Cybersecurity: The Circle of Blame


In a recent study conducted by the RAND Corporation, the unanimous conclusion of all 200 institutional participants was that existing financial incentives for security are insufficient, and that society has failed to create and implement a regulatory model for cybersecurity. Doh?

I know this will not be shocking news to anyone who has been paying even the slightest bit of attention over the last two years, but what might be revealing is that all classes of participants found someone else to blame. Individual users blame institutions for failing to secure their data. These institutions blame the government for not keeping them safe. The government blames technology companies for selling insecure products. And technology companies blame consumers for buying products that are cheap, therefore creating financial incentives for insecure devices.

Badaboom.

The bottom line from these exercises, which included experts from government, industry, academia, and related sectors, is that effective cybersecurity can only be attained by creating financial incentives for manufacturers to produce secure technologies, and by legal frameworks that protect users and set standards for vendors.

In these study exercises, U.S. federal government officials suggested that safety standards for cybersecurity [similar to standards for automobiles] would be too difficult to create for both political and practical reasons, and that such standards would be unable to keep pace with the natural evolution of technology.

Law enforcement officials complained that holding bad actors accountable is frequently outside of their reach when attacks cross international borders, when attacks cannot be attributed to specific actors beyond a reasonable doubt, or when state sponsors are involved. Which is almost always.

So instead, of course, the participating government officials [whom we can fairly assume to be representative of a broader government attitude toward these issues] assert that it is the responsibility of the private sector to create secure devices and software. In response [of course], industry representatives claim that their primary [shareholder-driven] focus must be on creating products that users will buy. If users continue to buy the cheapest product rather than the most secure one, manufacturers will obviously not invest in security features that would raise product costs. Their response included examples of product lines where, in every case, the cheapest and least secure product dominates the market.

However, both government and manufacturers did agree on one thing. It’s the users’ fault.

They argue that it is impossible for either side [government or manufacturer] to police and/or force individuals and institutions to activate their security settings, apply patches regularly, or buy the more secure products. Re-stating the blindingly obvious, they reminded everyone that those who buy the cheapest product rather than the more secure product make themselves and everyone else vulnerable.

The counter-argument put forth by advocates for privacy rights, journalists, researchers of data breaches, and representatives from the insurance sector is that users should not be expected to understand the complex vulnerabilities they face. Users are often legally handcuffed by the end-user license agreements of the very companies blaming their own customers for not understanding how to act securely. That would be companies like Facebook, Google, Yahoo, and Ashley Madison.

While that is a convenient argument, it is hard for me to accept that here in the 21st Century, ignorance or indifference to security practices and the data privacy consequences resulting therefrom can be proffered as a legitimate excuse. Tom Cruise may claim to not know that one can view porn on-line, but unless you can prove that you’ve been living under a rock, it would be hard to claim that you’ve never heard of Cambridge Analytica or Russian meddling in elections.

An easy and uncontestable solution that all participants proposed is to improve cybersecurity literacy through public awareness campaigns and education. That’s like saying health care for all – nice idea – but, how does that happen and who pays for it?

Much closer to reality is the more difficult proposal that industry and nongovernmental organizations could partner to create cybersecurity standards and a certification program. One outcome would be the proposed seal of approval that could be affixed to a product and easily understood by individual or enterprise buyers who may lack technical knowledge. A law requiring that consumers be informed of a product's security at the point of sale would quickly create new financial incentives for manufacturers by giving consumers the opportunity to compare security ratings across similar products, much as ENERGY STAR does for energy efficiency or J.D. Power does for automobile ratings.

Getting this done would require unprecedented cooperation by all players, exceeding even the near-global war effort against the Nazis in WWII. And, even in that case, many opportunists did one thing with their left hand while doing another with their right. Participants additionally proposed the creation of a new “public trust for technology”: a nonprofit organization that would be established to create patches for software whose developers have gone bankrupt. “Immortal vulnerabilities” [those vulnerabilities that exist in perpetuity because no vendor maintains the code] could be eradicated by a new entity funded to address them.

How, and by whom, of course remain open questions.

And, we need to accept the reality that we are living in an age where [almost] our entire daily existence is dependent upon Internet and computing technologies. Consumers [users] are on the very brink of losing the ability to unplug when their basic needs, including the use of household appliances and medical devices, cannot be met without Internet connectivity along with the sharing of intimate user information. Soon, if the high priests of technology [and capital markets] have their way, we will be driving cars at high speeds down crowded highways controlled entirely by some cloud-based computing device reliant upon the Internet for connectivity. Oops. Please re-boot.

The study’s advocacy crowd pushed for the creation of a “users’ bill of rights” with attendant liability laws updated for the modern era. The blame for today’s cyber incidents is often assigned in the court of public opinion, and sentences are doled out as consequences that translate to the loss of public trust and market share; but, instead of improving security, these effects create powerful incentives to conceal breaches and cover up exposures and vulnerabilities. Yahoo. Uber. Equifax.

All of these options make sense in a Universe unlike our own, but the notion of accepting even partial responsibility is a step in the right direction. From there, it is not too far a bridge for consumers to become less intellectually lazy when it comes to activating their product’s security features, installing updates on time and considering security in addition to price at the point of purchase. Getting technology companies and federal and state governments to partner for the creation of reasonable cybersecurity standards and to make these standards easy to understand for consumers doesn’t seem like a big stretch. Not only is such a partnership not unprecedented, but we managed as a country to implement vehicle emission and safety standards that were costly to both manufacturers and consumers.

Why schools are not offering cybersecurity literacy classes just as they offer health and safety classes for teens and young adults is beyond me. I mean, who could possibly object?

But if the issue is left simply to the collective good intentions of users, enterprise buyers, vendors, manufacturers, and government officials, who all instinctively respond by playing the blame game, we will continue to follow this recipe for cybersecurity failure.

Information security may be a team sport, but someone needs to step up and lead.


Peter Purcell

Technology Executive: Public Sector | Financial Services | Business, Technology & Data Strategy | Enterprise Architecture

6 years

Add to standards and regulation the fact that, when times are good, standards and regulation are accused of "suppressing innovation". And when problems occur they were "insufficient". I do agree that it is a problem that needs attention and leadership. For leadership, we do have a community of CHIEF Information Security (/Privacy) Officers. The ones I know are as concerned about enabling the business / mission as they are protecting the "castle". BTW, today there is no single "castle". Processing to be guarded and data to be protected live everywhere! We have existing standards bodies. Academia. And yes, Government. What is needed is for them to collaborate together rather than fighting the "my standard / framework is better than yours" battle. But as Steve mentions - someone has to decide to lead us to that better "game".

More articles by Steve King, CISM, CISSP