Yahoo has confirmed that it is the victim of a cyber security breach affecting at least 500m accounts, perhaps the largest in history. Data breaches of email and social media accounts, retail stores, health insurance companies and even governments are now routine. The lesson to be learnt from the Yahoo breach may be that, when it comes to cyber security, we are not learning the right lessons.
Following major breaches, companies often deflect responsibility by pointing the finger at “state-sponsored actors”, as Yahoo did. Certainly, states do engage in this kind of activity and in some cases leave enough of a trail to be blamed.
在遭遇重大侵入后,企業(yè)往往將矛頭指向“國家支持的”黑客來躲避責(zé)任,雅虎正是這么做的。政府肯定在從事這類活動,在某些情況下還留下了足夠的痕跡,難以推脫責(zé)任。
But there is also reason to be sceptical of Yahoo’s claim. Presenting breaches as nation-state attacks suggests that there was nothing the company could have done to defend its users. It is better PR to blame a foreign intelligence service than for a company to admit it lacked basic security features. It also puts companies on a stronger legal footing against users who may seek to sue them.
The trouble is that most cyber security breaches — including those carried out by nations — exploit known vulnerabilities, for example where a patch was either never developed or never deployed. Most breaches are preventable, yet attacks continue to increase in number and scale. The woeful state of cyber security is, simply, a market failure.
The reasons are numerous and complex. Consumers are unable to make informed judgments about security when choosing where to entrust their information. Companies hesitate to share cyber threat information with industry competitors. Threats are distributed such that the relative probability that any one company will be the victim of a breach remains low. The bottom line is that companies do not have adequate economic incentive to invest in security infrastructure.
Governments must find ways to encourage companies to undertake more responsible practices. One way will be by developing liability mechanisms to impose costs on organisations that fail to protect customers’ data. And where the consequences of cyber security breaches are especially dire — networked medical devices or autonomous vehicles, for example — governments will need to enact robust regulatory standards to ensure safety.
But companies are not the only problem. Consumers are largely unwilling to accept even minor inconveniences for better security. Systems remain unpatched because individuals cannot be bothered to install updates. Users chafe against imposed security measures like the rejection of weak passwords. Conscientious companies walk a fine line between encouraging customers to be safe and imposing burdens that individuals will circumvent with even more vulnerable workarounds, or running the risk of driving users to more convenient and less secure platforms.
Until we address failures at corporate and collective levels, the lesson of the Yahoo breach for the individual is that cyber security is every man for himself. When people cannot rely on large companies to protect personal information, the only responsible approach is to presume breaches are inevitable and try to mitigate the damage. Not reusing passwords prevents a single attack from compromising multiple accounts. Adopting two-factor authentication features reduces individual risk. And users should consider what information to store and share online.
But ultimately self-help will fall short. We have limited choice about what data about us are produced and stored, and participating in modern society necessitates volunteering a great deal more. Preventing large-scale data breaches is similar to countering disease epidemics — individual practices can protect us only so much and, where we are unable to wall ourselves off, large-scale institutional responses are required.