Focus On: Andrea M. Matwyshyn

Information Security: ‘Only as Strong as the Weakest Link in the Chain’

Posted on February 25, 2013

cybercrimeMembers of the hacker group Anonymous targeted the U.S. Department of Justice and the Massachusetts Institute of Technology recently in retaliation for the death of Aaron Swartz, a 26-year-old Internet activist and programmer who took his own life in January after illegally downloading millions of academic documents from the university. Swartz believed the documents should be freely distributed, especially since many were funded with public money. He was prosecuted and faced decades in prison — a punishment that many considered too severe for the infraction.

But Anonymous also targeted the Federal Reserve, an innocent bystander in this tech drama, to protest authorities’ handling of the Swartz case. According to Wharton professor of legal studies and business ethics Andrea Matwyshyn, the Fed hacking is significant and has broad implications for information security. K@W Today spoke with her about the hacking, information security and how businesses should respond after a data breach.

K@W Today: Government websites have been hacked before. What made this case stand out to you?

Andrea Matwyshyn: Part of what makes this instance of the Federal Reserve being compromised by Anonymous — or at least a vendor to the Federal Reserve being compromised — significant in my mind is both the high profile of the target and the signaling function that this type of [breach] serves regarding the importance of information security for the broader business community. The Federal Reserve in this case was basically a secondary target. Although there was no direct connection between the Federal Reserve and the prosecution of Aaron Swartz, because of other dynamics going on in the broader technology community … government [entities] generally became part of the target group for attacks or acts of protest [by Anonymous].

K@W Today: What should companies and governments do to better protect themselves against these types of attacks?

Matwyshyn: The first step in crafting a good information security policy for an organization is to recognize that information security is really a holistic enterprise that requires end-to-end planning at the highest levels of the organization. From the moment data is collected and stored in a database to the handling of an incident when something goes awry and information is compromised, the best process is a holistic, thoughtful approach that considers the entire lifecycle of the information.

K@W Today: What is the cost-benefit analysis of spending on information security by companies and government agencies?

Matwyshyn: The question of the optimal way for companies and agencies to handle their information integrity issues isn’t necessarily closely tied to expenditures. The question really comes down to whether an organization-wide policy exists, from the highest levels of the organization all the way down to the lowest levels, creating a culture of data stewardship and data care. Information security has frequently been relegated to the information systems or IT people, and that cabins it off in one piece of an enterprise instead of creating a culture of data stewardship. That “cabining” creates an atmosphere that’s more likely to result in data loss and data breaches and suboptimal incident response.

There needs to be a tone set from the top about proper data handling and the way that care is exercised throughout the organization with respect to maintaining proprietary and confidential information –- both corporate and consumer information. So, for example, confidentiality agreements should be in place with all members of the organization and not merely with the executives who have the greatest access to research and development. Confidentiality agreements should be put in place all the way down the chain of employees who can access corporate information — even down to the janitorial staff who empty the garbage cans. Information security is only as strong as the weakest link in the chain of information possession.

K@W Today: How should agencies or companies respond to consumer concerns? What are some best practices that they should follow?

Matwyshyn: Organizations should have a process in place for handling reports [on data security issues] that escalates them smoothly to appropriate decision makers. Organizations should acknowledge and respond to the individual concerned about information security or possible data leakage. The report should be taken seriously in all instances until there’s evidence to the contrary. Sometimes, in lieu of acting cooperatively and funneling these types of reports internally to the correct decision makers who can verify and take action, organizations unfortunately adopt an adversarial posture toward the security researcher or consumer who points out a problem.

Ignoring these external reports or shooting the messenger is a squandered opportunity for improving the integrity of information systems and building commercial trust — both with the public and the information security research community.

The first approach should be a “thank you” and a verification of the veracity of the report rather than a legal threat of retaliatory action.

A second mistake that frequently happens is simply the denial of the existence of problems or the burying of reports. Although the handling of the relationship with the reporting individual may be done in a conciliatory manner, sometimes … fixing the actual problems that gave rise to the initial report does not happen. Similarly, companies or agencies should have external auditors come in and perform information security audits. The auditors will provide useful recommendations for improving the integrity of information security processes. But those recommendations [sometimes] fall by the wayside, and they are never implemented.

Featured Professors:
Posted in Knowledge@Wharton Today | Leave a comment

Internet Privacy Takes a Hit, Again

Posted on February 20, 2012

Google, according to a report in The Wall Street Journal last week, has not been playing fair when it comes to upholding its own privacy standards.

The company has been tracking “web-browsing habits of people using Safari browser software even if [users] intended for that kind of monitoring to be blocked,” the Journal article noted, adding that this behavior has led three U.S. congressmen to ask for a Federal Trade Commission investigation. The article also pointed out the company last year signed a privacy settlement with the FTC after the commission charged it with using “deceptive tactics and violating its own privacy promises to consumers” when it launched its Buzz social network.

As for the breach the Journal found last week, Google responded that it has deleted the tracking files in question and is addressing the congressmen’s concerns.

KnowledgeToday asked two Wharton faculty — Andrea Matwyshyn, professor of legal studies and business ethics, and Shawndra Hill, professor of operations and information management — to comment on this latest incident.

Given all the recent examples of Internet companies chipping away at people’s privacy, how serious is this latest breach?

Matwyshyn: According to press reports of commentary from a Google spokesperson, the company does not necessarily consider its actions to constitute impermissible conduct: Google is alleging that users authorized the company to interact with their data in certain ways and, by implication, that this consent authorized alteration of inconsistent settings on a device, which may have happened in an unanticipated manner. 

Hill: Firms like Google need to take [care] because legal cases regarding privacy breaches can and do go to court. With each breach, Google opens itself up to punishment and a degradation of consumer trust. In this [latest incident], millions of consumers might be affected, which could indeed prove problematic for Google because of the scale of the Safari problem.

What would have led Google to do this? An obvious answer is the increasing competition for ad dollars, but is there another explanation? 

Matwyshyn: This type of error is symptomatic of the broader privacy and security culture wars going on inside all companies, but technology companies in particular. Privacy and security champions and lawyers frequently butt heads internally with engineers over design and consumer protection. In engineering-focused cultures such as Google’s, shipping code usually wins, and privacy/security and consumer protection can be viewed by some internal decision makers as secondary things you “clean up” when they go awry, rather than things companies must design around.   

Hill: It’s possible that better advertising alone is driving the data collection when consumers use the Safari browser. However, it is also possible that Google was not aware of all the consequences of their actions. It is often the case with data collection that you have one intention but that there are other uses that are unforeseen when the data or process for data collection is established. Still, Google should do a better job identifying potential problems before launching new processes.

Is it conceivable that Google didn’t know this was happening?

Matwyshyn: Code is written by humans, for humans.  Yes, it’s entirely conceivable Google didn’t do their homework and anticipate this dynamic. It’s also conceivable that a company might anticipate a dynamic such as this, but would then decide that fixing it is a lower priority than shipping code out fast. A third scenario might be that a company decides this type of dynamic is a feature and not a bug, that their consumer EULA [end user license agreement] grants the right to tweak settings on user devices and that users are unlikely to notice the exact workings of the code.

Do you think Google’s reputation as a “do no evil” site has taken a substantial hit?

Matwyshyn: “Do no evil” was Google’s successful mantra from the 1990s and 2000s. Those days are gone from the standpoint of consumer perception. Although Google’s socially-beneficial pilot programs and philanthropic efforts are commendable, in the 2010s many consumers view Google as an aggressive data aggregator akin to Facebook. Microsoft is the new underdog.

Hill: Google is scheduled to change their privacy settings next month. In addition, they have come under scrutiny regarding other privacy breaches in the past year. While the firm may continue to claim to “do no evil,” their business strategy is certainly changing; no doubt consumer perceptions, and possibly trust, will change as a result. However, other large data driven companies are using behavioral, social network and demographic information to target ads. So, it’s not like there is an alternative (right now) where user data are not being used for advertising and business intelligence.

The main concern for consumers will come when/if Google tries to maximize their advertising dollars at the expense of giving users the most relevant information to answer their search queries.

Three congressmen have called on the FTC to investigate Google over this practice. Are we finally reaching a tipping point where the privacy issue has caused enough concern that the government will mete out serious sanctions/punishment?

Matwyshyn: One possible outcome may be another FTC consent decree expanding the existing mandatory periodic FTC audits…. The organizational impact of FTC audits may be underestimated internally: FTC audits are a disruptive and expensive experience, as Microsoft learned. If this underestimation is the case, and if the privacy lessons from Buzz have not been internalized by the corporate culture, it is unsurprising that another privacy problem has arisen.

Hill: It’s hard to say which case will end up [resulting in a] severe punishment. However, with each case, we get further along into the discussion about what is acceptable and what is not with respect to consumer privacy. The hope, at least from consumers, is that the conversation will evolve into a clear set of rules and regulations that govern how online firms and others can make use of personal data while offering useful, and free, services.

Featured Professors: ,
Posted in Knowledge@Wharton Today | Tagged , , , , , , , , , | Leave a comment

Facebook Shunners: Is Resistance Futile?

Posted on January 12, 2012

Shortly before Christmas, The New York Times became the latest media outlet to write about “Facebook resisters” — people who have never set up an account with the increasingly ubiquitous social network or those who started a profile, but later shut it down after they grew dissatisfied with the site.

As Facebook, its competitors and partner companies amp up the social aspects of their sites, and encourage consumers to share more of their activities and preferences online, it’s natural that some people are growing uncomfortable with the amount of information about their lives that is becoming publicly available, Wharton legal studies and business ethics professor Andrea Matwyshyn says. But that heightened level of sharing also makes it that much harder for consumers to completely break away from sites like Facebook, she notes, because they have become inextricably linked with how people live and work.

“There’s a growing concern among people about losing control of their own information, in particular the prospect of employers using social media as a filtering device” for prospective applicants, Matwyshyn says. She knows several law and MBA students who have opted to shut down their Facebook accounts because they were concerned about the reach of the information they were posting. “Depending on your privacy settings and the privacy settings your friends have on their own Facebook pages, you’re not just governed by your own conduct, but by the conduct of every one of your friends to the extent that they share data with third-party applications.”

Situations like this are also causing users to set up multiple personalities on Facebook, with one account for private use and another to use professionally. But bifurcated profiles and the use of pseudonyms creates other complications, Matwyshyn says, because they raise further questions about what is considered fair and legal conduct on social networking sites. “Third parties watching our conduct, or friends giving access to our information to third party vendors, are very messy spaces that will continue to flourish as the social reader phenomenon continues to expand,” she notes. “There’s a push toward having all of us increase the sharing of our information; to avoid sharing information, you have to adopt an increasingly aggressive, defensive posture.”

But given how pervasive Facebook has become, is it really possible to be truly disconnected? “The joy and pain of Facebook is that once you begin participating in the community, disconnecting means, in essence, that you lose a major source of information about people,” Matwyshyn notes. And social networking has also become an important aspect of the way many people do their jobs. “It may not be integral to the career prospects of an art framer, but for someone like me who works in a research field related to technology, it would not be possible for me to opt out of Facebook,” she points out.  “In fact, it would be, in my opinion, almost a credibility-diminishing choice.”

Featured Professors:
Posted in Law and Public Policy, Managing Technology | Tagged , , | 4 Comments

The Big Hack Attack

Posted on August 3, 2011

In one of the most widespread cyber-attacks ever discovered, computer-security company McAfee reports that ongoing intrusions into computers run by governments, businesses and other organizations has meant big losses of military secrets, industrial designs and other records.

McAfee vice-president Dmitri Alperovich said the pattern of the attacks “strongly suggested backing by a national government, since there would be no obvious economic benefit for crime groups,” from many of the intrusions, according to an article in The Financial Times. “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact,” Alperovich wrote in a just-released report.

The FT article notes that a pattern of attacks over some five years affected 72 organizations, mostly in the U.S., including “six U.S. government agencies and 13 defense contractors.” Among the pilfered data was classified military secrets and information from the U.N., the International Olympic Committee, the Olympic committees of several countries and also some U.S.-based news organizations.

Over the years, many U.S. government intelligence authorities have said that China is likely behind a great deal of the cyber-espionage conducted against U.S. organizations.

And in the recent Knowledge@Wharton article, Can Anyone Create a Hacker-proof Cyberspace?, Wharton legal studies and business ethics professor Andrea Matwyshyn said that large-scale hacking against Google and other Silicon Valley companies in 2009 were widely believed to have been the handiwork of the Chinese government.

China has always denied accusations about hacking and there has never been any direct proof of its involvement. At the same time, it is extremely difficult to get hard evidence against attackers.

The FT also reported that “People briefed on McAfee’s research said the most logical suspect was China, which was not among the Asian countries that were home to any of the victim institutions. Two South Korean companies and a government agency, as well as companies in Taiwan and Vietnam, were compromised.”

Whether China is guilty or not, a lot of evidence points to involvement by a government. Wade Baker, director of risk intelligence at Verizon, notes in the Knowledge@Wharton article that over the past year or two, security officials have been detecting government-sponsored attacks. Baker says that criminals looking for financial gain find new targets whenever they are at risk of being caught. But “nation states are different. They have the resources of nations behind them and a lot of time on their hands.” Another straw in the wind: Computer analysts have said that an unnamed government was behind a June attack on the International Monetary Fund designed to steal secret economic data that could be used to destabilize currencies or trade.

Given the huge threat involved, it might come as a surprise to some that the security industry has the tools to combat many of today’s hacking threats, yet faulty management structures seem to be holding them back, according to Baker. “The bad guys aren’t successful because organizations don’t have the technology,” he argues. “It’s really about using, deploying and configuring the basic things we’ve been doing for years.” Security analysts should devote more time to following up on their efforts in order to get a better sense of what actually works, he adds. “We don’t have real science and study and testing to make sure the things we are recommending are really effective.”

Meanwhile, the Obama administration unveiled a legislative proposal in May to address cyber security after more than 50 separate cyber-related bills were introduced in the last Congress.

Given the latest revelations about a cyber-espionage onslaught of huge proportions, it’s likely just a matter of time before Hollywood creates a new blockbuster movie on the topic. But if the movie stays true to life, don’t expect a quick, happy Hollywood ending to this thorny problem.

Additional reading:

Clear and Present Danger: Cyberattacks, Hackers and the Increasing Threat to Information Security

Information Security: Why Cybercriminals Are Smiling

Leaving ‘Friendprints’: How Online Social Networks Are Redefining Privacy and Personal Security

Featured Professors:
Posted in Business Ethics, Knowledge@Wharton Today, Managing Technology | 1 Comment

Survey: For Facebook, Critical Mass Doesn’t Equal Satisfaction

Posted on July 21, 2011

Facebook is a social networking behemoth, with 750 million active users who spend about 700 billion minutes per month on the site. In a sector where users’ ability to connect and share with friends is crucial to success, critical mass equals power, and Facebook has that in spades.

But just because users are active doesn’t mean they are entirely happy with the service. In a newly released satisfaction survey of online news, search and social media sites, Facebook garnered the lowest overall score — 66%. The annual American Customer Satisfaction Index (ASCI) e-business report was conducted in partnership with market research firm ForeSee Results.

Facebook’s satisfaction score was up three percentage points over 2010, but came out last in the social media category and last in the e-business sector overall. And the survey’s organizers suggest that the results show that the company might be vulnerable to competitors — namely to a push by Google to promote its new Google+ social networking service, which was introduced after the survey was conducted. “We don’t know yet how Google+ will fare, but what we do know is that Google is one of the highest-scoring companies in the ACSI, and Facebook is one of the lowest,” ForeSee Results CEO Larry Freed said in a news release. “An existing dominance of market share … is no longer a safety net for a company that is not providing superior customer service.”

Indeed, in a 2010 Knowledge@Wharton story about the introduction of, and privacy concerns related to, the Facebook Connect service — which links users to other parts of the web by sharing their “likes” and other activities across a number of different sites — Wharton legal studies and business ethics professor Andrea Matwyshyn warned that “people stay with Facebook because they feel locked in, but they may lose trust over time. It could be an ideal time for a competitor to come in and harness that trust deficit.”

With Google+, the search company (which received an 83% satisfaction score in the ASCI, topping its category) is attempting to address some of the most-talked about user frustrations with Facebook — privacy and contacts management. For example, the new service allows users to group friends into different “circles” and to choose which information and updates are shared with each one.

In a KnowledgeToday post about Google+, Wharton marketing professor David Reibstein said that Facebook “ought to be able to very easily respond” to the Google+ “circle” feature, if not others. “The question is how sustainable is any advantage coming out of Google+, which means something not easily replicable.” Facebook has already introduced a video calling service in partnership with Skype in response to the Google+ “hangout” application, which allows for multi-user video chats.

It will be a year before we know how Google+ fares in the ASCI, but this year’s report included one other notable result in the social media category:  Once-hot MySpace, which had the lowest satisfaction score in 2010 (63%), was dropped this year because there were not enough users to create a statistically significant sample. The ASCI is compiled with data from interviews with approximately 70,000 consumers annually.

Featured Professors: ,
Posted in Knowledge@Wharton Today, Managing Technology | 1 Comment