Ten years ago, the main threats to security online were vandals and hackers. They chased notoriety and relished the challenge of beating security systems. Their calling cards tended to be denial-of-service attacks, which they used to bring down prominent sites such as eBay and CNN.
Today, the stakes are much higher. Organized criminal enterprises are using the Internet to conduct large-scale scams in pursuit of big payouts. The tools of their trade include worms, viruses, adware, and links to fake websites, to name a few, which they use to steal valuable data from consumers and enterprises of all sorts.
The losses from this data-security crisis are huge. The Privacy Rights Clearinghouse maintains a chronology of data breaches, which recorded 215 breaches in 2009 involving more than 218 million individual records. The Ponemon Institute, meanwhile, concluded that data breaches that year cost US organizations an average of $204 per breached record. That means the total value of data breaches in 2009 approached $45 billion.
An under-reported fact in all this is that software piracy and cybersecurity threats go hand in hand. That is because pirated software is often used to distribute malicious computer code that compromises individual computers and entire networks, putting companies, governments and consumers at risk. The research firm IDC found that one-quarter of the websites offering pirated software attempt to install malware.
What should be done to stem this tide of security threats? That question was on the table when I testified at a May 25 cybersecurity hearing of the House Judiciary Subcommittee on Intellectual Property, Competition and the Internet.
A good start would clearly be to curb software piracy, which leapt 14 percent in its global value last year to $59 billion, according to BSA’s recently released 2010 Global Software Piracy Study. BSA also supports well-crafted legislation, as I outlined in my testimony to the Judiciary Committee, to strengthen the hand of law enforcement and prosecutors, create uniform data security and breach-notification rules, and provide incentives for private companies to share information about threats with government agencies.
It is heartening that Congress and the Administration appear to be focused on cybersecurity issues, because the stakes are growing all the time.