Cybersecurity goes beyond changing your password
Reports of an Anthem network breach remind us all of the vulnerability of our digital personal information. Online records that provide accurate and complete identity information are more lucrative than credit-card data on the black market, and health-care providers and insurers are frequent targets of cyberattacks despite federal protections to prevent medical identity theft. While a shredder and a black marker used to be appropriate tools to ensure the privacy of personal information, security measures now may include a password manager, two-step authentication, and the trust that the companies that store our data are using the best security tools available.
However, even with the most advanced technology, security is a moving target.
To address these vulnerabilities, we need to move beyond the digital arms race to an interdisciplinary understanding, including knowledge from the fields of law, economics, computer science and the social sciences, of what constitutes a secure digital identity. From there, we can explore how to encourage individuals, companies and governments to act in our best interests to maintain that security.
The trade-offs involved in providing security show that cybersecurity has come to imply more than protecting a PC from hackers. Cybersecurity encompasses monitoring medical treatment decisions, financial and recreational activities, and social behavior. Formerly the purview of government laboratories and software manufacturers, cybersecurity is now a concern, and a responsibility, of every individual. As our lives migrate to the Internet, we face problems of commercial and personal security, international security, and the societal effects of technological innovation that are the realm of sociologists, economists, political scientists and lawyers, as well as computer scientists.
The consequences of trusting an external entity to provide cybersecurity are readily apparent: leaked credit-card information from a major retailer or a widely publicized vulnerability like Heartbleed warns us to change passwords and check credit reports. In other cases, however, the consequences are less explicit. From cyberbullying and online impersonation to the real-time tracking of drivers with traffic apps and shoppers with cell phones, parties sharing information online — knowingly or not — are increasingly open to attack. The collection and use of data in unanticipated ways undermine the security and control of our digital identities. As an example, recent projects studying the de-anonymization of publicly available data revealed that individual purchasers can be traced in databases of credit-card transactions that have been scrubbed of names, specific timestamps and card numbers. Laws regarding consent to the disclosure of personally identifiable information are behind the curve of what constitutes identification.
Another common misconception is that the costs of cyberattacks are borne exclusively by the companies they target. For users of networked medical devices, such as pacemakers or insulin pumps, the convenience and utility of these devices come at the expense of software and network access protocols that can be unsophisticated and difficult to patch, and the consequences of a hacked medical device could be life-threatening. The FDA provides security guidance and continues to address these issues, but many medical device interfaces were developed using software that is no longer supported by its manufacturer; securing these devices would require replacing them outright. The costs to replace or secure all the devices on a network, including “edge” devices like printers and heating panels, must be weighed against the consequences resulting from a breach, such as fines and lost revenue. Heightened security protocols also add time and expense, which are transferred to the consumer.
To help further define and address these complex questions, the William and Flora Hewlett Foundation recently awarded $45 million in grants to Stanford, UC Berkeley and MIT to establish major new academic centers for cybersecurity policy research. These interdisciplinary initiatives are committed to better understanding the short- and long-term effects of digital technology on global society. Viewing cybersecurity as a human and a technological problem means acknowledging that securing digital identity involves shaping behaviors, managing incentives and developing responsive and useful technology that accompanies us throughout our daily lives, at a doctor’s office, in the car or in front of a computer.