In a recent article, Dr. Loren Thompson of the Lexington Institute says that the idea that the U.S. would be able to “curb internet criminality without limiting the freedom of everyday users” is not borne out by past experience.
During the Prohibition era, organized crime flourished to provide a good that, despite being illegal, was bought and consumed by millions of Americans. Additionally, drug violence is fed by the millions of citizens who continue to purchase and use illegal drugs, Thompson writes.
The lesson here, according to Thompson, is that the behavior of everyday users needs to change in order for nations to effectively tackle cyber crime. Users are commonly the weakest link in a security setup, particularly in cyberspace, where one user who clicks on a malicious link could endanger an entire network.
“Most of the major penetrations of government networks result from careless computer users reaching out into the internet and coming back with something unsavory,” Thompson writes.
Another central feature of the Internet is the anonymity it provides. In the case of rights activists operating in nations with oppressive regimes, this can be a real asset.
In the world of cyber crime and cyber attacks, however, anonymity makes cybersecurity increasingly difficult.
“The challenge of curbing illicit on-line activity is made worse by the anonymity of the internet,” Thompson writes. “[However]…the real issue is controlling the traffic moving through portals, a problem that is exacerbated by the propensity of users to surf the web and freely engage in on-line socializing.”
In a recent paper, Raytheon’s CISO Jeff Brown wrote, “There is no way to prevent a determined intruder from getting into a network so long as one allows e-mail and web surfing – and no business today can long survive without these two bedrocks of the information age.”
Therefore, “Raytheon believes the best way to address this new reality is to recognize that attackers will get into your network and expand our defensive actions to detect, disrupt, and deny attacker’s command and control (C2) communications back out to the network.”
Adopting this mindset would allow organizations to better defend themselves despite user failings.
However, for Thompson “the larger reality is that we will not be able to defeat cyber threats unless we change our attitude that the internet is a friendly place where there are no rules.”