The Privacy and Data Protection Legal Reporter spoke recently with Professor Fred H. Cate, distinguished professor of law and adjunct professor of informatics at Indiana University, in Bloomington, IN, about what he sees as the hyperbole that, at times, overtakes the public discussion about ID theft and electronic security. As the director of Indiana University's Center for Applied Cybersecurity Research, Cate is a leading researcher and consultant on issues such as phishing, consumers' use of passwords, and cybersecurity.
Privacy Reporter: In The Washington Post in October, you wrote that the general public and lawmakers are developing an overblown and misplaced fear about security breaches. Can you explain what you mean?
Cate: 'Misplaced' is a very good word to reflect what is going on today. This is not to say that the threat of identity theft isn't real, nor that the impact for the people who really suffer from having their identities stolen isn't terrible. But identity theft is not occurring with the frequency we often hear about in the press; in fact, studies suggest it is actually declining.
Look at the high-profile case of the theft of the laptop computer from the Veterans Administration with information on 26.5 million veterans. Nobody suffered identity theft. The laptop has been recovered with the data untouched - but only after weeks of hand-wringing, promise of impending doom, and a request to Congress to provide $160.5 million to cover the cost of 1 year of credit monitoring for the veterans.
Privacy Reporter: Why are we hearing more about these types of theft if they really are rare?
Cate: Some people have pretty obvious motives to jump on the issue, such as if they are selling electronic security services. But others have motivations, too. Politicians like the issue because it's fairly simple to explain and to use to generate attention; then they can pass legislation to 'solve' the problem. The press likes the idea of millions of records and billions of dollars of potential harm from runaway ID theft because that's more exciting than run-of-the-mill fraud or the subtleties of changing fraud patterns.
Privacy Reporter: You mentioned Congress. What do you think about the need for a national privacy breach notification law? What about the state laws now in place?
Cate: State notification laws have served some useful purposes by embarrassing companies that now have to admit publicly when their systems have been breached. To put it crassly, previously many companies did not internalize the value of personal data that they are holding. When they lost personal data, the companies were not hurt. Yet most companies did a far better job of internalizing the value of the confidential corporate information they are holding, and so they took stronger steps to protect that data. So the notification laws have created an incentive to improve data protection and housekeeping for consumer and employee information.
But these state notification laws have caused problems too. The public has been inundated with notices where frankly little risk was presented and where there was little they could do in any event. Moreover, some state legislatures think they have solved the ID theft problem by passing these laws, and that's all they have to do. To the extent that these laws are leaving other problems unaddressed, this is a major concern.
Privacy Reporter: Well, what are those unaddressed concerns?
Cate: I see three issues: One that is here now, one that is clearly emerging, and one that is starting to emerge.
First, all the data we have now tell us that the biggest threat to our personal information security is the people we know. It's the same with many violent crimes. Most ID theft is committed by people you know. So laws that focus on strangers - such as notification laws - actually misfocus our attention. It would be better to tell people to lock up their checkbooks, look at the balances on their bank statements, and to look out for themselves rather than to tell them to fear outsiders. Politically it's unfeasible to say that, but there is a lot that individuals can and should be doing to protect ourselves.
Second, I see a problem that's starting to emerge, and has arrived in some sectors. This is phishing. But this problem is a lot broader than just the fraud that gets people to expose some information about themselves. The bigger problem is that there is little that industry can do right now to stop it. This is dangerous because people are giving personal information that can be used in so many damaging ways, and as people realize this, they stop trusting the Internet and e-mail. When I get an e-mail from eBay now, I just delete it, because I have no way of knowing if it's genuine. And more and more people are starting to act the same way. The result is that this very cheap, fast way to communicate is being undermined - and that will cost all of us a great deal of money and convenience if it's not solved.
The third thing is just starting to become a problem, but it's growing. This is very organized fraud that uses 'synthetic identities.' ID Analytics reported recently that it is seeing more of this, and chief security officers at banks are reporting increased incidences. The idea is: Why should a thief steal my identity to commit financial fraud? He doesn't know if I have good credit. It is more profitable to just create a totally new, 'synthetic' identity and give it good credit, and use it to perpetrate fraud. And what's worse, this fraud can be perpetrated much longer because there's no one whose identity was actually stolen - so no one is filing a complaint or report. This is a good example of where current legislation is not helping to solve the problem. The FACT Act, through which we all can get a free credit report once a year, won't catch synthetic identities.
Privacy Reporter: Given these many issues of concern, where do you see the primary vulnerabilities?
Cate: It might sound obvious, but everyone is vulnerable. One interesting question is to look at where the law places liability. Individuals are almost never held liable for ID theft perpetrated against them, and that is good. Congress has basically said that you won't be held liable personally.
Yet the vulnerability goes right to the heart of our digital economy. Congress and the states have no idea how to address the problem. Because as we move to faster and faster electronic commerce, fraud can move faster and faster. Meanwhile, the law is always behind. Think about getting a mortgage 2 decades ago, when you might have to visit the bank three times and then wait for weeks for approval; but the [delays in the] system made it arguably harder to commit fraud. Compare that to getting a loan to buy a new car in 10 minutes at a dealership today, but fraud is easier.
So if fear of phishing causes even a 3% or 5% reduction in people's willingness to work online, that is huge as it is multiplied across the economy. If we combine that impact with the more draconian scenarios for false identifications, fake driver's licenses, and so on, that can enable a person to get onto an airplane or into a secure building, then we see an impact that goes beyond financial.
Privacy Reporter: What's the solution to the problems you outline?
Cate: What worries me is that I don't see Congress appropriating money to study and research these issues, and to fund others to study them. You might expect the academic community to help, too, by advancing research. But this has been inadequate.
Industry is struggling, too. In some situations, the problem is beyond their control. For example, you can open a bank account by showing your driver's license. But since driver's licenses can be easily faked, the bank can't protect itself perfectly from fraud. Companies also face numerous other financial priorities, and they also have the problem that they are competitors in many arenas, but this is one where they need to cooperate.
I think there is potentially the need to re-engineer the Internet to address some of these problems. We need to find ways for messages and packets of data to be linked to specific senders or other sources. Similarly, we probably have to rethink forms of identification so that they are more reliable than driver's licenses and more useful online.
Privacy Reporter: Tell us about your research and the work of the Indiana University Center for Applied Cybersecurity Research. How are you tackling these types of problems?
Cate: The Center addresses these issues in a number of ways. We conduct research on fraud, such as phishing, to understand the problem today, anticipate new types of attacks tomorrow, and develop countermeasures. We study how people use computers and how security tools, such as passwords, can be designed to be more useful and reliable; it isn't just a question of designing better mousetraps, but of making sure those mousetraps can be used by real people. We do research on viruses and other forms of malicious code and how they spread through networks. We examine threats to handheld devices, computers in cars, home medical monitoring equipment, and other less traditional technologies.
The Center also does a lot of work helping to educate policymakers, journalists, industry leaders, and the public about identity theft and its causes, steps we can take to protect ourselves, and future threats. And we help train the next generation of cutting-edge computer scientists, business leaders, policymakers, and others who will have to deal with cybersecurity threats in the future.