People Will Have to Die
The President’s keynote at a cybersecurity conference at Stanford has gotten a lot of media attention. So too has executive action designed to encourage better sharing of security information. Both of these items come on the heels of the announcement of the creation of the CTIIC, which is reported to be focused on information sharing, and stories that $14B in new funding for cybersecurity is in the works. All of this would seem to indicate that the government has rejuvenated its interest in improving the security posture of the nation with regard to digital threats.
But is that really true?
Presidents say a lot of things about a lot of issues, but that doesn’t mean everything they say is at the top of the government’s to-do list. A President declared a war on drugs, another a war on poverty. We’re pretty good at killing terrorists but that war isn’t going to end any time soon either.
The President’s executive action encourages sharing; it’s not the law.
Increased funding is always welcome, but how do we know this isn’t good money after bad? What was the ROI on CNCI funding?
If the idea behind CTIIC sounds familiar to you, it should, because another President did the exact same thing almost 20 years ago: it was called the NIPC. InfraGard preceded NIPC, which was followed by ISACs, which were followed by the DCISE. Private sharing organizations like Red Sky Alliance and Facebook’s ThreatExchange followed suit. Sharing, as they say, is caring, but is it making a difference?
The fact of the matter is that cybersecurity is what the government cares about when it’s not shooting at people or when there is such a massive, egregious breach of security that it can’t be ignored. Computer security is not the issue computer security people think it is because the vast majority of Americans care about taxes, health care, schools, entitlements and a host of other issues because they impact people’s lives on a daily basis and in a meaningful way that security doesn’t. The only thing that is going to make the public care about computer security is death, or to be more precise “deaths” because I’m afraid it is going to take more than one to spark the kind of interest required to make a difference.
By all accounts the Chevy Corvair (ask your grandparents) was a blast to drive, but when Unsafe at Any Speed came out, the importance of building cars with certain features so as to reduce if not preclude key weaknesses became apparent. As a kid I rarely buckled up in a car and I certainly didn’t ride around in a car seat. Parents will look askance at you if you let your kid ride a bike without a helmet these days; my skull was my impact protection (which might explain a lot).
The point is this: the physical-world analog to security is safety, and we don’t care about safety until it becomes obvious that the current way of doing things is killing people. This is not to say that “cyber” has not contributed to the death of a human being, simply that — as odd as it feels to type this — it hasn’t killed enough people to matter.
And it could kill people. Sooner than you think. If you have been in this field for long you know the hype about certain threats has far outpaced reality. But computers have moved from buildings to rooms to closets to desktops to laptops to hand-helds to wearables to implantables. Has security ever been a priority at any phase of the computer’s evolution?
I’m being rhetorical…
As long as the impact of cybersecurity issues on individuals is minimal, no one should expect this to be an issue that is truly of national importance. I’m not trivializing identity theft or the economic impact of intellectual property theft, but if your credit card data is stolen the banks make you whole, and most businesses that lose IP don’t go out of business. In order for the country to care about cybersecurity, people have to die. No one wants this to be true, but history suggests it’s the only way we’re going to pay attention.