Competition and Complacency: Why the Cyberwar Against Hackers is Being Lost
The recent news of Heartbleed - a massive security flaw affecting more than two thirds of all websites on the internet - has once again brought the question of cyber security to the fore.
The general consensus from security experts and analysts commenting on Heartbleed has been that a broad and long-standing negligence and underestimation of risks relating to web security was the root cause of the bug which affected two-thirds of all active websites on the internet.
Many were surprised to learn that the root of the problem, the OpenSSL software, is currently maintained by only one full-time employee and a team of dedicated volunteers. It represents a complacency that's endemic across governments, organisations and even ordinary web users.
The president of the OpenSSL Software Foundation (OSF), Steve Marquess, recently made a plea for greater support from governments and companies to recognize and support preventative measures to avoid another Heartbleed.
"The mystery isn't how a few overworked volunteers missed this bug, it's why it hasn't happened more often," Marquess told IBTimes UK. "The OpenSSL team has thanklessly been doing a lot with very little for a long time,"
Cyber security is just an afterthought
Despite increased publicity surrounding high-profile hacks on major companies and organisations like the New York Times and US retail giants Target, some security experts believe that IT security is still just an afterthought for most companies.
Ilia Kolochenko, CEO of Swiss security firm High-Tech Bridge, claims that vulnerabilities and threats are often ignored by major organisations who still focus on more traditional business concerns.
"These companies and organisations are focussed on performance, profit revenue, new business opportunities, while ignoring IT security," Kolochenko tells IBTimes UK. "When the New York Times was hacked, over 90% of publications with potentially similar flaws simply ignored the threat."
Even when warned, high profile organisations like Nasdaq, the BBC, and even the World Economic Forum in Davos have often failed to heed free advice from security experts to fix fundamental flaws in their system.
When a security flaw in the website for the World Economic Forum at Davos was discovered and reported by Kolochenko earlier this year - acting as a concerned citizen rather than in a professional capacity - nothing was done about it for five days. The vulnerability that allowed hackers to easily access the personal contact details of all those attending, including world leaders, was only fixed after press attention forced the site to act.
Competition between companies
To protect against cyber threats, Kolochenko argues that companies and businesses need to share information related to breaches they encounter. Unfortunately, it is not in a company's or organisation's interest to share threats with rivals.
"It's a competition between companies," Kolochenko says. "Companies and governments need to be sharing all the information about advanced threats. As it stands, hackers are simply better at attacking than a company's defenders are at defending.
"Courses teaching people about cyber threats and other such diplomas are not useful because they are too simple. The problem is that the really advanced threats are not made public."
A recent illustration of this lack of cooperation came through recent reports that the National Security Agency (NSA) knew of the Heartbleed bug long before it became public, but used it instead for their own purposes.
Keeping security threats a secret in this way means that no matter how much money is spent, or how many people are employed to safeguard against them, the issue could still continue to get worse. If it were termed a 'cyberwar', Kolochenko states: "It's one we are definitely losing."
© Copyright IBTimes 2024. All rights reserved.