Sunsetting Cyber Awareness Month.blog.1017October 2, 2017
By Larry Clinton
Raise your hand if you know anyone who is unaware that we have a cybersecurity problem.
In a field where we are often desperate for any sign of success, I think we can spike the football on the issue of cybersecurity awareness.
Understanding the cybersecurity problem? Not so much.
Nearly a decade ago, when cybersecurity awareness month was launched, it was a good idea. Back then, many thought cybersecurity was a mirage concocted by the same IT vendors who had recently brought us the “Y2K” non-crisis. Back then, most people thought this Internet thing was secure. Ah, blissful youth.
But a decade of advocacy, and Target, and Yahoo, and OPM, and Equifax (to name a very few) have largely solved the awareness problem.
I suggest we now move on to Cybersecurity Understanding Month.
We can begin by clarifying that this is not, at heart, a simple IT problem. In fact, it’s not a simple problem at all. Y2K was a simple IT problem.
Obviously, cybersecurity has a substantial IT element to it, but IT compromise is just HOW the cyber attacks occur. If we are going to actually solve, or even manage, the cybersecurity problem, we also have to focus on the WHY of cybersecurity.
And the why of the cybersecurity issue – which is not well addressed in most current awareness events – includes two basic elements. First, the system itself is not only inherently vulnerable, but getting ever weaker – much weaker (mobile devices, IOT etc). Second, the value/profit of compromising the system is so enormous that attacks are not only likely, they are almost inevitable.
The Bank of Bangladesh attack was extremely unsuccessful. They wanted to steal billions and only got away with a few hundred million. That’s the kind of failure I can live with. If you are Chinese Intelligence, how valuable is all that data they stole out of OPM? And the Equifax attack pales in comparison to the Target attack – I can’t even fathom how valuable that data will be to all sorts of criminals who probably are already shopping for it on the Dark Web.
Does the public (let alone the policy makers) realize we are dealing with an issue of inherent systemic vulnerability coupled with literally invaluable data at risk? I think not. I think most think the problem is stupid, lazy and corrupt people running our systems (yes, we have some of them, but that is not really the core problem).
The time has come for us to move on from simplistic awareness events and to the harder work generating actual understanding that will lead to effective action.
Larry Clinton serves as the President and CEO for the Internet Security Alliance.