Why should I care? (why would you?)

When it comes to dealing with cybersecurity threats, our generation is most likely a lost cause.

As an IT Security Consultant / Ethical Hacker, I get more than the usual amount of attention and curiosity about what I do professionally, which allows me to engage people in conversations around IT, hacking, online security, privacy, etc. People who take an interest in what I do for a living realise that IT security is an important issue in our society, and that organisations, both public and private, should invest more resources into ensuring that our IT infrastructure is secured from malicious actors, a.k.a. hackers.

Ironically enough, they tend to have a dismissive attitude about IT security when it comes to their private lives, believing that the current threat landscape would not affect them personally, as they cannot imagine themselves as potential targets: “I have nothing of value for a hacker, why should I care?”

That type of attitude is mostly a consequence of a lack of awareness and education. Let’s put aside the common plunder that we associate with a hack: passwords, credit card information, private pictures, etc. Regardless of who you are, where you live or how much money you make, you have something very valuable that no one else in this entire world possesses: your identity.

Nobody is an island on the Internet. Insecure online behaviour does not only put yourself and your data at risk, but also the people and entities connected to you: family, friends, colleagues, the company you work for, the organisations you are a part of, etc. A hacker who compromises your data can use that information to impersonate you, and thereby exploit the trust that you and your connections have built over time.

As individuals, we also tend to forget that the organisations that we expect to act as our protectors online (be it governmental institutions, Internet service providers, hardware manufacturers, etc.) are nothing but a collection of other individuals like us, who suffer from the same optimism bias when it comes to IT security. This reluctance to educate ourselves and to think of IT security as something more than a nuisance transcends our personal lives and spreads into all aspects of society.

The WannaCry ransomware attack that hit the world last weekend is a clear example of how this reckless attitude can lead to catastrophic consequences. Reports tell of several hospitals in the UK which have been shut down after the malware encrypted their filesystems, thus rendering their IT systems useless. These disruptions have affected countless people who could not get immediate medical care and had to be directed to other hospitals, ultimately putting lives at risk.

This might be the first time that we are able to see the consequences of poor IT security practices having a very tangible, easy-to-understand and, at the same time, shocking and life-threatening outcome. As a society, as humans, we clearly need this type of wake-up call. The human brain is a very poor judge of risk, especially when it comes to concepts that we do not fully comprehend.

Most of the news outlets, demonstrating a poor understanding of the situation at hand, made it seem as though this attack was only possible because it involved very advanced tools developed by the NSA (United States National Security Agency). This misinterpretation of the facts, in turn, allows the affected organisations to deny their responsibility for preventing the attack, and to claim that they do not have the resources to protect themselves from actors who possess technology that is allegedly on par with nation-state cyber-warfare weaponry.

In reality, the WannaCry ransomware attack exploited an issue in Windows that had been disclosed to the public two months ago. Moreover, by the time the vulnerability was made public, Microsoft had already released a patch for their systems that fixed the issue. In a perfect world, where the average organisation better understood the risk of not patching its systems when such a high-risk vulnerability is publicly known and available, this ransomware attack would not have been possible, or at least it would have had a smaller impact and a less widespread reach. In fact, the entire IT security industry predicted that it was only a matter of time before such an attack would happen, but nobody listened.

However, can we blame anybody for this? The majority of people who are in charge of making the decisions that directly impact how these situations are handled have been educated in a world where the Internet did not exist. They have not been instructed from an early age to care about and understand IT and IT security.

The question is what actions we are taking to remedy this situation for future generations. Our school systems are clearly behind when it comes to technology. Young kids are put into educational programs that have remained fairly static and unchanged for decades; programs that were designed in a completely different era, when IT was not such a ubiquitous element of society. Children engage in the online world without having a basic understanding of how computers and the Internet work, just like their parents did.

These children, the same who will become the decision makers of the future, are unfortunately bound to make the same mistakes that their predecessors made, misjudging the risks when it comes to cybersecurity threats. Hence, the vicious circle perpetuates itself and goes on. Except by then, the technology will have become exponentially more complex, as civilisation becomes continuously more dependent on and integrated with the “cyber”. What will happen when a similar type of malware hits self-driving cars en masse? Robots that perform surgeries? Airplanes? Smart houses?

It is because of these prospects that I am advocating for making IT security part of the high-school curriculum. Helping create a basic understanding of how the technology works would be the best way to fight the optimism bias syndrome. We cannot expect our children to have an inherent grasp of how the technology functions just because they are constantly exposed to the Internet. Knowing how to post a video on YouTube does not give one a real comprehension of why encryption is important, what a vulnerability is, how exploits work, and why it is important to keep your operating system up to date.

Furthermore, there is one more benefit to educating our children. They will not only be the decision makers of the future, but could also become the driving force demanding higher levels of IT security in society. Around 20 years from now, they will join the workforce and become consumers, meaning that their decisions and preferences will drive the global economy. An educated consumer would be able to identify a product that was developed with security in mind. This demand for security would push companies and organisations to make security a priority, since doing otherwise would mean losing out to their competitors.

When it comes to dealing with cybersecurity threats, our generation is most likely a lost cause. But if we are to have any hope that our descendants will be able to deal with the cyber threats of the post-modern era, we must leave them the tools needed to understand the world that we are leaving behind.