
Can big companies still be trusted to protect privacy?

Date: 2016/9/27 8:28:29

After Yahoo, cyber security means every man for himself


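Hennessey: The lesson for users from the theft of data on 500 million Yahoo accounts is that they cannot rely on large companies to protect personal information and can only assume that data theft is inevitable.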

Yahoo has confirmed that it is the victim of a cyber security breach affecting at least 500m accounts, perhaps the largest in history. Data breaches of email and social media accounts, retail stores, health insurance companies and even governments are now routine. The lesson to be learnt from the Yahoo breach may be that, when it comes to cyber security, we are not learning the right lessons.


Following major breaches, companies often deflect responsibility by pointing the finger at “state-sponsored actors”, as Yahoo did. Certainly, states do engage in this kind of activity and in some cases leave enough of a trail to be blamed.


But there is also reason to be sceptical of Yahoo’s claim. Presenting breaches as nation-state attacks suggests that there was nothing the company could have done to defend its users. It is better PR to blame a foreign intelligence service than for a company to admit it lacked basic security features. It also puts companies on a stronger legal footing against users who may seek to sue them.


The trouble is that most cyber security breaches — including those by nations — exploit known vulnerabilities, such as where a patch was either not developed or deployed. Most breaches are preventable yet attacks continue to increase in number and scale. The woeful state of cyber security is, simply, a market failure.


The reasons are numerous and complex. Consumers are unable to make informed judgments about security when choosing where to entrust their information. Companies hesitate to share cyber threat information with industry competitors. Threats are distributed such that the relative probability that any one company will be the victim of a breach remains low. The bottom line is that companies do not have adequate economic incentive to invest in security infrastructure.


Governments must find ways to encourage companies to undertake more responsible practices. One way will be by developing liability mechanisms to impose costs on organisations that fail to protect customers’ data. And where the consequences of cyber security breaches are especially dire — networked medical devices or autonomous vehicles, for example — governments will need to enact robust regulatory standards to ensure safety.


But companies are not the only problem. Consumers are largely unwilling to accept even minor inconveniences for better security. Systems remain unpatched because individuals cannot be bothered to install updates. Users chafe against imposed security measures like the rejection of weak passwords. Conscientious companies walk a fine line between encouraging customers to be safe and imposing burdens that individuals will circumvent with even more vulnerable workarounds, or running the risk of driving users to more convenient and less secure platforms.

 


Until we address failures at corporate and collective levels, the lesson of the Yahoo breach for the individual is that cyber security is every man for himself. When people cannot rely on large companies to protect personal information, the only responsible approach is to presume breaches are inevitable and try to mitigate the damage. Not reusing passwords prevents a single attack from compromising multiple accounts. Adopting two-factor authentication features reduces individual risk. And users should consider what information to store and share online.


But ultimately self-help will fall short. We have limited choice about what data about us are produced and stored and participating in modern society necessitates volunteering a great deal more. Preventing large-scale data breaches is similar to countering disease epidemics — individual practices can protect us only so much and, where we are unable to wall ourselves off, large-scale institutional responses are required.


The writer is a Brookings Institution fellow and managing editor of Lawfare



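Published free of charge by Translian Guangzhou Translation Company for study and reference; commercial use and reproduction are prohibited.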