<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; Top Stories</title>
	<atom:link href="http://lastwatchdog.com/category/top-stories/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Tue, 07 Feb 2012 18:03:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Google to Congress: deleting profiling data &#8216;not always practicable&#8217;</title>
		<link>http://lastwatchdog.com/google-congress-deleting-profiling-data-not-practicable/</link>
		<comments>http://lastwatchdog.com/google-congress-deleting-profiling-data-not-practicable/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 01:23:36 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11943</guid>
		<description><![CDATA[Rep. Mary Bono Mack, R-Calif., says there wasn&#8217;t enough time to set up a full public hearing on the controversial user agreement changes Google announced last week. Those changes take effect March 1 and will enable the search giant to step up the cross-referencing of profiling data collected from users of its popular online services. [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11944" href="http://lastwatchdog.com/google-congress-deleting-profiling-data-not-practicable/congress150px/"><img class="alignleft size-full wp-image-11944" title="Congress150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Congress150px.jpg" alt="" width="150" height="130" /></a>Rep. Mary Bono Mack, R-Calif., says there wasn&#8217;t enough time to set up a full public hearing on the controversial user agreement changes Google<a href="http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/"> announced</a> last week. Those changes take effect March 1 and will enable the search giant to step up the cross-referencing of profiling data collected from users of its popular online services. Google says it is not collecting any data from users of Google Search, Gmail, Google Apps, YouTube, Picasa and other popular services that it hasn&#8217;t before and that the policy change is to improve user experience.</p>
<p>Even so, Bono Mack pushed ahead with a closed-door meeting today at which Google deputy general counsel Mike Yang and public policy director Pablo Chavez briefed her and nine of her colleagues. Rep. Joe Barton, R-Tex., came away unsatisfied.</p>
<div id="attachment_11957" class="wp-caption alignleft" style="width: 95px"><a rel="attachment wp-att-11957" href="http://lastwatchdog.com/google-congress-deleting-profiling-data-not-practicable/joe-barton85px/"><img class="size-full wp-image-11957" title="Joe Barton85px" src="http://lastwatchdog.com/wp/wp-content/uploads/Joe-Barton85px.jpg" alt="" width="85" height="103" /></a><p class="wp-caption-text">Barton</p></div>
<p>&#8220;I asked specifically about Google&#8217;s deletion policy and got some disturbing answers. I may hit delete, but that doesn&#8217;t mean the material goes away immediately,&#8221; says Barton. &#8220;It was obvious to me, as I left the room, that this company has established this policy so instead of the consumer being the master of the Internet, Google is the master of the consumer. I think that is just wrong.&#8221;</p>
<p>Also attending were Representatives G.K. Butterfield, D-NC, Cliff Stearns, R-FL, Marsha Blackburn, R-TN, Charlie Bass, R-NH, Adam Kinzinger, R-IL, Henry Waxman, D-Calif, Ed Markey, D-MA and Diana DeGette, D-CO. Here are excerpts from an interview Bono Mack granted Last Watchdog not long after the closed-door briefing concluded.</p>
<div id="attachment_11947" class="wp-caption alignleft" style="width: 184px"><a rel="attachment wp-att-11947" href="http://lastwatchdog.com/google-congress-deleting-profiling-data-not-practicable/mary-bono-mack_175px-6/"><img class="size-full wp-image-11947" title="Mary Bono Mack_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Mary-Bono-Mack_175px5.jpg" alt="" width="174" height="162" /></a><p class="wp-caption-text">Bono Mack</p></div>
<p><strong>LW: </strong>How&#8217;d the briefing go?</p>
<p><strong>Bono Mack:</strong> I don&#8217;t know that I got any more clarity than what I&#8217;ve been reading in the press. I&#8217;ve been following it pretty closely, and I think Google is trying very hard to calm a nervous public about what they&#8217;re doing.</p>
<p><strong>LW: </strong>What did Chavez and Yang convey?</p>
<p><strong>Bono Mack:</strong> They conveyed that they believe they are giving consumers the tools to protect their privacy. I think the predominant message out of the members who asked questions was, &#8216;We recognize you say you have the tools, but are they easy enough for consumers to use, are they easy to find, and is it truly, in fact, protecting consumers?&#8217;</p>
<p><strong>LW:</strong> Did you get any more clarity on how long Google stores user profiling data?</p>
<p><strong>Bono Mack: </strong>One of the things I really pushed Google on is, &#8216;If you want to delete your data, what are the technical challenges?&#8217; They&#8217;re not very clear on that. We&#8217;re pushing them further on this. Because they say, at one point, that immediate deletion is not always practicable due to the way the archiving systems operate.</p>
<p>I don&#8217;t believe that they are as strong on data deletion as they need to be. When you as a consumer try to delete any data that you input in your machine, and you hit delete, you really want to believe that it truly is deleted, wiped out, erased, gone.</p>
<p>But Google says immediate deletion is not always practicable. It says it might be deleted in a reasonable period of time, and ultimately they say they can hang on to it until the storage medium is actually destroyed.</p>
<p>So I asked if that means until you actually take a hammer to the hard drive? And this is the crux of the issue to me. It&#8217;s very problematic. If the consumer hits delete, then it needs to be deleted.</p>
<p><strong>LW: </strong>Did you get into the privacy implications of how Google plans to cross-reference profiling data from search, Gmail, YouTube and its other popular services?</p>
<p><strong>Bono Mack:</strong> We got a very nuanced answer from them. They&#8217;re saying there are tools at the users&#8217; disposal that give you the ability to opt out. But say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that&#8217;s a violation of HIPAA. We&#8217;ve gone to great lengths in our society to protect people&#8217;s medical information. That question was raised.</p>
<p><strong>LW: </strong>That&#8217;s a big question. How did they answer and were you satisfied with their answer?</p>
<p><strong>Bono Mack:</strong> This is the grayest area of it all. They are saying that they do not track sensitive data like that. I don&#8217;t know who determines what&#8217;s sensitive and what&#8217;s not. And that&#8217;s probably another question on another day and a more extensive hearing.</p>
<p>Whether you sign in or you don&#8217;t sign in, they know your machine, they know where it is, they basically know who it is. Cookies are the reason they know. But the truth of the matter is, they have the ability to know who you are, whether you&#8217;re logged in or not.</p>
<p><strong>LW: </strong>Sounds like you still have concerns.</p>
<p><strong>Bono Mack:</strong> The biggest concern I have is that the consumer, when they hit delete, they mean delete. And that when the consumer has done a search on something that might be sensitive, whatever it is, when they erase that search, it really is erased. And this is what the Congress and the FTC are going to have to watch.</p>
<p><strong>LW: </strong>What happens next?</p>
<p><strong>Bono Mack: </strong>We had already planned to have more hearings on privacy on different angles and aspects of the debate. We will have privacy hearings, and I pressed Google to be at the table to help Congress understand what they are doing, and for Google to certainly understand Congress&#8217; concern.</p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/google-execs-lack-clarity-closed-door-briefing-congress/" rel="bookmark" class="crp_title">Google execs lack clarity in closed-door briefing of Congress</a></li><li><a href="http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/" rel="bookmark" class="crp_title">Google execs to give closed-door briefing, CEO stays home</a></li><li><a href="http://lastwatchdog.com/larry-page-show-testify-congress/" rel="bookmark" class="crp_title">Will Larry Page show up to testify before Congress?</a></li><li><a href="http://lastwatchdog.com/critics-house-do-not-track-hearing-skewed-consumers/" rel="bookmark" class="crp_title">Critics say House do-not-track hearing skewed against consumers</a></li><li><a href="http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/" rel="bookmark" class="crp_title">Rockefeller, Bono Mack seek explanations from Facebook</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/google-congress-deleting-profiling-data-not-practicable/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Google, Facebook say privacy rules bad for economy</title>
		<link>http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/</link>
		<comments>http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 22:56:56 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11912</guid>
		<description><![CDATA[They may be battling each other tooth-and-nail to win over online advertisers. But Google and Facebook are on the same side when it comes to opposing new data-handling privacy laws fast-gelling in Europe and the U.S. On Wednesday, the European Union formally proposed strict rules that could restrict much of the systematic tracking and profiling [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11913" href="http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/switzerland-davos-forum/"><img class="alignleft size-full wp-image-11913" title="Switzerland Davos Forum" src="http://lastwatchdog.com/wp/wp-content/uploads/Sheryl-Sandberg2_150px.jpg" alt="" width="150" height="126" /></a>They may be battling each other tooth-and-nail to win over online advertisers. But Google and Facebook are on the <a href="http://www.usatoday.com/tech/news/story/2012-01-26/facebook-google-privacy/52809946/1">same side </a>when it comes to opposing new data-handling privacy laws fast-gelling in Europe and the U.S.</p>
<p>On Wednesday, the European Union <a href="http://www.npr.org/2012/01/27/145950487/eu-outlines-online-privacy-recommendations">formally proposed strict rules </a>that could restrict much of the systematic tracking and profiling Google and Facebook routinely do of Internet users, as part of delivering targeted ads to them.</p>
<p>If Europe&#8217;s new rules are implemented as expected in 2013, the tech rivals could face hefty fines, up to 2% of annual revenue, for any violations. In Google&#8217;s case that translates into a maximum penalty of $800 million.</p>
<p>On Tuesday, Facebook Chief Operating Officer Sheryl Sandberg<a href="http://www.allfacebook.com/facebook-europe-sandberg-2012-01"> delivered a statistics-filled speech </a>at a tech conference in Munich outlining how Europe&#8217;s proposed rules are very likely to stymie the global economy. She reiterated those themes on Wednesday and Thursday while participating in the World Economic Forum in Davos, Switzerland.</p>
<p>Sandberg called for a &#8220;regulatory environment that promotes innovation and economic growth.&#8221;</p>
<p>Google spokesman Chris Gaither echoed Sandberg&#8217;s argument. He says the search giant &#8220;supports simplifying privacy rules in Europe to both protect consumers online and stimulate economic growth.&#8221;</p>
<p><strong>Cross-device tracking</strong></p>
<p>Meanwhile, refinements announced this week by Google and Facebook, about how each tracks and profiles Internet users, added heat to the domestic debate over the need for new data privacy rules here in the U.S.</p>
<p>Google signaled that it will begin cross-referencing user data compiled from its most popular services, including search, Google Apps, Gmail and YouTube, as well as across all browser PCs and <a href="http://www.washingtonpost.com/business/economy/google-privacy-policy-who-will-be-affected-and-how-you-can-choose-what-information-gets-shared/2012/01/26/gIQA69fNVQ_story.html">any device using Google Android operating system.</a></p>
<p>The stickler: Users won&#8217;t be permitted to &#8220;opt out&#8221; of having their Google activities correlated.</p>
<div id="attachment_11919" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11919" href="http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/steve-pociask90px/"><img class="size-full wp-image-11919" title="steve pociask90px" src="http://lastwatchdog.com/wp/wp-content/uploads/steve-pociask90px.jpg" alt="" width="90" height="129" /></a><p class="wp-caption-text">Pociask</p></div>
<p>“The reports of Google’s privacy changes, which will allow no opt out, raise grave concerns for consumers who are growing increasingly concerned about their privacy online,” says Steve Pociask, the president of the American Consumer Institute. “Google’s dominance of online search and its history of disdain for privacy protections and consumer transparency makes these changes even more worrisome.</p>
<p>“Whether it’s illegally collecting user data through its Street View product, hiding its privacy policy or settling with the FTC for violating its own privacy policy with Google Buzz, the company has proven that it has little regard for the privacy rights of consumers.”</p>
<p>Both Google and Facebook are moving to extend intelligence gathering and behavior profiling to mobile devices. Google’s Android operating system runs the popular Droid series of smartphones, and Facebook Timeline features a digital GPS system, says Alisdair Faulkner, CEO of computer-security firm ThreatMetrix.</p>
<p>Meanwhile, the non-profit group SafeGov, which monitors security issues for federal, state and local government agencies, is alarmed that Google&#8217;s new policy could put workers who use Google Apps for Government, a paid service, at heightened risk.</p>
<p>&#8220;Google should not be data-mining information in e-mails, text messages, searches and documents that workers are putting into Google services,&#8221; says Jeff Gould, SafeGov security analyst. &#8220;It&#8217;s a matter of not making government workers unnecessarily exposed to hackers and to inadvertent disclosures of information.&#8221;</p>
<p><strong>Not thinking it through</strong></p>
<p>Google Vice President Amit Singh says Google&#8217;s new privacy policy for consumer data is superseded by the data privacy provisions in contracts with government agencies and other organizations that use the paid version of Google Apps.</p>
<p>&#8220;As always, Google will maintain our enterprise customers&#8217; data in compliance with the confidentiality and security obligations provided to their domain,&#8221; says Singh.</p>
<div id="attachment_11920" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11920" href="http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/jeff-gould90px/"><img class="size-full wp-image-11920" title="Jeff Gould90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jeff-Gould90px.jpg" alt="" width="90" height="135" /></a><p class="wp-caption-text">Gould</p></div>
<p>But Gould checked the city of Los Angeles&#8217; contract with Google and found that the data-privacy provision referred back to Google&#8217;s policy for consumers. &#8220;They didn&#8217;t think through the consequences for government users,&#8221; Gould says.</p>
<p>Meanwhile, Google is busy fielding inquiries from a handful of politicians who&#8217;ve proposed legislation that would restrict online tracking and establish rules for data privacy.</p>
<p>&#8220;Amazingly, we still don&#8217;t have a law that sets the rules of the road for fair information practices that everyone collecting, using, and distributing people&#8217;s personal information must adhere to,&#8221; says Sen. John Kerry, D-Mass.</p>
<p>Kerry and Sen. John McCain, R-Ariz., continue to work for passage of the Commercial Privacy Bill of Rights. &#8220;Until Congress acts, Google and the rest of its competitors will continue to set that standard themselves.&#8221;</p>
<p>Rep. Ed Markey, D-Mass., notes that &#8220;Googling is like breathing for millions of kids and teens &#8211; they can&#8217;t live without it.&#8221; Markey, who has also been critical of Facebook&#8217;s tracking practices, is calling on the Federal Trade Commission to review Google&#8217;s new no-opt-out policy.</p>
<p>&#8220;Consumers &#8211; not corporations &#8211; should have control over their own personal information, especially for children and teens,&#8221; says Markey.</p>
<p><strong>Timeline risks</strong></p>
<p>Facebook is drawing more scrutiny too. It is making mandatory a new, glitzier user interface, called Timeline, that chronologically displays a member&#8217;s preferences, contacts and online activities. And its new Open Graph service promotes more and richer preference data to move across third-party applications and ultimately get integrated into Timeline. Facebook insists that Timeline does not present any new information nor alter any current privacy settings.</p>
<div id="attachment_11921" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11921" href="http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/karen-evans90px/"><img class="size-full wp-image-11921" title="Karen Evans90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Karen-Evans90px.jpg" alt="" width="90" height="116" /></a><p class="wp-caption-text">Evans</p></div>
<p>But Karen Evans, National Director for the US Cyber Challenge, a nationwide program focused specifically on the cyber workforce, says Google and Facebook’s latest advances in the science of indexing and profiling Internet users could make richer information more readily accessible to ID thieves and cyberspies, as well as to parties motivated to use such data unfairly against consumers.</p>
<p>Online profiles, for instance, are already being used to deny insurance coverage and as a basis for not hiring someone. And political campaigners would love to get their hands on the richest data available to help sway voters during the upcoming presidential elections.</p>
<p>“The consumer should know exactly how the information is to be used and the potential impact it could have on them, especially younger Americans,” says Evans. “Many of them play games, watch videos and search on the internet for class projects. The collection and use of the information could have an adverse impact on their daily lives. For example, they could be conducting a search because this is an election year for a classroom project. The data could be later used to assume there is a political affiliation when in fact they were preparing for class.”</p>
<p>Gould puts it this way: &#8220;If you take the new Google policy and combine it with Facebook Timeline, the danger of hacking attacks for government users is multiplied by ten.&#8221;</p>
<p>Gould worries about the all-too-common scenario where an intruder e-mails a government worker pretending to be an acquaintance. &#8220;They can put information in an e-mail which they can get from your Facebook Timeline, and trick you into downloading a piece of spyware,&#8221; he says.</p>
<p>Heightened cross-referencing of an individual worker&#8217;s Google search, Gmail and YouTube activities poses similar risks, he says.</p>
<p>“If you have Facebook Timeline and you have tens of thousands of people using Google apps in government, you&#8217;re going to get a lot more of these cases of accidentally disclosing their password, or downloading some kind of spyware, because they got an e-mail they thought was from a friend or acquaintance, and the e-mail seems to know about their past life or interests or concerns,” Gould says.</p>
<p>&#8211;By Byron Acohido</p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/larry-page-show-testify-congress/" rel="bookmark" class="crp_title">Will Larry Page show up to testify before Congress?</a></li><li><a href="http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/" rel="bookmark" class="crp_title">Google execs to give closed-door briefing, CEO stays home</a></li><li><a href="http://lastwatchdog.com/facebook-google-users-worry-privacy-security/" rel="bookmark" class="crp_title">Most Facebook, Google users worry about privacy and security</a></li><li><a href="http://lastwatchdog.com/google-execs-lack-clarity-closed-door-briefing-congress/" rel="bookmark" class="crp_title">Google execs lack clarity in closed-door briefing of Congress</a></li><li><a href="http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/" rel="bookmark" class="crp_title">Risks rise as Google, Facebook intensify profiling</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risks rise as Google, Facebook intensify profiling</title>
		<link>http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/</link>
		<comments>http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 22:42:45 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11896</guid>
		<description><![CDATA[Google and Facebook might have finally gotten the average consumer riled up about privacy. For the past two years, each company has experimented with different ways to divine more and more about how people live their lives on the Internet, without sparking a revolt. But the plans the rivals announced on Tuesday, which critics say [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11897" href="http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/usabrd_usaeast_1_01-26-2012_0_b1_b_b_001_4_214328-ps/"><img class="alignleft size-full wp-image-11897" title="USABrd_USAEast_1_01-26-2012_0_B1_B_B_001_4_214328.ps" src="http://lastwatchdog.com/wp/wp-content/uploads/Googe_FB-cover.jpg" alt="" width="175" height="159" /></a>Google and Facebook might have finally gotten the average consumer <a href="http://www.usatoday.com/tech/news/story/2012-01-25/google-facebook-competition/52796502/1">riled up</a> about privacy.</p>
<p>For the past two years, each company has experimented with different ways to divine more and more about how people live their lives on the Internet, without sparking a revolt.</p>
<p>But<a href="http://www.usatoday.com/tech/news/story/2012-01-24/google-data/52775646/1"> the plans</a> the rivals announced on Tuesday, which critics say could dramatically rev up their respective abilities to gather intelligence on individual Internet users, seem to have<a href="http://www.usatoday.com/tech/news/story/2012-01-25/google-facebook-competition/52796502/1"> struck a chord. </a>An informal and unscientific survey of Web users by USA TODAY found a majority speaking out against the new business practices announced by Google and Facebook.</p>
<p>&#8220;It&#8217;s dangerous for two companies to have so much personal data, regardless of whether the specific threats of that data consolidation are immediately clear,&#8221; says Sarah Downey, a privacy analyst at software maker Abine.</p>
<p><a rel="attachment wp-att-11907" href="http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/usabrd_usaeast_1_01-26-2012_0_b2_b_b_002_1_212539-ps/"><img class="alignleft size-full wp-image-11907" title="USABrd_USAEast_1_01-26-2012_0_B2_B_B_002_1_212539.ps" src="http://lastwatchdog.com/wp/wp-content/uploads/GoogleFB_chart425px.jpg" alt="" width="425" height="346" /></a>Compelled to tap what many experts predict will be the next big Internet mother lode — online advertising — Google and Facebook laid down very big bets, during a week when European regulators are hashing out strict new rules that could prevent much of what the tech giants seek to do.</p>
<p>Google signaled its intent to begin correlating data about its users&#8217; activities across all of its most popular services and across multiple devices. The goal: to deliver those richer behavior profiles to advertisers.</p>
<p>Likewise, Facebook announced it will soon make Timeline the new, more glitzy user interface for its service, mandatory.</p>
<p>Timeline is designed to chronologically assemble, automatically display and make globally accessible the preferences, acquaintances and activities for most of Facebook&#8217;s 800 million members.</p>
<p>Google and Facebook have repeatedly insisted that the changes are intended strictly to improve users&#8217; experiences.</p>
<p>&#8220;Facebook works the way it always has,&#8221; says spokeswoman Meredith Chin. &#8220;There is no new information on Facebook as a result of Timeline, and no privacy settings have been changed with the introduction of it. It&#8217;s simply an updated version of the profile.&#8221;</p>
<p>But the changes have stirred anger from many consumers. Some, such as Joyce Norman, a writing consultant from Birmingham, Ala., are considering ways to limit their exposure to Google&#8217;s and Facebook&#8217;s new business practices. &#8220;Mine is not a lone voice crying in the wilderness,&#8221; says Norman.</p>
<p>Benjammin Gaultney of Montague, Mich., sees it differently, looking forward to the possibility of more appropriate ads coming to his screen. &#8220;You have to deal with ads all over the Internet either way,&#8221; he wrote on USA TODAY&#8217;s Facebook page. &#8220;Advertisers could at least try to sell me something I&#8217;m actually interested in rather than life insurance.&#8221;</p>
<p>Meanwhile, a high-stakes lobbying effort is unfolding in Washington aimed at shaping policies favorable to U.S. tech companies and blunting any potential move to follow Europe&#8217;s more conservative proposals to limit online tracking by companies.</p>
<p>The tech giants sharply increased their lobbying spending last year. Google spent $9.7 million in lobbying in 2011, up from $5.2 million in 2010, says the Center for Responsive Politics. Facebook spent $1.4 million in 2011 vs. $351,000 in 2010.</p>
<p>The driver: advertising revenue. The global online advertising market is expected to swell to $132 billion by 2015, up from $80 billion this year, according to eMarketer. Google and Facebook are putting their abilities to index individuals&#8217; online activity and behaviors into high gear to tap into this market, analysts say.</p>
<p>&#8220;If they can make the ads more relevant, the logic goes, they can increase the number of advertisers and the price they can charge per click (on each ad),&#8221; says Alex Daley, chief investment strategist at Casey Research. &#8220;Because the click will be from more qualified leads — customers who are more interested in the product — they can grow the revenue base.&#8221;</p>
<p>But security analysts, privacy advocates and technologists say consumers probably should be very concerned. While making richer behavioral data more readily available to advertisers, Google&#8217;s new data-correlating practices and Facebook&#8217;s new Timeline and Open Graph, a more powerful way to express preferences on third-party websites, also tend to aid and abet more unsavory uses.</p>
<p><strong> Beware of cybercrooks</strong></p>
<p>Richer personal details are very beneficial to identity thieves and cyberspies, as well as to parties motivated to use such data unfairly against consumers, such as insurance companies, prospective employers, political campaigners and, lately, hacktivists, security analysts say.</p>
<p>&#8220;What these unilateral decisions by Google and Facebook demonstrate is a complete disregard for their users&#8217; interests and concerns,&#8221; says John Simpson, spokesman for Consumer Watchdog. &#8220;It&#8217;s an uncommonly arrogant approach not usually seen in business, where these companies believe they can do whatever they want with our data, whenever and however they want to do it.&#8221;</p>
<p>Google has a long history of running into privacy problems.</p>
<p>Its Gmail raised hackles early on when the search giant decided to mingle advertising alongside users&#8217; e-mail. The move initially concerned people because the ads&#8217; relevancy was linked to e-mails inside users&#8217; accounts. For example, if a person was writing about buying a car, ads for cars could appear alongside that individual&#8217;s e-mail. To many, that felt like a privacy intrusion.</p>
<p>The search giant maintains that such contextual ads, where advertisers can bid on keywords that relate to a user&#8217;s content, don&#8217;t reveal personal identities. Gmail users can turn some of the ads off, but adjusting the feature requires some work.</p>
<p>Much of this type of product development is the result of Google taking a very engineer-focused approach to mining data rather than serving consumer interests, say industry experts. Google engineers want to play with technology first, but they think about how the product plays with consumers and privacy second, says IDC analyst Karsten Weide.</p>
<p>When Google tried to build its Buzz social network in 2010 from Gmail contacts, it ran into privacy problems. It began publicizing users&#8217; contacts without asking. The Federal Trade Commission last year charged Google with &#8220;deceptive privacy practices&#8221; in the handling of Buzz.</p>
<p>Google &#8220;did not respect&#8221; consumers&#8217; expectations of privacy, says Helen Nissenbaum, a professor of media, culture and communication at New York University. &#8220;They (Google) seem to be doing the same thing here&#8221; with the privacy update.</p>
<p>Under terms of the FTC consent order, Google agreed to a 20-year independent review of its privacy practices.</p>
<p>But the changes announced Tuesday may again set it on a collision course with the FTC.</p>
<p>&#8220;We do believe the proposed changes . . .  violate the FTC consent order,&#8221; says Marc Rotenberg, executive director of the Washington, D.C.-based Electronic Privacy Information Center. Those changes could subject Google to monetary damages under Google&#8217;s agreement with the FTC, says Rotenberg.</p>
<p>But Rachel Whetstone, Google&#8217;s senior vice president for public policy and communications, says the company would not have proposed privacy updates that run afoul of the FTC settlement.</p>
<p>&#8220;We try to be transparent about the data we collect and give meaningful controls about how data is used,&#8221; says Whetstone.</p>
<p>There are also concerns about Google&#8217;s recent move to roll activities on its Google+ social network into users&#8217; search results. The opt-in integration of those two Google products mingles profiles, photos and posts of people a user follows on Google+ into the user&#8217;s search results if they choose.</p>
<p>Whetstone says it doesn&#8217;t raise privacy issues because the information is viewed only by the user.</p>
<p><strong> Facebook&#8217;s issues</strong></p>
<p>Facebook has had its own issues, most recently in November when the FTC announced a broad settlement that requires the company to respect the privacy wishes of its users and subjects it to audits for the next 20 years.</p>
<p>The order, which claimed Facebook engaged in &#8220;unfair and deceptive&#8221; practices in December 2009, stems largely from the way Facebook handled information its users deemed to be private information.</p>
<p>On Tuesday it announced that Timeline will become the default user interface for all members over the next few weeks.</p>
<p>Combined with the addition last week of some 60 apps specifically written for Timeline, consumers can provide a detailed account, often in real time, of the music they listen to, what they eat, where they shop — even where they jog.</p>
<p>The deeper personal data of Timeline — which Facebook users willfully share — are potentially online advertising gold for marketers and advertisers. This is especially crucial, analysts say, as Facebook steamrolls toward an initial public stock offering this year.</p>
<p>The company is under pressure to increase sales and profits to meet the lofty expectations of shareholders, and online advertising is the most logical place to do that. Facebook gleaned 89% of its estimated $4.3 billion in revenue last year, or about $3.8 billion, from online ads, according to eMarketer.</p>
<p>&#8220;If Facebook has richer behavioral targeting data than Google, then it has an edge up in relevance,&#8221; says Casey Research&#8217;s Daley. &#8220;And an edge up in relevance is an edge up in revenue.&#8221;</p>
<p>Some Wall Streeters believe the changes made by Google and Facebook will have only an &#8220;incremental&#8221; effect on the battle between the two giants in going after online advertising dollars.</p>
<p>Both companies continue to be dominant in their markets, which &#8220;tend to be winner-takes-all markets,&#8221; says Ryan Jacob of the Jacob Internet fund. Google continues to hold strength in online search and is a strong player in online video with YouTube and in mobile with its Android operating system, he says.</p>
<p>But &#8220;Google has a long way to go before it can be considered a credible competitor to Facebook,&#8221; he says.</p>
<p>Google&#8217;s moves, if anything, are &#8220;somewhat defensive,&#8221; he says. &#8220;For them (Google) to maintain their position in search, it&#8217;s important for them to be players in other areas,&#8221; he says.</p>
<p>Channing Smith of money management firm Capital Advisors, which owns shares of Google, is more optimistic. &#8220;If it continues to put up numbers for Google+, it can be a competitor to Facebook,&#8221; he says.</p>
<p>Rep. Ed Markey, D-Mass., who has already been pressing Facebook to explain its tracking systems, said on Wednesday that he would ask the FTC to take a close look at Google&#8217;s new privacy policies.</p>
<p>&#8220;Google&#8217;s privacy policy changes mean consumers can&#8217;t say no to sharing their personal information across Google&#8217;s websites,&#8221; Markey said. &#8220;Consumers, not Google, should be able to make these decisions.&#8221;</p>
<p>By Byron Acohido, Scott Martin and Jon Swartz</p>
<p>Contributing: Mike Snider, Roger Yu, Matt Krantz</p>
<p>Originally published 26 Jan. 2012, USA TODAY print editions. P1B</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chilling effect of MegaUpload raid takes hold</title>
		<link>http://lastwatchdog.com/chilling-effect-megaupload-raid-spreads/</link>
		<comments>http://lastwatchdog.com/chilling-effect-megaupload-raid-spreads/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 15:19:28 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11855</guid>
		<description><![CDATA[By Byron Acohido and Scott Martin, USA TODAY Caution is spreading among popular file-sharing services known for letting users circulate pirated Hollywood content. FileSonic, FileServe and Uploaded.to have abruptly cut off the sharing of movies, games and other software just days after the Justice Department closed down Megaupload, the largest such site. &#8220;It looks like [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11856" href="http://lastwatchdog.com/chilling-effect-megaupload-raid-spreads/cyberlockers175px/"><img class="alignleft size-full wp-image-11856" title="cyberlockers175px" src="http://lastwatchdog.com/wp/wp-content/uploads/cyberlockers175px.jpg" alt="" width="175" height="40" /></a>By Byron Acohido and Scott Martin, USA TODAY</p>
<p><a href="http://www.usatoday.com/tech/news/story/2012-01-23/file-sharing-anti-piracy/52760484/1">Caution is spreading</a> among popular file-sharing services known for letting users circulate pirated Hollywood content.</p>
<p>FileSonic, FileServe and Uploaded.to have abruptly cut off the sharing of movies, games and other software just days after the Justice Department closed down Megaupload, the largest such site.</p>
<p>&#8220;It looks like the chilling effect has already started,&#8221; says Dennis Fisher, editor in chief of security blog Threatpost. &#8220;Maybe one of the reasons the U.S. government is going after companies alleged to be hosting infringing content is to serve as a deterrent for others engaging in similar activity.&#8221;</p>
<div id="attachment_11861" class="wp-caption alignleft" style="width: 105px"><a rel="attachment wp-att-11861" href="http://lastwatchdog.com/chilling-effect-megaupload-raid-spreads/dennis_fisher_95px/"><img class="size-full wp-image-11861" title="dennis_fisher_95px" src="http://lastwatchdog.com/wp/wp-content/uploads/dennis_fisher_95px.jpg" alt="" width="95" height="135" /></a><p class="wp-caption-text">Fisher</p></div>
<p>FBI and Department of Justice officials do not discuss ongoing investigations.</p>
<p>File-sharing services, also referred to as cyberlockers, enable users to easily upload, store and share large files on a server in the Internet cloud. This includes movies, music, gaming applications, software tools, multimedia presentations and the like.</p>
<p>But cyberlocker companies have not come up with a good way to consistently stop copyright infringement. &#8220;As soon as you let users trade files back and forth, you really don&#8217;t have much control,&#8221; says Wade Williamson, senior security analyst at firewall supplier Palo Alto Networks.</p>
<p>The motion-picture industry, for one, has been pushing U.S. regulators to enforce copyrights with respect to film content showing up in cyberlockers.</p>
<p>One recent measure of how widespread the problem is comes from Palo Alto Networks&#8217; recent analysis of the Internet traffic at 1,636 companies, with more than 4 million employees, in the second half of 2011.</p>
<p>The analysis found employees at six in 10 companies used Megaupload to download large content files. Overall, 25% of corporate traffic to and from cyberlockers came from Megaupload, which specialized in entertainment content. Some 22% came from Dropbox, a workplace productivity and collaboration service, followed by 15% from MediaFire, another entertainment-oriented service. The next three most-active cyberlockers in corporate settings were entertainment oriented: FileSonic, 4shared and FilesTube.</p>
<p>FileSonic is noteworthy because it has recently begun to establish formal distribution agreements with artists. Those contracts could be frozen if the authorities were to pursue copyright-infringement actions against FileSonic.</p>
<div class="wp-caption alignnone" style="width: 375px"><img class=" " src="http://lastwatchdog.com/wp/wp-content/uploads/Filesonic_chart425-365x250.jpg" alt="" width="365" height="250" /><p class="wp-caption-text">Cyberlocker traffic: yellow=MegaUpload; green=FileSonic; grey=RapidShare. Source: Sandvine</p></div>
<p>FileSonic couldn&#8217;t be reached for comment.</p>
<p>&#8220;They appear to be able to deliver files in an above-board way,&#8221; says Williamson. &#8220;In shutting down the ability of their users to trade files back and forth, they may be moving to protect their flank.&#8221;</p>
<p>FileSonic, based in the U.K., posted a message on its website: &#8220;All sharing functionality on FileSonic is now disabled. Our service can only be used to upload and retrieve files that you have uploaded personally.&#8221;</p>
<p>Last December, FileSonic began scanning user uploads in an effort to stop copyrighted material from going on the site.</p>
<p>Meanwhile, Derek Labian, co-founder and CEO of Shenandoah, Texas-based MediaFire, says what&#8217;s happened with Megaupload is &#8220;concerning&#8221; but won&#8217;t stop MediaFire from continuing business as usual. MediaFire has 25 million account users.</p>
<p>&#8220;We&#8217;re a U.S.-based company and follow U.S. law. It&#8217;s pretty much that simple for us,&#8221; says Labian. FileSonic&#8217;s move to disable certain downloads is &#8220;pretty drastic,&#8221; he says.</p>
<p>It is troubling that legitimate digital storage services should feel compelled to monitor their users, says intellectual property director Corynne McSherry of the San Francisco-based Electronic Frontier Foundation. &#8220;In terms of privacy, that should be a concern,&#8221; she says.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/chilling-effect-megaupload-raid-spreads/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zappos hack shows risk of using e-mail as your account username</title>
		<link>http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/</link>
		<comments>http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 01:00:11 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11817</guid>
		<description><![CDATA[If you’ve ever shopped at Zappos now would be a good time to take stock of the e-mail address and password you use most often to shop and bank online. The popular online shoe retailer, a division of Amazon, disclosed on Sunday that hackers cracked its customer database to steal records for some 24 million [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11818" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/zappos_logo175px/"><img class="alignleft size-full wp-image-11818" title="zappos_logo175px" src="http://lastwatchdog.com/wp/wp-content/uploads/zappos_logo175px.jpg" alt="" width="175" height="131" /></a>If you’ve ever shopped at Zappos now would be a good time to take stock of the e-mail address and password you use most often to shop and bank online.</p>
<p>The popular online shoe retailer, a division of Amazon, disclosed on Sunday that hackers cracked its customer database to steal records for some 24 million customers.</p>
<p>The data thieves did not get any payment card numbers, because that data was encrypted, as required under the <a href="http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard">Payment Card Industry Data Security Standard.</a></p>
<p>But as is a common practice with many online retailers, Zappos did not encrypt its customers’ e-mail and shipping addresses, phone numbers, the last four digits of the payment card numbers and the account passwords.</p>
<div id="attachment_11819" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11819" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/todd-fienman90px/"><img class="size-full wp-image-11819" title="Todd Fienman90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Todd-Fienman90px.jpg" alt="" width="90" height="123" /></a><p class="wp-caption-text">Feinman</p></div>
<p>Retailers do not typically encrypt any data beyond what is required under PCI-DSS rules, which are enforced by VISA and Mastercard, because doing so can degrade a website’s performance, says Todd Feinman, CEO of database security firm Identity Finder.</p>
<p>Feinman says it&#8217;s technically trivial for corporations to extend encryption beyond payment card numbers to other consumer data known to hold value in the Internet underground. &#8220;Visa and Mastercard fight to protect credit card numbers, but there&#8217;s no one fighting for the individual consumer whose e-mail address falls into the possession of hackers,&#8221; says Feinman.</p>
<p>E-commerce has come to revolve around account usernames based on a valid e-mail address, and most consumers aren&#8217;t aware of the inherent risk that arrangement engenders. Many use the same e-mail address and password to create financial transaction accounts across multiple websites. Cybercriminals know this and are expert at taking full advantage.</p>
<p><a rel="attachment wp-att-11829" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/zappos_boxes225px/"><img class="alignleft size-full wp-image-11829" title="zappos_boxes225px" src="http://lastwatchdog.com/wp/wp-content/uploads/zappos_boxes225px.jpg" alt="" width="225" height="141" /></a>Zappos customers should be on high alert for “phishing” e-mail crafted to lure them into divulging sensitive information, such as a Social Security number, or to clicking on a seemingly trustworthy weblink that actually installs a virus.</p>
<p>And they should be aware that the hackers are likely to use their Zappos account e-mail and password to find and access their other online accounts. “The hackers will be crunching the password data to identify where weak passwords have been used &#8211; as those users often re-use passwords,” says Stina Ehrensvard, CEO of authentication hardware maker Yubico. “We&#8217;re highly likely to see the data being used elsewhere on the Internet in the coming days.”</p>
<p><em>(<strong>UPDATE 17 Jan 2012: </strong> Zappos did not store any clear text passwords. What the thieves took were password hashes, alphanumeric strings substituted for the actual passwords. Free tools, called hash tables, can display password hashes as the associated password. Hash tables are widely available for free use, and are particularly effective at deciphering hashes for passwords that use simplistic combinations of letters and numbers.)</em></p>
<p>The crooks can also make productive use of the last four digits of a victim’s payment card numbers. “It’s one more piece of information to make the consumer think the phishing message is authentic,” says Feinman.</p>
<p>Zappos itself is sending e-mails to its customers asking them to create new passwords for their Zappos accounts. The company <a href="http://blogs.zappos.com/securityemail">recommends </a>users change passwords on any other website where they use the same or similar passwords.</p>
<div id="attachment_11820" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11820" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/tony-hsieh90px/"><img class="size-full wp-image-11820" title="Tony Hsieh90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Tony-Hsieh90px.jpg" alt="" width="90" height="107" /></a><p class="wp-caption-text">Hsieh</p></div>
<p>&#8220;We&#8217;ve spent over 12 years building our reputation, brand, and trust with our customers,&#8221; CEO Tony Hsieh said in a blog statement. &#8220;It&#8217;s painful to see us take so many steps back due to a single incident.&#8221;</p>
<p>Notice of the Zappos breach follows the disclosure of the<a href="http://lastwatchdog.com/2011-year-hacktivists/"> Christmas Eve break-in</a> of Stratfor.com, in which hacktivists stole, then posted online, credit card numbers and account logons for more than 50,000 of the online publication’s subscribers.</p>
<p>And 2011 proved to be an unprecedented year for headlines about major database break-ins at Sony, Google, Bank of America, RSA, Lockheed, Epsilon, Nasdaq Directors Desk and the U.S. Chamber of Commerce, among many others.</p>
<p>Security experts and technologists point to several developments that suggest the pattern is likely to continue in 2012.</p>
<div id="attachment_11850" class="wp-caption alignleft" style="width: 435px"><a rel="attachment wp-att-11850" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/hash_tool425px/"><img class="size-full wp-image-11850 " title="Hash_tool425px" src="http://lastwatchdog.com/wp/wp-content/uploads/Hash_tool425px.jpg" alt="" width="425" height="312" /></a><p class="wp-caption-text">Example of a hash table</p></div>
<p>Many corporate system break-ins begin by tricking one employee to click on a corrupted web link or open a poisoned attachment.</p>
<p>Such poisoned messages arrive by e-mail, seemingly from a trusted associate, or, increasingly, circulate in Facebook and Twitter. The increasing use of sharing applications &#8212; on workplace computers and mobile devices &#8212; multiplies opportunities for clever hackers. Even the largest, most sophisticated corporations are vulnerable.</p>
<p>“This is a harbinger for 2012,” says Feinman. “This is the type of thing we’re going to see all year round.”</p>
<div id="attachment_11821" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11821" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/stina_ehrensvard/"><img class="size-full wp-image-11821" title="Stina_Ehrensvard" src="http://lastwatchdog.com/wp/wp-content/uploads/Stina_Ehrensvard.jpg" alt="" width="90" height="126" /></a><p class="wp-caption-text">Ehrensvard</p></div>
<p>Yubico&#8217;s Ehrensvard agrees. &#8220;Until CEOs realize the cost of doing nothing, and ask difficult questions of their teams, we expect to see regular reports of breaches,&#8221; she says. &#8220;It&#8217;s no longer acceptable for a CEO to leave the security of their customers&#8217; data to others. It is their responsibility when it&#8217;s stolen.&#8221;</p>
<p>The Zappos breach underscores a need for corporations, especially online retailers, to reassess the risks associated with routinely amassing mountains of customer data, and to consider beefing up database defenses, security experts say.</p>
<p>“As more consumers choose to shop online, it becomes even more critical for retailers to monitor for malicious activity and protect their customer information,” says Mandeep Khera, chief marketing officer at data monitoring firm LogLogic. “This diligence helps protect their brands, and helps avoid compliance penalties.”</p>
<p>Cenzic CEO John Weinschenk at least gives Zappos credit for transparency. &#8220;Zappos’ response to their loss of customer data should be emulated by other organizations,&#8221; he says. &#8220;They outlined for their customers exactly what happened, what was stolen, and what it meant for them.</p>
<p>&#8220;Zappos took the first step by making this attack and data losses transparent. Now they need to prove to their customers they can be trusted in the future and protect personal information. That will be an ongoing process.”</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stratfor hack demonstrates new strain of censorship</title>
		<link>http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/</link>
		<comments>http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/#comments</comments>
		<pubDate>Thu, 12 Jan 2012 02:14:25 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11785</guid>
		<description><![CDATA[Hacking technology has become so accessible, and social network-based rabble rousing so prevalent, that hacktivists espousing confused motives can lash out indiscriminately &#8212; and cause crushing damage. That’s the upshot of the Christmas Eve Stratfor.com escapade widely attributed to members of the Anonymous hacking collective. The online global affairs publication relaunched its website today, three [...]]]></description>
			<content:encoded><![CDATA[<p><em><a rel="attachment wp-att-11788" href="http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/stratfor_screenshot144px/"><img class="alignleft size-full wp-image-11788" title="stratfor_screenshot144px" src="http://lastwatchdog.com/wp/wp-content/uploads/stratfor_screenshot144px.jpg" alt="" width="144" height="149" /></a>Hacking technology has become so accessible, and social network-based rabble rousing so prevalent, that hacktivists espousing confused motives can lash out indiscriminately &#8212; and cause crushing damage.</em></p>
<p><em>That’s the upshot of the Christmas Eve <a href="http://lastwatchdog.com/2011-year-hacktivists/">Stratfor.com escapade </a>widely attributed to members of the Anonymous hacking collective. The online global affairs publication<a href="http://www.usatoday.com/tech/news/story/2012-01-11/stratfor-hactivist/52508494/1"> relaunched its website </a>today, three weeks after hacktivists posted sensitive data for 50,000 Stratfor subscribers, then shut out the lights. The company has had to hire teams of forensics experts and security consultants to restore operations, including moving its entire e-commerce process to a third-party system, and eliminating the storing of credit information.</em></p>
<p><em>Stratfor CEO George Friedman acknowledged that the company had not encrypted customer information. &#8220;This was our failure,&#8221; Friedman said in a statement. &#8220;I take responsibility. I deeply regret that this occurred and created hardship for our customers and friends.”</em></p>
<p><em>Friedman believes the attack serves notice about a troublesome new strain of unpredictable censorship arising on the Internet. He elaborates on that notion in this exclusive LastWatchdog interview:</em></p>
<div id="attachment_11789" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11789" href="http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/george-friedman175px/"><img class="size-full wp-image-11789" title="George Friedman175px" src="http://lastwatchdog.com/wp/wp-content/uploads/George-Friedman175px.jpg" alt="" width="175" height="247" /></a><p class="wp-caption-text">Friedman</p></div>
<p><strong>LW: </strong>What exactly happened?</p>
<p><strong>Friedman:</strong> What happened to us was the credit card information was stolen earlier. We knew about that from the FBI. What they did on the 24th was nuked our servers. . . they went into the servers and rooted them, which meant that they destroyed the file structure, which normally means you can’t recover the information. They did that not only to our primary databases, they did that to our backups too. They were trying to make it impossible for us to re-emerge.</p>
<p><strong>LW:</strong> Why did you become a target?</p>
<p><strong>Friedman: </strong>If we’re to believe (the hackers), the reason was that we were the hub of a government-corporate complex, getting information from these people and, I gather, propagandizing. They had built a fantasy image of us as being part of a very powerful group. From our mailing list they selected all the corporate subscribers, and created this image of us as being an incredibly connected, powerful entity, and that was their justification.</p>
<p><strong>LW:</strong> How valid is that profile of you?</p>
<p><strong>Friedman: </strong>Not very valid at all. We certainly know people in Washington and all over the world. We have sources. That’s our job. But we have no access to classified or corporate information. That’s simply not what we do. We’re a publishing company.</p>
<p><strong>LW: </strong>You’ve been doing this a while.</p>
<p><strong>Friedman:</strong> We started Stratfor as a consultancy in 1996. After the Kosovo War we started moving into publishing because we found there was an appetite for international news. At this point, we’re almost entirely a publishing company. There is an audience that wants to understand international affairs more deeply from a non-ideological standpoint, and that’s who we serve. We’re careful and militant about not having an ideology, nor recommending any policy.</p>
<p><strong>LW:</strong> What’s a recent representative article?</p>
<p><strong>Friedman: </strong>A recent story predicted that there would be a major crisis in U.S. &#8211; Iranian relationships because of the vacuum created by the U.S. withdrawing from Iraq and how Iran was in the process of filling the vacuum. . . The point is we do pretty complex stories. We try to do the play-by-play of global affairs without rooting for any team.</p>
<p><strong>LW:</strong> Bradley Manning allegedly leaked a specific set of documents, presumably for deeply-held reasons of conscience. How was this leak any different?</p>
<p><strong>Friedman: </strong>It was an attempt to undermine our capacity to do our work. And it has a technical basis, they destroyed our servers and our backups. One part is the (leaked) credit card information, which we’re very sorry about because it affected our customers. Another part is the (leaked) e-mails, which will not show much. But the most serious thing is the attempt to destroy our digital capacities.</p>
<p>Individuals now have the ability, with full anonymity, to decide who they like and dislike, and if they dislike them, use their technology to destroy them. We’re lucky in that we have the financial and staff resources to recover. But there are other organizations that can be completely silenced, and never know who silenced them or why they did it.</p>
<p><strong>LW:</strong> So we’ve turned a corner?</p>
<p><strong>Friedman:</strong> If you want the definition of a new fascism it is faceless people, setting the rules, not forgetting, not forgiving and promising that they’re coming. That’s really a frightening vision of what’s going on. Imagine if this becomes a general activity.</p>
<p>We are entering a very dangerous space now. Anyone can have the skill and knowledge to do this. Any ideology can do it. It’s not as if this is a particular threat from the left or from Wall Street. It can come from anywhere, and anyone who disapproves of you can wreak havoc.</p>
<p><strong>LW:</strong> Was spear phishing a contributing factor in the initial breach?</p>
<p><strong>Friedman:</strong> I actually can’t talk about that because of the FBI investigation. As soon as the lid is off this, I’d love to talk to you about it.</p>
<p><strong>LW:</strong> You were offline for three weeks. To what degree have you been able to recover?</p>
<p><strong>Friedman:</strong> With a great deal of effort we have managed to recover enough to go live today, but without the entire archives. We&#8217;re functioning, and the archives will be built back in over the coming weeks. We’re spending a substantial amount of money both on our customer support and recovery. I can’t give you the number because we don’t know what it’s going to be. We’ve got three or four sets of consultants in here. It is going to cost us.</p>
<p><strong>LW:</strong> Have many of your subscribers lost faith in you?</p>
<p><strong>Friedman:</strong> When I looked at the e-mails we’ve received, and even looking at Twitter today, there was overwhelming support from our subscribers. In one narrative, we’re the saps for letting this happen. In the other, we’re the victims. And it’s interesting that our subscribers are the ones who regard us as the victims. My sense is we have the same relationship with our readers as we had before, regardless.</p>
<p><strong>LW:</strong> Anything else you’d like to add?</p>
<p><strong>Friedman:</strong> Implicit in the First Amendment is the idea that we all owe each other the right to be heard, and what Anonymous has done is to try to deny us that ability. There used to be a village commons, where everybody gathered to do business and talk. Everyone knew each other. There was no anonymity.</p>
<p>Now we have this global commons. And in the global commons, there is this element of anonymity, which I support. I think it’s a good thing. But it carries with it a responsibility, without which, there’s no accountability.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>2011: Year of the hacktivists</title>
		<link>http://lastwatchdog.com/2011-year-hacktivists/</link>
		<comments>http://lastwatchdog.com/2011-year-hacktivists/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 02:12:03 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11718</guid>
		<description><![CDATA[Stratfor.com remains inoperative nearly three weeks after a Christmas Eve hacktivist break-in. To add insult to injury, a prankster has begun sending bogus e-mail messages to the online publication&#8217;s subscribers asking them to rate the company&#8217;s response to the breach, according to Sophos&#8217; analyst Chet Wisniewski. The attack on Strategic Forecasting &#8212; which supplies its [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11719" href="http://lastwatchdog.com/2011-year-hacktivists/anonymous_masks150px/"><img class="alignleft size-full wp-image-11719" title="anonymous_masks150px" src="http://lastwatchdog.com/wp/wp-content/uploads/anonymous_masks150px.jpg" alt="" width="150" height="160" /></a>Stratfor.com remains inoperative nearly three weeks after a Christmas Eve hacktivist break-in. To add insult to injury, a prankster has begun <a href="http://nakedsecurity.sophos.com/2012/01/06/stolen-stratfor-mailing-list-used-to-rickroll-customers-this-time/">sending bogus e-mail</a> messages to the online publication&#8217;s subscribers asking them to rate the company&#8217;s response to the breach, according to Sophos&#8217; analyst Chet Wisniewski.</p>
<p>The attack on Strategic Forecasting &#8212; which supplies its subscribers with independent analysis on global affairs &#8212; capped an unprecedented year for online shenanigans fueled by ideological ire.</p>
<div id="attachment_11768" class="wp-caption alignleft" style="width: 235px"><a rel="attachment wp-att-11768" href="http://lastwatchdog.com/2011-year-hacktivists/120110_stratfor_scsh225px/"><img class="size-full wp-image-11768" title="120110_Stratfor_ScSh225px" src="http://lastwatchdog.com/wp/wp-content/uploads/120110_Stratfor_ScSh225px.jpg" alt="" width="225" height="195" /></a><p class="wp-caption-text">Crippled website</p></div>
<p>Much like the Occupy Wall Street protesters, members of the loose-knit Anonymous and LulzSec hacking co-ops &#8212; so-called hacktivists &#8212; were motivated by political and personal beliefs, and sought no financial gain.</p>
<p>And their hacking escapades seemed to spontaneously combust in private online chat rooms and on Facebook and Twitter.</p>
<p>&#8220;We saw groups of like-minded individuals banding together to make their voices heard,” says Michael Sutton, research vice president at security firm Zscaler. &#8220;Technology played a critical role in allowing hacktivist groups to communicate, share ideas and quickly act – something that was not always possible.&#8221;</p>
<p>News of the Stratfor caper broke on pastebin.com, an open website where programmers store and share code. (Interestingly, pastebin last week had to <a href="http://www.theregister.co.uk/2012/01/04/pastebin_ddos_recovery/">defend itself </a>against a denial of service attack.) In what has become a familiar pattern, the Stratfor hackers posted a breezy &#8220;press release,&#8221; claiming to be from Anonymous.</p>
<p>As proof of the hack, the culprits disclosed credit card details for thousands of subscribers to Stratfor&#8217;s daily newsletters. Three separate lists contained payment card data for 3,956, 13,191 and 30,726 customers, respectively, says Mikko Hypponen, senior researcher at antivirus firm F-Secure.</p>
<p><strong>Digital Robin Hood</strong></p>
<p>Next, the hackers used stolen card numbers to make large donations to Red Cross, CARE, Save The Children, the African Child Foundation and other charity groups, posting screenshots of the transactions. However, the credit card companies in most cases retrieved the cash and hit the charities with chargeback fees.</p>
<p>&#8220;At first this looked a bit like the actions of Robin Hood,&#8221; Hypponen says. &#8220;In this case, the poor didn&#8217;t get a dime.&#8221;</p>
<p>The hackers’ sole whimsical demand: a &#8220;delicious&#8221; Christmas meal for Bradley Manning, the army soldier being held since May 2010 on suspicion of supplying the WikiLeaks website with classified material.</p>
<p><a rel="attachment wp-att-11732" href="http://lastwatchdog.com/2011-year-hacktivists/anonymous_robinhood225px-2/"><img class="alignleft size-full wp-image-11732" title="anonymous_robinhood225px" src="http://lastwatchdog.com/wp/wp-content/uploads/anonymous_robinhood225px1.jpg" alt="" width="225" height="138" /></a>&#8220;While the rich and powerful are enjoying themselves with all their bourgeois gifts and lavish meals, our comrade Bradley Manning is not having that great of a time in federal custody,&#8221; the press release states. &#8220;We want him out on the streets at a fancy restaurant of his choosing, and we want this to happen in less than five hours.&#8221;</p>
<p>Manning has emerged as a hacktivist touchstone. In December 2010, Anonymous temporarily crippled the websites of Visa, MasterCard, PostFinance and PayPal in retaliation for those companies refusing to process payments from WikiLeaks. Those refusals stemmed from Manning&#8217;s arrest and the detention of WikiLeaks founder Julian Assange.</p>
<p><strong>Hacktivists gone wild</strong></p>
<p>In the 12 months since then, hacktivists have gone wild. A wise-cracking splinter group, <a href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/">LulzSec,</a> emerged in early 2011. After Sony sued a young man for hacking the programming in his PlayStation gaming console, both collectives jumped into action.</p>
<p>Anonymous pilfered and posted payment card data for 77 million PlayStation Network and 25 million Sony Online Entertainment subscribers. LulzSec and others disrupted Sony websites in Canada, Japan, Europe and the Middle East.</p>
<p>Attacks followed against <a href="http://lastwatchdog.com/anonymous-wikileaks-continue-bedevil-bank-america/">Bank of America,</a> the <a href="http://online.wsj.com/article/SB10001424052970204058404577110541568535300.html?mod=djemalertTECH">U.S. Chamber of Commerce</a>, government and law enforcement agencies, financial institutions, media companies and even a Mexican drug cartel. During the summer, Anonymous and LulzSec merged into a co-op referred to as AntiSec.</p>
<p>&#8220;In-your-face arrogance backed up by stunning success made Anonymous and LulzSec big tech news stories all year long,&#8221; says Josh Shaul, chief technology officer at Application Security. &#8220;Recruits were lining up, and hackers were teaching classes to get more people in on the action.&#8221;</p>
<div id="attachment_11720" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11720" href="http://lastwatchdog.com/2011-year-hacktivists/kris-harms90px/"><img class="size-full wp-image-11720" title="Kris Harms90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Kris-Harms90px.jpg" alt="" width="90" height="128" /></a><p class="wp-caption-text">Harms</p></div>
<p>And hacktivists’ level of skill advanced apace, says Kris Harms, principal consultant at network security firm Mandiant.</p>
<p>&#8220;Hacktivists today are as capable as organized crime groups and nation states were in years past,&#8221; says Harms. &#8220;In 2011, we saw organized crime groups using malware that was historically used by nation-state-sponsored attack groups, and we’ve seen hacktivists using techniques more common to organized crime.&#8221;</p>
<p><strong>Lessons learned</strong></p>
<p>Harms says the lesson for corporations and governments is obvious: &#8220;Today’s hacking groups will only get better, and most likely at a rate that exceeds most organizations’ defensive improvements. This is because they are learning from each other. Corporations and governments need to recognize break-ins are inevitable. 2012 will be the year of detect-and-respond for organizations desiring to stay out of the spotlight.&#8221;</p>
<div id="attachment_11721" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11721" href="http://lastwatchdog.com/2011-year-hacktivists/michael-sutton_90px-4/"><img class="size-full wp-image-11721" title="Michael Sutton_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Michael-Sutton_90px3.jpg" alt="" width="90" height="137" /></a><p class="wp-caption-text">Sutton</p></div>
<p>Zscaler&#8217;s Sutton opines: &#8220;Arrests will be made and hacktivists will be outed, but it will have limited impact on the movements going forward. We&#8217;re not dealing with a structured entity where it is possible to cut the head off and slay the beast.</p>
<p>&#8220;Each subsequent attack discussed in the media inspires another wave of hacktivists to conduct their own efforts. Whether the attacks are carried out in an &#8216;official&#8217; capacity or by a rogue entity acting in the name of another is of little consequence – the outcome is the same. Enterprises and government organizations are having their networks breached and confidential data that they were entrusted with displayed for the world to see.</p>
<p>&#8220;These attacks should serve as a wake-up call to enterprises everywhere to revisit what they are doing to secure their data. Anonymous should be the least of their worries &#8211; at least Anonymous is letting them know about the breach once it is discovered. For every Anonymous, how many criminal enterprises are out there stealing data for profit, and it is going undetected for years?&#8221;</p>
<div id="attachment_11722" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11722" href="http://lastwatchdog.com/2011-year-hacktivists/josh_shaul_cto_90px-6/"><img class="size-full wp-image-11722 " title="Josh_Shaul_CTO_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Josh_Shaul_CTO_90px5.jpg" alt="" width="90" height="147" /></a><p class="wp-caption-text">Shaul</p></div>
<p>AppSec&#8217;s Shaul agrees: &#8220;All the success the hacktivists had using low-tech attack techniques in 2011 makes it clear just how vulnerable our sensitive data is. Attackers have turned their focus directly on to the databases, where the vast caches of information are stored.</p>
<p>&#8220;Information security teams need to shift their efforts to protect databases directly instead of the endless pursuit to seal off every endpoint and port on the network perimeter. While we’re all far more aware of the presence of hacktivists and the threat they represent, by and large, organizations continue to be far from ready to protect themselves in case of an attack. Anonymous is on everyone’s mind, but the it-won’t-happen-to-me attitude remains prevalent.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/2011-year-hacktivists/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Free anti-tracking services catch on with privacy-minded consumers</title>
		<link>http://lastwatchdog.com/free-anti-tracking-services-catch-on-privacy-minded/</link>
		<comments>http://lastwatchdog.com/free-anti-tracking-services-catch-on-privacy-minded/#comments</comments>
		<pubDate>Fri, 30 Dec 2011 00:31:38 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11689</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 30Dec2011, P1B Upon reading recent news stories about how Facebook tracks almost everywhere he goes on the Internet, Jim Kress grew outraged. The business process consultant from Northville, Mich., subsequently learned Google, Microsoft, Yahoo, Adobe and many other companies also exhaustively track his online activities. &#8220;I was very unnerved to [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11690" href="http://lastwatchdog.com/free-anti-tracking-services-catch-on-privacy-minded/antitracking_logo150px/"><img class="alignleft size-full wp-image-11690" title="antitracking_logo150px" src="http://lastwatchdog.com/wp/wp-content/uploads/antitracking_logo150px.jpg" alt="" width="150" height="139" /></a>By Byron Acohido, USA TODAY, 30Dec2011, <a href="http://www.usatoday.com/tech/news/story/2011-12-29/internet-privacy/52274608/1">P1B</a></p>
<p>Upon reading recent <a href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/">news stories</a> about how Facebook tracks almost everywhere he goes on the Internet, Jim Kress grew outraged.</p>
<p>The business process consultant from Northville, Mich., subsequently learned Google, Microsoft, Yahoo, Adobe and many other companies also exhaustively track his online activities. &#8220;I was very unnerved to discover the extent of all the other tracking that was done by nearly every site on the Web,&#8221; he says.</p>
<p><a rel="attachment wp-att-11700" href="http://lastwatchdog.com/free-anti-tracking-services-catch-on-privacy-minded/antitracking_tearsheet275px/"><img class="alignleft size-full wp-image-11700" title="antitracking_tearsheet275px" src="http://lastwatchdog.com/wp/wp-content/uploads/antitracking_tearsheet275px.jpg" alt="" width="275" height="372" /></a>So Kress, 61, did some homework about a powerful class of online tools and services — most of them free — designed to block online behavioral tracking. He began using a new free service called <a href="http://www.donottrackplus.com/?utm_source=organic&amp;utm_medium=downloads&amp;utm_campaign=abine.com">Do Not Track Plus</a> from Internet privacy start-up Abine.</p>
<p>Kress is part of a grass-roots movement that began to swell late in the year and is expected to continue growing in 2012: consumers taking online privacy into their own hands.</p>
<p>Suppliers of the best-known anti-tracking tools — Ghostery, Adblock Plus and TrackerBlock — all reported big jumps in usage in the second half of 2011.<a href="http://www.ghostery.com/"> Ghostery</a>, for instance, is being downloaded by 140,000 new users each month, with total downloads doubling to 4.5 million in the past 12 months, says Scott Meyer, CEO of parent company Evidon.</p>
<p><a href="http://adblockplus.org/en/">Adblock Plus</a> has been downloaded more than 140 million times and is currently in daily use by more than 17 million Internet users worldwide, managing director Till Faida says. <a href="https://addons.mozilla.org/en-US/firefox/addon/trackerblock/">TrackerBlock</a> usage continues to steadily rise, with total daily users numbering in the hundreds of thousands, says Jim Brock, founder of parent company PrivacyChoice.</p>
<div id="attachment_11697" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11697" href="http://lastwatchdog.com/free-anti-tracking-services-catch-on-privacy-minded/bill-kerrigan90px/"><img class="size-full wp-image-11697" title="Bill kerrigan90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Bill-kerrigan90px.jpg" alt="" width="90" height="120" /></a><p class="wp-caption-text">Kerrigan</p></div>
<p>Meanwhile, the goal of newcomer Abine, supplier of Do Not Track Plus, is to make anti-tracking as common as anti-virus for personal computing devices, says CEO Bill Kerrigan, who formerly headed anti-virus giant McAfee&#8217;s global consumer business.</p>
<p>Abine projects the number of Internet users in North America using anti-tracking tools and services will be 28.1 million by the end of 2012, up from 17.2 million today. &#8220;We want to drive the next level of adoption,&#8221; Kerrigan says. &#8220;No one is suggesting don&#8217;t use Facebook or Google. At the same time, we are suggesting there is a better way for consumers to experience those type of products without necessarily being tracked at every step they take in their digital life.&#8221;</p>
<p><strong>Privacy hot potato</strong></p>
<p>Online tracking has been a privacy hot potato for more than a decade. The relentless collection, correlation and selling of tracking data take place to help advertisers deliver more relevant ads to individual Web users.</p>
<p>Online tracking undergirds the burgeoning online display ad market, which is expected to swell 36% to $34.4 billion by the end of 2012, up from $25.3 billion in 2011, according to online marketing firm Zenith Optimedia.</p>
<p>Yet, despite this growing mountain of tracking data and the free flow of advertising dollars, the delivery of behaviorally targeted ads continues to be clunky, at best, says Aleecia McDonald, a resident fellow at the Stanford Center for Internet and Society. &#8220;Ad practices like retargeting, where you click on a pair of shoes once, and ads for the shoes follow you around the Web, make people wonder how that could have happened,&#8221; McDonald says.</p>
<p>Meanwhile, social networks and Web app developers are getting into the tracking game, exploring novel ways to derive fresh revenue from tracking data.</p>
<p>As digital shadowing escalates, so too have concerns about the erosion of traditional notions of privacy. Privacy advocates have long fretted that health companies, insurers, lenders, employers, lawyers, regulators and law enforcement could begin to acquire detailed profiles derived from tracking data to use unfairly against people.</p>
<p>Indeed, new research shows that as tracking technologies advance, and as more participants join the burgeoning tracking industry, the opportunities for privacy invasion are rising.</p>
<p>Facebook says it currently uses tracking data strictly to boost security and improve members&#8217; online experience. But it also has sought patent protection for technology that includes a method to correlate tracking data with advertisements.</p>
<p>These developments have heightened concerns about the co-mingling of sensitive information that consumers often naively disclose at many websites they visit. The Federal Trade Commission and several lawmakers took major steps in 2011 toward curbing how far companies can go to collect and share tracking data.</p>
<p>The FTC called for a Do Not Track mechanism that would enable Internet users to request not to be tracked. And Sen. Jay Rockefeller, D-W.Va., proposed a Do Not Track bill that would compel companies to heed such requests.</p>
<p>But tracking and online advertising companies lobbied intensively to maintain industry self-policing as the status quo. They&#8217;ve argued that unregulated tracking is necessary to help pay for free Web content and services that consumers have come to expect.</p>
<p>&#8220;Basic tracking of a user&#8217;s displayed behavior is an effective way for publishers to earn more revenue for their ad space and for advertisers to see greater returns on their marketing spends,&#8221; says Will Riegel, a New York City-based tracking data analyst.</p>
<p>Evidon CEO Meyer elaborates on the political posturing in this video:</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="239" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/4c1xdEU5lCM?version=3&amp;hl=en_US&amp;rel=0" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="425" height="239" src="http://www.youtube.com/v/4c1xdEU5lCM?version=3&amp;hl=en_US&amp;rel=0" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>As this debate extends into the new year, consumer backlash appears to be gaining grass-roots momentum. More and more average Web users, such as Doug Toombs, 25, a quality assurance engineer from Cambridge, Ontario, are discovering and using available anti-tracking technologies while the<a href="http://lastwatchdog.com/consumer-groups-blast-ad-industrys-do-not-track/"> global privacy debate continues.</a></p>
<p>Toombs recently started using Do Not Track Plus and marveled at how the tool automatically blocked more than 13,000 attempts to track his online activities in the course of a few weeks. &#8220;Being able to counteract it (tracking) absolutely made me feel much better,&#8221; Toombs says. &#8220;People need to fight back and not get bullied around by these big companies that think they can do anything they want.&#8221;</p>
<p><strong>Flaws and improvements</strong></p>
<p><a rel="attachment wp-att-11701" href="http://lastwatchdog.com/free-anti-tracking-services-catch-on-privacy-minded/antitracking_tearsheet2b_189px/"><img class="alignleft size-full wp-image-11701" title="antitracking_tearsheet2B_189px" src="http://lastwatchdog.com/wp/wp-content/uploads/antitracking_tearsheet2B_189px.jpg" alt="" width="189" height="417" /></a>Anti-tracking technologies have been around for several years, but most tools and services — including the anti-tracking features built directly into Microsoft&#8217;s Internet Explorer, Mozilla&#8217;s Firefox, Google&#8217;s Chrome and Apple&#8217;s Safari Web browsers — have earned a reputation for being complicated and confusing.</p>
<p>A study titled &#8220;Why Johnny Can&#8217;t Opt Out,&#8221; published last month by Carnegie Mellon University&#8217;s CyLab, found serious usability flaws in nine top anti-tracking systems.</p>
<p>&#8220;Our research found that these tools are difficult for consumers to use properly,&#8221; says CyLab professor Lorrie Faith Cranor, who conducted the research.</p>
<p>One complexity, for instance, is that anti-tracking tools must be configured to work with specific browsers. Another is that if you try to use multiple tools, things can go haywire.</p>
<p>Even so, more consumers appear to be looking for direct ways to control tracking, Stanford&#8217;s McDonald says.</p>
<p>&#8220;A sizable proportion of Internet users want to protect their privacy,&#8221; she says. &#8220;Better tools and more knowledge would do nothing if there were no demand for privacy.&#8221;</p>
<p>In response, anti-tracking software makers are hustling to deliver more accessible and flexible systems.</p>
<p>The latest version of Ghostery, for instance, is very quick and simple to download. And what the consumer gets is a blocking mechanism that is much more effective than simply issuing Do Not Track requests and hoping companies obey, as the FTC has called for, Evidon&#8217;s Meyer says.</p>
<p>Ghostery automatically blocks all tracking mechanisms issued by several hundred companies on an extensive list that includes two of the most expansive tracking networks: Google&#8217;s DoubleClick and Microsoft&#8217;s Media Network.</p>
<p>It also stops Facebook from amassing data about every Web page you visit that has a Facebook Like button or the Facebook Connect log-on service.</p>
<p>Ghostery&#8217;s blacklist is continually updated with help from a panel of some 300,000 of its users who voluntarily permit Evidon to continually analyze fresh attempts at tracking. &#8220;People love being part of the Ghostery community,&#8221; says Meyer. &#8220;It&#8217;s a very powerful group of sophisticated Web users who like having direct feedback into the product.&#8221;</p>
<p>TrackerBlock and Do Not Track Plus also rely on continually updated lists to block tracking mechanisms issued by ad networks and social networks, as does Adblock Plus, the most widely downloaded tool.</p>
<p>Adblock Plus is best-known for its ability to block online advertisements from being visually displayed on Web pages. But it can also be configured to block tracking mechanisms, and more users are setting it up that way, Faida says. &#8220;Our tool provides easy control over who is allowed to track you,&#8221; Faida says. &#8220;We are aware that some people have trouble using Adblock Plus as a tracking blocker, and therefore are going to make it much easier to use Adblock Plus as a privacy and security tool.&#8221;</p>
<p><strong>In control of your privacy</strong></p>
<p>Meanwhile, average consumers who&#8217;ve already figured out how to use the current anti-tracking tools say the trouble is well worth it.</p>
<p>William Morris, 55, a custom car restorer and home remodeler from Elk City, Okla., discovered that the performance of his older Windows XP desktop PC improved considerably once he curtailed the tracking communications constantly taking place in the background on his browser.</p>
<p>One evening, Morris spent two and a half hours researching a physics topic online, keeping an eye on the tally of tracking attempts blocked by Do Not Track Plus. The total: 4,076. &#8220;It&#8217;s unbelievable that there are that many entities out there on the Internet poking their nose into whatever I&#8217;m doing,&#8221; Morris says.</p>
<div id="attachment_11691" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11691" href="http://lastwatchdog.com/free-anti-tracking-services-catch-on-privacy-minded/jim_kress_90/"><img class="size-full wp-image-11691" title="Jim_Kress_90" src="http://lastwatchdog.com/wp/wp-content/uploads/Jim_Kress_90.jpg" alt="" width="90" height="114" /></a><p class="wp-caption-text">Kress</p></div>
<p>Kress, the consultant from Michigan, says the main benefit he reaps &#8220;is knowing that my browsing and Internet activities are much more private and are not being pirated by a collection of miscreants intent upon benefiting themselves, at my expense, without my knowledge or permission.&#8221;</p>
<p>Many users of TrackerBlock feel the same way. In a recent PrivacyChoice survey of 668 TrackerBlock users, 87% of the respondents said the reason they use an anti-tracking tool is that they do not want anyone collecting data about what they do online.</p>
<p>Consumers generally feel more comfortable being in control of who gets to analyze their browsing habits, PrivacyChoice founder Brock says.</p>
<p>&#8220;That feeling of control is something that the industry needs to deliver in order for behavioral targeting to be a sustainable marketing method,&#8221; Brock says. &#8220;The more you honor consumer preferences, the more consumers will be willing to accept tracking technologies.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/free-anti-tracking-services-catch-on-privacy-minded/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA&#8217;s Coviello: companies face new reality of persistent threats</title>
		<link>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/</link>
		<comments>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 21:55:37 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11657</guid>
		<description><![CDATA[It&#8217;s been a breathtaking year for mega data breaches. Security token giant RSA last March disclosed an embarrassing hack in which its crown jewel SecurID tags technology was pilfered. And tech security journalist Brian Krebs in October shed light on a list (presented to Congress) of 760 organizations that were similarly hacked, including a who&#8217;s who [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11658" href="http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/cyberattacks_175px/"><img class="alignleft size-full wp-image-11658" title="cyberattacks_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/cyberattacks_175px.jpg" alt="" width="175" height="131" /></a><em>It&#8217;s been a breathtaking year for mega data breaches. Security token giant RSA last March <a href="http://blogs.rsa.com/rivner/anatomy-of-an-attack/">disclosed an embarrassing hack</a> in which its crown jewel SecurID tags technology was pilfered.</em></p>
<p><em>And tech security journalist Brian Krebs in October <a href="http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/">shed light on a list</a> (presented to Congress) of 760 organizations that were similarly hacked, including a who&#8217;s who of the Fortune 100.</em></p>
<p><em>That&#8217;s just one subset of successful breaches, albeit a big one. Sony, Epsilon, Bank of America, HB Gary, DigiNotar, and, most recently, the <a href="http://www.eweek.com/c/a/Security/Hackers-Stole-Emails-From-Employees-in-Chamber-of-Commerce-Breach-744336/">U.S. Chamber of Commerce</a> also disclosed major data thefts.</em></p>
<p><em>RSA, a division of EMC, deserves kudos for disclosing details about how it got penetrated. Such post-event sharing has traditionally been rare among the good guys.</em></p>
<p><em>Arthur W. Coviello Jr., RSA&#8217;s executive chairman, just sent LastWatchdog this year-end review of key lessons learned and what to expect in 2012.</em></p>
<div id="attachment_11659" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11659" href="http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/art_coviello175px/"><img class="size-full wp-image-11659" title="ART_Coviello175px" src="http://lastwatchdog.com/wp/wp-content/uploads/ART_Coviello175px.jpg" alt="" width="175" height="226" /></a><p class="wp-caption-text">Coviello</p></div>
<p>By Art Coviello</p>
<p>I just came back from a five-week trip of meeting with customers around the world and never in my entire career have CEOs and corporate boards been as interested in security as they are now.  The common theme throughout these conversations was that we are facing a new reality &#8211; one of persistent, advanced and intelligent threat.</p>
<p>This new reality was reflected in the headline-grabbing attacks throughout 2011, from the attack on RSA to Sony, Epsilon and Google just to name a few.  Organizations around the world today are dealing with a deluge of digital information.  The velocity of sharing information is skyrocketing as well – driven by web-based applications, mobile devices, social networks and cloud computing.  As a result, we all are interconnected as never before.</p>
<p>This new openness to computing infrastructures is creating greater opportunities for collaboration, communication and innovation; but it’s also creating new vulnerabilities that cyber criminals, hacktivist groups and nation states have learned to exploit.  Attackers are taking advantage of gaps in security created by complex and disparate technology with increased speed, agility and cunning, easily outflanking perimeter security defenses such as anti-virus software and intrusion detection systems.</p>
<p>If there is a silver lining to this rising threat, it is that the furor around the attacks in 2011 has reached a crescendo; it’s no longer about awareness, it’s about action.  I believe that 2012 will be a year of action in which we’ll focus on key areas of improvement and innovation.</p>
<p><em>Real-time intelligence sharing will become a priority</em></p>
<p>In the era of advanced threats, greater situational awareness is essential to effectively detect, deter and to defend against cyber attacks.  The industry needs better frameworks for communicating threat information and strengthening the security posture of all interconnected parties.  In my conversations over the past months, people were united in their call for private and public sectors to work on establishing a common framework to share information dynamically and at line speed.  Today’s attackers are better at sharing real-time intelligence than their targets, and fixing this should be a top priority in 2012.</p>
<p><em>Security professionals will bridge the boardroom gap</em></p>
<p>Never before has information security captured the mind share of board members as it has this past year.  Information risk management must be integrated into an organization’s overall enterprise risk management strategy.  Now is the time to make security a board-level conversation.</p>
<p><em>Education and training of our cyber workforce will become front and center</em></p>
<p>As cyber threats escalate, we need to invest in building the cybersecurity workforce with the requisite skills to defend our enterprises, government and critical infrastructure and help drive continued innovation.  Efforts are underway and should receive our full support for cybersecurity programs that graduate more individuals with expertise in computer sciences, risk assessment, analytics, digital forensics and human behavior.</p>
<p><em>National governments will prioritize cybersecurity</em></p>
<p>Across the globe we are seeing governments prioritize cybersecurity as both a national security and economic security issue.  The growth in cyber-crime, the rampant theft of IP and other sensitive information from corporations, and the penetration of defense systems and critical infrastructure by cyber attackers have all contributed to the urgency placed on cybersecurity by national governments.  In the U.S., a bill on cyber threat intelligence information sharing between government and industry is expected to pass the House of Representatives, and in the Senate the Majority Leader has said that he will bring a comprehensive cybersecurity bill to the Senate floor by January or February.  Shoring up its own defenses, the U.S. Federal Government is ramping up its cybersecurity workforce plans, and forecasts for spending on cybersecurity initiatives top $13.3 billion by 2015.</p>
<p><em>Organizations will begin to change the way they think about security</em></p>
<p>Outpacing the advances in today’s cyber threats will take a new approach to information security.  Security must evolve from conventional frameworks of uncoordinated static point products to more advanced security systems that are risk-based and capable of meeting the challenges of dynamic threat environments.</p>
<p>Learning to live in a state of compromise, organizations will shift their security budgets away from traditional prevention technologies to detection technologies designed to limit exposure and mitigate damage from threats.  The pervasiveness of virtual desktops will grow as organizations struggle to protect endpoints.  And the adoption rate of technologies such as tokenization will take off as companies find new ways to protect sensitive and regulated information.</p>
<p>I believe 2012 also will be the year in which security management meets big data – enabled by advances in data storage, compute power and analytics.  With this big data capability, security teams will be able to gain real-time access to the entirety of information relevant to the detection and remediation of security problems.</p>
<p>If 2011 was the year of the attack, then I believe 2012 will be the year of resiliency and adaptation within the industry.  Our experiences of this year have indeed made us stronger and smarter.  Our society has made unimaginable progress over the past 20 years through advances in information technology.  It’s our responsibility to sustain this advancement through a trusted digital world.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why someone needs to compel companies to disclose cyberattack details</title>
		<link>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/</link>
		<comments>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 21:59:50 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11642</guid>
		<description><![CDATA[A flurry of mega data breaches rocked the Internet in 2011. They included RSA, Epsilon, Bank of America, HBGary, the U.S. Chamber (twice), Sony (multiple breaches) and DigiNotar. Meanwhile, the most sophisticated attack campaign yet seen, Duqu, has now likely burrowed deep inside dozens of corporations. At the same time, new variants of tried-and-true consumer attacks &#8212; ranging from [...]]]></description>
			<content:encoded><![CDATA[<p><em><img class="alignnone" title="Digital pearl harbor" src="http://lastwatchdog.com/wp/wp-content/uploads/pearharborxlarge.jpg" alt="" width="275" height="184" />A flurry of mega data breaches rocked the Internet in 2011. They included RSA, Epsilon, <a href="http://lastwatchdog.com/bank-america-denies-ties-wikileaks-smear-outed-anonymous/">Bank of America</a>, HBGary, the U.S. Chamber (twice), Sony (multiple breaches) and <a href="http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/">DigiNotar</a>. Meanwhile, the most sophisticated attack campaign yet seen, <a href="http://threatpost.com/en_us/blogs/anatomy-duqu-attacks-112111">Duqu</a>, has now likely burrowed deep inside dozens of corporations.</em></p>
<p><em>At the same time, new variants of tried-and-true consumer attacks &#8212; ranging from drive-by downloads, to clickjacking to phishing campaigns &#8212; have made the Web <a href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/">as infectious as ever</a>. In this LastWatchdog guest post Simon Crosby, co-founder and CTO of virtualized security start-up <a href="http://www.bromium.com/home/pr-062211-seriesa">Bromium</a>, argues that a big part of the problem lies in the good guys&#8217; reluctance to share what they know about how they&#8217;ve been hacked. It will probably take new laws to change that, he argues.</em></p>
<div id="attachment_11644" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11644" href="http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/simon_crosby175px-2/"><img class="size-full wp-image-11644" title="Simon_Crosby175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Simon_Crosby175px1.jpg" alt="" width="175" height="233" /></a><p class="wp-caption-text">Crosby</p></div>
<p>By Simon Crosby</p>
<p>For the last decade, we have been basking in the benefits of the Internet as a platform for democratization and commerce. Our society is now dependent on Internet connectivity. But we have blithely ignored the need to protect ourselves from its darker side. The public perception of cyber-criminals is of spotty-faced, anti-social pranksters.</p>
<p>Unfortunately, we are in an extraordinarily vulnerable position, and every aspect of our on-line society and critical infrastructure is being actively probed for vulnerabilities. This year has delivered more compelling evidence of the potentially crippling economic consequences of cyber-attacks by nation states and wealthy crime syndicates, such as <a href="http://washingtontechnology.com/articles/2011/07/21/stan-sloane-cyberattacks-ip-threats.aspx">various attacks deriving from China</a> which occurred throughout the year:</p>
<ul>
<li>In February, Chinese hackers broke into the systems of five multinational oil and natural gas companies to steal corporate information.</li>
<li>In August, a highly coordinated five-year campaign launched in China resulted in the hacking of 72 networks, including the United Nations and the US Government.</li>
<li>In October, a man in China successfully breached the networks of at least 48 chemical and defense companies, stealing design documents, formulas and details on manufacturing processes.</li>
</ul>
<p>Some loss projections could be <a href="http://www.oecd.org/dataoecd/57/44/46889922.pdf">over-hyped.</a> But it is clear that the Internet is already a key battleground in international conflicts.</p>
<p><strong>Attack details needed</strong></p>
<p>It’s time to get serious about the need to protect our society and our economic and national infrastructure.  None of us want to admit to losses, and we don’t share information about attacks. The only way to change this behavior is to impose legal requirements that place national interest above the interests of a single company.</p>
<p>Just as we require enterprises to comply with accounting regulations such as Sarbanes Oxley to protect all investors, we ought to require them to disclose information relevant to cyber-attacks – successful or not – and we should impose penalties on those that fail to adequately protect individuals or critical infrastructure; after all, technologies do exist that ensure network security.</p>
<p>If a nuclear facility fails due to poor engineering, we have every right to be upset. We need to recognize that an “insecure network” is an example of poor engineering, and define the consequences for those responsible.</p>
<p>Earlier this year, the White House proposed a new national cyber security plan that, in theory, seems to be focusing on appropriate tactics and measures. Among other specifics, the proposal mandates that private companies notify all customers of any and all data breaches and their potential for identity theft. It also would require organizations where breaches would result in the greatest impact to the nation &#8211; such as federal networks, power grids, water systems and other critical systems &#8211; to maintain the highest levels of network security and submit to annual third-party audits to ensure they are in compliance.</p>
<p><strong>Laws with teeth</strong></p>
<p>To take it one step further, the government needs to also focus on the individual protection of the general public. To do so, any company chartered with ownership of private data that is accessible over the Internet needs to be held responsible for the security of that data, and in order to enforce this, there should be heavy penalties and/or fines imposed.</p>
<p>To this end, the government should create both an addendum that defines the minimum standard of protection required by any provider that hosts data, and create a separate law stating the punishment.</p>
<p>The easy part is proposing these changes; the difficulty will lie in the implementation, and with how quickly the plan is put in effect and how thoroughly the mandates are followed. Crucially, we must ensure that compliance requirements are not couched in terms of today’s technologies. Leave it to the industry to advance the state of the art as fast as possible to meet the needs of enterprises subject to regulation.  We are about to witness a profound change in favor of a more secure infrastructure.</p>
<p>Thanks to hardware-assisted virtualization and trusted execution, I am confident that in 2012 we will see security technologies that are a thousand times more robust, and whose creation is the result of the positive benefits of the Internet.</p>
<p><em><strong>About the essayist: </strong>Simon Crosby is the co-founder and CTO of Bromium. Prior to co-founding Bromium, he was the CTO of the Data Center and Cloud Division of Citrix, which he joined after the acquisition of XenSource, where he was founder and CTO. Previously, he was a principal engineer at Intel, where he led strategic research in distributed autonomic computing, platform security and trust. He was a member of faculty at the University of Cambridge Computer Laboratory and a Fellow of Fitzwilliam College.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

