Hackers, Consumers, or Regulators: Who’s to Prevent Cyberattack?

The three pieces for Tuesday’s class present varied strategies for preventing future cyberattacks on U.S. citizens, industry, and infrastructure. O’Harrow Jr. (2012) describes a virtual training site that gives hackers the opportunity to practice defending against cyberattacks. This particular “cyber range,” operating out of New Jersey and founded by upcoming guest speaker Ed Skoudis, is one of hundreds of sites across the country used to train government personnel to identify potential cybersecurity breaches and efficiently combat cyberattacks. Like the virtual-reality environments used in Tamara’s work to explore various nuclear verification procedures, these simulation exercises may be particularly helpful in identifying and developing better safeguards against potential cyberattacks (e.g., industry protocols, personal device security measures). However, if these simulations are primarily used to train personnel to retroactively address cyberattacks, they are not an effective mechanism for preventing the possibility of cyberattack.

Skoudis (RSA Conference 2017) suggests prevention strategies that consumers and leaders of industry may adopt in order to protect their devices (i.e., those on the “Internet of Things”) from crypto-ransomware attacks. Unlike the aforementioned expert-driven approach to combating cyberattacks, Skoudis demonstrates a grassroots approach that educates and compels the public to engage in cyberattack prevention. While his talk does a nice job of explaining the intersection of crypto-ransomware attacks and Internet-connected devices, the specific suggestions he provides to safeguard personal devices and networks are technical and not accessible to less technology-savvy consumers (such as myself). Just as public ignorance about non-proliferation treaties will likely negate the role of the public in treaty verification, the complex and quickly evolving technicalities associated with cybersecurity measures may make it difficult for the general public to meaningfully join in cyberattack prevention efforts.

Further, the KrebsOnSecurity piece (2016) highlights that it may be impossible for consumers to change the factory-default passwords hardcoded into the firmware of their personal devices. The piece suggests that cheap, mass-produced devices (e.g., by XiongMai Technologies) are most vulnerable to Internet of Things device attacks (i.e., by Mirai malware) and will pose a risk to other consumers, industries, and infrastructure so long as they are not totally unplugged from the Internet on a wide scale. This piece recommends that some sort of industry security association be developed to publish standards and conduct audits of technology companies in order to prevent the proliferation of devices that are extremely susceptible to cybersecurity attacks. This prevention approach, if effective, would be the most proactive (relative to the two previously mentioned strategies) in stopping vulnerable devices from reaching the hands of consumers. However, it is extremely difficult to imagine how this sort of regulatory agency would operate (i.e., intra- or interstate) and whether any agency would have enough leverage to overcome opposition to increased industry regulation.

Ultimately, these three pieces discuss cyberattack prevention measures that require the efforts of three vastly different actors (i.e., trained government personnel, the general public, a state-run governmental agency). Whether any of these strategies is particularly feasible and/or effective (or at least more so than the others) deserves further attention. — Elisa