Words like “privacy” and “confidentiality” and “cyber-security” are thrown around frequently in discussions of technology, but many people consider these issues more idealistic than essential. It may be widely accepted that confidentiality is better than no confidentiality, but few people would go out of their way to protect their information at the cost of convenience or practicality. The question becomes whether or not most of these people who give away their private information haphazardly realize the danger and ignore it, or are ignorant of the severity of the ramifications altogether. Unfortunately, some of those people will probably learn of the severe ramifications first hand- and there’s a significant chance that will happen when their fiscal situation takes a hit because of a financial cyber attack.
On April 14, 2011 the New York Times reported on the Federal Bureau of Investigation’s investigation of a botnet’s theft network that “is estimated to have commandeered some 2.3 million Windows PCs in homes and businesses around the world, including 1.8 million in the United States” (Richmond). The network collected usernames and passwords for online financial accounts, and stole an estimated $100 million. The botnet drained bank accounts of hundreds of thousands of dollars, decimating the financial situation of millions of individual users and small businesses.
Even social networks like LinkedIn and familiar names like Apple’s iTunes have come under scrutiny in the last year for providing platforms off which important personal and financial information can be stolen (Silverstein).
One of the problems is that these attacks occur inconspicuously and by the time their presence is evident the damage has been done. Microsoft was involved in the botnet takedown, and advised the FBI based on their past experience with similar situations. One Microsoft employee stated that the company recommended that best approach to stop an attack is to “‘hit them simultaneously and … hit them hard’ before they have a chance to move their operations” (Richmond). The same employee stated “‘we can really disrupt crime on the Internet through these types of tactics. We’re all glowing here.’” (Richmond). While they may have been right on about the best way to handle the aftermath of the attack, it seems a bit uncouth to be “glowing” after $100 million has been stolen. Regardless of how effective the attack on the botnet was, the fact remains that significant damage had already been done, and acting retrospectively can only undo so much damage, thus lending to the argument that security tactics should start gravitating more toward preventive measures.
The difficulty therein becomes predicting what kinds of attacks should be prevented. While it is by no means a simple process, much like countries spend time analyzing who their enemies are, what their enemies would target, and how their militaries would undo such an attack, security experts need to attempt to anticipate what data would be most valuable and what method of attack would be most likely. While those plans might not always work, being prepared for some of the potential threats that may arise is far better than not attempting to anticipate any threats at all.