What if We Dealt With Cybersecurity Like We Deal With Pandemics?

The novel Coronavirus (COVID-19) pandemic has motivated governments around the world to implement a variety of measures, including shuttering “non-essential” businesses, restricting how far individuals are allowed to travel from their homes, limiting or eliminating travel to their countries, imposing curfews, forcing people into quarantine when visiting their jurisdictions, imposing requirements to wear face masks, and so forth.

In almost all cases, the original goal of these measures was to limit the spread of the SARS-CoV-2 virus so that hospitals and other healthcare providers would not be overwhelmed. This so-called “flattening the curve” worked well by dramatically reducing the number of people visiting healthcare facilities so that those who contracted COVID-19 would be able to find treatment. In fact, “flattening the curve” worked so well that governments overshot their goal – tens of thousands of healthcare workers were laid off for lack of work because so many hospitals were operating far below capacity.

What if government took the same approach to cybersecurity in an attempt to stop ransomware, data breaches, credential theft, account takeovers, and other types of security problems? Here’s how it might play out:

  • Your state’s governor, your country’s prime minister, or your government’s CIO would determine who should be classified as an “essential” or “non-essential” user of communication and information services. Those deemed non-essential would be prohibited from sending or receiving email, using the web for any purpose, or using a mobile device.
  • Government would establish which websites, web services, email providers, social media providers, etc. are essential or non-essential and order those in the latter category to be shut down for an indeterminate period. In some jurisdictions, operators that defied these orders and remained open would have their electricity and Internet connectivity cut off. Owners who persisted in their defiance and found other ways to remain in operation could be jailed.
  • No computer or mobile device connected to the Internet could be used between the hours of 8:00pm and 5:00am.
  • Corporate help desks would stop dealing with all user issues except those with a specific type of the newest cyberthreat. Other issues would be dealt with at a later, yet-to-be-determined time. The goal would be to prevent security analysts from being overwhelmed with too many requests for help.
  • Government would determine from which states, provinces or countries email could be received. Emails from non-approved countries would be placed into a spam folder or sandbox for two weeks before they could be read.
  • As cybersecurity attacks hopefully lessened, government would permit providers of email and web services to once again start their operations, but with only 25 percent of the number of users they had prior to the cybersecurity pandemic. More gracious governments would increase that figure to 50 percent.
  • Long after the cybersecurity pandemic had started and after the worst of the problems had eased, government would require every user sending or receiving an email, visiting a web site, or posting to social media via the public Internet to send all communication through a client-side, multi-layer filtering solution. Even though there was little or no evidence that the solution would do anything to prevent or limit cyberattacks, it would make citizens and governments feel better because they were “doing something” to prevent the spread of threats. Even so, those not complying with this order could be fined heavily and would be publicly shamed.
  • Any entity that promoted an inexpensive, yet effective, cybersecurity solution instead of the extremely expensive solutions offered by a limited number of government-approved providers would be prevented from discussing their approach to cybersecurity on social media.

No doubt that these measures would work to prevent cyberthreats and make us all safer. Or maybe not.

The Coming Great US Economic Migration

A “great migration” is generally considered to be a migration of people that has an important impact on the course of history. These types of great migrations – often the result of economic drivers – have occurred throughout human history. Over the past 200 years or so, these migrations have included, among many others, the migration of up to two million Irish citizens to other countries (mostly to the United States) as a result of the potato famine between 1845 and 1850, the California Gold Rush from 1848 to 1850 that brought roughly 300,000 fortune-seekers to California (more than tripling the state’s population), and the Dust Bowl that brought up to 400,000 people to California.

In the United States, we will be seeing another economic migration, this time driven in large part by the wide variety of different governments’ responses to the COVID-19 pandemic. For example, the response to the COVID-19 crisis in Kentucky was a stay-at-home order issued on March 26th, while South Dakota never issued one and imposed significantly fewer restrictions on economic activity than most other states. Not coincidentally, South Dakota has had a dramatically lower rate of unemployment through April compared to Kentucky and most other states (and a much lower death rate from COVID-19 as of this writing).

The variety and severity of responses to the COVID-19 crisis are undoubtedly being followed closely by many business decision makers as they make longer term plans for the expansion of their companies – and possibly a move of their companies to states that have responded with less-stringent measures to address the pandemic. And it makes sense for them to do so – if, during the next pandemic, a company will be locked down for four months in their current location or for two months in another, why wouldn’t they include that as a decision point in determining where to expand their operations?

The first major shot across the bow in this regard came from Tesla CEO Elon Musk who tweeted on May 9th, “Tesla will now move its HQ and future programs to Texas/Nevada immediately. If we even retain Fremont manufacturing activity at all, it will be dependen [sic] on how Tesla is treated in the future. Tesla is the last carmaker left in CA.” While that may have been an off-the-cuff response from a CEO who has a reputation for being a bit brash at times, it’s likely indicative of how many business leaders are feeling these days.

That said, it would be inaccurate to believe that the pandemic alone will motivate companies to seek greener economic pastures. The migration of companies to more economically advantageous locations has been happening for some time as business leaders seek lower taxes, less regulation, less unionization, a lower cost of living for their employees, and easier building permitting. For example, JP Morgan is considering moving its headquarters out of New York City, Honeywell moved its headquarters from New Jersey to North Carolina, and General Electric moved out of Connecticut. In just 2016, 1,800 businesses left California for other states.

However, what makes the response to the COVID-19 pandemic a key factor in future migrations is that many of the states that businesses were already considering leaving are those that have imposed some of the most stringent restrictions on business activity in response to the pandemic. California, for example, was the first state to impose a stay-at-home order and it shows little sign of letting up anytime soon: Los Angeles County, with roughly one-quarter of California’s population, will be shut down through at least July. The continuation of strict stay-at-home, shelter-in-place and similar types of orders will likely be important, motivating factors for thousands of businesses large and small to seek locations where the next pandemic may be met with fewer restrictions on their business activity.

In short, the SARS-CoV-2 virus will have important long-term impacts on business activity, and the economic health of different states, long after it has faded into obscurity.

How Will the Current Lockdown End?

Here is my two cents on what I see as the development of the six stages of the COVID-19 lockdown in the United States. (Please note that I am not advocating rebellion against government, just commenting on what I believe will transpire):

  • Stage 1 (through March)
    The vast majority of people readily accept what they’re told despite the economic hardship and inconvenience it causes to them personally. They comply with stay-at-home, shelter-in-place, and similar types of orders.
  • Stage 2 (early April)
    Most people continue to comply, but some will quietly violate stay-at-home and shelter-at-home orders, such as walking on closed trails or taking drives, in an effort to regain some sense of normalcy.
  • Stage 3 (mid-April to early May)
    Many start to consider that maybe some governments have been too draconian and capricious in their lockdown orders, and that models upon which government decision makers have relied have been too aggressive in predicting the number of deaths. They wonder why, like in Michigan, they can still go out to buy lottery tickets, but cannot purchase plants for their garden. We see the first inklings of rebellion as we saw with yesterday’s lockdown protest in Vancouver and Vernon, BC. A few state governments begin to re-open schools and allow previously “non-essential” businesses to reopen, albeit with restrictions.
  • Stage 4 (mid-May to early June)
    A large percentage of people, many small businesses, and some local governments defy lockdown orders in an attempt to return to semi-normalcy. An “underground” economy of previously legal activities like hair styling, residential construction, and nail salons emerges quietly.
  • Stage 5 (mid-June)
    The state and local governments still enforcing lockdowns choose either a) to back off and start to allow things to re-open slowly, or b) to ratchet up enforcement through more aggressive levying of fines and arrests, and in rare cases to resort to violence to keep people and small businesses in line.
  • Stage 6 (late summer 2020 through mid-2021)
    Businesses do a post-mortem on how the state and local governments under which they operate reacted to the COVID-19 crisis. Business leaders make decisions about which jurisdictions struck the right balance between safety and the economy and begin to move operations to those locations in preparation for the next, similar crisis.

Obviously, there are lots of unknowns at this point and predictions are often and notoriously wrong. A case in point is the set of estimates of deaths resulting from COVID-19 published by the Institute for Health Metrics and Evaluation (IHME) at the University of Washington. On April 2nd, IHME published their best guess of 93,531 deaths through early August, revised it to 81,766 deaths on April 5th, and revised it again to 60,415 deaths on April 8th. That’s not a slam against IHME, whose scientists and modelers are no doubt very well-intentioned, but rather an example of the perils that exist in modeling just about anything, particularly in the relatively early stages of a crisis.

Lessons Learned from the COVID-19 Panic-Demic

Here are a few idle thoughts and personal takeaways about the impact of the COVID-19 pandemic and the ensuing panic among the public, in the financial markets, etc.:

  • Supply chains that are built around the concept of enabling sellers to provide products at the lowest possible price don’t weather pandemics very well. Depending so heavily on a single country for manufacturing is clearly susceptible to a Black Swan event like the one in which we’re currently embroiled. As investors are almost always advised to diversify their portfolios, manufacturers should diversify their supply chains to weather disruptive events more effectively.
  • Nation-state actors and cyber terrorists have been provided with an excellent example of how they might be able to severely disrupt life in developed countries, particularly the United States. While COVID-19 is certainly a serious issue that requires the appropriate level of response, the panic buying of toilet paper, flour, sugar, milk, eggs, cake mixes, baby formula, diapers, cat litter (yes, cat litter!), etc. is clearly an overresponse when food-related supply chains, at least in the United States and many other developed nations, are still largely intact.
  • To the point above, imagine if a nation-state actor or terrorist organization were successful in taking a handful of power plants off-line with the threatening message that more would be taken off-line in the near future. As demonstrated with the COVID-19 panic, there would be a huge run on not only basic necessities, but also on things like batteries, generators, flashlights, and hundreds of other items. It wouldn’t just be grocery stores and Costco stores with thousand-foot lines, but also Home Depot, Lowes and lots of hardware stores.
  • Our residential broadband infrastructure seems to be holding up quite well with the addition of several million home-workers now suddenly added to the traffic burden. While I’m sure there are instances of poor broadband services for residential workers because of the additional load, they seem to be few and far between.
  • One of the positives that may come out of this crisis is the realization by many decision-makers that lots of in-person meetings that incur significant travel costs can be easily replaced with on-line meetings. While not good for the already decimated travel and hospitality industries, we might experience a new wave of meeting efficiency that we hadn’t anticipated.
  • There is likely to be a major increase, at least temporarily, in the number of victims of cybercrime and data breaches. As employees use their home computers – with inadequate endpoint protection and networks that incorporate hackable routers – to access corporate email and data assets on the corporate network, the security defenses that normally defend sensitive data resources will be bypassed in many cases. Expect a major uptick in security problems until organizations adapt to the new, hopefully temporary, reality of most or all of their workforce working remotely.
  • Similarly, expect a major increase in social media-related cybercrime because people are hungry for information about COVID-19, and they’ll click on links that purport to offer information about it. As noted by Brian Krebs six days ago, a live Coronavirus map developed by Johns Hopkins University is being exploited as part of an infection kit that uses the tool as a component of a Java-based malware deployment plot.

In short, lots of problems are to be expected in the near- to mid-term until a combination of decreasing infection rates and whatever new crisis is in the offing moves our attention to some different topic.

The Increasing Costs of Ransomware

As discussed in a ZDNet article about an RSA Conference talk from an FBI special agent, $144.35 million was paid in Bitcoin to ransomware-dispensing thugs during the six-and-a-half years ended July 2019. Among the most lucrative ransomware variants were:

  • Ryuk, which was by far the most successful ransomware, generating an average of $3.05 million per month during the 20-month period ended October 2019. Ryuk is responsible for the ransomware attacks that affected the San Diego Union-Tribune, the City of New Orleans, and Lake City, Florida, among many others.
  • Crysis/Dharma, which generated $670,000 per month during the three-year period ended November 2019.
  • Bitpaymer, which generated $350,000 per month during the 23-month period ended September 2019.
  • SamSam, which generated $200,000 per month during the 34-month period ended November 2018.

Interestingly, more than 25 percent of the ransom that has been paid by victims has yet to be spent, still housed in Bitcoin wallets.

Also of interest is the fact that up to 80 percent of ransomware attacks began as brute-force attacks on the Remote Desktop Protocol (RDP), with the remainder of attacks starting as phishing exploits. This, despite the fact that while the typical RDP attack will last for an average of two to three days, only 0.8 percent of them — only one in 1,250 attacks — are actually successful according to Microsoft.

Here are a few steps to combat ransomware, or at least the majority of its impact:

  • Minimize use of RDP. A friend at church told me on Sunday that while he was at RSA, his newly-hired subordinate was implementing RDP on all of the corporate workstations despite being told not to do so. Don’t do it if you don’t have to.
  • Use robust passwords. As the FBI special agent noted in his RSA talk, “If you can tell your password to someone else in under 30 seconds, it’s probably not a secure password.”
  • Implement robust security technologies focused on detecting and remediating ransomware before it has a chance to take root.
  • Implement ransomware-resistant backups that will prevent thugs from encrypting backups along with your endpoints.
  • Monitor networks for anomalous behavior.
  • Train users not to click on unknown or suspicious links in emails and on the web.
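
To make the RDP and monitoring points concrete, here is a detection sketch added as an example (it is not from the FBI talk or the ZDNet article). It assumes Windows Security events have already been reduced to simple tuples; the sample events, addresses, account names and the 50-failure threshold are constructed for illustration. It shows why a multi-day brute-force run stays under a per-hour alert threshold, and how a successful logon after many failures stands out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Windows Security event IDs
# LogonType 10 = RemoteInteractive (RDP); with Network Level Authentication,
# RDP attempts are commonly logged as type 3 (Network).
RDP_LOGON_TYPES = {3, 10}


def build_sample_events():
    """Constructed sample data, not real logs.
    Each event: (time, event_id, logon_type, source_ip, account)."""
    start = datetime(2020, 3, 2, 0, 0)
    accounts = ["administrator", "admin", "backup", "jsmith"]
    events = []
    # Slow guessing from one source: one failure every 10 minutes for 60 hours.
    for i in range(360):
        events.append((start + timedelta(minutes=10 * i), FAILED_LOGON, 3,
                       "203.0.113.50", accounts[i % len(accounts)]))
    # The same source then obtains an RDP session.
    events.append((start + timedelta(hours=60, minutes=5), SUCCESSFUL_LOGON, 10,
                   "203.0.113.50", "backup"))
    # A legitimate user mistypes a password twice, then logs on.
    t = start + timedelta(hours=9)
    events.append((t, FAILED_LOGON, 10, "198.51.100.7", "jsmith"))
    events.append((t + timedelta(seconds=20), FAILED_LOGON, 10, "198.51.100.7", "jsmith"))
    events.append((t + timedelta(seconds=45), SUCCESSFUL_LOGON, 10, "198.51.100.7", "jsmith"))
    # A console logon failure (type 2) is not RDP and must be ignored.
    events.append((t, FAILED_LOGON, 2, "127.0.0.1", "admin"))
    return sorted(events, key=lambda e: e[0])


def peak_failures_per_hour(events, src):
    """Highest number of failed RDP logons from src in any clock hour."""
    buckets = defaultdict(int)
    for when, event_id, logon_type, ip, _account in events:
        if ip == src and event_id == FAILED_LOGON and logon_type in RDP_LOGON_TYPES:
            buckets[when.replace(minute=0, second=0, microsecond=0)] += 1
    return max(buckets.values(), default=0)


def summarize(events, min_failures=50):
    """Count failed RDP logons per source over the whole look-back period and
    flag sources that log on successfully after reaching the threshold."""
    stats = defaultdict(lambda: {"failures": 0, "accounts": set(), "first": None,
                                 "last": None, "success_after": False})
    for when, event_id, logon_type, src, account in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        s = stats[src]
        if event_id == FAILED_LOGON:
            s["failures"] += 1
            s["accounts"].add(account)
            s["first"] = s["first"] or when
            s["last"] = when
        elif event_id == SUCCESSFUL_LOGON and s["failures"] >= min_failures:
            s["success_after"] = True
    findings = {}
    for src, s in stats.items():
        if s["failures"] < min_failures:
            continue
        findings[src] = {
            "failures": s["failures"],
            "accounts_tried": len(s["accounts"]),
            "span_hours": (s["last"] - s["first"]).total_seconds() / 3600,
            "verdict": "possible compromise" if s["success_after"] else "brute force",
        }
    return findings


if __name__ == "__main__":
    sample = build_sample_events()
    print("peak failures/hour:", peak_failures_per_hour(sample, "203.0.113.50"))
    for src, finding in summarize(sample).items():
        print(src, finding)
```

A "possible compromise" verdict is the case to escalate first: it is the rare successful attempt, and it is the point at which the attacker has an interactive session.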

Ransomware hit a high point in 2016, waned a bit in 2017 and 2018, and hit yet another high point in 2019. We anticipate that 2020 will set yet another high watermark for ransomware victimization.

Some Musings on the RSA Conference

A great RSA Conference in San Francisco concludes today. Attendance was down noticeably compared to last year, no doubt because of fears related to COVID-19 and the pullout of several key exhibitors, including AT&T Cybersecurity, IBM, Verizon, and six of the nine Chinese vendors. That said, there were 614 vendors exhibiting this year compared to 624 last year, so without the (possibly) overblown fear of the Coronavirus, there would have been a year-on-year increase in exhibitors.

Here are a few takeaways and comments:

Wendy Nather gave a very interesting keynote that discussed the need for democratizing security instead of continuing the current top-down, somewhat autocratic security model that is in place today. As noted in a Dark Reading article on the topic and reiterated in the keynote, Wendy said, “I’m going to argue that we should be teaching kids not to comply with somebody else’s security system, but to make good security decisions on their own from an early age — which means we have to get rid of parental controls. We should be teaching kids to make the right decisions with the devices that they are using.” She applied more or less the same thinking for corporate users.

While I am completely on-board with teaching good cyber security practices to users, we need to keep in mind that security is not just about doing the right things. It’s also about defending against a sophisticated, well-funded, malicious, very intentional, and sometimes just plain mean adversary. This is not just about users making good security decisions, as important as that is, but it’s also about enabling security teams to have autocratic authority when it best serves the needs of the company footing the bill and taking the risks. IMO, the best security model lies somewhere between autocracy and the democracy that Wendy proposes.

One of the more interesting products discussed at RSA was Anomali’s Lens+, a web content parser that uses natural language processing to highlight cyber threat information. Lens+ is a browser plug-in that can be configured to highlight text in web pages based on various criteria. It enables threat researchers and others to view web-based threat bulletins, social media posts, articles and other web content and have highlighted for them information related to threat actors, attack techniques, malware families, and other relevant information. Plus, it enables researchers to understand if their organization has instances of these threats already present in their network, and it supports the MITRE ATT&CK framework by showing the TTPs discussed in the content they’re viewing.

Lens+ has the potential to significantly reduce the amount of time that threat researchers spend reading threat bulletins and other content related to their work. Plus, I can see enormous applicability well beyond this space, such as enabling employees to gain additional information about the content they’re reading across a wide variety of subject areas.

There was a very interesting — and fairly contentious — keynote panel led by Craig Spiezle, founder of Agelight Advisory and Research Group, entitled “How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei”. The panel members included Katie Arrington, CISO of Acquisitions for the Department of Defense (which can no longer legally purchase from Huawei); Andy Purdy, the CSO of Huawei; Bruce Schneier from the Harvard Kennedy School; and Kathryn Waldron, a Fellow at the R Street Institute.

Craig, who would have been well served in this session had his former career been that of a boxing referee, did a good job of managing the group and keeping panel members more or less on topic. While the session shed more heat than light on supply chain management, with personal political preferences leaking through at times, it highlighted the importance of prioritizing where security dollars need to be spent, since there is no way to make everything secure. As Schneier noted, securing the supply chain is an “insurmountable” problem. Whether that’s true or not is certainly up for debate.

All in all, a great RSA and probably the most enjoyable since I started attending 16+ years ago.

Coronavirus Taking Its Toll on Industry Conferences

Here’s a partial list of the impact that the Coronavirus, known officially as COVID-19, is having on tech industry conferences worldwide as of Friday afternoon, February 21st:

  • RSA Conference, San Francisco
    Verizon today pulled out of next week’s event. They were preceded by AT&T Cybersecurity yesterday and IBM on February 14th. In addition, 10 other exhibitors — three from the United States, six from China, and one from Canada — have pulled out of the conference. Of the nine exhibitors from China that were scheduled for RSA, six have pulled out; the three remaining will be staffing their booths with individuals from the United States. RSA is expected to draw up to 45,000 attendees this year.
  • Mobile World Congress, Barcelona
    This conference, scheduled for February 24-27 and which normally draws about 100,000 attendees, was cancelled on February 12th. The announcement followed LG, Google, AT&T, Airbus, Sony, Cisco, Facebook, Nvidia, Amazon and several other exhibitors announcing that they were pulling out of the show.
  • DEF-CON China, Beijing
    This conference, scheduled for April 17-19, has been put on hold for six months because “China has announced a six-month hold on events like ours as part of the effort to combat the coronavirus outbreak”.
  • Facebook Global Marketing Summit, San Francisco
    The March 9-12 summit, expected to draw 4,000 participants, was cancelled by Facebook’s management “out of an abundance of caution.”
  • PAX East 2020, Boston
    Sony PlayStation pulled out of this major video game conference because of fears over the virus.

In addition to these, more than two dozen trade shows in Asia have been cancelled because of the Coronavirus outbreak.

Some Examples of Security Problems in Government

State and local governments, municipalities, city councils, local law enforcement agencies, federal government agencies, and other government entities – collectively the government sector – are under attack from cyber criminals and nation-states. Threats from ransomware, business email compromise, phishing and other security threats are relentless, and 2019 was a banner year for various types of attacks against government.

A few examples:

  • Ransomware
    Successful attacks hit four municipalities in Florida in April and June 2019, more than 20 local government organizations in Texas (August 2019), and two power utilities in India (August 2019). Two-thirds of more than 70 ransomware attacks in the United States during the first half of 2019 had local and state government organizations in the crosshairs. The ransomware attack on the City of Atlanta in March 2018 compromised approximately 150 applications, including mission critical services such as the court system and police. The Atlanta Attorney’s Office lost 71 of its 77 computers and a decade’s worth of documents in the attack.
  • Phishing
    The City of Naples, Florida was the victim of a spear-phishing attack in July 2019 that netted $700,000 for the cybercriminal(s); this occurred after Collier County suffered a similar attack in December 2018 that netted $184,000.
  • Business Email Compromise
    A public school in Portland, Oregon almost lost $3 million to a successful BEC attack, and a county in North Carolina was tricked into paying $2.5 million into the wrong bank account for a contractor working on a local project (some of which it was able to recover through quick action by the bank).
  • Data Breaches
    Mega-breaches include the US Office of Personnel Management in mid-2015 with 21.5 million sensitive data records breached, and the US Justice Department in 2016 with a data breach exposing contact details for more than 20,000 FBI and Homeland Security employees. A White House audit in 2015 discovered a cumulative 77,000 cyber incidents across government, with theft of data a common occurrence. In late October 2019, hackers breached the City of Johannesburg and claimed they had exfiltrated sensitive financial and personal data. The hackers said they would publish the data if a ransom payment was not made.

We have recently published a white paper focused on cyber security in government that discusses the problems in depth. It discusses a number of important best practices that government decision makers should seriously consider. You can download it here.

Will There be a US Federal Privacy Standard?

There’s a good commentary by Daniel Barber, published today, about the various data privacy bills that are being considered by Congress. Here’s a synopsis:

  • Consumer Online Privacy Rights Act (COPRA). A Senate bill introduced in November 2019, this is a consumer-friendly act focused on data privacy, would impose large fines on violators, and would create a new federal bureaucracy, the Bureau for Privacy.
  • Privacy Bill of Rights Act. A Senate bill from April 2019 that is quite similar to the California Consumer Privacy Act (CCPA).
  • Consumer Data Protection Act. A Senate bill from November 2018, COPRA closely matches the European Union’s General Data Protection Regulation (GDPR) and would target companies with at least $50 million in annual revenue and that manage more than one million records. Like the most aggressive penalty under GDPR, it would impose a fine of four percent on violators.
  • Online Privacy Act. This act would enable consumers to access their data and have it deleted, much like the GDPR, and would impose regulations on algorithmic processes that many are using to target prospective customers.

The two big questions surrounding a GDPR- or CCPA-like bill at the federal level are:

  • Is it a good idea to preempt state data privacy legislation?
  • Should stricter state regulations on data privacy supersede weaker federal provisions?

Mr. Barber’s take on the first question is clear: “While I generally favor the states’ role in being the so-called laboratories of democracy, only a uniform federal piece of legislation will solve the problem and create order.” I agree with him to an extent, but federal legislation tends to get watered down in committee. That, combined with an administration that is not favorable to enacting new regulations, could result in a weakened version of these bills that would do relatively little in addressing problems with data privacy.

With regard to the second question, I believe that states should be permitted to enact stricter legislation if their citizens and their elected representatives choose to do so. Yes, it makes things more onerous for business, but it enables states to have the freedom to implement rules that are a better fit for their citizens (not that that always happens, of course).

Perhaps the best course of action is for companies to adopt the CCPA as a de facto standard for all of their US domestic operations. Microsoft and ISP Starry have already done so, pledging to honor the provisions of the CCPA in all 50 states. In the absence of federal regulation to protect data privacy, it will be interesting to see if consumer demand for privacy is sufficient to motivate other companies to follow the example of Microsoft and Starry.

The Mixed Bag Influence of Twitter

This is not a tirade against Twitter. Twitter is a thing. Like cars, guns, a printing press, the Internet or any other thing, it’s inanimate and, by definition, cannot be either good or bad. Only the use to which it is put can be good or bad. So, when you read “Twitter” in the following, read it as “the use of Twitter”.

On the positive side, Twitter is a good thing because it enables distribution of news, ideas, etc. to a wide audience. It enables learning from bright people in a way that probably would not be possible in any other way. In my role as an industry analyst, I find Twitter to be incredibly useful for discovering ideas, learning about news, and following smart people, all of which would be more difficult to do in other ways, and for sharing news and other information with an audience that would be almost impossible to reach through other media.

But there are three fundamentally negative aspects to Twitter that largely negate much of the positive that it brings:

  • Almost every problem is multi-dimensional. Whether it’s homelessness, Hong Kong, the national debt, armed conflict, data breaches or any other issue, it’s rarely one thing that can be identified as the cause. Instead, problems normally are the result of many causes, each of which contributes to the problem in varying degrees. However, when someone takes to Twitter to discuss a problem or convey information, they’re limited to a maximum of 280 characters and so can rarely discuss more than one thing. If we assume that the average word is just five characters plus the following space, that’s a maximum of about 47 words to discuss the issue – and very few issues can be discussed with any degree of depth in 47 words. The result is that discussion of important issues gets reduced to sound bites, not substantive discussion or analysis. That fits nicely with the decreasing length of the typical attention span, but it makes for poor decision making.
  • Like any form of electronic communication, the remote nature of correspondence on Twitter eliminates the consequences associated with rude behavior. Hurl an insult in-person and you run the risk of getting punched in the nose – do so on Twitter and there will rarely be a consequence other than receiving an insult in return. In short, the social consequences of rudeness all but disappear in the Twittersphere.
  • Finally, and perhaps most dangerous, is the strong tendency for decision makers to assume that the most vocal people on Twitter actually represent many more of the same mindset than they actually do. For example, in June 2018, Twitter’s CEO Jack Dorsey ordered food from Chick-fil-A®. He was called out for doing so by a number of people on Twitter and apologized for his behavior. An article in USA Today cited three tweets as part of the backlash – these tweets had a combined 318 “likes” in the nearly 19 months since they were published. By contrast, I estimate that Chick-fil-A serves approximately 4,600 customers per minute. Those who “like” a tweet – or care about the issue in any way – rarely are even the tiniest fraction of those who could not care less about the issue or disagree with it.

The last point is the most dangerous aspect of Twitter because it has enabled the rapid expansion of bullying. Bullying requires a) a bully who thinks they can harm their victims (of which there is no shortage on social media platforms, including Twitter) and b) someone who considers themselves vulnerable to harm. Consequently, it’s easy for tweeters to seem like they’re representing more people than they really are. However, only 22 percent of Americans use Twitter and only 10 percent of its users account for 80 percent of tweets. Tweeters really don’t represent much of the population, but decision makers – including those who apologize for having lunch at the “wrong” place – seem to think they do, and so fall victim to bullying tactics on a regular basis.

In short, Twitter is a fantastic platform for sharing information and learning, but it has serious downsides that negate much, if not all, of its positives.