What Could be Harder Than Cybersecurity?
This piece by Oren J. Falkowitz — CEO of Area 1 Security — was also published in Fortune Magazine
Judging by the defeatist stance of the private sector, the government, and the security industry in reaction to high profile breaches, paired with the billions lost every year, you might think that this whole cybersecurity thing is way beyond us. The experts claim the bad guys are unstoppable, prevention is impossible, and that it’s so very complicated, the best we can do is buy cyber insurance and go hide under the bed. When it comes to protecting our data, our identities, and our money, it is as if we’ve fallen and can’t get up.
Please.
Cybersecurity isn’t even in the top 100 of things we’ve already done, with less sophisticated tools, mind you, that are far harder. For instance, let’s talk about that moon shot we pulled off in 1969. The computer in that capsule that transported three men —producing a ludicrous 7.68 million pounds of thrust from five monstrous kerosene-gulping engines — to the moon, 233,455 miles away, where two of them landed, and brought them all back safely. That little gadget had less computing power than those learning toys for preschoolers.
Too extreme of an example? How about something we did a really long time ago? Like the discovery of germs. Try convincing a venture capitalist to give you funding for this: “So, we discovered these little invisible creatures that live in our food, air, and water and sometimes they make us sick.”
Or even better, the cure for those diseases: “Hi, we’re back. Now we need more funding because we figured out we can grow other invisible creatures from mold and garbage to cure the diseases the first creatures caused.”
Of course. To whom do I make out the check?
Just for fun, try making your own list of things that are harder than cybersecurity. Here are just a few of the more obvious on my list:
Flight. Every day, millions of people get into metal tubes with wings and are shot from one concrete pad to another thousands of miles away. And it’s a rare occurrence worthy of worldwide news when everyone doesn’t get to where they’re going safely.
The automobile. Hundreds of millions of machines with hundreds of thousands of parts transporting people over ribbons of steel and concrete to their destinations, billions of times, mostly without incident. And by the way, they’re now driving themselves.
The Internet. The entire accumulated knowledge of our species available to anyone with computer, smartphone, or tablet. For free.
Solar power.
The Eiffel Tower.
In fact, any modern skyscraper and everything in it.
Aspirin.
A heart transplant. They pull your heart out of chest while it’s still beating, and put a new heart in, maybe from a pig or cow, then they shock the living daylights out of you to start up the new heart and a couple days later, you go home.
That computer in your pocket that you take for granted.
Q-tips. (A personal favorite.)
You get the idea. We have this almost limitless track record of astounding accomplishments, and yet, we seem to be willing to write off security online as something completely mysterious and beyond our abilities. Worse, it is as if we have accepted defeat like it were the best available option.
For example, just last summer in one of the largest and most stunning breaches of government, nearly 21.5 million people lost their personal information from the Office of Personnel Management, including Social Security numbers and even fingerprints. In an article reporting the story, The New York Times wrote, “[The breaches] seemed certain to intensify debate in Washington over what the government must do to address its substantial weaknesses in cybersecurity, long the subject of dire warnings but seldom acted upon by agencies, Congress or the White House.”
Yes, intensifying the debate would be nice, but too little too late. Perhaps it would be a good idea to intensify the debate after we get those vulnerabilities, which are apparently rampant, fixed.
In the same article, The New York Times quoted Michael Daniel, the White House cybersecurity coordinator, who said, “This incident that we are talking about today is unfortunately not without precedent. We have to raise our level of cybersecurity in both the private sector and the public sector.”
And then Katherine Archuleta, the director of the Office of Personnel Management, got into the act. She held a conference call to explain the extent of the damage and the agency’s planned response. She said, “I am committed to the work that I am doing at O.P.M. We are working very hard, not only at O.P.M. but across government, to ensure the cybersecurity of all our systems, and I will continue to do so.”
By the way, these hackers, like the ones who got into Sony, were in the network for the better part of a year before they were detected. You’d think with all those people working so hard that someone would have noticed.
She also announced that the OPM would be implementing some new security measures — how’s that for timing — and that the victims of the breach would receive, you guessed it, free credit and identity theft monitoring. How does it do anyone any good to be offered free identity theft protection after their entire life has been stolen?
She also said she would not resign, despite members of Congress from both parties calling for her head.
She resigned the next day.
Finally, just this past week, and nearly more than half a year later, President Obama announced a $3 billion dollar initiative to get this cybersecurity thing under control.
Maybe it’s more economical for banks and credit card companies to pass their losses along in the form of 27% interest. Maybe in an age of corporate-funded politics, privacy and personal security online isn’t the first priority. Maybe the government is really waking up, just slightly after the private sector hit snooze. But the fact is that the present situation is not acceptable.
Hackers are not superhuman. They succeed because we help them. They work with what we give them, in almost every instance. And it’s obvious that what we’re doing isn’t working. So it’s time, no, it’s far past time to do something different.
It will require a far different mindset than we’ve had so far, but the good news is, we can solve this. And it’s not even as hard as sticking a bit of cotton to both ends of a little paper stick
