FTC’s Chief Technologist Ed Felten Discusses Government’s Role in Combatting Cybercrime

Posted on October 13, 2011

Last Friday’s 2011 Cybercrime Conference examined the current trends in cybercrime, security in the cloud, and the trade-offs between sharing and securing private information. TAP attended the conference and provides a summary of several of the sessions. This post covers the keynote speech by Edward Felten, Chief Technologist with the Federal Trade Commission (FTC) and on leave from Princeton University. Felten discussed why cybercrime losses continue to rise and what government can do to help address the issues. Additional posts covering other topics are linked below.
Beginning his talk, Felten described the Federal Trade Commission’s role as consumer protection. The FTC is a civil law enforcement agency directed by the Federal Trade Commission Act which, among other mandates, “forbids unfair or deceptive acts or practices.” Relating this specifically to cybersecurity, Felten outlined unfair practices as online scams, fraud, and cases where companies have taken inadequate steps to protect consumers and their data. Deceptive acts are companies promising goods, services, or agreements (such as not sharing personally identifiable information) to consumers and then failing to follow through.
Looking broadly at public policy issues relating to cybercrime, Felten addressed the question of why losses due to cybercrime keep going up. First, there is more at stake: more and more business interactions, personal banking, and purchases are online. Second, technology is more entwined: online interactions are connected through vast networks, data centers, and multiple service providers. And third, cybercriminals are more sophisticated, in both tools and expertise. Additionally, Felten said that users trade away the security available to them in exchange for timesaving access to goods and products. An example of this is entering a contest by filling in an online form on a non-secure site.
It was hoped that the market would lead to efficient practices and tools for assuring security; that companies would protect consumers in effective ways; and that vendors would provide products whose security benefits are cost-effective. However, this does not seem to be happening. Felten discussed a few reasons for this. First, it is difficult to do better than we’re doing with what we have: technology companies haven’t been providing great tools to secure online interactions and data. And second, there is an under-investment in security due to market failings.
The market failings fall into two categories. The first is the “if it doesn’t affect me, I won’t invest to prevent it” scenario. For the individual, one weighs the cost of purchasing high-end protection software and staying on top of the necessary updates against the risk of becoming a victim of a hack or virus. Often in this equation, an individual reasons that they’ll back up their images and any other important documents, so if their system is hacked they won’t really lose much. What is not factored into this equation is the case where an individual’s computer is infested with malware or drafted into a botnet that is then used to launch a spam attack on others.
The second market failing is the “why should my company invest in high-end security research if the consumers won’t know my product is superior” scenario. At the individual consumer level, it is difficult to tell which computer-protection product provides the best security. All the products on the market state that they will prevent attacks, update virus definitions frequently, and keep your data safe. But there is no simple way to do a cost analysis to determine which is more secure, and which provides the best value for the money. If the buyer can’t tell which product is more secure, the vendor has no incentive to invest in securing their product. Both of these situations lead to an underinvestment in security.
Felten wrapped up his talk by discussing what government can do to assure online security. Getting “our own house in order” was first on his list: managing the agencies’ own systems to model the best security practices, and building expertise in understanding security options. When the government buys systems, it should be willing to pay more for security. Additionally, attacking the market failings is critical to addressing online security. Finally, Felten suggested that changing the liability rules is worth looking at. Though he said the details of how that would work could be problematic, if it were possible to apply liability to the companies or individuals whose security flaw gave an attacker access to a network, it could result in more effective security decisions being made up front.
Felten closed with a statement that was heard across all sessions of the conference: the key to success in combatting cybercrime is to share knowledge across agencies, between government and the private sector, and between companies and industries. “We all need to chip away at it from our perspectives.”

