评论
打印
Yahoo has confirmed that it is the victim of a cyber security breach affecting at least 500m accounts, perhaps the largest in history.
雅虎(Yahoo)证实,该公司遭遇也许是史上最大规模的的网络安全侵入,至少影响5亿账户。
Data breaches of email and social media accounts, retail stores, health insurance companies and even governments are now routine.
如今,电子邮件、社交媒体账户、零售店、医疗保险公司、甚至政府的数据被窃已成家常便饭。
The lesson to be learnt from the Yahoo breach may be that, when it comes to cyber security, we are not learning the right lessons.
雅虎事件的教训或许是,在网络安全方面,我们没有汲取正确的教训。
Following major breaches, companies often deflect responsibility by pointing the finger at state-sponsored actors, as Yahoo did.
在遭遇重大侵入后,企业往往将矛头指向国家支持的黑客来躲避责任,雅虎正是这么做的。
Certainly, states do engage in this kind of activity and in some cases leave enough of a trail to be blamed.
政府肯定在从事这类活动,在某些情况下还留下了足够的痕迹,难以推脱责任。
But there is also reason to be sceptical of Yahoo’s claim.
但人们也有理由怀疑雅虎的说法。
Presenting breaches as nation-state attacks suggests that there was nothing the company could have done to defend its users.
将黑客侵入事件形容为国家发动的攻击,字里行间等于在说雅虎没办法捍卫用户隐私。
It is better PR to blame a foreign intelligence service than for a company to admit it lacked basic security features.
企业指责外国情报机构,而不是承认自己缺乏基本的安全措施,显然是更好的公关战略。
It also puts companies on a stronger legal footing against users who may seek to sue them.
这也使企业面对可能起诉自己的用户在法律上处在更有力的地位。
The trouble is that most cyber security breaches — including those by nations — exploit known vulnerabilities, such as where a patch was either not developed or deployed.
问题是,多数网络安全侵入——包括国家发动的侵入——利用的是已知的漏洞,比如针对漏洞的补丁尚未开发或应用。
Most breaches are preventable yet attacks continue to increase in number and scale.
多数侵入都是可阻止的,然而攻击的次数和规模继续升级。
The woeful state of cyber security is, simply, a market failure.
简单地说,网络安全的糟糕状态是市场失灵的表现。
The reasons are numerous and complex.
原因有很多,而且较为复杂。
Consumers are unable to make informed judgments about security when choosing where to entrust their information.
当选择把信息委托给哪一方时,消费者无法对安全作出明智的判断。
Companies hesitate to share cyber threat information with industry competitors.
企业不愿与业内竞争对手分享网络威胁信息。
Threats are distributed such that the relative probability that any one company will be the victim of a breach remains low.
威胁的分布方式意味着任何一家企业遭遇侵入的相对几率仍然较低。
The bottom line is that companies do not have adequate economic incentive to invest in security infrastructure.
归根结底,企业没有足够的经济动机去投资网络安全基础设施。
Governments must find ways to encourage companies to undertake more responsible practices.
政府必须找到方法鼓励企业采取更负责任的做法。
One way will be by developing liability mechanisms to impose costs on organisations that fail to protect customers’ data.
一个方法是建立赔偿责任机制,对没能保护客户数据的组织施加惩罚。
And where the consequences of cyber security breaches are especially dire — networked medical devices or autonomous vehicles, for example — governments will need to enact robust regulatory standards to ensure safety.
同时,在网络安全侵入后果尤其可怕的领域——比如联网的医疗装置或自动驾驶汽车——政府需要实行健全的监管标准以确保安全。
But companies are not the only problem.
但是企业并非唯一的问题。
Consumers are largely unwilling to accept even minor inconveniences for better security.
消费者大多不愿为了提高安全而接受轻微的不便。
Systems remain unpatched because individuals cannot be bothered to install updates.
系统一直没有装上补丁,因为用户懒得安装更新。
Users chafe against imposed security measures like the rejection of weak passwords.
用户对拒绝脆弱密码的安全措施感到烦躁。
Conscientious companies walk a fine line between encouraging customers to be safe and imposing burdens that individuals will circumvent with even more vulnerable workarounds, or running the risk of driving users to more convenient and less secure platforms.
有责任心的企业在两大风险之间艰难把握平衡:一是鼓励客户保证安全,加大安全负担,而人们会以更加脆弱的变通方法躲避这些负担,二是把用户赶到比较便利、但不那么安全的平台。
Until we address failures at corporate and collective levels, the lesson of the Yahoo breach for the individual is that cyber security is every man for himself.
在我们解决企业和集体层面的问题之前,雅虎数据被窃事件对个人的教训是:网络安全是每个人自己的事。
When people cannot rely on large companies to protect personal information, the only responsible approach is to presume breaches are inevitable and try to mitigate the damage.
当人们无法依靠大企业来保护个人信息时,唯一负责任的办法是假设数据被窃是不可避免的,然后尝试缓解损害。
Not reusing passwords prevents a single attack from compromising multiple accounts.
不重复使用同一密码可以阻止单次攻击影响多个账户。
Adopting two-factor authentication features reduces individual risk.
采用双重身份认证可以降低个体风险。
And users should consider what information to store and share online.
同时,用户应该考虑在网上储存和分享什么信息。
But ultimately self-help will fall short.
但是,自救终究不够。
We have limited choice about what data about us are produced and stored and participating in modern society necessitates volunteering a great deal more.
对于有关我们的哪些数据被生成和存储,我们的选择有限,而参与现代社会意味着有必要自愿提供多得多的信息。
Preventing large-scale data breaches is similar to countering disease epidemics — individual practices can protect us only so much and, where we are unable to wall ourselves off, large-scale institutional responses are required.
阻止大规模数据泄露事件类似于抗击传染病——个体行为只能在一定程度上保护我们,当我们无法隔离自己时,便需要采取大规模的制度性回应了。
