Security hysteria: Time to cut the hype

Hackers are more malicious than ever, but the media- and vendor-fomented hysteria is misplaced. If it doesn't stop soon, expect to see Congress breathing down the neck of IT

Citigroup, Sony, Facebook, and Apple -- the hysteria over security and privacy breaches is drowning out rational thought. I'm not saying there isn't a problem -- hacker gangs are operating like a well-organized cyber-Mafia -- and doing real damage. But take a deep breath, counsels Avivah Litan, a veteran Gartner security analyst. "You've got to distinguish between attacks -- there are lots -- and damage -- where there's much less," she tells me.

Consider the recent hack against Citigroup. For all the front-page stories in the New York Times and the consternation in Washington, D.C., it appears that in the end, nothing useful (to criminals, that is) was stolen. "They did not get the good stuff," says Litan.

Or think about the endless hand-wringing about location data stored on the iPhone. In the end, there wasn't one single instance of real harm that anyone claimed, much less proved. When you think about it, many of the privacy issues we hear so much about come down to a tracking cookie on your hard disk that results in a relevant ad being served up. So what?

But while we're sweating over threats that don't have real-world consequences, we're missing threats that do. My fear is that the hysteria will get picked up by the techno-peasants in Congress and we'll wind up with burdensome regulations that will do more harm than good.

Vendor FUD threatens user security
To be clear, neither Litan nor I am claiming that there are no serious security threats or that they haven't caused significant damage. They have, of course, and it probably costs the economy billions of dollars a year -- real money, even in these days of trillion-dollar expenditures and deficits. And the recent attack against Lockheed had serious national security implications.

But are we facing a dual crisis caused by criminal hackers and feckless companies, like Facebook, eager to ream your privacy? We are not.

It's very easy to panic when you read about security breaches day in and day out. Much of the hysteria comes from what I call the vendor-blogger complex. Security companies make their living selling security products and services, so it is in their interest to stir the pot from time to time. Because bloggers and tech publications live and die by page views, it's awfully attractive to take a report, puff it up a bit, write a scary headline, and reap the rewards.

I'm not suggesting that reputable companies like Symantec are making stuff up -- they're not. But my mailbox is full of reports by security vendors, and when I read them carefully or interview the authors, I've noticed that many of the threats they highlight haven't appeared in the real world. Yes, they exist, but there's often no evidence that anyone has been victimized. Indeed, the constant drumbeat of scare stories may well result in a "cry wolf" syndrome, where users simply stop paying attention and even neglect prudent security precautions.

Small business isn't protected
Instead of worrying that some advertiser will follow your browser from site to site, you might want to worry that law enforcement can follow you (not your avatar, but you) by accessing data on cellphone towers -- without a warrant, says Rebecca Jeschke of the Electronic Frontier Foundation. Or maybe you should read reports of a recent federal memo that says FBI agents can rummage through your trash without a warrant. Now, those are privacy violations.
