On June 8th, 2010, National Public Radio (NPR) broadcast a debate by the public charity Intelligence Squared U.S. (IQ2US) entitled "The Cyber War Threat Has Been Grossly Exaggerated." The show's format is based on the traditional Oxford-style debate, with one side proposing and the other side opposing a sharply-framed motion.
The broadcast pit Marc Rotenberg (executive director of the Electronic Privacy Information Center) and Bruce Schneier (a security technologist) against Jonathan Zittrain (a Harvard Law School professor) and former U.S. Director of National Intelligence Mike McConnell. Zittrain and McConnell rolled out the heavy security artillery, describing the threats and touting facts and figures, while Zittrain and Schneier questioned the seriousness of the threat and tried to cast suspicion on the C.I.A., claiming they want to spy on us.
The debate was both entertaining and informative, but it also shed light on an unusual dichotomy in our public subconscious regarding cyber security: as denizens of computer technology, we're as wary as Jason Bourne about where our cyber security threats are coming from. Are they coming from real terrorists and enemy spies? Is there really some vast criminal conspiracy afloat? Or are these threats coming from the very ranks of government itself? Who do you really trust and why?
Even the term "cyber" is a subconscious mnemonic to the old Marvel Comics supervillain of the same name. In the comics, Cyber, alias Silas Burr, was an agent of the Pinkerton Detective Service before he turned into a criminal mastermind. Why wouldn't we be suspicious of government representatives telling us that we're engaged in a kind of comic book war?
But data security is obviously not an issue about comic book supervillains or government conspiracies. For example, in the same month that IQ2US aired their debate, many received notices about a class action settlement. Countrywide Financial, the behemoth that sold mortgages during the real estate bubble and is now owned by Bank of America, had begun the process of contacting customers whose identities may have been stolen when their records were pilfered by an employee.
No, it wasn't Jason Bourne or Silas Burr, but a former Countrywide senior financial advisor who wanted to sell the names, social security numbers, credit information, employment history, and other personal information of mortgage applicants.
The U.S. District Court's remedy in the settlement will be to require Countrywide to provide free credit monitoring of all those involved in the class action suite for a period of 2 years, along with a potential liability against Countrywide of up to $50,000 for each incident of identity theft.
Isn't it time we, in our organizations, got serious about data encryption? Shouldn't we be stepping into this battlefield to fight back with a secure, managed file transfer system between our workstations and servers?
The cyber wars of comic books may populate our imagination, but our company's challenges are much more real. And if we're not mindful to use the right tools in our IT departments, we may all be faced with a customer base of angry Jason Bournes who have lost their identities through our security lapses.
(Listen or watch the televised debate produced by Intelligence Squared U.S. (IQ2US), entitled "The Cyber War Threat Has Been Grossly Exaggerated," here.)