Americans are getting “security theater” instead of genuine protection from attacks by cybercriminals and cyberterrorists, according to a former U.S. Navy investigator who spent seven years tracking down threats to the nation’s defense establishment.
Marie-Helen Maras, author of a new book on “Cybercriminology” and now an associate professor at John Jay College of Criminal Justice, said that unless mandatory federal cybersecurity standards are applied to the private companies that dominate our online lives, U.S. consumers will be increasingly vulnerable to the theft or misuse of their personal information—as well as to sabotage of energy and transportation grids and other parts of the nation’s critical infrastructure.
“I don’t think consumers understand how little they are protected in the U.S.,” Maras said in an interview with The Crime Report.
Even the strongest passwords at best just slow down would-be cybercriminals, and the assurances offered by online firms that consumers will be compensated for losses amount to “security theater,” she told TCR’s executive editor, Stephen Handelman.
Her comments came during an interview on “Criminal Justice Matters,” a monthly program produced by the John Jay College of Criminal Justice. The program was aired on CUNY-TV in the New York Metro region last week and is now available on YouTube channels.
“It looks like security, but it isn’t,” Maras said, pointing out that while certain health, educational and financial records can be secured, the “vast majority of the rest is up for grabs.”
The principal reason for our mounting cyber-vulnerabilities, she added, is the resistance by private companies to any form of government-mandated protection.
Recommended federal standards for cyber-security were published in 2014 following an Executive Order issued by then-President Barack Obama, but a strong lobbying effort by Web firms ensured they remained voluntary. In another step away from consumer protections, Congress voted to nullify FCC privacy rules in March, giving broadband and telecommunications carriers the right to sell and share private consumer data.
“Ideally, we need a law in place where user data is protected,” Maras said. “If companies collect data, use it, sell it, they should be held liable if it is lost.
“The reality is, this isn’t the case today.”
But one trend that may add pressure is a rising awareness that much of the U.S. “critical infrastructure” – water, energy, finance, transport, information technology, and similar systems that affect our daily lives – is now at risk from cybercriminals or cyber-saboteurs. In the U.S., all of those systems are operated by private companies, and many have already experienced serious cyber attacks, said Maras.
According to Maras, federal authorities have identified 16 critical infrastructure sectors that require protection.
Ultimately, she said, the most fail-safe protection is to transform individual components of our infrastructure to “stand-alone” systems. Many of these components are now linked across nationwide networks, so gaining access to one could give would-be saboteurs access to all of them. This is true, for instance, of nuclear plants hooked up to the larger energy grid, said Prof. Maras.
Similarly, the nation needs a new and stronger form of personal identifier than Social Security numbers, which are easily compromised by identity thieves.
But she conceded that efforts to increase cyberprotection take second place to Americans’ increasing eagerness to take advantage of the “Internet of Things,” linking their appliances, personal alarm services, lights, mobile phones, and even the locks on their front doors.
“We’re creating a surveillance society that [anyone] can hack into,” she said, noting that many Americans–especially Millennials–are already “de-sensitized” to online threats to their privacy.
Even so, she said, consumers can still make a difference.
“If they demand better protection, they can drive change,” she said.