Computer Security is Not The Issue We Think It Is

Conventional wisdom says:

  • Computer insecurity is an existential threat to our well-being and way of life
  • The public's concern about this issue has reached a tipping point
  • We need to (epic big pet project here) and/or (massive influx of cash there) in order to address the threat and reduce risk

Really?

For the last few years I’ve been harboring this sneaking suspicion that all was not well in the computer security world. We're working as hard as ever but we don't seem to be making any kind of difference. You can’t help but wonder why we keep hearing the same scary warnings over and over again; hearing about massive breaches facilitated by the same mistakes over and over again; reading about yet another epic security fail and wondering:

If this computer security thing is so important, how come we’re no better off today than we were 10, 20, 30 years ago?

If we were doing our jobs then computer security should have fallen into that class of “things people perpetually care about” and be addressed accordingly, not something that is dealt with ad hoc and halfheartedly. We seem to do a disproportionate amount of navel gazing in this business and not enough to make an impact on our fellow citizens, but is that just a hunch or can I prove it?

This is the information age, so it should be fairly easy to search through all that information to find out how popular – or more accurately “how often” – people are exposed to the issue of computer security. I don’t have a Nexis account, but I can use some poor-man’s alternatives, like Google Trends (news headlines from 2004 to the present). So, let’s look at “computer security” in the headlines:

Wait, what?! Headlines mentioning computer security have been declining over the last decade? OK, what if we use “cyber security” instead?

A little better (there were a LOT of breaches in 2009) but not what I thought it would be . . . wait, what about “cybersecurity” as all one word?

OK, that’s more like it, but still . . . if conventional wisdom is to be believed shouldn't headlines be hockey-sticking and not this gradual climb with wild pendulum swings?

Yes. Yes it should.

What about comparing “cybersecurity” to one of those “everyone cares about” issues, like taxes?

Hmm, looks like headlines spike during tax season, and then drop off (which makes sense), though the issue writ large is pretty consistently covered in the media over time. What about compared to “health care?”

OK, not helpful to our cause. What if we compare against some frivolous topics that couldn't possibly receive more media coverage than “a clear, present and growing danger to national security.” Let’s pick “Taylor Swift” (red) and “Led Zeppelin” (gold) and compare against “cybersecurity” (blue):

Look upon what people care about, you security experts, and despair . . .

Now obviously this is not a scientific study. What a media company believes is newsworthy and what any given individual feels about a topic does not necessarily map 1-to-1. I’m not a survey-big-data-statistic-math-y guy, so I’m sure there are many flaws that professionals who do this sort of thing for a living would love to pick at, but with those caveats I think it's not unreasonable to draw some broad conclusions:

  • We may have broad, deep and longstanding problems in computer security, but it's not a topic that people care about with sufficient interest and regularity.
  • Nothing we have done to date in the security industry is doing anything to increase public concern commensurate to the threat. We have no 'little kids can't get health care' situation we can exploit to drive change. 'Little Suzy can't afford anti-virus'...doesn't really carry the same weight.
  • Until computer security impacts as many lives as deeply as issues like taxes, health insurance (or lack thereof), or defunct rock bands, it will always be the fringe-ist of issues in the minds of the public. It will be, in fact, less than trivial.

Arguing about the folly of manufacturer back doors in SCADA systems, stupid coder mistakes, the efficacy of anti-virus, what APT is or any of the myriad topics security people love to discuss is a self-licking ice cream cone. We’re talking to ourselves, not the people we purport to want to help, and then we blame others for “not getting it.”

If anything herein resonates with you, then do your peers, your industry, and your fellow citizens a favor:

Write something. I’m no English major, nor am I Shakespeare, but I've been known to reach national and international audiences on occasion. Insight and passion about an issue are all you need: they have editors (or under-employed actual English majors) for everything else. Make it as accessible to as many people as possible: you’re writing for mom, not your boys in the hacker space.

Speaking of your mom . . . don’t roll your eyes when she asks you to fix her computer. While you’re upgrading her from Windows XP, talk to her in terms she’ll understand about why computer security is important. Do this and two things will happen: A) she will make you a pie[1], and B) at her next coffee klatch with the neighborhood Hausfraus she’ll tell THEM why computer security is important. They will tell their friends, and so on . . . Look at that; you just lit a spark that helped change the world view of several million people. You know what several million people are called: A constituency.[2]

Rally some friends and form a lobby[3]. Not an industry lobby, a computer security lobby. An industry lobby tries to make using (a type of product) a law; a computer security lobby tries to make effective compensating controls - regardless of whose logo is on the box and who made the biggest donation to the Senator's election campaign - law.

View the world through other people's eyes. Security is only a be-all, end-all in the land of unicorns and pixie dust; in the real world people are motivated to get things done. Engage with people who don’t do security for a living and appreciate why they resist your genius plan to eliminate the problems caused by ‘1337 h@x0r$’. The people in Finance, Sales, or Manufacturing are not your enemy, they are just incentivized differently. No one is going to willingly surrender their reward to improve security: you need to come up with an approach that they will want to follow so that helping you is just another part of doing their job.

Computer security is hard. It's technically complex; it's political; it's economic; it's social. It is a nut that has yet to be cracked despite all the work that has been put in to date.[4] What we’ve been doing as an industry has been great for the industry, but it has had no substantial effect on those who need our support and protection. If you’re OK with that, then drive on; if you’re not: it’s time to do something different.

[1] OK, she “may” make you a pie

[2] That’s what politicians listen to when they start making decisions on things of national import.

[3] That's the other thing politicians listen to when they start making decisions on things of national import.

[4] And I’m not talking about recent events; you can find research and studies and papers discussing computer security problems going back to the