Thursday, October 24, 2024

Welcome to Online: risks, harms, and duty of care in the virtual high crime neighborhood we all inhabit

Image: author-generated photo montage of a "Welcome to Online" sign in front of a photo of broken windows in Stehli Silk Mill, Lancaster County, Pennsylvania, a public domain image thanks to Wikimedia user Smallbones.
Is the constant news of fresh cybercrimes getting you down? Has your personal information been shared with criminals, again? Are you sick of cybersecurity warnings and annoying digital security measures?

Welcome to Online, a place that is both risky and unhealthy,
a worldwide high crime neighborhood,
out of which it is very hard to move. 

Criminals have made Online a high crime neighborhood

Today, most of us have an online identity. We not only spend time online, our digital selves persist even when we are not actively using digital devices. Part of us now lives, and sometimes works, in a virtual neighborhood, a non-physical space we can refer to as Online.

Sadly, Online is a place where many crimes are committed. Warnings about crime, evidence of past crimes, and measures to prevent crime: all of these are seen and encountered all over Online. Today, Online can reasonably be described as what social scientists call a "high crime neighborhood." 

Unfortunately, Online is not only a high crime neighborhood, but it is a place in which we are increasingly forced to spend time, and out of which it is hard to move. And that is a serious problem because high crime neighborhoods are known to be bad for human health. 

That's right, we already know for a fact that living in physical neighborhoods with high crime rates is not healthy. Residents of high crime neighborhoods suffer more health problems and die younger as a result. This has been researched and documented over many years by criminologists, epidemiologists, doctors, population health experts, and environmental health scientists. 

I recently described this reality and the science behind it in a talk at Cyberhagen 2024, an annual cybersecurity conference in Copenhagen, Denmark. The title of the talk is: From Frontlines to Lifelines: How reducing cybercrime would make life healthier for us all. You can watch it here or on YouTube. (Feel free to skip to 8 minutes and 39 seconds if you want to dive right in.)
 

I have also made a handy page with a link to some of the related work I have been doing on this problem: Cybercrime & Health. If you want a short URL to share the page, you can use tinyurl.com/cyberharm.

Why it's risky to tell people "just go online" 

To be clear, if you have a smartphone, email address, or Internet account, then you have an online identity, you have a presence online. This identity persists even when you are not using or connected to the Internet. 

That means there is 7x24 risk that digitally savvy criminals will target you, your devices, and your accounts. They may want to steal your money, take over your accounts, ransom your data, enroll your devices in criminal schemes, and so on. The threat of this happening does not go away when you log off and disconnect.

Yet, despite this state of affairs being well documented, many organizations still use the phrase "just go online" as though Online is a place that offers nothing but helpful and enjoyable experiences. Furthermore, some institutions are now requiring people to go online. This is the case in England where it is not uncommon for medical patients to be told they have to go online to book blood tests or "use the app" to order repeat prescription medication.

If you think about it, inviting or requiring people to go online is similar to some activities in the physical world. For example, when a hotel invites people to spend time on its premises it creates a responsibility to those people; this is commonly referred to as "a duty of care." 

In many countries, it is established in law that hotels have a duty to take reasonable steps to ensure that their premises are safe, secure, and free from foreseeable risks that could result in injury or harm to guests. Hotels also have a duty to provide reasonable security measures to protect guests from criminal acts. A hotel that fails to meet these duties could be exposed to legal claims for compensation by injured or aggrieved guests.

Similarly, a duty of care is created when an employer sends an employee on a business trip. In fact, a duty of care exists in many areas of modern life, and I think it is reasonable to make going online another such area.

In summary, it is my belief that a duty of care already applies to any entity that encourages or requires a person to go online. All that is missing is the right law or lawsuit to make this a concrete reality, one that can then be used to encourage or require serious upgrades in cybersecurity posture across society. In addition, this would create a new regulatory risk that companies would have to address.



Saturday, July 20, 2024

Global IT Outages and Monoculture: The “potato famine theory” of information system insecurity

Painting: An Irish Peasant Family Discovering the Blight of their Store, by Daniel MacDonald

The following article explains the problem of monoculture in IT systems, one of the root causes of the Global IT Outage of July 19, 2024. The article was originally published in August of 2003. Back then, Chey Cobb and I were writing a weekly cybersecurity column for the digital publication Newsscan (now defunct). 

In a column titled "Of Potatoes and Worms" we used the classic example of monoculture—the Irish Potato Famine—to explain why relying on one company or one operating system for all your IT needs creates a potentially catastrophic level of vulnerability to software-specific threats, such as computer worms, viruses, supply chain attacks, and of course, bugs in software updates (cf. CrowdStrike). We hope you find it helpful.

Of Potatoes and Worms
by Chey Cobb, CISSP
and Stephen Cobb, CISSP
August, 2003

During the last two weeks, the world has witnessed hundreds of thousands of computer systems falling prey to worms. As we write this, the Sobig-F worm is reaching epidemic proportions, threatening to rival the 2000 Love Bug outbreak in terms of disruption wrought. We give you just one example, a good friend of ours who headed to France this week for a vacation: after the flight from LA to Paris he turned on his handheld computer to check email and found 500 infected messages waiting.

A lot has been written on this topic, but we haven’t seen many references lately to the “potato famine theory” of information system insecurity. This theory is a favorite of ours and it holds that a lack of diversity in software can be a dangerous thing, at either the enterprise or the national level. This might ring some bells right now if you are a CIO responsible for tens of thousands of Microsoft Windows or Outlook users.

The theory gets its name from a tragic chain of events that struck the island of Ireland in 1845, killing—by some estimates—more than a million people. At that time, potatoes were the primary source of food for most people living there, due to the fact that potatoes produce more calories per acre than any other crop you can grow in that climate (back then, most people did not have a lot of land to work with because land use was controlled by English landlords, many of whom were, to say the very least, selfish).

In fact, almost all the potatoes grown in Ireland at that time were of one particular strain, a strain that had been found to produce the most calories per acre. So when a potato fungus arrived in Ireland—possibly from somewhere in the Americas—its impact on the crop was exacerbated by the lack of diversity among potato strains. While some potato strains are more resistant to the fungus than others, the dominant strain in Ireland at that time was not one of them. [See: Great Famine: https://en.wikipedia.org/wiki/Great_Famine_(Ireland)]

The information system security analogy is this: reliance by an information system on one application or operating system, to the exclusion of others, [a monoculture] reduces the ability of that system to survive a vulnerability in that operating system or application.

Consider an organization that is using nothing but Microsoft products versus one that uses a mix of applications and operating systems. The Microsoft-only shop is more likely to have experienced widespread negative effects due to last week’s Blaster worm (which exploited a security hole in the Windows operating system) and this week’s Sobig-F worm (which exploits a Microsoft Outlook vulnerability).
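The analogy above can be put into numbers. The following is an added toy model, not code from the column or from any of the vendors it mentions: it takes a fleet described as host counts per platform, assumes each platform independently suffers a critical platform-specific flaw (a worm, an exploited bug, a bad update) with some probability in a given period, and computes the distribution of the share of the fleet taken down. It goes a step beyond the column's argument by showing the trade-off explicitly: spreading hosts over several platforms makes it more likely that *some* hosts are hit in a period, but far less likely that most of the estate goes down at once. The fleet sizes, platform names and the 10% per-platform flaw probability are constructed sample values.

```python
"""Toy model of the "potato famine theory" of IT monoculture.

Added illustration, not code from the original column. Platform names,
fleet sizes and the per-platform flaw probability are constructed.
"""
from fractions import Fraction


def outage_distribution(fleet, p_flaw):
    """Distribution of the fraction of hosts down in one period.

    fleet:  mapping platform name -> number of hosts running it.
    p_flaw: probability that a given platform suffers a critical flaw
            in the period, assumed independent across platforms.
    Returns a list of (fraction_down, probability) pairs sorted by
    fraction, built by enumerating every subset of platforms that could
    be hit at once (fine for the handful of platforms a real estate runs).
    """
    platforms = list(fleet)
    total = sum(fleet.values())
    if total == 0:
        raise ValueError("fleet is empty")
    dist = {}
    for mask in range(1 << len(platforms)):
        hit = [p for i, p in enumerate(platforms) if mask >> i & 1]
        prob = p_flaw ** len(hit) * (1 - p_flaw) ** (len(platforms) - len(hit))
        frac = Fraction(sum(fleet[p] for p in hit), total)  # exact share down
        dist[frac] = dist.get(frac, 0.0) + prob
    return sorted(dist.items())


def prob_loss_at_least(fleet, p_flaw, threshold):
    """Probability that at least `threshold` of the fleet is down (e.g. 0.5)."""
    threshold = Fraction(threshold)
    return sum(pr for frac, pr in outage_distribution(fleet, p_flaw)
               if frac >= threshold)


def prob_any_outage(fleet, p_flaw):
    """Probability that at least one platform, hence some hosts, is hit at all."""
    return 1 - (1 - p_flaw) ** len(fleet)


def worst_case_share(fleet):
    """Largest share a single platform-specific flaw can take down:
    1 for a monoculture, at most 1/k for k equally sized platforms."""
    return Fraction(max(fleet.values()), sum(fleet.values()))


# Constructed fleets: 1,000 hosts on one vendor versus spread over three.
MONOCULTURE = {"vendor_a": 1000}
DIVERSE = {"vendor_a": 400, "vendor_b": 300, "vendor_c": 300}
P_FLAW = 0.1  # constructed: each platform has a critical flaw in 10% of periods

if __name__ == "__main__":
    for name, fleet in (("monoculture", MONOCULTURE), ("diverse", DIVERSE)):
        print(f"{name}: worst single-flaw loss {worst_case_share(fleet)}, "
              f"P(any outage) {prob_any_outage(fleet, P_FLAW):.3f}, "
              f"P(>=50% down) {prob_loss_at_least(fleet, P_FLAW, 0.5):.3f}")
```

With these constructed numbers the monoculture loses everything in 10% of periods, while the three-vendor fleet sees some outage in about 27% of periods but loses half or more of its hosts in under 3% of them. That is the column's point: diversity does not make flaws rarer, it caps how much a single flaw can take down.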

We’re not sure how many people today are familiar with the Irish potato famine, so “fossil fuel dependence theory” might be a better term. The implications are the same: dependence on a single source of energy, or software, has inherent risks. What we particularly like about both analogies is that they encompass economics and politics as well as strategy and logistics. 

The Irish were not growing that single dominant strain of potato because it tasted better than others—apparently it did not—they were growing it because the politics and economics of the time made maximum yield appear to be the highest good. America’s dependence on fossil fuel and a single source of software also has economic and political elements (prices have been relatively low, producers politically powerful, and so on). 

Obviously, the dominance of Microsoft products in operating system and application areas has its own economic and political angles. However, while the reasons for Microsoft’s dominance, and the extent of the negative impact of that dominance on other companies, have been hotly debated, very few people have voiced the following argument: Regardless of how secure or insecure Microsoft software is—or has been, or becomes—we think that using it, or any other single source, to the virtual exclusion of all others, will never be good security.

In other words, even if Microsoft’s Trustworthy Computing initiative succeeds in making the company’s products more secure than they are right now, it would still be foolhardy for any organization to adopt them as a universal standard. Unfortunately, our opinion is not shared by the Department of Homeland Security and other 3LAs that had best remain nameless.

And just to show how fair and balanced our coverage is, we will say the same of Adobe’s Acrobat format. This grows more powerful with each version. We use it. We love its convenience and the fact that most people with whom we communicate can read Acrobat documents. But the extent to which some government agencies are relying on it is now approaching scary.

Notes: 

1. Portions of this column first appeared in a lecture we delivered in 2002 as part of the Master of Science program in Information Assurance at Norwich University, Vermont.

2. CrowdStrike has assured customers and the public that their software update, which led to the global IT outage of July 19, 2024, was not malicious. However, it remains to be seen if this assertion will be confirmed by independent analysis.

3. The attack technique of placing malicious code in a software update has been used for many years, notably in the 2017 WannaCry incident that took down hundreds of thousands of systems and cost companies billions of dollars. Ironically, WannaCry did not impact organizations that were protected by some brands of endpoint protection software, the same category of software as CrowdStrike Falcon. [Disclaimer: In 2017, I was working for ESET, one of those brands that stopped WannaCry.]

Monday, April 01, 2024

Internet crime keeps on growing, as do efforts to understand the harm it causes

Chart: Internet crime losses 2014-2023, as reported to IC3/FBI, compiled by S. Cobb
Losses from Internet crimes reported to the FBI's Internet Crime and Complaint Center in 2023 rose 22% above the record losses in 2022. 

This means that 2023 set a new annual record, just north of $12.5 billion, according to the press release announcing the latest IC3 annual report (PDF).

About the only good thing you can say about this news is that the annual Internet crime loss figure rose by only 22% in 2023. That is less than half the 49% increase in 2022, which was well below the 64% surge in 2021. However, before anyone gets too optimistic, take another look at the chart at the top of the page.

While there have been several years this century in which the rate of increase in losses to Internet crime has slowed down, I see the general direction over the last decade as fairly relentlessly upward. And this is despite record levels of spending on cybersecurity and cybercrime deterrence.

This time last year I discussed the implications of these trends in an article over on LinkedIn. That was written in the hope that more people will pay attention to the increasingly dire state of Internet crime prevention and deterrence, and how that impacts ordinary people. At the start of this year, I wrote about the implications of digitally-enabled fraud reaching record levels, framing this as a public health crisis. 

During 2023, I delivered and recorded a well-received talk on cybercrime as a public health crisis. Here is the video, hosted on YouTube.

The talk was originally delivered at the Technical Summit and Researchers Sync-Up 2023 in Ireland. The event was organized by the European arm of APWG, the global Anti-Phishing Working Group. (Talks at that event were not recorded, so I made this recording myself; sadly, it lacks the usual gesticulation and audience interaction of my live delivery, but on the plus side you can speed up the playback on YouTube.)

Also sad is the fact that, due to carer/caregiver commitments, I had to cancel delivery of the next stage of my research at APWG's Symposium on Electronic Crime Research 2023 (eCrime 2023).

On the bright side, I did manage to write up my ideas in an article on Medium: Do Online Access Imperatives Violate Duty of Care? There I started building my case that exposure to crime online causes harm even to those who are not directly victimized by it, much in the same way that living in a high crime neighbourhood has been proven—by criminologists and epidemiologists—to be bad for human health. Basically, the article made four assertions:

  1. going online exposes us to a lot of crime, 
  2. high crime environments are unhealthy, 
  3. governments and companies that make us go online may be breaching their duty of care, 
  4. there is an urgent need to reduce cybercrime and increase support for cybercrime victims.

To explain these assertions I introduced my "Five levels of crime impact in meatspace and cyberspace" which are captured in this table:

Screenshot of Cobb's Five levels of crime impact in meatspace and cyberspace
I also introduced my take on a concept used by environmental exposure scientists and epidemiologists: the exposome. A key role of the exposome is to help us acknowledge and account for everything to which we are exposed in our daily lives that may affect our health. 

My article proposed using online exposome as a term for everything that individuals are exposed to when they go online. This builds on thinking by Guillermo Lopez-Campos et al. (2017) that there is a "digital component of the exposome derived from the interactions of individuals with the digital world."

In summary, as we look over the latest tabulation of reported financial losses due to Internet crimes I think we need to bear in mind that these are only a fraction of the total number of such crimes, and monetary loss is only a fraction of the harm these crimes cause. The stress and anxiety of victims has to be taken into account, as does the deleterious effect of having to spend time online where we are constantly exposed to, and reminded of, the many different ways in which digital technologies and their users are being abused. 

Postscript: Not all the news about online crime is bad. The last 12 months have seen some very impressive anti-cybercrime law enforcement efforts all around the world, including the recent disruption of "the world’s most harmful cyber crime group." I applaud those efforts and encourage governments to fund more of them. Here's to a drop in Internet crime losses in 2024!