Pre-emptive cyberwar, breach notification and trusted organizations: the people speak

LogRhythm asked 1000 UK consumers what they really think about cybersecurity: is enough being done, and if not, what should be done? The result shows that the UK public is in no conciliatory mood.

For example, while EU member states are considering a Europe-wide data breach notification requirement with strict monetary penalties (the UK currently only requires the public sector to notify breaches), 94% of the public believe they should be notified if any organization gets hacked and their personal data is put at risk. Seventy percent believe that this should apply to all data breaches, whether personal data is involved or not. Furthermore, only 7% believe that current penalties are adequate, with 46% believing that there should be more severe penalties across the board.

An interesting detail is in the speed of the required disclosure. Sixty-seven percent of respondents say it should be immediate, while only 19% say that investigative time should be allowed before disclosure. Noticeably, notification of last month’s hack of the South Carolina Department of Revenue was delayed by approximately two eeks – at the request of US law enforcement – to allow forensic investigation; and the Department is now being sued because of it. The UK is clearly saying that the ability of the public to take remedial action over its personal data is more pressing than law enforcement’s efforts to catch the perpetrators.

This is one area where Ross Brewer, VP and MD of international markets at LogRhythm, believes the public has got it right. “I’m a firm advocate for mandatory data breach notification laws,” he told Infosecurity. He points to the US experience, where most states have a compulsory breach notification requirement – and notes that it has had a clear effect on persuading organizations to improve their security. It’s not just a financial penalty from failing to notify; it’s the loss of reputation and brand image that gets results. Where he is not so sure, however, is in the public attitude to pre-emptive cyberwar.

Sixty-five percent of respondents believe that the government could be justified in launching a pre-emptive cyberstrike against enemy states. “I’m not saying we’re not already doing that covertly,” he said (just think of Stuxnet, Flame and Iran), “but to do that overtly would make the UK a target, and just make things worse.” We’re already in a covert cyberwar, but making that overt would, he suggests, be similar to changing a cold (cyber) war into a hot (cyber) war; and that would benefit no-one. “The typical knee-jerk reaction of blindly attacking the networks of potential perpetrators could incite disturbing consequences such as the execution of even more sophisticated attacks on the UK’s critical infrastructure,” he warns

It’s possible that the public is following and absorbing government publicity, which is putting considerable effort into increasing national infosecurity and preparing offensive capabilities. This response to public events seems to show itself in public trust: following all the bank scandals over the last few years, the UK public no longer trusts banks more than other organizations (although it still rates them highly). Greatest trust is placed in health providers, scoring 3.12 out of 5. Government itself rates only at 2.91, while the least ‘trustworthy’ are the social networks at 2.06.

This generates some concern over current UK plans to allow the public to log into government websites using their social network credentials. The problem is that social networks are businesses. “I don’t think security data is taken quite as seriously as the marketing data,” commented Brewer. “It would be a pretty serious concern if the government is going to let people use their social media IDs – which are controlled by somebody else with a different agenda – to log in and be the proof point for access to government data.”

The overall impression that this survey gives is that the UK public believes that neither organizations nor government are are doing enough in cybersecurity: they should do more and must do better.

What’s Hot on Infosecurity Magazine?