North American governments & companies need to do better

I love technology. It fascinates me and I always yearn to learn more. I love to learn about new Operating Systems (OS), use the latest mobile devices, create social media accounts. In general I just love technology and the possibilities that it brings. I have zero hacking ability, though; it’s something that I’ve never learned. I do know about computer and internet security and how to keep myself secure.

I’ve been watching some documentaries on YouTube about hackers. I have to say that living in North America and as an investor I’m depressed and surprised by what I see happening. Everything is now connected to the internet. Electricity, Gas, Water, Emergency services, Banking/Finances, Transportation, Defense. I mean if anyone can find me a critical system that is not connected to the internet I would be speechless. The scary part is that all of these systems and more are vulnerable to attack. The corporate world is no different with all of those big companies connected to the internet and scarily vulnerable. The TJX hack, the Target hack, the Sony hack are all scary lessons of how these companies are all vulnerable. 5 of the biggest ever credit card hacks, TJ Max theft believed biggest hack ever. So not only are our critical systems vulnerable but so are the, if I could borrow a term, “too big to fail” companies as well. I find all of that very scary. By the way as an investor the fact that a company doesn’t disclose it is hacked doesn’t make me feel any more confident. What makes me feel confident is if they gave a report each year or quarter of how much was spent on actually securing their networks. If they showed initiative in developing a system where outside hackers can help point out security flaws.

Open wireless networks, weak passwords, exploits, these are just a few of the problems. In all the time that technology has changed at a rapid pace, why are some of these even still problems? You would think by now that users, companies, governments, IT departments would get the importance of a secure password. Also, why are critical systems not on infinitely secure networks or not connected at all? Personally I don’t think it’s for convenience but because of greed. Why spend large sums of money to ensure that hardware and software is as impenetrable as possible? Why spend money that would otherwise be profit? There haven’t been any massive intrusions. But the keyword that should be at the end of that sentence is Yet! If something does happen on a massive scale and planes are grounded, transportation is halted, emergency services are offline, etc., the damage both financial and personal will be incalculable. Those profits that are saved now will pale in comparison to the losses then. This is why I’m baffled that these issues are being ignored. Perhaps it’s just ignorance on the part of the people in charge. I’m not sure but ignorance won’t be so blissful if something tragic ever happens.

The next sad thing highlighted in the documentaries is the ignorance by governments and companies when it comes to hackers. There are grey hat hackers out there pointing out the security holes and problems in these important systems. Yet they are being ignored and, even worse, prosecuted. These are hackers who haven’t used the exploit for financial gain or destruction. I mean, why isn’t there a method for them to inform the government and companies? Some of them don’t even want compensation. Even if they do, I’m sure it is a far smaller price to pay than if the system were compromised. I get that in the 90s there was some fear and that led to persecution, prosecution and a tainted image. However, why is there a distinction between white hat and grey hat hackers? In my mind there should only be white hats and black hats. If the grey hat exists then we have failed. Perhaps if the “grey hat” had a mechanism to submit the exploits they find and it was actually taken seriously, maybe they wouldn’t go to great lengths to make sure that the government or Fortune 500 company takes notice. I think if there are people in power who have an ill-conceived or outdated notion of hackers and the systems in use, well, they should be brought up to speed, because how effective can they be without that knowledge? In one of the documentaries I was watching, a guy says that the system admin whose network has just been exploited by a hacker is not going to be thrilled because he’s probably going to lose his job. Personally I thought looking at it that way was just completely missing the point. The real point here is that the network should be secure. This is the system admin’s job and if that system admin is not doing his job properly then he should be fired. It’s a mechanic’s job to fix a car properly. If the wheel flies off the car after leaving a garage because he forgot to put two bolts on it, I’m pretty sure we would all agree that the mechanic should be fired.

Albert Einstein once said the definition of insanity is doing the same thing over and over while expecting different results. Since the 90s the governments and companies have been prosecuting and vilifying hackers. It hasn’t stopped hacking or prevented growth in the number of hackers. Perhaps it’s time to change the strategy in order to get a different outcome. Perhaps it’s time to try and find a way that government agencies can trust hackers who want to help. Perhaps giving them an avenue to work with the government agencies and companies would prevent them from trying to prove their point the only way they think will work. Imagine a scenario where a “grey hat” hacker finds exploits and gains access to a company’s network. They know from experience or media coverage that they will be ignored and also possibly prosecuted and sent to jail. They move on and forget about the exploit. Another hacker comes along, perhaps from another part of the world or with bad intentions. They use the same exploit except this time they do serious damage, steal critical data or put services offline. I’ve heard that companies or government officials are embarrassed when a 15 year old or another hacker is able to intrude into their networks. This is business, critical infrastructure and services. It is no place for human emotions, for pride or embarrassment. If I was the CEO of a large global company and some 15 year old sent me information on how they were able to gain access to data, why would I feel embarrassed? I would want to meet with them ASAP with IT professionals who could determine the validity of their information. I mean, why are customers ok with a company losing 94 million people’s personal information? Credit card numbers and driver’s licenses. Information that is being sold on the black market. Information that leads to identity theft and financial loss. North America is such a great place, with resources and freedoms. Yet one of those resources is being squandered.
These hackers have knowledge and some want to help. Why are the ones who want to help being ignored or, worse, threatened? In no way am I saying that it’s ok to deface a site or take information to prove a point. I’m simply saying that perhaps if they were taken seriously that might not happen.

The level of knowledge of computers and online security could definitely be raised in North America. I have always wondered why there isn’t a free resource out there for users. A resource to teach users how and why to create strong, secure passwords, how to use password managers, the importance of using different secure passwords for all online accounts, etc. There are sites like itpro.tv which have many different tech certification courses, with videos that teach users what they need to know for the certifications. Why isn’t there such a resource to teach general users about computing? A resource that is free for everyone? If there is, then why isn’t it mainstream and common knowledge? It should be on TV and freely available to anyone. It should be a requirement for employees of all levels in Fortune 500 companies, critical infrastructure and critical services. The cost will pay for itself many times over when these places are able to increase their employees’ knowledge and thereby network security. I set up my home network and most of my family members’ networks. Here’s the thing I’ve learned. Getting a user to create a secure password will result in complaints about the process being complicated. Yet they still do it and surprisingly remember it because they have no choice. I’ve also wondered why computer use is not taught in schools from an early age. A curriculum should be developed and introduced when children are old enough to understand but young enough not to already be negatively influenced. Children would be taught why a secure password is important, how to make a secure password, how to be careful online, etc. The lessons would progress and involve different aspects based on the grade and children’s understanding. How many teenagers’ lives have to be ruined when they send naked pictures out onto the internet before we start trying to educate them and give them a better understanding of computers and the internet?
These children will grow up to become the next generation of adults. If we don’t start teaching them now the problems we face will probably never go away.
