Cybercrime Blame Game At RSA Conference

"Despite progress, greater efforts are needed in the fight against cybercrime." That's how the Business Software Alliance summarized a town meeting that the software industry interest group hosted today at the 2007 RSA Security Conference in San Francisco.

It's a fair statement that deftly avoids disconnect that could been seen between federal officials and the security experts on the discussion panel. Greater efforts are needed, but from whom?

Clearly, something needs to be done. The Federal Trade Commission on Wednesday released its list of the top consumer complaints for 2006. For the seventh year in a row, identity theft led the list with 36% of the complaints, at least five times more than the next complaint-generating categories: shop-at-home/catalog sales; prizes, sweepstakes, and lotteries; Internet services and computer complaints; and Internet auction fraud.

In the question and answer session that followed an address by FTC chairman Deborah Platt Majoras, Marc Groman, the FTC's chief privacy officer, and Christopher Painter, principal deputy chief of the U.S. Department of Justice computer crime and intellectual property section, enumerated some federal success stories and argued for improved consumer education to combat online fraud.

Ira Winkler, president of the Internet Security Advisors Group, more or less said that consumer stupidity was incurable and argued for at least a 10- to 15-fold increase in federal cybercrime enforcement budgets, the integration of security and infrastructure, and criminal penalties that are greater than the profit enjoyed by successful identity thieves.

"Why aren't the ISPs doing more?" Winkler asked, a question that brought applause.

The other non-government panelist, Robert Maynard, an ID theft victim and the founder and COO of online security firm LifeLock, used more measured rhetoric to argue for prevention in addition to enforcement. He did, however, allow that consumers are easily confused with regard to identity theft. Majoras in her speech called for a "culture of security," a phrase that suggests everyone pulling together to end cybercrime. Note that she didn't call for, say, a legal framework that demands security or an obligation to secure computer systems. Her phase is one that hews to the current administration's preference for the least possible regulation.

"An educated consumer is an empowered consumer," Majoras said.

Winkler did his best to shoot that idea down, recounting how eBay security officials told him that they felt the millions their company spent on consumer education were wasted. He also pointed to a recent study by Harvard and M.I.T. researchers that shows that site-authentication images, intended to prove the authenticity of bank sites to consumers, mostly didn't work -- consumers entered personal information whether the images were present or not.

The FTC's Groman countered that calling consumers stupid didn't advance the discussion. It was a politic reply, but one that essentially rejected Winkler's position that the answer lies in industry accountability and infrastructure control, rather than in regulatory reticence and teaching consumers how to fend for themselves.

That's not to say the government isn't considering new laws or prosecuting cybercriminals. It is, and it deserves some credit for the 11.5% decrease in the dollar loss attributed to identity theft last year. What's more, the FTC is working with financial regulators on an identity theft red-flag rule that will require banks to implement procedures to identify signs of identity theft -- imagine a bank that actually compares signatures on incoming checks to reference signatures on file.

But for all that, there's a disconnect between the government's approach to identity theft and those like Winkler calling for greater industry accountability. The discussion isn't advancing because those reluctant to embrace major changes have already made up their minds about what must be done.

Consider that the Business Software Alliance had already made up its mind about what was going to be said at the discussion before it actually took place. It issued a summary of what was said in a press release prepared before the event took place. The release quotes RSA president Art Coviello as saying, "Today's BSA Town Hall showed that government and industry can work together to bring renewed trust to consumers." Had Coviello waited until he actually heard what was said before issuing a statement, he might not have put such a rosy spin on the proceedings.