but also who’s putting you at risk, how they did it, and how to find and try them in court. Those two endpoints are far afield.
Between the mass public and the governmental powers of prosecution sit so many other institutions. Businesses, educators, legal professionals, consultants, cyber engineers, and the list goes on. Sure, we’re all users, us in the middle. But we bear more responsibility that the user role does. We cannot reach the ultimate ends that law enforcement does because we do not have the policing power. Still, that middle is imperative. How then do we manage and mitigate cyber threats? The answers are endless, but I’ll share just one example, one day’s work, one small slice of that vast middle.
Last Friday I attended, in a virtual manner as things go these days, the 4th Annual TALK CyberSecurity Summit. That’s the Technology Association of Louisville KY. They do much, much more than talking, by the way. It’s one of a handful of local groups, and one of hundreds nationwide, that convenes to brainstorm, learn, and talk and plan about cybersecurity incidents. Another excellent summit goes down at Northern Kentucky University. Others happen all around. These summits, aptly named, gather all walks of cyber-concerned groups and individuals, oftentimes including police and national security representatives. It takes this wide swath of subject matter expertise to fight the hackers. Institutions of higher education, where we teach the next generation cyber experts, not-for-profits advocating for those targeted by cybercriminals, and businesses intent on helping society defeat online fraud and abuse all bring their best talents together. It’s a day of collaboration, sharing knowledge, and discussing best practices.
To shed a little more light and let you get a better sense of what this big batch of the middle players in cybersecurity are doing, I’ll share that the day’s topics covered enterprise-level cybersecurity; a cry for collaboration in the field; new regulations about cybersecurity; end user importance (that’s you); a ransomware update; and mobile and cellular security. Maybe a bit yawn-y to you at first blush, but to me and the attendees this is just another of countless ways that we try to stay alert and aware of the bad guys.
I’m trying to emphasize the constant, widespread care that’s needed from all. We’re all prone and thus we’re all responsible, wherever on the spectrum you sit.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
