Computing Reviews
You’ll see this message when it is too late: the legal and economic aftermath of cybersecurity breaches
Wolff J., The MIT Press, Cambridge, MA, 2018. 336 pp. Type: Book (978-0-262038-85-0)
Date Reviewed: Aug 7 2019

It seems not a day goes by without a media headline of some cybersecurity breach somewhere. Whether espionage, financial attack, or theft of personal data, we see a brief burst of hysteria followed by assurances that the problem is fixed, and then the media moves on. Of course, the problems haven’t been fixed and cybersecurity attacks continue to multiply in number. This book is part of the MIT Press “Information Policy” series, which publishes research and analysis covering significant issues in the areas of law, regulation, and decision-making principles in the field of information policy.

Wolff begins with an introduction to the legal and financial fallout of cybersecurity breaches. Although the technical mechanisms of recent attacks may have changed, the underlying consequences remain largely the same. Wolff introduces the issues that organizations, legislators, and law enforcement face when defending against cybersecurity attacks, and describes in detail nine cybersecurity incidents that occurred between 2005 and 2015. The studies are split into three parts, each covering three significant incidents in a particular area, followed by a final section of analysis and policy recommendations.

Part 1 details the theft and misuse of credit card details from the TJX Companies in 2005; the fraud and theft of personal identity details from the South Carolina Department of Revenue in 2012; and the compromise of an estimated one million computers during 2012 and 2013 by the Gameover ZeuS botnet and CryptoLocker ransomware campaigns of Russian hacker Evgeniy Bogachev. Although these three campaigns differed in technical detail, they shared the goal of illicit financial gain. The financial and political consequences of each are discussed in detail.

In the second part, Wolff turns to cybersecurity attacks motivated by espionage, looking first at the 2011 compromise of the Dutch firm DigiNotar. This company was a certificate authority issuing the digital certificates used with transport layer security (TLS), on which web browsers rely to confirm the identity of a site and the security of the connection to it. The compromise and subsequent generation of rogue certificates allowed the perpetrators to intercept traffic to, and thus spy on, the Google accounts of Iranian citizens. Next to be examined are several economic espionage attacks against US firms in the early 2010s, attributed by US law enforcement to Chinese military groups. Although several of these episodes resulted in indictments in US courts, there is little likelihood of those responsible ever being brought to trial. Wolff goes on to discuss who bears responsibility for the failure to effectively protect the compromised systems. The last case in this section is a detailed examination of the cyber espionage attacks on the US Office of Personnel Management over several years, beginning in 2012. Wolff discusses these extended attacks, presumably by foreign government agencies, and the ineffective response of a recalcitrant management, which eventually led to the theft of sensitive personal information on tens of millions of American public servants.

Part 3 covers cybersecurity attacks aimed at public humiliation and revenge. The first example is the 2013 distributed denial-of-service (DDoS) attack by the Dutch hosting company CyberBunker (which embraced clients of questionable ethics) against Spamhaus (an organization devoted to fighting spam and cybercrime). The involvement of Cloudflare in defending against the attack, and the lenient sentences for those determined to have been responsible, are covered in detail. Wolff next looks at the 2014 destructive malware attack on Sony Pictures Entertainment. Initially compromised through phishing emails, the company suffered the theft of employee data and the wiping of its computers, with the goal of publicly embarrassing it. The subsequent legal efforts of several parties, all largely ineffective, are discussed in detail. The last case in this section is the 2015 theft and release of client details from Ashley Madison, a dating site, and its parent company, Avid Life Media. The poor security posture of the company and the subsequent legal action brought against it by its clients are discussed.

In Part 4, Wolff looks at those responsible for protecting data. Chapters cover the responsibilities of three groups: the application designers, the organizations that process and store data, and the policymakers and legislators who turn cybersecurity responsibilities into law and define control and compliance regimes. Wolff provides recommendations for how each of these three parties can, singly and collectively, work to reduce cybersecurity attacks rather than abdicate responsibility to the others.

There is a good table of contents, a concise index, a thorough bibliography, and a good section of notes by chapter. Overall, this well-laid-out and easy-to-read book is a concise, interesting, and thought-provoking discussion of the issues facing organizations and policymakers in the murky field of cybersecurity--issues that have plagued “cyberspace” since the term was first coined by William Gibson back in 1982 [1].


Reviewer:  David B. Henderson Review #: CR146644 (1910-0364)
[1] Gibson, W. Burning Chrome. Omni 4, 10 (1982), 72-77, 102-107.
Categories: Privacy (K.4.1); Law (J.1); System Management (K.6.4)
 
Other reviews under "Privacy":
- Handbook of personal data protection. Madsen W., Stockton Press, New York, NY, 1992. Type: Book (9780333569207). Reviewed Nov 1 1993.
- Privacy and security issues in information systems. Turn R., Ware W., Wadsworth Publ. Co., Belmont, CA, 1985. Type: Book (9780534042578). Reviewed Nov 1 1985.
- Data bases. Burnham D., Wadsworth Publ. Co., Belmont, CA, 1985. Type: Book (9780534042578). Reviewed Nov 1 1985.

Copyright 1999-2024 ThinkLoud®