Security

Why Doesn't Anyone Get in Trouble Anymore?

By Elevate posted 12-11-2013 11:03

  

I'm reading a book by Michael Lewis called Boomerang.  It was written about a year and a half ago in the aftermath of the stock market crash and the U.S. subprime mortgage mess.  The book goes through the impact of the financial crash from the perspective of four different countries (Iceland, Ireland, Greece and Germany) and a couple of small local U.S. governments (San Jose and Vallejo).  It's a fascinating read and, like his other books, takes a complex subject and turns it into something understandable.  

 

If you haven't read his other book on this topic, The Big Short, it's worth a weekend to understand what happened in sub-prime.  But this blog isn't meant to be an advertisement for you to buy Michael Lewis books; it's about a thought that occurred to me while reading that relates to security.  

 

In each of the examples Michael Lewis gives, there is this underlying thread of no one really being held accountable or getting in any sort of trouble.  In fact, at the end of the book, he talks about the lack of an obvious specific avenue for people to get riled up about and focus their attention on.  There is some aspect of this in the Tea Party and Occupy Wall Street, but you have to ask, “What are they trying to accomplish?”

 

Both seem to be pretty frustrated and vocal (less lately), but it's hard to tell exactly what they want or who they want to get in trouble.  I think this is similar in security.  

 

We all know that attackers continue essentially unabated to attack our companies and our government.  There are infrequent news alerts that a botnet is being shut down or the plans for one stopped, but those news items are usually met with disinterest at best.  And rarely does anyone get in trouble.  

 

Just like in the financial mess, no one really got in trouble for the massive losses sustained around the world.  A very small percentage of people may get a fine or short jail time.  If a fine was paid, it was more likely by the companies, but no one really got in trouble.  They just paid the fine, admitted no wrongdoing, and moved on.  As Jon Stewart said in one of his segments, “They broke the law, made a bunch of money, got caught and paid a small portion of the profit back.”  

 

In security, we know people are doing bad things.  They are likely breaking the law.  Why don't more people get in trouble?  If there is no potential downside for an action, people will continue until the risk is too high.  And risk varies. It's why some people still try and smuggle drugs.  The downside is low for them, all things considered.  

 

As it relates to security, have we just accepted that it's ok for attackers to steal stuff?  If we don’t care and there really isn't much downside, why would it ever stop? Maybe we're in the middle of a natural lifecycle where there is nothing to influence a change in direction.  At some point, the risk will be too high (they will get in trouble) and people will move to other things.  But we're not there yet and people are committing cybercrime with relative impunity.

 

Comments

12-12-2013 09:06

Michael,

Reading your blog, the quote that comes to my mind from of all places, believe it or not, is one of the Batman movies: "Criminals thrive on the indulgences of society." Unless and until we, as a society, dedicate the effort to make the punishment (fines, jail time, etc.) outweigh the benefits of committing the crime, nothing will change.

As you rightly point out--regardless of how adroitly folks like Jon Stewart, Stephen Colbert, et al., express the obvious--no one seems to care enough to do something about this.

 

What if we (Juniper) were to take a stand by banding with others in our industry focused on cybersecurity, and raise these issues compellingly and persuasively to lawmakers? Surely both sides of the political aisle could come together on such an issue. (Yes, I know how ineffective Congress has been and continues to be). But, unless laws change, law enforcement is powerless and the Department of Justice can't mete out any punishment. And we, as individuals, are left to clean up the devastating personal aftermath of "hackers stealing our stuff."

 

My two cents.