This article is based on a presentation at the Fall 2023 Accounting & Finance Forum on Data with Dignity by Scott Shackelford, the Provost Professor of Business Law and Ethics at the Indiana University Kelley School of Business, Director of IU’s Center for Applied Cybersecurity Research, and Executive Director of the Ostrom Workshop.
November 2, 1988 may not be a date you’ve assigned significance to. But it served as a key turning point in the history of the Internet and cybersecurity: the first DDoS attack.
This high-profile cybercrime, during which a graduate student at Cornell flooded a server with Internet traffic and inadvertently immobilized about 6,000 computers, caused hundreds of thousands of dollars in damages. And despite being accidental (it was meant to be a research project), the first DDoS attack nonetheless changed the landscape for cybersecurity and AI governance, says Scott Shackelford, a professor of business law and ethics for the Kelley School of Business, who also serves as the director for IU’s Center for Applied Cybersecurity Research.
From that case, the Computer Fraud and Abuse Act was established, setting a precedent that what happens in the cyber world has real-life consequences.
Since the late ‘80s, cyberattacks have proliferated rapidly in number, sophistication and severity. They now target companies and countries alike, says Shackelford, in part because of the accelerating adoption and decreasing cost of hyperconnectivity, driven by 5G and 6G and by the internet of things (IoT).
IoT describes what is now a commonplace part of our lives—physical objects embedded with sensors, software, and technologies that connect that device to the internet.
“Reasonable cybersecurity in the IoT context is a hot topic these days,” says Shackelford. “We see some states like California now mandating that if you sell an Internet-connected product, it has to be enabled for updates and can’t have a hardcoded password, but that’s not the case everywhere. In this digital ecosystem, we’re dealing with a legacy of technical debt like unsecured devices like smart light bulbs. And while that example may seem benign, it raises issues of critical infrastructure protection.”
The Unintended Consequences of IoT
IoT is driving contemporary discussions about cybersecurity, in part because it has led to some unintended consequences.
A pertinent example happened several years ago, when the Department of Defense and intelligence community wanted to promote what they were calling “A Fit, Fighting Force” by subsidizing the purchase of Fitbits and smartwatches for service members. What they didn’t anticipate was the data being generated and its implications for national security. Exercise activity was uploaded to the fitness-tracking service Strava, whose heat maps anyone can access, and the concentrated activity around certain locations inadvertently revealed the secret location of CIA black sites and military operations.
Trends in Cybersecurity and AI Governance
“A great deal of work today is focused on mitigating these vulnerabilities of the stack,” says Shackelford.
Supply chain security. According to Shackelford, there’s currently a lot of experimentation with initiatives such as the software bill of materials (SBOM), which acts as an “ingredients list” for software, spelling out where each component was written, by whom, and when. These lists offer a way to trace the source of vulnerabilities. DoD vendors often also go through the Cybersecurity Maturity Model Certification (CMMC) to increase their supply chain security.
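To show what “tracing the source of a vulnerability” through an SBOM looks like in practice, here is an added example that is not from the article, the presentation, or IU’s Center for Applied Cybersecurity Research. It reads a small CycloneDX-style SBOM, compares each listed component against a list of known-vulnerable versions, and reports which components (and which suppliers) need a patch. The SBOM contents, the component and supplier names, the version numbers and the VULN-EXAMPLE identifiers are all constructed placeholders, not real packages or advisories.

```python
"""Match the components in an SBOM against a vulnerability list.

Added example; not code from the article or from IU's CACR. Both the SBOM
and the vulnerability list below are constructed placeholders.
"""
import json

# Constructed CycloneDX-style SBOM: the "ingredients list" for one application.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "fastjson-toy", "version": "2.3.1",
     "supplier": {"name": "Example Libs Co. (constructed)"}},
    {"type": "library", "name": "logparse-toy", "version": "1.0.5",
     "supplier": {"name": "Example Libs Co. (constructed)"}},
    {"type": "library", "name": "httpclient-toy", "version": "0.9.0",
     "supplier": {"name": "Another Vendor (constructed)"}},
    {"type": "library", "name": "crypto-toy", "version": "2.4.0",
     "supplier": {"name": "Another Vendor (constructed)"}}
  ]
}
"""

# Constructed vulnerability feed: each entry says "versions below fixed_in
# are affected". The identifiers are placeholders, not real advisories.
VULNERABLE = [
    {"id": "VULN-EXAMPLE-0001", "name": "fastjson-toy", "fixed_in": "2.4.0"},
    {"id": "VULN-EXAMPLE-0002", "name": "logparse-toy", "fixed_in": "1.0.2"},
    {"id": "VULN-EXAMPLE-0003", "name": "crypto-toy", "fixed_in": "2.4.0"},
]


def parse_version(version):
    """Turn '2.3.1' (or '2.3.1rc1') into a tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a sorts strictly before version b ('1.0' == '1.0.0')."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def parse_sbom(text):
    """Extract (name, version, supplier) records from a CycloneDX JSON document."""
    doc = json.loads(text)
    records = []
    for comp in doc.get("components", []):
        records.append({
            "name": comp["name"],
            "version": comp.get("version", "0"),
            "supplier": comp.get("supplier", {}).get("name", "unknown"),
        })
    return records


def find_affected(components, vulns):
    """Return one finding per (component, advisory) pair where the shipped
    version is older than the fixed version."""
    findings = []
    for comp in components:
        for vuln in vulns:
            same_name = comp["name"].lower() == vuln["name"].lower()
            if same_name and version_lt(comp["version"], vuln["fixed_in"]):
                findings.append({
                    "id": vuln["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "fixed_in": vuln["fixed_in"],
                    "supplier": comp["supplier"],
                })
    return findings


if __name__ == "__main__":
    for f in find_affected(parse_sbom(SBOM_JSON), VULNERABLE):
        print(f"{f['id']}: {f['component']} {f['version']} from {f['supplier']} "
              f"-> upgrade to {f['fixed_in']}")
```

Only the component that is both named in the feed and older than its fixed version is reported; the boundary case (a component already at the fixed version) and a component newer than the fix are correctly left alone, and the finding carries the supplier name, which is what lets an organization trace the problem back to where in its supply chain the code came from.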
Liability. There’s also confusion about who is responsible for cybersecurity. Is it the government or individual organizations? And who is responsible within those organizations? In a recent survey on responsibility for cybersecurity, there was no clarity about whether a CEO, Chief Privacy Officer, or Chief Information Officer should ultimately be responsible for cybersecurity.
While there’s a long history of treating cybersecurity as just a cost center, there’s a movement now to think about it as a competitive advantage or even a corporate social responsibility, Shackelford says. Through this lens, organizations are responsible not only for their operations’ impact on natural ecosystems but on digital ecosystems as well. New certification schemes could demonstrate this responsibility.
“When you’re looking for a new TV or appliance, you look for the Energy Star label to see how much it will cost you each year,” Shackelford explains. “That’s pretty easy to measure. But could you develop a rating system like that to tell you something meaningful about the privacy or security features of an internet-connected device?”
Active defense. More and more countries and US states are going on the offensive to protect themselves against cybersecurity threats. Most new cybersecurity legislation is being passed at the state level, with bipartisan interest in privacy and cybersecurity. Indiana was the eighth state to pass a data privacy law, but there is still confusion across the country about what counts as reasonable cybersecurity, Shackelford says.
The Federal Trade Commission’s list of Cybersecurity Best Practices offers some fundamental steps to increase cybersecurity. IU’s Center for Applied Cybersecurity Research is working on a similar framework of essential steps to help organizations define and implement foundational cybersecurity practices, called the Transformative Twelve.
“That can do a lot to help satisfy businesses’ concerns,” Shackelford explains. “A big issue is, ‘where should I put this next dollar of investment? Should it be end-to-end encryption? An insurance policy? Multifactor? Training my employees?’ Lists like these can help.”