IN MY OPINION
Andrew Plato

Recently, I opened my mailbox to an unsettling surprise: a cellular
telephone bill for more than $500. Of course, it was not my phone
bill, nor had I made any of the calls it listed. Like millions of
other Americans, I was a victim of identity theft.

The irony of my experience is that I am a computer-security
professional. I make my living helping organizations secure their
information systems from break-ins and theft.

The theft of my identity, like millions of others, was not because my
home computer was infected. It was not because I lost a charge
receipt. My identity was stolen from a large, multinational
corporation's computer database, similar to the recent theft of 40
million credit card numbers from a company in Tucson, Ariz.

When I called the police to report this crime, the officer was blunt
about my predicament. He said police get hundreds of identity-theft
claims every week, and almost all of them go unpunished. And because
credit firms don't hold consumers liable, these crimes are considered
victimless.

But there are victims: all of us. Identity theft has become the
perfect crime for crooks and drug pushers. With stolen identities,
criminals are getting a free ride while the rest of us get stuck with
the bill in the form of higher interest rates and expenses.

All crime has two components: motivation and opportunity. People must
be motivated to commit a crime and have the opportunity to do so. We
cannot do much about motivation, but we can surely do something about
opportunity.

It has become far too easy for hackers and thieves to access a network
and take what they want. Armed with a home PC and free software tools,
anybody with a little technical savvy can break into a network, plant
malicious software and walk away with valuable data.

In my line of work, I've seen the data centers for hundreds of
companies. I've seen large financial companies that have networks
infested with worms and viruses. I've also seen the development of
critical governmental systems outsourced to companies that are so
incompetent that the systems they built were broken into minutes after
being put online.

The fact is, our public and private organizations are ignoring their
security problems and by doing so are needlessly creating the
opportunity for identity thieves. Security is too often placed at the
end of projects as a luxury that never gets implemented.

But information security and privacy is no longer a luxury. It's time
for action. Unfortunately, the only way to get action these days is to
hit companies and governments where it really hurts: their wallets and
the voting booth.

We need to steer purchasing power away from organizations that cannot
secure information and toward those that can promise security and
privacy. And when data are stolen, there must be
accountability. There must be penalties. Class-action lawyers are
starting to sue companies for damages in such cases. My firm has
already assisted in one such lawsuit. The fear of lawsuits is a
powerful motivator for companies.

But we also need to make information security a priority agenda item
for our elected officials. Government technology spending is highly
flawed, often awarding contracts to incompetent low-bidders, many of
which are incapable of handling complex security issues.

Identity theft will continue to go on unchecked until there is a
serious effort on the part of public agencies and private companies to
make security an integral part of their information systems.

Let's face it: Identity theft is no longer merely an inconvenience.
And it is not acceptable for corporations and governments to continue
building and using insecure information systems.

Andrew Plato is president of Anitian Enterprise Security, a computer
security consulting firm in Beaverton.

Copyright 2005 OregonLive.com.