Major crimes usually shake us into action. A London fire that killed five women ultimately led to the creation of 999, a precursor to our own 911 emergency system. The rape and murder of Kitty Genovese, meanwhile, inspired the creation of the neighborhood crime watch system. Yet while the Sony Pictures Entertainment email breach is a different sort of crime, it is a crime nonetheless, and one that was perpetrated in a neighborhood where almost all of us are resident these days — the Internet.
So where is the anger? The letters to congressmen? Part of the reason is that the reporting has focused on celebrity feuds rather than the fact that what happened to Sony could happen to any of us — emails of a personal nature allegedly being held ransom or released as payback. In fact, if you add up the number of victims of the most notable known breaches this year, it’s clear that a troublingly high percentage of us will have had some sort of information hacked. The other reason is that few of us feel like we’re paying a price for cyberbreaches — companies that are hacked typically eat the costs, at times without even informing customers.
But lost in the reporting is another fact: We are, in a very real sense, responsible for such attacks. Not simply because we are the audience for the hacker’s seedy releases, but because we are the inadvertent moles that provide the hackers access to large computer networks.
Hackers often enter networks through simple phishing attacks, attacks that these days are actually simpler but more insidious than the infamous Nigerian phishing scams.
Now, instead of trying to persuade you to part with your money in exchange for a nonexistent financial windfall, emails from trusted sources ask you to check out a photograph, click on a hyperlink to an interesting story or enter your login on an official-looking webpage. Complying with any of these requests provides varying degrees of access to your devices and accounts, and it is these simple ruses that have been responsible for launching malware and “backdoors” that have ultimately compromised major networks.
The apparent simplicity of these attacks conceals a sophisticated understanding of people’s online behavior that is surprising even to the many academics who have spent years studying human behavior.
The reality is that many of us fall for these scams because of our email habits. Simple actions such as frequently checking email or Facebook status updates have become part of the daily rituals of Internet use. The human brain over time automates such routines, which leads to people clicking on hyperlinks, opening attachments and providing credentials without really paying attention to what they are doing.
Smartphones and tablets have only exacerbated this. After all, smartphones, which the majority of us now use to access the Internet, are designed for media consumption, not deception detection. Their apps are programmed to optimize smaller screen sizes and restricted data caps, often by reducing the prominence of elements such as a website’s URL or a sender’s email address that could highlight the deception. Throw into the mix the fact that many of us are accessing these devices while talking, texting or even driving, and it’s hardly surprising that we don’t notice something nefarious.
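The two fields a small screen hides, the sender’s real address and a link’s real destination, are exactly what a defender’s check should surface. The following added Python example (not from the original article) parses a constructed sample message with placeholder domains and flags a sender outside the expected domain and any link whose visible text names a different host than its target; the sample message, domain names and function names are assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (placeholder domains, not a real message): the display
# name and the visible link text imitate the trusted domain, while the real
# sender address and link target point elsewhere.
SAMPLE_EMAIL = """\
From: "Corp IT Helpdesk" <helpdesk@mail-login-check.example>
To: employee@corp.example
Subject: Please re-enter your login
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Verify at
<a href="http://corp.example.login-portal.example/auth">https://portal.corp.example/login</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)

def host_of(text):
    """Lowercased hostname if text is a URL or bare domain, else ''."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host) else ""

def phishing_indicators(raw, trusted_domain):
    """Surface what a phone screen hides: the real sender domain and the
    real link hosts, compared against what the recipient is shown."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    display_name, addr = parseaddr(msg["From"])
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != trusted_domain:
        warnings.append(f"sender '{display_name}' is really {addr}, not {trusted_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, visible in ANCHOR_RE.findall(body.get_content()):
            shown, real = host_of(visible.strip()), host_of(href)
            if shown and shown != real:  # text names one host, link goes to another
                warnings.append(f"link text shows {shown} but points to {real}")
    return warnings

if __name__ == "__main__":
    for w in phishing_indicators(SAMPLE_EMAIL, "corp.example"):
        print("WARNING:", w)
```

A mail gateway or client can apply the same two comparisons before the message ever reaches a small screen, so the mismatch is flagged even when the URL and address are not displayed.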
Making things worse, even some people who suspect a deception open such emails anyway because of flawed assumptions about the security of their devices and operating systems. Others might report the intrusion to their employer, but the reporting either comes too late or is lost in organizational silos.
This is not surprising — there are so many different arms of federal and state governments, along with organizations such as the Anti-Phishing Work Group, that collect complaints and disseminate information on cyberattacks that it is hard to keep track of where to send details of a complaint, much less go through the process of finding a contact address.
Besides, there is no incentive for reporting a suspicious email unless someone has actually become a victim of an attack, in which case, it is generally already too late.
So, what can be done?
One simple fix would be to develop a single nationwide gateway — an email address or a phone number similar to the 911 system — where anyone suspicious of a cyberthreat can quickly report it. In addition, it would be a welcome development to see the proliferation of organizations akin to neighborhood watch groups — cyberwatch groups, if you will — where people can routinely report suspected attacks and receive immediate feedback.
From Aurora to Regin and the Nigerian scam, most cyberintrusions are named after the code written into them or the hacker’s fake persona, which cedes power to the very people who perpetrate these crimes. Instead, wouldn’t it be better to highlight the names of the people who help detect an attack?
This would be just one way that we could encourage people to feel they are more invested in protecting our cyberinfrastructure.
Ultimately, the Internet is an online extension of our own neighborhoods. It’s time for us to take their protection just as seriously.
(A version of this post appeared in CNN on December 17, 2014)