After the mega hacks of hospitals, gas pipelines, Amazon’s cloud services and even national security government agencies in the US, Europe, Israel and elsewhere, one might think it is a cliché to tell the public that its personal data are not safe.
One might think it is a cliché to tell private sector companies that they are exposed to hackers – in June, one hacker alone was convicted of hacking 100 million citizens’ Amazon cloud data. Israel has now had numerous instances of hundreds of thousands or millions of citizens’ data being exposed.
And yet most individuals and many businesses still do not have the threat on their radar screen.
Why is that?
Did the public miss the mega hacks of the past few years and that Iran just tried a mega hack against Albania this past week, grabbing the global headlines?
Wednesday night, FBI Director Christopher Wray tried to break through the public’s apathy about hackers by taking the almost unprecedented move of recording a video to announce indictments of Iranian hackers.
Usually, the FBI suffices with issuing written press releases or, in rare cases, gives very dry press conferences.
This was a clear attempt to get through to the general public and to highlight to Iran Supreme Leader Ayatollah Ali Khamenei that there will be a price to pay for his dragging out nuclear negotiations and for ongoing cyberattacks.
People don't care about their personal data
But if past experience is any guide, individuals and small businesses just do not have the attention span or the discipline to be careful about their personal data.
Individuals basically do not care if their personal data are stolen, unless the hacker personally locks them out of their accounts or the theft has some other major concrete negative impact on their lives. Yet, by then it is too late.
So governments have started in recent years, especially in the US and Israel, to try to get more on top of this issue.
The problem is that they are doing this at the same time that they are getting more on top of the far more pressing issue of defending critical infrastructure.
One person or one small business losing their money is bad news, but making sure a whole hospital does not go off-line, which Wray said was what Iran tried to bring about at Boston’s Children’s Hospital in summer 2021, and which partially happened to Israel with Hillel Yaffe Medical Center in October 2021, is a much bigger deal.
The same goes for the energy, water, transportation and other sectors.
And in these areas, the US and other countries are still far behind, and may be years from getting all of the smaller companies and municipalities involved up to speed, even with spending massive new resources and time on the issue.
So many of those being attacked are not willing to do anything about it, and governments are years behind getting all critical infrastructure properly defended, while they try to start propping up cybersecurity defenses for individuals and the private sector at the same time.
Cyberdefense in Israel
AT THE International Institute for Counter-Terrorism Conference (ICT) in Herzliya this week, the issue came up repeatedly.
In one session, former Shin Bet (Israel Security Agency) cyber chief Erez Kreiner said that, 10 years after being established, Israel’s cyber authority needs to be carefully evaluated and reconstructed so that cyberdefense is not neglected.
He said that the Israel National Cyber Directorate (INCD) falls far short of what is needed, both conceptually and practically, by a democracy like Israel in order to properly defend the private sector and the public as a group of individuals.
Not that Israel is alone. Kreiner said that almost all countries are currently utterly inadequate when it comes to protecting anything in the digital sphere beyond a limited list of critical infrastructure.
Further, he said that, at best, some countries have only recently started to create some mechanisms for vague national cyberdefense lines, while still failing to defend the private sector.
The INCD shot back at Kreiner’s criticism, saying it “is fully focused on strengthening Israel’s cyberdefense – in the public and private sectors. Whoever wishes to relate publicly to our innovative activities is most welcome to get acquainted with them in advance.”
The truth is that the INCD has been and is trying very hard to get the private sector and the general public to elevate their cyberdefenses and awareness, and has had some success.
But the US is still operating based on executive orders, and the INCD with similar directives from the Prime Minister’s Office, which leave them much more limited authority to maneuver than if Congress and the Knesset would ever pass the bills on these issues which have been sitting and waiting for years.
Why the bills cannot be passed is never completely clear. But some of it relates to ongoing polarized political crises in both countries, and some of it to an inability to resolve complex substantive questions. The questions relate to how much to let governments intervene in their citizens’ affairs, which were private until the era of cyber threats eliminated some of the walls of individual privacy.
But the worst part about all of this is that the digital threat matrix or surface is sometimes expanding faster than the improvements.
Like a game of Whac-A-Mole, by the time governments get around to solving the cybersecurity problems of the past five years, there are many more new problems popping up.
At the same ICT conference, co-founder and CEO of INSIKT Intelligence Jennifer Woodard said that AI-powered disinformation is currently the biggest national security threat, as massive amplification of information can be done in a minimal amount of time.
She warned that new breeding grounds for radicalization, building digital echo chambers for terrorist campaigns and virtual training camps are all possible due to emerging technologies.
Moreover, she said that new methods of AI will be needed in order to defeat the security threats attached to new multidimensional data and technologies, especially within the metaverse.
THIS NEW menu of problems simultaneously invading our security and privacy makes it clear why our data are, and are likely to continue to be, so compromised.
At the same time that countries are trying to keep up with terrorists’ new moves in the digital sphere and new threats from rogue states like Iran (not to mention world powers like China and Russia) using more sophisticated AI tools to wreak digital havoc, they will need to start educating themselves about invasions of privacy in the metaverse.
If the advent of social media let hackers collect information and photos of people’s friends and loved ones, the metaverse will let hackers collect health, biometric and more deeply personal data about people’s experiences and what truly makes them tick. Avatars may make it harder to detect terrorists and criminals.
It is unclear whether any government is setting up any rules to regulate the upcoming metaverse prior to crises erupting.
A former top Twitter employee just told members of Congress this week that even its data is easily compromised, and a top official at TikTok resisted demands by Congress to promise not to share US users’ data with its Chinese parent company.
It seems that until a larger number of individuals and businesses face personal crises, and the government figures out a way for these less sophisticated digital users to protect themselves, personal data in the US, Israel and the West will be up for grabs.