Rising tide of cyber-crime shows why we need Web regulation
Michael Barrett is the Chief Information Security Officer at PayPal. He is on the advisory board of StopBadware.org, an anti-malware “neighborhood watch” led by Harvard University’s Berkman Center for Internet & Society.
In less than five years, Internet crime has changed from an anomaly of teenage vandals into a multi-billion dollar industry. Just one form of cyber crime, “phishing,” where criminals masquerade as trustworthy entities in e-mails and instant messages to steal private data, reportedly amassed $3.2 billion last year. Another form, spyware, where software surreptitiously monitors a victim’s online activity, prompted 850,000 U.S. households to replace their computers and inflicted damages totaling $1.7 billion, reported the Consumer Reports National Research Center State of the Net Survey.
At the same time, Internet usage has skyrocketed worldwide with 20 percent of the world’s population, or about one billion people, online today. It’s not hard to understand why the Internet’s popularity has continued to grow in the face of its threats. Could you get through your workday without e-mail or search? Could your kids make it to dinner without checking Facebook or sending a text? If you’re like most people I know, the answer is likely, “no way.”
We are socially and economically dependent on the Internet – a fact that makes us vulnerable in tough financial times. So, it may surprise you to know that no single entity is responsible for regulating the Internet or keeping its users safe.
Historically, Internet safety has relied on the goodwill of a few small actors such as non-profits like StopBadware.org, an anti-malware neighborhood watch led by Harvard’s Berkman Center for Internet & Society. Within the federal government, the Federal Trade Commission monitors Internet fraud and the Department of Homeland Security oversees a national cyberspace response system. The private sector, offering a host of cyber-security products and tools, and consumers also play a powerful role in keeping us all safe online. Companies such as my own employer, PayPal, invest substantially in the security of our own applications and infrastructure; we have state of the art fraud management systems; we work with law enforcement to catch, prosecute, and convict criminals whenever possible. But the persistence of the cyber-crime industry continues.
Although this deregulated approach to Internet safety has largely served us well over the past 15 years, some question whether it’s enough to tackle today’s burgeoning Internet crime industry. Indeed, what’s distressing is there is no reason to believe that Internet crime is under any effective control. This is not due to inertia or lack of interest. All of the trend lines reported by private industry and government continue to show growth “up and to the right.”
President Obama has said that he’ll make cyber security a top priority in his administration and appoint a National Cyber Advisor who will report directly to him. In a speech at Purdue University last July, Obama said: “We’ll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information – from the networks that power the federal government, to the networks that you use in your personal lives.”
Obama’s desire to administer a national cyber-security policy will surely open one or two Pandora’s boxes in the worlds of Washington and business, where many would prefer for the Internet to remain untouched by government. In the longer term, I predict we will start to see Internet governance follow the same legislative paths as automobiles and airplanes.
The Ford Model T’s introduction in 1908 revolutionized the way Americans viewed cars, and innovations in the speed of manufacturing put an unprecedented number of vehicles on the road, followed by an unprecedented number of safety concerns. Out of a need to prevent accidents, the federal and state governments initiated road regulation with speed limits, traffic lights and signage.
Aviation followed a similar history. The Wright Flyer of 1903 set forth a wave of government regulations of airspace and the aviation industry, with the National Advisory Committee for Aeronautics in 1915, the Airmail Act in 1925, and the Air Commerce Act in 1926. Less than 25 years after the Wright brothers’ first flight, the U.S. government had put in place an extensive regulatory infrastructure. Why? To prevent accidents.
The forcing function that accidents represented for road and air transportation has not existed for the Internet – until perhaps now. As cyber-crime continues to rise, I believe that citizens will increasingly request that their elected representatives do something to “make the Internet safe.” It was citizens’ complaints in the early 20th century that forced initial regulation of roads and aviation – they didn’t like carnage on the roads, and bodies and aluminum raining from the sky. The same pressures are starting to rise again for the Internet.
Internet safety should be a shared responsibility among government, private industry and consumers. But almost none of these regulatory elements are in place today. The rise of cyber-crime, with billions in damages to our economy and consumers, should motivate us to make some changes in the same way accidents catapulted new standards for road and airways. We need to develop a model framework for Internet governance, and we need to do it soon.