Cybersecurity Is Not The Issue We Think It Is

Conventional wisdom says:

  • Computer security is an existential threat to our well-being and way of life
  • We face threats whose impacts could be as devastating as Pearl Harbor, if not worse
  • Despite the tens of billions spent recently in the CNCI, we need to spend more in order to address the threat

Really?

For the last few years I’ve been harboring this sneaking suspicion that all was not well with our world. I, and everyone I knew, was working as hard as ever but we didn’t seem to be making any kind of difference. You can’t help but wonder why we keep hearing the same scary phrases over and over again; hearing about massive breaches caused by the same mistakes over and over again; reading about yet-another epic security fail on the part of some official or executive and wonder: “if this computer security thing is so important, how come we’re no better off today than we were 10, 20, 30 years ago?”

If we were doing our jobs then computer security should have fallen into that class of “things people perpetually care about” and be addressed accordingly, not something that is addressed rarely and in an ad hoc fashion. I’ve said before that we seem to do a disproportionate amount of naval gazing in this business and do not have a big enough impact on our fellow citizens, but is that just a hunch or can I prove it?

This is the information age, so it should be fairly easy to search through all that information to find out how popular – or more accurately “how often” – people are exposed to the issue of computer security. I don’t have a Nexis account, but I can use some poor-man’s alternatives, like Google Trends search (news headlines from 2004 to the present). So, let’s look at “computer security” in the headlines:

Computer Security Mentioned in News Headlines

Wait, what?! Headlines mentioning computer security have been declining over the last eight years? OK, what if we use “cyber security” instead?

Cyber Security Mentions in News Headlines

Oh my. Not what I thought it would be . . . wait, what about “cybersecurity” as all one word?

Cybersecurity Mentions in News Headlines

OK, that’s more like it, but still . . . if conventional wisdom is to be listened to; shouldn't headlines be steadily trending upwards to the right, not these wild pendulum swings?

Yes. Yes it should.

What about comparing “cybersecurity” to one of those “everyone cares about” issues, like taxes?

Cybersecurity vs Taxes Mentions in News Headlines

Hmm, looks like headlines spike during tax season, and then drop off (which makes sense), though the issue writ large is pretty consistently covered in the media over time. What about compared to “health care?”

Cybersecurity vs Health Care Mentions in News Headlines

OK, not helpful to our cause. What if we compare some frivolous, niche topics that couldn't possibly receive more media coverage than “a clear, present and growing danger to national security.” Let’s pick “Lindsay Lohan (gold) and Led Zeppelin (green):

Cybersecurity vs Miscellaneous Pop Culture Mentions in News Headlines

Look upon what people care about, you security experts, and despair . . .

Now, obviously this is not a scientific study. I’m not a survey-big-data-statistic-mathy guy, so I’m sure there are flaws that professionals who do this sort of thing for a living would love to pick at, but some reasonable conclusions I think we are able to draw from this little experiment:

  • No matter how much we spend (CNCI, etc.), no matter how massive the breach, no matter how widespread the damage: cyber security it not one of the country’s most pressing issues if media and literature coverage are any indicators.
  • If literature or media coverage over time is any indication, nothing we have done to date in the security industry is doing anything to increase public concern about computer security.
  • Until computer security impacts as many lives as deeply as issues like taxes, life or death – or defunct rock bands – it will always be the fringiest of the fringe issues in the minds of the public. It is, in fact, less than trivial.

Arguing about the folly of manufacturer back doors in SCADA systems, stupid coder mistakes, the efficacy of anti-virus, what APT is or any of the myriad topics security people love to discuss is a self-licking ice cream cone. We’re talking to ourselves, not the people we purport to want to help, and then we blame others for “not getting it.” We tell people to buy technologies we know will fail, but then lambaste those who try to look at problems from a new angle or otherwise disrupt the status quo.

If anything herein resonates with you, then do your peers, your industry, and your fellow citizens a favor:

Write something. I’m no English major, nor am I Shakespeare, but I've been known to reach national and international audiences on occasion. Insight and passion about an issue are all you need: they have editors (or under-employed English majors) for everything else. Make it as relevant and accessible to as many people as possible: you’re writing for mom, not your boys in the hacker space.

Speaking of your mom . . . don’t roll your eyes when she asks you to fix her computer. While you’re upgrading her from XP and IE 5, talk to her in terms she’ll understand about why computer security is important. Do this and two things will happen A) she will make you a pie[2], and B) at her next coffee klatch with the neighborhood haüs fraüs she’ll tell THEM why computer security is important. They will tell their friends, and so on . . . Look at that dude; you just lit a spark that helped changed the world view of about 15 million people. You know what 15 million people are called: A constituency.[3]

Advance your cause by viewing the world though other people’s eyes. Security is only a be-all, end-all in the land of unicorns and pixie dust; in the real world people are motivated to get things done. Engage with people who don’t do security for a living and appreciate why they resist your genius plan to eliminate the problems caused by ‘1337 h@x0r$. The people in Finance, Sales, or Manufacturing are not your enemy, they are just incentivized differently. No one is going to willingly surrender their reward to improve security: you need to come up with an approach that they will want to follow so that helping you is just another part of doing their job.

Computer security is hard. Forget the existential factor – or lack thereof – its technically complex; its political; its economic; its social. It is a nut that has yet to be cracked despite all the work that has been put in to date.[4] What we’ve been doing as an industry has been great for the industry, but it has had no substantial effect on those who need our support and protection. If you’re OK with that, then drive on; if you’re not: it’s time to do something different.

 


[2] OK, she “may” make you a pie

[3] That’s what politicians listen to when they start making decisions on things of national import.

[4] And I’m not talking about recent events; you can find research and studies and papers discussing computer security problems going back to the 60s.