But is phishing a threat to national security?
I think there's cause for concern when you consider the potential nexus between hacking for profit, organised crime and extremist or terrorist elements.
A lot of people, when they speak of cyberterror, are speaking in limited terms about people launching cyberattacks — mainly denial-of-service scenarios. I'm not pushing that off the table, but this other idea may be far more serious. And I frankly don't feel that we have a good handle on that. We have to know what that nexus is. One of the individuals implicated in the Bali terrorist bombings released a book, and the last chapter talked about using cyberfraud as a means to fund operations. We have to wonder if Americans are already funding the next terrorist attack.
Can I draw a direct line between all that right now? I can't. But we need to put two and two together and begin to figure out ways to make sure this isn't going to happen.
So the threat is real, and people should worry about it?
Right now, I think it's mainly a threat to consumers. It's a threat to e-commerce in how much money is being lost because of cyberfraud. And then there's the idea that it could be a threat to national security. But I don't want to cast cyberfraud specifically in terms of a homeland security issue. If you do that, you make the mistake of thinking that this is all Uncle Sam's problem.
There is some good news, in terms of ISPs doing a better job of protecting consumers. There are a lot of things that private industry can do as well as consumers. But the government does have a lot on its plate to consider.
Microsoft recently filed 117 suits against phishers, and one of the main reasons they did so was to find out who the people running these sites were. Should others follow suit?
If you look at the ability of federal law enforcement to respond to these issues or handle complaints, frankly what happens at the Federal Trade Commission is that all these complaints go into a central database, and that is searched to find patterns in behaviour. The cases or individuals that prove to be most problematic get passed on to law enforcement to pursue. That leaves the average consumer with not much that they can do, and not a lot of recourse. As a result, I think that Microsoft's move is not a bad idea.
The recent consumer data losses at ChoicePoint and elsewhere are getting a lot of coverage, and generating legislation. What is CSIA doing to that end?
We're looking at the legislation that's already been proposed, and we're trying to lay out some of the technical issues and how companies can be smarter about securing such large volumes of data. We're also going to come out with a list of recommendations for Congress to consider. For example, looking at the existing requirements out there, in pieces of legislation such as HIPAA (the Health Insurance Portability and Accountability Act), and how those are working, before new requirements are created.
At the end of the day, we are going to see legislation addressing data warehousing issues and protection of personably identifiable information. In this context, as Congress pulls together a framework, we want to talk about the technical solutions that are available.
Technical solutions are available to secure and protect data. Again, it's not a panacea, but as Congress considers new laws, it's important that they're given all the right information to consider.
Talkback
There's one thing to consider too. Many of the newer software products have a small clasue in the user agreement where it tells the user that it will install spyware, or "monitoring software" as they seem to call it.
I realize that one can choose to simply click no and refrain from installing the program, but is it not wrong that one has paid money to a company, for a product that you cant use? Especialy if it is a program that ahs no subscription fees. This means that the firms get theyre cash but people can use what they payed for.