Stanford Summit on the 'Evil Layer Cake' of Cyberthreats

U.S. President Barack Obama delivers remarks at the National Cybersecurity and Communications Integration Center (NCCIC) on January 13, 2015, in Arlington, Virginia. (Kristoffer Tripplaar-Pool/Getty Images)

The recent breach of Anthem’s health insurance computer network provides a compelling backdrop for President Barack Obama’s Friday appearance at a White House cybersecurity conference on the Stanford campus.

The high-profile attacks on Sony Pictures, Target and Home Depot, to name just a few, show the various ways corporations and their customers are vulnerable.

In an interview with CBS’ “60 Minutes” last year, FBI Chief James Comey described the international threat posed by cyberhackers as “an evil layer cake.” At the top are nation-state actors, most notably the Chinese, along with terrorists and international crime syndicates. Then you’ve got your garden-variety hacktivists.

Yeah, the Internet has turned into a pretty rough neighborhood. And the bad guys are pretty much everywhere. And even if you think you're not vulnerable, well, you are. We all are, really.

On San Francisco's Valencia Street this week, there were mixed reactions to the question, “Do you feel that your information online is safe?"

"Not really, not really," said Robert Fujii. "I've always felt that it's inevitable, so we just need to come up with a better security system. But, no, I never feel that it's safe, my information.”

Fujii's biggest concern? "That they might hack into our cars, things we cannot have any control over, that's what I'm very, very concerned about. But big companies, I think they do have their backup. I think we're doing pretty well with security in this country. So I'm not really that paranoid, but I know it's not safe."

John Martin of San Francisco was also somewhat sanguine.

"I can't say I worry about it [getting hacked], but I can say it's a real possibility," Martin said. "The way I manage it is, I'm pretty good about passwords, I'm pretty good about keeping passwords different for different websites. Either you participate in this world that has a lot of stuff happening online or you don't. And I prefer to participate.”

That said, Martin admitted he's on the lookout for vulnerabilities.

"If I go to a restaurant and hand somebody my credit card, what’s going to happen to the credit card, you know?" Martin said. "I think if you're going to live in a world where you're not paying with cash in this kind of an exchange, then there's a certain amount of risk and you have to accept that risk. It's inevitable."

Near the top of Obama’s agenda at the Friday summit on cybersecurity is getting companies that are hacked to share that information with the federal government and each other. The idea: a coordinated effort to prevent cybercriminals from disrupting their networks.

But Jennifer Granick, with the Center for Internet and Society at Stanford Law School, says before that can happen the president needs to build trust. She sees a huge disconnect between Washington and California.

“When I talk to people in D.C.,” Granick said, “they really do approach the cybersecurity issue with a default belief that government has something to offer and that government's going to be helping. And when you talk to people out here in Silicon Valley, they approach it with the default belief that the government has no idea what they're doing when it comes to computer security and can't be trusted.”

Exhibits A & B -- that little debacle called healthcare.gov and the disastrous rollout of the Affordable Care Act website, and revelations by Edward Snowden, the former NSA contractor, that one of the biggest cyberhackers around is the federal government.

“The tech libertarian instincts about government have been reinforced by the government's inability to improve its own security and by the news that the NSA is hacking American Internet companies,” Granick notes.

The Stanford law professor says the White House needs to convince tech companies that if they share information, the government will use it responsibly. In other words, be part of the solution and not part of the problem.

Of course, not everyone sees the government as a hostile threat. Hitesh Sheth, CEO of Vectra Networks in San Jose, thinks the federal government -- with all its reach and resources -- can add a lot of muscle in the fight against cyberattacks.

“That said, we should not for a second delude ourselves into thinking that the government is going to be the answer to this problem,” Hitesh adds. “It really is not. Ultimately, the people that are going to have to solve this are going to be the private enterprise."

Sheth, whose company helps clients understand and combat their cybervulnerabilities, says there are basically two kinds of companies: those that have been hacked, and those that have been hacked but don't know it.

“People like Sony and Home Depot and Target, they hired smart people,” Sheth says. “It's not like the security organizations they had were inept. On the contrary, they were really hard-working, smart people. But fundamentally, they are completely outgunned.”

Let alone, says Sheth, small- and medium-size companies that are also vulnerable to hackers but don't have the ability to defend themselves.

“And they will never have either the resources or the means to hire an army of cybersecurity experts,” Sheth notes. “What are they to do?”

And what are we to do, since many of those corporate vulnerabilities trickle down to us? Sheth compares our personal vulnerability to a social disease that finds its way into our lives not just from enemies but also via clueless friends whose networks are infected without knowing it.

Nonetheless, Sheth is confident this problem represents such a huge business opportunity for Silicon Valley companies that they’ll find an innovative solution to make this global neighborhood safer.