Risk Factor

Leap Second Causes Hours of Problems at Some Websites

Every few years, the International Earth Rotation and Reference Systems Service calls for an adjustment, usually by one second, to be made between atomic and Earth time to compensate for deviations in the earth’s rotation. The most recent one took place over the weekend, on 30 June 2012 at 23:59:60 UTC (Coordinated Universal Time).

Apparently, the change in time was not handled correctly by some web servers, leading to temporary problems at Qantas Airlines, Mozilla, Reddit, Gawker, LinkedIn, FourSquare, Yelp and other websites, according to the Guardian newspaper. Qantas's check-in, reservations, and plane loading systems were all forced onto manual operation for about two hours yesterday. The problem was actually with the Amadeus airline reservation system; the airline Virgin Australia was also affected, though not as severely.
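The failure mode behind the outages is that a timestamp of 23:59:60 is a legal UTC value that most time libraries refuse to represent, so software either rejects it or silently repeats or skips a second. The following is an added example, not code from the post or from any of the affected companies, showing one way to handle it: a small leap-second table (a constructed excerpt of the IERS table, reproducing only the entries from 2009 onward) lets a parser accept 23:59:60 exactly where a leap second was inserted and compute elapsed time on a continuous scale. `parse_utc`, `to_tai`, `elapsed` and the `LEAP_TABLE` name are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the leap-second table: (first UTC instant the offset
# applies, TAI-UTC in seconds). The real table is published by IERS; only the
# entries from 2009 onward are reproduced here, so earlier instants are rejected.
LEAP_TABLE = [
    (datetime(2009, 1, 1, tzinfo=timezone.utc), 34),
    (datetime(2012, 7, 1, tzinfo=timezone.utc), 35),  # the 30 June 2012 leap second
    (datetime(2015, 7, 1, tzinfo=timezone.utc), 36),
    (datetime(2017, 1, 1, tzinfo=timezone.utc), 37),
]

ISO_UTC = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$")


def tai_offset(dt):
    """TAI-UTC in effect at the UTC instant dt."""
    if dt < LEAP_TABLE[0][0]:
        raise ValueError("instant precedes the constructed table")
    offset = LEAP_TABLE[0][1]
    for start, value in LEAP_TABLE:
        if dt >= start:
            offset = value
    return offset


def day_has_leap_second(dt):
    """True if the UTC day containing dt ends with a 23:59:60 second."""
    day_start = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    return tai_offset(day_start + timedelta(days=1)) == tai_offset(day_start) + 1


def parse_utc(ts):
    """Parse YYYY-MM-DDTHH:MM:SSZ, accepting a seconds field of 60 only where
    the table says a leap second was inserted. Returns (datetime, is_leap)."""
    m = ISO_UTC.match(ts)
    if not m:
        raise ValueError("unsupported timestamp format: %r" % ts)
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    is_leap = False
    if s == 60:
        if (h, mi) != (23, 59):
            raise ValueError("seconds=60 is only valid at 23:59")
        s, is_leap = 59, True  # clamp; the flag remembers the extra second
    dt = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    if is_leap and not day_has_leap_second(dt):
        raise ValueError("no leap second at the end of %s" % dt.date())
    return dt, is_leap


def to_tai(ts):
    """Seconds since 1970-01-01 on the continuous TAI scale, so 23:59:59,
    23:59:60 and 00:00:00 map to three distinct consecutive values."""
    dt, is_leap = parse_utc(ts)
    return int(dt.timestamp()) + tai_offset(dt) + (1 if is_leap else 0)


def elapsed(start, end):
    """True elapsed seconds between two UTC timestamps, leap seconds included."""
    return to_tai(end) - to_tai(start)


def is_valid_timestamp(ts):
    try:
        parse_utc(ts)
        return True
    except ValueError:
        return False


def naive_parse(ts):
    """What a leap-second-unaware parser does: datetime rejects seconds=60."""
    try:
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None


if __name__ == "__main__":
    print(naive_parse("2012-06-30T23:59:60Z"))                           # None
    print(elapsed("2012-06-30T23:59:59Z", "2012-07-01T00:00:00Z"))       # 2
```

The table is the part that needs operational care: it is only valid until the next IERS Bulletin C, so a deployment has to refresh it (or take leap-second data from its time source) rather than ship it as a constant. The alternative that some large operators use, smearing the extra second across a window around midnight, trades exact timestamps for a clock that never shows 23:59:60 at all.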

Also every few years, a derecho, or "a widespread, long-lived wind storm that is associated with a band of rapidly moving showers or thunderstorms," hits parts of the U.S. East coast. On Friday night, a “super” derecho swept through the mid-Atlantic area between 8:00 and 11:00 pm, causing widespread power outages in its wake (there is a fascinating time-lapse YouTube video of the derecho here). The storm (which felt like being in a short-lived hurricane) took out power to Amazon’s Elastic Compute Cloud (EC2) in Northern Virginia; back-up power also for some reason did not kick in. As a result, several popular websites including Instagram, Netflix, and Pinterest experienced problems.

The storm also disrupted 911 service in Prince William, Fairfax, Stafford, Manassas, and Manassas Park counties in Northern Virginia; many Verizon and Sprint customer phones were not working in the area as well. So if you have been having trouble reaching someone either by email or by phone in the Washington, D.C. region, don’t be surprised. Things should be back to normal by Saturday.

U.S. Companies Lost At Least $13 Billion to Espionage Last Year

Yesterday, C. Frank Figliuzzi, the head of the U.S. Federal Bureau of Investigation’s counterintelligence division, testified [PDF] that based on the FBI's pending case load, "economic espionage losses to the American economy total more than $13 billion" and that the threat, which is coming from foreign governments, corporations, hackers and insiders, is growing. In his testimony to the Intelligence Subcommittee of the House Homeland Security Committee, he indicated that one primary cause has been the continuing global economic financial crisis.

Figliuzzi said that:

"With each year, foreign intelligence services and their collectors become more creative and more sophisticated in their methods to undermine American business and erode the one thing that most provides American business its leading edge; our ability to innovate..."

"What we're seeing is that foreign nations and their intelligence services are understanding more than ever before that it's cheaper to steal our technology than to use their budget resources in this time of economic crisis to develop it themselves."

Figliuzzi also told the Los Angeles Times that while the FBI and others are becoming better at identifying who is behind electronic espionage, there is still no consensus on what to do once a culprit is identified. "That's a big question," Figliuzzi was quoted as saying. Given previous history, it won't likely be answered anytime soon.

Of course, it doesn’t help matters when U.S. companies illegally sell banned software to foreign countries, like United Technologies admitted to doing. The software helped China develop its first modern attack helicopter, according to Reuters. United Technologies paid only a $75 million penalty for doing so, which is paltry considering that the company makes $58 billion a year and that it deliberately sold the software to gain economic favor with the Chinese government. The cost to the U. S. military is hard to quantify, but it is probably a lot higher than $75 million.

Another thing that doesn’t help is the IT security carelessness of employees. Even at the U.S. Department of Homeland Security, where employees really should know better, the Inspector General found that they routinely log onto DHS networks with unapproved electronics including e-readers, thumb drives, MP3 players, GPS units, external drives, etc., and regularly fail to encrypt sensitive information on their government-issued Android devices, according to Government Executive magazine. Gov Exec goes on to say that the DHS officials claim that "they have no way of stopping personnel from hooking up devices to their workstations" and that they try "to block the electronics from the network by distributing only government-procured devices and by educating employees not to use such [unauthorized] devices on government computers."

It doesn’t look like the IT security education is sticking very well.

Of course, the $13 billion figure for economic espionage given by Figliuzzi is only an educated guess since corporations are often loath to reveal that they have been hacked. That may change soon, if Sen. Jay Rockefeller, chairman of the Senate Commerce, Science and Transportation Committee, has his way.

As you may recall, last year the US Securities and Exchange Commission (SEC) Division of Corporation Finance issued guidance "... regarding disclosure obligations relating to cybersecurity risks and cyber incidents." The SEC wants public companies to disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

However, the requirement isn’t mandatory, and there are enough loopholes in the guidance that most companies can safely ignore it. What Rockefeller wants, according to the Associated Press, is for the SEC to make it crystal clear when public companies must disclose breaches as well as tell investors what they are doing to keep cyber threats at bay. It is too soon to tell whether he will be successful, but I think it is a long overdue requirement.

This Week in Cybercrime: FBI Sting, RBS Phish

There was good news and bad news on the cyber security/crime front this week. Yesterday, the U. S. Federal Bureau of Investigation (FBI) announced the arrest of 24 hackers allegedly involved in credit card, bank account and ID theft in a sting operation that spanned 13 countries. Eleven of the individuals were arrested in the U.S. (two are minors), while the remainder were arrested in Bosnia (2), Bulgaria (1), Germany (1), Italy (1), Japan (1), Norway (1), and the United Kingdom (6).

The FBI stated that in June 2010 it set up a phony website for “users to discuss various topics related to carding and to communicate offers to buy, sell, and exchange goods and services related to carding, among other things.” The FBI used the site to gather detailed information on the users which eventually led to the arrests. The press release describes in more detail how the honeypot website worked.

The FBI claims that as part of its operation it “has prevented estimated potential economic losses of more than $205 million, notified credit card providers of over 411,000 compromised credit and debit cards, and notified 47 companies, government entities, and educational institutions of the breach of their networks.”

It may have been coincidence, but yesterday the U.S. Federal Trade Commission (FTC) announced that it had filed a lawsuit “against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.”

The FTC states that "these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”

The FTC alleges that Wyndham, even after a significant security breach in 2008, which was the result of poor security practices (and which the hotel chain kept secret for months), “failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures” which allowed two more data breaches in 2009. It would be interesting to know whether some of the compromised credit card information stolen from Wyndham turned up on the FBI sting website.

One reason that the FTC is suing Wyndham is that it, like a lot of other companies, prominently proclaims in its marketing information to take the care and security of customer data seriously, but apparently really doesn’t. I suspect the FTC is sending out a warning to other companies that their actions had better match their public statements about IT security.

Which makes one wonder how the FTC will view the cruise ship company Cunard Line’s admission of a recent data breach involving the personal details of 1,200 of its passengers? According to this story concerning the breach, Cunard’s website states that, “Cunard Line cannot guarantee the security of any information you transmit to us or from our site, and therefore you use our site at your own risk." Does that legally absolve them in any way in case of a data breach?

Maybe some of the lawyers interviewed in this Wall Street Journal article from Monday about lawyers and law offices being hacked can give an opinion.

In one more bit of news on the justice side of the ledger, two members of the group LulzSec pleaded guilty in a UK court on Monday to charges of launching denial of service attacks against and hacking into websites in the US and the UK. Two other LulzSec members who were also arrested have pleaded innocent to similar charges and are awaiting trial.

On the unlawful side of the ledger, the head of the UK Security Service MI5, Jonathan Evans, stated in a speech on UK national security this week that hacking by an unnamed foreign state resulted in a British company losing £800m in revenue, the Independent reported. Evans was quoted as saying the loss “was not just through intellectual property loss but also from commercial disadvantage in contractual negotiations.” Whether this should be considered just a criminal act or something more like a cyber-attack, I’ll leave up to you to decide.

Additionally, EU security researchers have announced in a research report (pdf) that they “found a way to exploit the RSA SecurID 800 token, as well as at least seven other tokens, by leveraging cryptographic flaws in the devices,” this article in Information Week states. Supposedly, the researchers took as little as 13 minutes to crack the token's security. However, RSA responded to the news with a big yawn, stating that while the results are “scientifically interesting, it does not demonstrate a new or useful attack against RSA SecurID 800.” I expect there will be more on this result in the coming weeks.

Further, an article in Computer World today reports that cyber criminals are targeting “high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication.” The new attack approach, which netted criminals at least £48 million in attacks against 60 institutions, is outlined in a report (pdf) put out by the security companies McAfee and Guardian Analytics.

Finally, Royal Bank of Scotland (RBS) Group customers are already seeing phishing emails trying to get their personal banking details in the wake of the computer system meltdown at RBS Group owned banks the past week. According to a story at SkyNews, “One of the emails pretends to be from Stephen Hester, the head of RBS, apologising for the problems at RBS and says a ‘security upgrade’ requires them to update their information.” The email sends the person to what is described as a realistic site where the person's bank account details are requested, and thereby stolen.

Unfortunately, it is likely that more than one RBS Group customer will fall for the phish, just as an employee of the U.S. Commodity Futures Trading Commission fell for a phishing email last month which led to the possible compromise of personal information on all 700 employees working there. The incident was announced late last week. Maybe the CFTC should start using the phish email training software to try to educate its employees on how to recognize phishing emails.
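The lure described above has the three tells that mail filters and training exercises usually look for: a sender address outside the bank's own domain, a link whose visible text and real destination disagree, and urgency language such as "security upgrade". As an added example that is not code from the post, SkyNews, RBS or the CFTC, here is a small checker that pulls those indicators out of a raw message. The two messages, every domain in them, and the function names (`analyze`, `registrable`, `LinkExtractor`) are constructed for this illustration; `registrable` is a deliberately naive stand-in for a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"security upgrade|within 24 hours|verify your (?:account|details)", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname; a naive stand-in for a public-suffix
    lookup (it would misjudge multi-label suffixes such as .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def body_text(msg):
    """Concatenate the decoded text/html and text/plain parts."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message, legitimate_domains):
    """Return the sorted set of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = set()
    _, sender = parseaddr(msg.get("From", ""))
    if "@" not in sender or registrable(sender.split("@", 1)[1]) not in legitimate_domains:
        findings.add("sender_domain_mismatch")
    body = body_text(msg)
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_host = urlparse(href).hostname or ""
        if registrable(href_host) not in legitimate_domains:
            findings.add("link_domain_mismatch")
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registrable(text_host) != registrable(href_host):
            findings.add("link_text_mismatch")
    if URGENCY.search(body):
        findings.add("urgency_language")
    return sorted(findings)


# Constructed lure modelled on the one described above; every domain is a placeholder.
PHISH_EMAIL = """\
From: "Stephen Hester, RBS" <stephen.hester@rbs-secure-update.example>
To: customer@example.net
Subject: Apology and required security upgrade
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We apologise for the problems you have experienced. A security upgrade
requires you to update your information within 24 hours.</p>
<p><a href="http://rbs.example.co/login">https://www.rbs.example/online-banking</a></p>
</body></html>
"""

# Constructed legitimate notice from the bank's (placeholder) domain, for contrast.
LEGIT_EMAIL = """\
From: "RBS Customer Notices" <notices@rbs.example>
To: customer@example.net
Subject: Service status update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Account updates are now complete. Our help centre has more detail.</p>
<p><a href="https://www.rbs.example/help">Help centre</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(analyze(PHISH_EMAIL, {"rbs.example"}))
    print(analyze(LEGIT_EMAIL, {"rbs.example"}))
```

None of the four indicators is conclusive on its own (banks do send urgent notices, and marketing mail is routinely sent from third-party domains), which is why a filter scores them together and why user training focuses on the one check a person can always do: compare the link's real destination with the bank's known address before entering anything.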

As I said, an IT security mixed bag this week, and it’s only Wednesday.

Commercial Drones and GPS Spoofers a Bad Mix

Researchers at the University of Texas at Austin Radionavigation Laboratory have successfully demonstrated that a drone with an unencrypted GPS system can be taken over by a person wielding a GPS spoofing device. You can see a video accompanying a Fox News story on it, as well as a video here of an experiment conducted by the researchers, led by Professor Todd Humphreys.

Humphreys and company were recently invited by the U.S. Department of Homeland Security (DHS) to demonstrate whether their capability to successfully spoof commercial GPS systems in the laboratory could work in the field. Spoofing, as defined in this article by UT researchers, is “the transmission of matched-GPS-signal-structure interference in an attempt to commandeer the tracking loops of a victim receiver and thereby manipulate the receiver’s timing or navigation solution. A spoofer can transmit its counterfeit signals from a stand-off distance of several hundred meters or it can be co-located with its victim.”

The UT researchers took equipment costing about $1000 to the White Sands Missile Range in New Mexico last week and showed observers from both the Federal Aviation Administration (FAA) and DHS how control of a test drone could be taken away from its original overseers. The UT researchers, as the above article notes, have been able to take control of basically every type of unencrypted commercial GPS system in their laboratory.

Given the likelihood that a large number of drones will be plying the skies of the United States within a decade, the ability to easily spoof them is a bit disconcerting. The U.S. government is looking into the threat, but as the Fox News story states:

“DHS is attempting to identify and mitigate GPS interference through its new ‘Patriot Watch’ (pdf) and ‘Patriot Shield’ (pdf) programs, but the effort is poorly funded, still in its infancy, and is mostly geared toward finding people using jammers, not spoofers.”

As I said in a blog post a few months ago, the UK has a program called Sentinel that looks for GPS jamming there. I believe the researchers at UT are associated with this program as well.

Humphreys is calling for the hardening of GPS systems used in drones before they get into widespread use. It is good advice, especially because of the abysmally low success rate for trying to design security features into computer systems after the fact.

Of course, drone GPS systems aren’t the only ones facing the threat of spoofing. One could use the technology to spoof aircraft, ship, or vehicle navigation systems that feature unencrypted GPS systems (think of what would happen to a spoofed autonomously driven car). This technique may even be able to bring down a smart grid (pdf) or financial market.
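The UT definition above is the useful one for defenders: a spoofer manipulates the receiver's "timing or navigation solution", and both of those can be cross-checked against sensors the spoofer does not control. The following is an added example, not code from the UT researchers, DHS or any drone vendor, of the simplest such consistency check on a stream of GPS fixes: flag a fix when the position moved farther than the platform could physically travel in the elapsed time on the receiver's own clock, or when the GPS-reported time suddenly drifts against that local clock. The track, the coordinates, the speed limit and the `Fix`/`detect_anomalies` names are all constructed for this illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6371000.0


@dataclass(frozen=True)
class Fix:
    local_t: float  # receiver's own free-running clock, seconds
    gps_t: float    # time of fix reported by the GPS solution, seconds
    lat: float      # degrees
    lon: float      # degrees


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def detect_anomalies(fixes, max_speed_mps=30.0, slack_m=10.0, clock_tol_s=0.5):
    """Return [(index, reason)] for fixes that contradict the vehicle's own
    physics or clock. Two independent checks:
      position_jump: the fix is farther from the previous one than the
                     platform could travel in the elapsed local time;
      clock_jump:    the GPS-reported time drifted against the local clock
                     by more than clock_tol_s within a single interval.
    """
    flags = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        dt = cur.local_t - prev.local_t
        moved = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
        if moved > max_speed_mps * dt + slack_m:
            flags.append((i, "position_jump"))
        offset_change = (cur.gps_t - cur.local_t) - (prev.gps_t - prev.local_t)
        if abs(offset_change) > clock_tol_s:
            flags.append((i, "clock_jump"))
    return flags


def build_sample_track():
    """Constructed 1 Hz track: a slow northbound run with a spoofed segment
    starting at fix 7, where the solution is pulled ~500 m north and the
    reported time is pulled 3 s ahead, then held there."""
    fixes = []
    lat0, lon0, gps_epoch = 32.3800, -106.4800, 1_000_000.0  # all constructed
    for i in range(10):
        spoofed = i >= 7
        fixes.append(Fix(
            local_t=float(i),
            gps_t=gps_epoch + i + (3.0 if spoofed else 0.0),
            lat=lat0 + i * 0.00018 + (0.0045 if spoofed else 0.0),  # 0.00018 deg ~ 20 m
            lon=lon0,
        ))
    return fixes


if __name__ == "__main__":
    for idx, reason in detect_anomalies(build_sample_track()):
        print("fix %d: %s" % (idx, reason))
```

A careful spoofer walks the solution away gradually rather than in one jump, which this threshold test would not catch; that is why the industry statement below points to inertial backups, since dead reckoning from an IMU gives an independent position estimate that a slow drift can be checked against, and why the check on the clock is worth keeping even when the position looks plausible.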

I think it would be interesting to see how the U.S. public feels about the possible spoofing of drones in comparison to (or in addition to) their privacy concerns involving wide-spread drone use.

Update: 26 June 2012

I received a kind note from the Association of Unmanned Vehicle Systems International (AUVSI), which wanted to address the issue of spoofing commercial GPS systems raised in the post. AUVSI bills itself as "the world's largest non-profit organization devoted exclusively to advancing the unmanned systems and robotics community." In order to provide a fuller context surrounding the potential for spoofing commercial UAVs, I have included below in its entirety a statement from AUVSI President and CEO Michael Toscano titled, On Ensuring the Safe Use of Unmanned Aircraft:

“The unmanned aircraft systems industry is committed to the safe and responsible integration of unmanned systems into the national airspace. We are already in communication with a variety of stakeholders to ensure unmanned aircraft are integrated safely so we can unlock the tremendous potential of this technology to enhance public safety, advance scientific research and otherwise benefit society, all while potentially creating thousands of jobs.

“‘Spoofing’ or otherwise tampering with GPS has dangerous implications for any technology which depends on it for guidance, whether it is manned or unmanned aircraft, your cell phone or your car. In fact, commercial airliners are relying more and more heavily on GPS signals to locate the runways at airports and, with the advent of the next generation air traffic control system, all aircraft – manned and unmanned – will rely on GPS for navigation.

“The industry is well-aware of so-called ‘spoofing’ and is already advancing technologies, such as SAASM – Selective Availability Anti-Spoofing Module – to prevent it. This technology is already in use by the military to thwart GPS spoofing abroad and we expect it will transition to civilian unmanned aircraft in the coming years to protect aircraft flying in the national airspace. Meanwhile, some unmanned aircraft also have alternate navigation systems, such as radio links and backup inertial systems, which provide redundancy to GPS.

“It is important to remember that while an aircraft itself may be unmanned, a trained professional is behind the controls, ready to respond, and bring a safe resolution to any problem that may arise. Like any other technology, unmanned aircraft technology continues to become smarter and safer every day. The industry is working with the FAA, DHS and other agencies to ensure safety is a top priority as unmanned aircraft are integrated into the national airspace.”

Comments, anyone?

RBS Group Banking Nightmare Beginning to End

The computer problems plaguing RBS Group banks including NatWest, Northern Ireland’s Ulster Bank, and the Royal Bank of Scotland are finally ending, according to news reports today. NatWest is saying that the technical issues have been resolved and that most bank accounts should be updated and back to normal by the end of the day on Monday, although there may still be “bumps in the road.” The same appears to be true for RBS account holders. However, the problems at Ulster Bank will likely continue for the remainder of the week, the BBC reports.

According to the Guardian, the computer problems, which have caused the longest and worst bank-related IT outage in UK history, were traced to a software update to RBS’s payment processing system that became corrupted. The software problem erupted last Tuesday night when millions of bank accounts across all three banks failed to be updated. However, according to this story at Computing.co.uk, the software glitch actually dates back to a week ago Friday. It may take some time before the true facts of the matter come to light, since the RBS Group is refusing to publicly discuss the exact cause of its computer woes.

NatWest, which last year saw complaints about its service rise 75 percent over the previous year, certainly hasn’t helped itself during this crisis. While the bank's CEO, Stephen Hester, apologized to its customers for “the inconvenience" to "some customers," he waited a long time before making an appearance in public. The bank, which has been saying that the computer problems would not cost its customers anything out of pocket, also didn’t win any friends by urging customers with account problems to call its costly toll number for help. When questioned about it, the bank said that customers could later make a claim to try to get reimbursed for the cost of the call, although it didn’t tell its customers how to make such a claim.

NatWest also told customers of other banks that have been affected by the glitch to straighten out any problems they were having with their own bank. The UK Financial Services Authority "urged other banks to be 'lenient' with their own customers if they missed payments because transfers from RBS accounts had not come through," this London Telegraph story reported. The story goes on to state that, "The banks have pledged to refund their customers, but only if they contact them directly and are able to prove they have been hit by the technical failure."

The FSA will no doubt take a look into the mess.

Another thing that must have irritated NatWest customers was that right through early this morning, NatWest had a small banner at the top of its website acknowledging customers' inability to access their accounts, while right below it was a conspicuous ad proudly boasting: “We have award-winning online banking. Does your bank?”

Not really a smart thing to do when your award-winning online banking system isn’t working. Sometime late this morning London time, someone at the bank must have noticed the discontinuity in its marketing message and all the website ads were taken down; the web page is now focused on the corporate apology for the mess and a customer FAQ list.

RBS Group announced today that it was going to keep 1200 bank branch offices open from 8am to 6pm for the rest of the week to help out customers. Branches were open over the weekend as well.

The final cost of the fiasco that the bank’s CEO said “should not have happened” could reach nearly 100 million pounds; not good news given that the bank is 82% owned by the UK taxpayer.

Computer Issues Affecting Millions of NatWest Bank Customers in UK

I would assume that the computer rage meter pegged for a lot of people yesterday, and for some, it will likely remain so for the next few days if not longer.

According to news reports like this one at the London Telegraph, millions of customers of the UK bank NatWest and some 100 000 customers of Northern Ireland's Ulster Bank, both of which are owned by RBS Group (and in which the UK government owns an 84 percent stake), have not had their accounts updated since Wednesday evening due to "technical issues" with the banks' computer systems. As a result, customers have been having trouble with their accounts, leaving many without any money or the ability to automatically pay their bills.

In addition, a small number of Royal Bank of Scotland customers are said by the Telegraph to have been affected as well. In a story from the BBC, RBS is claiming that the underlying technical problem has been resolved, but it may take until Monday or later before all customer accounts are up to date. However, it took months for account update problems to be resolved for many National Australia Bank (NAB) customers when a similar IT problem happened in late 2010.

NatWest took to Twitter to provide status updates to its customers yesterday, but Twitter had problems of its own, going down twice yesterday. According to this story in ComputerWorld, Twitter engineers said that a “cascading bug” in one of its "infrastructure components" was the culprit. Twitter ended up rolling its software back to a more stable version.

Of course, you may not have noticed that Twitter was having problems if you were in parts of London or Sheffield and a customer of BT’s broadband service. This story at ComputerWeekly said that BT suffered multiple equipment failures that took down BT’s broadband services and Wi-Fi hotspots in different parts of the UK for up to five hours yesterday.

And just to round out yesterday’s glut of IT glitches, with one that hopefully will be resolved sometime today: most of the 181 stores in the Hannaford Brothers supermarket chain were unable to process debit or credit cards at checkout yesterday due to a software problem, this story at the Kennebec Journal stated. Hannaford supermarkets operate across Maine, Massachusetts, New Hampshire, New York and Vermont. An AP story early this morning says that the company hopes to have the problem resolved later today.

You may remember that Hannaford had 4.2 million credit cards stolen in 2008; the ring leader of the hacking gang was later caught and sentenced to 20 years in prison.

Botched Computer Analysis Does in California Nuclear Power Plant

{Note: Title updated}

The Associated Press reported on Monday that a design flaw traced to an incorrect computer analysis will keep Southern California Edison’s controversial San Onofre nuclear power plant offline for some time to come. San Onofre, which is Southern California’s only nuclear plant, produces enough power to serve about 1.4 million households.

Back in January, “a leak from a tube at one unit [Unit 3] released a small amount of radiation”, which caused the plant’s operator to shut the reactor down, reported this LA Times story. The story went on to note that two days after the incident, during routine maintenance on the other unit, Unit 2, “nuclear regulation officials found extensive wear on tubes that carry radioactive water in a steam generator. The tubes were installed less than two years ago after they were delivered by the Japanese manufacturer of the generators, Mitsubishi Heavy Industries.”

In 2009 and 2010, the plant’s four steam generators were replaced at a cost of $671 million, and were expected to last until 2022.

According to the LA Times story, Nuclear Regulatory Commission officials found that, “two of the tubes showed more than 30% wall thinning, 69 had 20% thinning and more than 800 had 10% thinning.”

Then in March, the NRC announced (pdf) that the San Onofre nuclear power plant would not be allowed to be restarted until the unusual wear on the steam generator tubes was understood and fixed, a follow-on LA Times story reported. The NRC stated in a news release that the wear at Unit 3 was caused by the tubes vibrating and rubbing against adjacent tubes and against support structures inside the steam generators, while at Unit 2 the tubes were rubbing against the support structures but not rubbing against adjacent tubes. At the time, the NRC stated that it did not know why this was happening.

The AP story this week now reports that “design flaws” caused by “botched computer analysis” by Mitsubishi when it was designing the replacement steam generators “vastly misjudged how water and steam would flow in the reactors. Also, changes intended to improve manufacturing were never thoroughly reviewed in the context of the generator design, resulting in weaker support around bundles of tubes that contributed to vibration.”

However, while the problem is now understood, it is unclear how to fix it: The NRC says that there are “significant technical issues” to be overcome. Replacing one or more of the steam generators is a possibility.

The AP story states that “the generators were designed to meet a federal test to qualify as ‘in-kind,’ or essentially identical, replacements for the original generators, which would allow them to be installed without prior approval from federal regulators.”

The NRC says it is now going to review its “non-approval" approval process.

The AP story also noted that the replacement steam generators, which weigh 24 tons more than the ones they were replacing, were designed with 400 more tubes and a V-support structure specifically to reduce vibrations and tube wear.

No time estimate for when the power plant will be operating again has been given.

Photo: iStockphoto

Anonymous Official: Flame Malware Was Work of U.S. and Israel

Well, as many suspected, the Flame malware has been confirmed by a former high-ranking U.S. intelligence official as being the work of the National Security Agency, the CIA, and the Israeli Defense Force, a Washington Post story published yesterday afternoon reports. Also as suspected, the purpose, along with that of Stuxnet, was to slow down Iran’s nuclear efforts.

The unnamed source was quoted by the Post as stating that they were only two elements of several covert actions being taken against Iran that are continuing today:

“This is about preparing the battlefield for another type of covert action… Cyber‐collection against the Iranian program is way further down the road than this.”

If I am interpreting this statement correctly, it means that other cyberweapons are being used against Iran that have not yet been discovered.

Let the hunt begin.

Now, exactly why this former official would make his statement in light of the high-profile U. S. government inquiry into leaks about classified cyberwar and other sensitive military information is an open question; it indicates either bravado, stupidity, or a lack of fear about being discovered or being prosecuted if discovered. The latter – which could be because the former official has been legally authorized to provide the information – is getting my vote until proven otherwise.

Neither the US nor the Israeli government would comment on the story. They don't really have the time to, given that there are so many former and current government officials who are incapable of following former U. S. Secretary of Defense Robert Gates's strategic communications advice for when one is tempted to talk about classified information: "Shut the f--- up."


Preventing Cybercrime: Not Worth the Effort?

“The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself … [therefore] we should spend less in anticipation of cybercrime and more on catching the perpetrators.” 

That is the controversial conclusion of a new University of Cambridge IT security research study called “Measuring the Cost of Cybercrime” (pdf) being released today. The study, conducted at the request of the UK Ministry of Defense which was concerned that cybercrime was being over-hyped, is claimed in a press release to be “the first systematic estimate of the direct costs, indirect costs and defence costs of different types of cybercrime for the UK and the world.”

Of course, in studies like this, it is important to look at what the study authors defined as being a “true cybercrime” which is one “unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.” As noted in the paper,  

“We distinguish carefully between traditional crimes that are now ‘cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly.”

“As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/Euros/dollars a year; transitional frauds cost a few pounds/Euros/dollars; while the new computer crimes cost [only] in the tens of pence/cents.”

However, the societal costs for protecting against new computer crimes are far out of proportion with what the new crimes net, the researchers argue, whereas the cost of protecting against more traditional crimes is more in line with their direct costs imposed upon society. For example, the UK is said to be spending some $1 billion on efforts to protect against or clean-up after a threat, including $170 million on antivirus measures, but only $15 million is being spent on law enforcement to pursue cyber criminals. A better approach is to “perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators.”

The argument seems premised on the assumption that a small number of cybercriminals are responsible for the vast majority of cybercrimes and that businesses will make the requisite investment to keep their IT systems secure.

The researchers don’t give much in the way of advice on how much less we should spend on anti-virus software (or how individuals should decide whether to forgo it), or how much more should be spent on law enforcement. Would quadrupling UK cybercrime law enforcement spending to $60 million make a serious dent in UK cybercrime, for instance? Would that be enough to let UK citizens pitch their anti-virus software? Or would the increase be a wasted effort unless similar increases in law enforcement spending happened around the world as well?

The Cambridge University study, which is to be presented next week at the Workshop on the Economics of Information Security in Berlin, Germany, is just one more that adds to the confusion about the significance of the threat cybercrime poses and what to do about it, as I noted last month. In fact, contrast the Cambridge study with an editorial in the New York Times about two weeks ago written by Preet Bharara, the United States attorney for the Southern District of New York, in which he wrote that:

"The alarm bells sound regularly: cybergeddon; the next Pearl Harbor; one of the greatest existential threats facing the United States. With increasing frequency, these are the grave terms officials invoke about the menace of cybercrime — and they’re not understating the threat."

So is the cybercrime threat exaggerated or not?

At least for myself, I plan to keep my IT security guard up for a little while longer, especially given the two stories, one by Reuters and the other in the New York Times, that discuss the increasing cyber threat to business (and personal) bank accounts. And even if an IT security all-clear is given, I don't think I will be an early adopter of dropping my anti-virus software.

Photo: iStockphoto

Stanford University Tries Incentives to Change Driver Behavior

Would you begin your commute earlier if you had a chance of winning up to an extra $50 in your paycheck?

That question formed the basis of an interesting story in the New York Times this week. Researchers at Stanford University are conducting a driver incentive experiment aimed at seeing whether peak-period traffic congestion around campus can be reduced. The project, called Capri, for Congestion and Parking Relief Incentives, lets regular university commuters who enter or leave the main Stanford campus via designated exits at off-peak hours (the hour before or after the 8am to 9am and 5pm to 6pm weekday peaks) sign up to be entered into a lottery. The more times a commuter drives during the off-peak hours, the greater the reward. In addition, a commuter can designate a “boost day”: if the driver makes “an extra effort to travel at off-peak times on that day,” he or she triples the potential reward. Alternatively, a commuter who doesn’t want to enter the lottery can choose to be paid 10 cents per eligible trip.

Participants in the program can have a small RFID tag attached to their windshields to track their entry and departure times, although the Times story indicates that a driver can opt to have the tracking conducted through his or her smart phone instead.

It turns out that getting just a small fraction of commuters to change their driving patterns can reduce peak-period traffic congestion significantly. The objective is to get some 10 percent of Stanford University commuters to avoid peak commute times. The project has been so successful in the early going that Stanford's underused parking lots will soon be the focus of a similar incentive program meant to encourage their use.

Stanford University electrical engineering and computer science professor Balaji Prabhakar came up with this incentive-based approach to changing driver behavior as an alternative to proposed disincentives such as congestion charges, which most people hate, the Times says. Prabhakar, who hit upon the idea of incentives while sitting in a massive traffic jam in Bangalore, India, a few years ago, has run successful trials in Bangalore (pdf) and Singapore that bore out the effectiveness of the incentive approach.

The Stanford experiment is being supported by a $3 million grant from the US Department of Transportation.

So, would you leave for work an hour earlier or depart an hour later for the chance of winning $50? And how long would it take, assuming you never won anything, for you to say to heck with it? Would the possibility of earning a guaranteed $1 a week still be enough to change your behavior, or would the benefit of a faster commute be incentive enough?

Contributor: Willie D. Jones