We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Book Review by Canon Committee Member, Jon Oltsik: Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It (2015) by Marc Goodman
Executive Summary
Future Crimes by Marc Goodman details the dark side of technology, examining how new technologies are used and abused for criminal purposes. In just under 400 pages, Goodman provides some basic historical background on computer security and then guides the reader through a cybercrime journey spanning consumer, industrial, medical, and various other technologies.
Fair warning to prospective readers: the story isn’t pretty. The author starts with a wake-up call about data privacy and how a plethora of companies like Facebook, Google, and OkCupid, along with the $150 billion data broker industry, regularly collect, sell, and abuse user data. When it comes to Internet services, Goodman reminds readers, “you’re not the customer, you’re the product.”
Future Crimes also explores the current derelict world of cyber peeping toms, bullies, revenge porn, and extortion. While these crimes are already rampant today, Goodman theorizes that things will get worse with the proliferation of surveillance cameras, geo-location services, RFID tags, and wireless networking technology. The point is crystal clear: each technology innovation increases the attack surface, and cybercriminals are only too happy to exploit these vulnerabilities for profit.
Aside from level setting on the present, about half of this book examines the future of cybercrime with an in-depth analysis of cybercriminal organizations, cybercrime processes, divisions of labor, specialization, and the overall cybercrime marketplace. This analysis is especially useful for cybersecurity professionals seeking to understand what motivates cyber adversaries and how they do what they do. Goodman also does a good job of aligning cybercrime with the proliferation of Internet of Things (IoT) technologies. The author succeeds in introducing IoT technologies, describing their potential benefits, and then providing numerous examples of how these innovations have or will be used for nefarious purposes.
Future Crimes can be verbose and even alarmist at times, but these are minor shortcomings within an otherwise extremely educational and informative book. The author is especially adept at providing real-world examples, research points, statistics, and news stories to back up his points throughout the text. And while experienced cybersecurity readers may be familiar with many of the events described in the book, Future Crimes goes beyond other books by covering a variety of territories like consumer, industrial, medical, and even military technology threats, vulnerabilities, and crimes. In this way, Goodman weaves familiar cybersecurity events into a unique wide-angle lens of cybercrime.
I found Future Crimes extremely educational and believe it is a worthwhile read for cybersecurity professionals and even business managers interested in learning more about a broad range of cyber risks. As such, Future Crimes should be included in the Cybersecurity Canon.
Review
As an industry analyst, I am often asked a rather fundamental question: What is the difference between information security and cybersecurity? Some of my peers believe that any distinction between the two terms is nothing but semantics. I disagree. In my humble opinion, information security is inextricably linked to the confidentiality, integrity, and availability of IT assets and infrastructure (i.e., applications, data, networks, servers). Cybersecurity, by contrast, is a broader topic that encompasses the confidentiality, integrity, and availability of all connected systems – industrial control systems, medical devices, consumer devices, etc.
With this distinction in mind, Future Crimes by Marc Goodman can be categorized as a comprehensive analysis of the state of cybersecurity, its implications for consumer safety and privacy, and the collective impact of cybersecurity vulnerabilities on our society at large.
The book is divided into three sections. In Part One (A Gathering Storm), Goodman explores today’s cybercrime realities. Part Two (The Future of Crime) looks at the cybercrime underworld and maps technology development to new types of burgeoning and creative criminal activity. Finally, Part Three (Surviving Progress) provides some cybersecurity recommendations to consumers, government agencies, and technology companies.
In the first chapter of the book (Connected, Dependent, and Vulnerable), Goodman provides a situational analysis describing the state of cybercrime today and how we got to this point. Here, Goodman compares cybercrime to physical crime, explains the differences, and then gives the reader a historical review of computer security and a basic malware tutorial. The author then quickly fast-forwards to today’s dangerous threat landscape, illustrating his points by recounting examples of identity theft and data breaches while providing several ominous statistics on the explosion of malware. By the end of the chapter, readers should be well aware of Goodman’s in-your-face message: ‘Think your online world is secure? Think again!’
With the first chapter as a baseline, Goodman proceeds through the first part of the book by digging deeper into criminal activities associated with the technologies we all use in our daily lives for communication, entertainment, health care, our jobs, etc.
For example, Future Crimes exposes the dark side of all of the free Internet services we enjoy, such as email, search engines, and social networks. Goodman provides numerous examples of how companies like Facebook, Google, and LinkedIn provide these free services while playing fast and loose with user privacy and monetizing user data as they see fit – today and in perpetuity. Of course, most users have no idea this is happening, as they are relatively defenseless against typical terms of service (TOS) agreements. The author cites a Carnegie Mellon University study stating that the average American encounters thousands of privacy policies each year, each averaging over 2,500 words.
As if this weren’t enough, the book proceeds with a creepier scenario: everyone is gathering and profiting from our data—cellular phone carriers, data brokers, dating sites, you name it. I was particularly troubled by the story of a supposedly altruistic website, PatientsLikeMe, focused on connecting people with chronic illnesses. As it turned out, PatientsLikeMe was actually selling this deeply personal patient information to a Nielsen subsidiary (BuzzMetrics), which then packaged the data for sale to drug companies, medical device manufacturers, and insurance companies. This served as a strong example of cyber caveat emptor for consumers.
Once readers understand just how vulnerable they are, Goodman shifts the narrative from victims to perpetrators. Part Two of Future Crimes argues that criminals have always pioneered new ways to use new technologies for malevolent purposes, and that this trend is only accelerating as the pace of innovation increases. The author delves into the organizational structure of cybercriminals, looking at reporting structure, specialization, outsourcing, and the overall criminal marketplace. These chapters act as a Cybercrime 101 course, with details about things like the use of money mules, cybercriminal communication over the Dark Net, digital currencies like Bitcoin, and average prices for stolen merchandise like credit card numbers, documents, and even assassination services.
True to its name, the book also examines future crimes associated with evolving Internet of Things (IoT) technologies that combine compute, network, and storage resources with consumer and industrial capabilities. Goodman is a fan of IoT and highlights its potential benefits but is also quick to identify a myriad of vulnerabilities. For example, implanted medical devices (IMDs) like pacemakers and insulin pumps could be remotely controlled and monitored by physicians, improving care and reducing healthcare costs. Alternatively, insecure IMDs could also be hacked and used for criminal acts. Imagine if thousands of diabetics using a particular IoT insulin pump received an email threatening to give them a lethal dose of insulin unless they paid an extortion fee of $1000. Future Crimes looks at many similarly frightening scenarios.
It is worth pointing out a core strength of Future Crimes: it is replete with real-world stories and copious data points that accentuate Goodman’s points throughout the book. For example, the book recounts the 2008 attack in Mumbai and describes how terrorists took advantage of technologies like cell phones, GPS, and real-time access to news feeds. Goodman also reveals incidents of cyberbullying, industrial espionage, revenge porn, and outright cyber vandalism. The 2001 hack of an Australian sewage treatment plant, which “caused millions of litres of raw sewage to spill out into local parks, rivers, and even the grounds of a Hyatt Regency hotel,” reinforces Goodman’s message about the cyber risks and consequences related to critical infrastructure.
Future Crimes is not without a few flaws. Experienced cybersecurity professionals are all too familiar with many of the examples cited, and there are certainly other books providing more detail about each individual topic. Some may consider Goodman a cyber “Chicken Little,” pummeling readers, page after page, with a dystopian diatribe about technological evils. The author’s recommendations toward the end of the book are somewhat disappointing; those with cybersecurity policy and management experience won’t find anything new here. Finally, Future Crimes can be a bit verbose and repetitive at times, exhausting even the most energetic reader.
In spite of these few shortcomings, however, I believe that Future Crimes is a very good book. In truth, Goodman is really a technology optimist and does a fine job of explaining the use of technologies for good and evil. While some of the stories are familiar to the cybersecurity community, I found the author’s accounts to be concise and relevant to a variety of cybercrimes. Future Crimes’ best quality is its breadth of coverage. In just under 400 pages, Goodman seems to cover everything (consumer technology, industrial technology, medical technology, etc.), comes up with specific examples of criminal exploits, and offers intelligent insight about future criminal trends. Well done, Marc!
In my humble opinion, cybersecurity professionals will advance their education by reading this book, so I recommend its inclusion in the Cybersecurity Canon. I would also suggest that business executives read Future Crimes in order to expand their knowledge about cyber risks. This will help CEOs and corporate boards realize that they need to consider cybersecurity vulnerabilities and threats as they relate to employees, products, and the cyber supply chain – not just their organization’s IT assets.