Sunday, October 23, 2016

The massive cyberattack or a chronicle of a strike foretold

(Español acá)
During the last Computer Law Conference organized by ADIAR (Argentina Computer Law Association) and the Universidad Nacional de Sur, I gave a conference on the Internet of Things, cybercrime and the dangerous situation presented by the lack of proper regulation, topic in which I have one of my research projects. At the moment some people argued that I was talking about something that might happen in a relatively distant future, dissenting with my view that the possibility was imminent...yesterday massive cyberattack only showed the scenario to which I referred to that day.
Reports talk about the huge DDoS attack being conducted using multiple devices connected to Internet, devices that are more vulnerable to malware due to lack of security measures in them, devices that form what is known as the Internet of Things.
Even if we forget that too many users don't even have antivirus software in their computers, most users have no knowledge nor capabilities to secure Internet enabled devices, only the connection itself, which is not always enough in these cases. So, what is the authorities response to it?
Different jurisdictions are dealing with the issue in different manner, but there is deafening silent about putting forward some kind of compulsory security regulatory framework directed to manufacturers and vendors, and too many talks about educating consumers and hopes of self regulation, and attacks like the one on Thursday show how insufficient those approaches are.
Like many thing in the Information society, things are left to self regulation with the highly ideological basis that the technology in question is too dynamic to be properly regulated and that, taking into account the need to keep consumers' trust, the companies would do what is proper. The problem with that idea, not usually supported by facts like we've just seen, is that it forgets that companies in general, also those in the IT sector, are there to make profits and, regardless how much “do no evil” they can try to promote, they may have the legal obligation to maximize profits for shareholders even if it means doing some evil (like censoring sites in some jurisidctions like China). So, understandably, in the same way manufacturers and vendors will spend in security no more than what is strictly necessary to avoid the potential lawsuits, which currently represent quite less than what it would take to make their devices more secure than what they are today.
One of the arguments to not regulate IT has been the possibility that such a regulation would stifle its development, but it can be strongly said that it is time to leave that argument aside. IT and its companies have resulted in one of the fasted and biggest concentration of income in recent memory and new billionaires have been popping like mushrooms after the is hard to believe that strong regulation forcing companies to produce and sell secure Internet-connected devices would disincentivize too many of those companies to develop more of them, having -as worse case scenario- just fewer luxury items sold to IT-billionaires around the world in exchange of a more secure digital environment...

No comments: