Katya Lopez, a senior at Norwich University, describes the cybersecurity lessons she’s learning from Professor Peter Stephenson, who joined Monday’s event by video call. Photo by Hilary Niles/VTDigger

NORTHFIELD — It’s getting harder to tell the difference between online crime and terrorism, cybersecurity professor Peter Stephenson told an audience at Norwich University on Monday.

As government and private businesses become more dependent on the Internet to transmit data, they must demonstrate that they know how to identify and fight cyber attacks.

That was the message of Two Steps Ahead: Protect Your Digital Life, an event held Monday at Norwich University. Sponsored by the National Cyber Security Alliance, the event was the first stop on a 10-city tour.

The public-private partnership aims to raise awareness among consumers and businesses about how to keep sensitive information safe. It parallels efforts by the U.S. military to secure critical data and physical infrastructure.

Julie Brill, a Federal Trade Commissioner and former assistant attorney general in Vermont, said the scale of data breaches has kept pace with Moore’s Law. That’s the axiom that computer processing power doubles every two years.

“And at the same time, we’re putting more and more sensitive information online,” Brill said. “This means that the stakes in the security game are constantly increasing.”

The stakes likely will continue to rise as most services and products migrate toward an “Internet of Things,” Brill said. The term refers to heightened adoption of “smart” technology in a dizzying array of products — from bridges to trash cans, watches to washers and dryers, milk cartons to clothes — that track your interactions and transmit the data harvest to an untold number of computer servers around the world.

Brill thinks the innovations are great, but she believes consumers need to be better informed and be given more choices about how their data is collected and used.

Consumers don’t bear the full responsibility; businesses that collect data must keep it secure. The FTC will closely monitor how well manufacturers of “dumb” products transition to the higher levels of responsibility that come with “smart” merchandise, Brill said.

According to a recent report by Hewlett Packard, Brill said, 90 percent of devices that connect to the Internet contain personal data, but only about 30 percent of them encrypt that data as they transmit it.

FTC enforcement looks at deliberate misrepresentations and systemic failures to follow best practices. Brill called it a “flexible standard of reasonable security,” predicated on five steps a business should follow to mitigate the risk of exposing consumer data:

  1. Conduct a thorough risk assessment of the data you store and how it’s protected.
  2. Minimize the amount of personal information a company collects, limiting it to what is necessary to fulfill legitimate business purposes.
  3. Implement technological and physical safeguards that limit access to the data.
  4. Train employees to handle personal information properly.
  5. Have a plan in place for responding to any security incidents that occur.

And the landscape isn’t just changing for private sector operations, as evidenced by the event’s location at Norwich University. The private school for military cadets and civilian students started its cybersecurity program about 15 years ago, Norwich president Richard Schneider said.

“Non-kinetic kind of fighting is going to be where the future is for these students,” Schneider said.

Students in undergraduate and graduate programs are trained on cybersecurity software used in the field by private professionals and military personnel alike. One cadet on Monday morning described a recent internship experience at Booz Allen Hamilton as “human detection and rescue.”

Nonmilitary government data security also is at the forefront of many people’s minds. One audience member prodded Brill for a response to the public’s interest in keeping its data safe not only from devious businesses, but also from probing government agencies.

“I am not disagreeing with you,” Brill said after a pause, which garnered a chuckle from the room. “We (the FTC) focus on the commercial space.”

Brill also declined to comment on many Vermonters’ concerns that data they uploaded to Vermont Health Connect may have been compromised. She said she was not familiar enough with the details to comment.

Twitter: @nilesmedia. Hilary Niles joined VTDigger in June 2013 as data specialist and business reporter. She returns to New England from the Missouri School of Journalism in Columbia, where she completed...