Laws, ethics complicate the battle for cybersecurity
First they came for the video games, launching an attack in April that siphoned millions of users' personal information from Sony's PlayStation Network that shut it down for weeks.
Then they came for the banks in May, purging the names, account numbers and email addresses of 360,000 Citibank customers.
They came for the government organizations this month, attacking the U.S. Senate and the International Monetary Fund over the course of a single week.
The question is: Are hackers coming for your organization's system next? If they haven't already gained access, security experts say, there's no doubt they're trying.
"I've never been in a time where I got asked by a corporation's board of directors, 'Will we be next?' " said Kevin Richards, president of the Information Systems Security Association International, headquartered in Portland, Ore.
"There's certainly a fair amount of consternation and fear. This is something that's a very real economic issue, and organizations are struggling with that."
A recent study of security professionals by the Ponemon Institute in Michigan said 90 percent of professionals at large companies in the United States, Britain, France and Germany had seen at least one breach in the past year and that 59 percent had two or more, according to a New York Times report.
Eric Irvin, a Houston-based security analyst with Alert Logic Inc., says it's time to fight fire with fire when it comes to cyberattacks.
His theory is that security experts are held back from catching the bad guys by ethical obligations imposed by security certification organizations such as ISSA, in addition to being bound by laws and their own moral reservations.
He presented his idea under the provocative title, "Nice Guys Finish Last -- Why Doing the Right Thing Sucks," at the BSidesPittsburgh computer security conference held on the North Side on June 10.
"The strange juxtaposition of being in security is you're expected to be as talented and good as the bad guys, then you're expected to put one arm behind your back when you're fighting the bad guys," he said.
But there's good reason for setting standards of conduct, according to Mr. Richards.
He defended the security association's six-point code of ethics, which tells professionals to stay in compliance with the law, promote current best practices, maintain confidentiality, avoid conflicts of interest, avoid intentionally damaging an individual or company's reputation and to conduct duties with diligence and honesty.
First Published July 1, 2011 12:00 am