
Punishing cybercriminals might be more effective than beefing up security systems

Cybercriminals need to face legal repercussions that would deter them from committing the crime in the first place

As the lines blur between computers, software and things, protecting an entity from security threats shouldn’t be dependent on implementing software for protection. Instead, the criminals themselves should be punished, which could be a better deterrent.

Turing Award winner Professor Butler Lampson, who is a Technical Fellow at Microsoft and adjunct professor at MIT, has long argued that, for any given investment in preventative measures, it is impossible to measure the degree of security or the consequences of less-than-perfect security. If the benefits are uncertain, priority goes to spending that returns visible benefits.[1]

In a presentation to the 2015 Cyberforum participants[2], Professor Lampson said that there has not been much evidence of actual harm from cyberattacks. From a security standpoint, we can ‘secure something simple very well’ and we can ‘protect complexity by isolation and sanitisation’, but what we can’t do is ‘make something complex secure’ or ‘make something big secure’ or even ‘keep something secure when it changes’. We can’t even ‘get users to make judgments about security’.

A veteran of the computing industry, Professor Lampson is credited with having co-created the Xerox Alto in 1973, considered the world's first personal computer. As Technical Fellow in Microsoft Research, Professor Lampson is working on improving security, privacy, fault-tolerance and other systems that are important in computing today.

In 2004, in his paper Computer Security in the Real World[3], Professor Lampson said that most disruptions caused by cybercrime are minor and companies are of the view that the high cost of setting up security does not justify the damage done.

Twelve years later, things haven’t changed radically. According to The State of Cybersecurity and Digital Trust 2016 report by Accenture and HFS Research, global budgets for cybersecurity are not unlimited. The report surveyed senior and executive IT managers around the world who are overseeing or directly involved in their companies' cybersecurity infrastructures.

The report notes that 70 per cent of respondents cite a lack of, or inadequate, funding for either cybersecurity technology or security talent, even though 64 per cent of IT personnel said executive management regularly asks for updates on the companies' cybersecurity systems.

Cyberattacks are getting increasingly complex

In December 2016, the CIA reported that the US elections had been compromised by hackers who stole confidential emails from the Democratic National Committee (DNC).

In October 2016, an unusual, coordinated distributed denial-of-service (DDoS) attack targeted internet traffic management company Dyn. Dyn issues domain name server addresses (DNS) to companies such as Twitter, Amazon, PayPal and Spotify, and many of these huge companies suffered outages across the Americas for hours after the attack. Cybercriminals used hundreds of thousands of internet-connected devices that had previously been infected with malicious code, gaining access through common devices such as webcams and digital recorders, news agencies reported. Dyn said that the complexity of the attacks was what made it challenging to resolve, as the breach came from millions of internet addresses.

Since he wrote his 2004 paper, Professor Lampson has lobbied for heavier punishments to deter cybercriminals. In the real world, he says, security is retroactive and about deterrence, not about locks. The cyber world should be no different, but on the internet, it’s hard to find and see the bad guys, so deterring them is not always feasible.

Moreover, most companies can ill afford to set up effective security systems. Instead, Professor Lampson says that authorities should be tasked with ensuring that cybercriminal activity cannot and will not be tolerated, be it from internal parties or from external sources.

“Like any security, it is only as strong as its weakest link, and the links include the people and the physical security of the system. Very often the easiest way to break into a system is to bribe an insider,” Professor Lampson highlighted.

He suggests that, rather than requiring prevention, those who manage security should focus on reacting, and thereby work on real problems rather than spending money on anticipation or possibilities. Deterrence needs punishment, and punishment, in turn, needs accountability.

End nodes, he illustrates, can enforce accountability. For example, if an entity receives messages that aren’t accountable enough, you can strongly isolate those messages, he says. The senders of those messages can be made accountable if you can punish them, be it fiscally, with ostracism, by terminating their employment or with jail time.

Professor Lampson will be in Singapore to inspire young scientists at the Global Young Scientists Summit 2017, from 15 to 20 January 2017.

Image: Prof Butler Lampson (2011)

http://research-srv.microsoft.com/en-us/um/people/blampson/BWL2011.jpg

Credit: Prof Lampson

About the Global Young Scientists Summit 2017

Organised by the Global Young Scientists Summit (GYSS) @one-north (GYSS@one-north) and taking place 15 to 20 January 2017, the fifth iteration of the event will welcome over 300 of the world’s most outstanding science graduates and post-doctoral fellows under the age of 35. Young scientists will have the privilege of attending live plenary lectures, panel discussions and interactive group sessions with 22 highly distinguished speakers. Highly respected in the science and technology community, these speakers comprise Fields Medal holders, Millennium Technology Prize winners, Turing Award holders, as well as two special guest speakers.

Speakers new to GYSS@one-north in 2017 include Turing Awardees Vinton Gray Cerf (2004), Barbara Liskov (2008) and Butler Lampson (1992). Nobel Prize for Physics laureate Yang Chen-Ning (1957), the second Chinese Nobel Laureate, will also attend. The special guest speakers are Chairman of the Lindau Foundation and Council Member for the Lindau Nobel Laureate Meetings, Heinz-Jürgen Kluge, and Juha Ylä-Jääski, President and CEO of Technology Academy of Finland (TAF).

The theme for GYSS@one-north in 2017 is "Advancing Science, Creating Technologies for a Better World". The summit covers a range of disciplines, from chemistry, physics, medicine and mathematics to computer science and engineering.

[1] Risk Management and the Cybersecurity of the U.S. Government https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf

[2] http://research.microsoft.com/en-us/um/people/blampson/Slides/Resilience%20slides%20for%20Cyberforum.pdf

[3] http://research.microsoft.com/en-us/um/people/blampson/64-SecurityInRealWorld/Acrobat.pdf
