Is Cybersecurity’s Social Revolution Waiting in RSA’s Wings?


This is the week that the cybersecurity clan gathers in San Francisco for the annual RSA Conference.


With close to 50,000 people in attendance, it’s a massive event that –– for four whirlwind days –– consumes the Moscone Center (and almost everything surrounding it). It also consumes the San Francisco #technology and cultural scene. Adversarial #machinelearning. Attack vectors. #SQL injections. Spear-phishing. Pig butchering. With #RSA, the conversation that fills coffee shops in Union Square is even wonkier (and to the casual passerby, decidedly less vegan) than usual.


There will be an abundance of #generativeAI panels, to be sure –– but at RSA, the obsession of the week will be how criminals and adversarial nations are going to try to commandeer #AI models to pillage, plunder, and destabilize businesses, governments, financial markets, and society as we know it. Heated debate will unfold over the best way for “good actors” to stop them. If you like this sort of cat-and-mouse gaming between attackers and defenders (with a dash of the apocalyptic thrown in), then RSA is an event that you simply can’t afford to miss.


Meanwhile, the catastrophizing minds at RSA don’t represent how most people view emerging technologies, nor the security risks and socio-economic externalities they present.


Businesses and consumers typically prefer to focus on the bright shiny object: the next amazing feature that a software package, AI-driven or otherwise, can deliver to the smartphone or the enterprise on demand. Most government agencies would prefer to devote their time and attention to the efficiencies and improved outcomes that digital public services can bring to what they do –– and leave the security challenges to some “operations folks in the basement” who are in a mindset probably closer to that of the Cybersecurity and Infrastructure Security Agency and National Security Agency than the agency they work for. Major U.S. banks spend hundreds of millions or billions on #cybersecurity each year (the amount varies depending on how you bound the category), but for the most part, tend to think and talk about that expense as a cost of doing business rather than a source of differentiating value.


If we are going to get meaningfully closer to realizing the deep potential of digital transformation in economy, society, and politics, this thinking needs to change.


It starts with the deadweight costs that cybersecurity imposes on modern economies. There are multiple ways to count this, but a reasonable estimate is that the average cost of a #data breach in the U.S. is today more than $10 million; and the overall cost to the global economy of #cybercrime is already in the trillions (and likely will reach ten trillion before the middle of the decade). That’s the same order of magnitude for costs to decarbonize the global economy.


And that doesn’t even touch the opportunity costs of what we don’t do today –– inaction that’s driven by a (valid) distrust in the security of the data that would enable more profound digital transformation. Consider the U.S. #healthcare system and its very partial, patchy, and awkward steps toward #digitization. Filled out a piece of paper at a doctor’s office lately? Multiply that by all the other patients who do the same, and it’s not surprising that 15 to 25% of healthcare spending in the U.S. is estimated to go toward administrative costs. A truly digital healthcare system would cut that in half, or possibly more.


And that’s to say nothing of what a well functioning Electronic Medical Record (#EMR) system could do for quality of patient care and health outcomes. If you’ve interacted with today’s EMRs like EPIC, then you know firsthand what it means to be working with technology that looks and feels like the late 1990s. It’s not only the cybersecurity concerns that have held back digital transformation in sectors like health care –– but security is a big part of the barrier. And it’s also the piece that really shouldn’t be a lightning rod for political polarization. Who is going to stand up and defend the right of cybercriminals and the intelligence agencies of hostile nations to steal –– or worse –– insert disinformation into your medical record? All of this is going to become more interesting, with still-higher stakes, as we try to assess and manage the security risks associated with new and emerging technologies like #LLMs.


Cybersecurity really is the master problem of the digital era. It’s also what we think of as an iconic Four Vector problem –– and where all four of the vectors (State, Society, Capital Markets, and the Organization) aren’t making adequate progress:

  • State: Governments can’t protect their own digital systems effectively, starting with the massive 2013 breach of the Office of Personnel Management and continuing to the present day.
  • Capital Markets: Investors have been struggling for more than a decade to price cyber risk systematically, but most buyers and sellers will admit that today’s cyber-insurance market is barely functional and not making a significant difference in a supervisory manner (the way home fire insurance has impacted positively how people build safer homes).
  • Organization: Firms are struggling to keep up with the range and velocity of attacks on their digital “crown jewels”, and it is really only in the last several years that cyber-risk has become a priority topic of discussion at board meetings. “How a CISO should talk to the board” is still the first question for many organizations’ cybersecurity programs; just imagine if the same were true for the CFO reporting on financial results.


But arguably in cybersecurity the least progress, and the most profound failures, are embedded in Society.


People continue to use digital technologies without much regard for their risks. Mindless downloads from suspicious sources. Scribbling down passwords on sticky notes. Sharing logins with friends. Typing social security numbers into unverified websites. Falling for clickbait and text scams without a second thought. For many users, cybersecurity is someone else’s problem to solve and someone else’s liability when things go wrong –– but certainly not theirs.


Is Society still waiting for the technical silver bullet that will, in imagination, make these behaviors safe? Are people utterly insensitive to the risks their behaviors pose to themselves –– and to their friends and families –– because legislation and regulation have mostly shielded them from direct financial liability (as they have also done for most firms)?


These are important questions about where digital security has gone wrong. Here’s the question firms and governments should be asking about how it can take a turn for the better, sooner: “Where is the social movement that will transform cybersecurity?”


If that notion seems fanciful, consider how the same question might have seemed even more fanciful to the climate change world twenty years ago. Society's demand for climate action was what pushed States, Capital #Markets, and Organizations to move faster –– more so than the other way around. The dynamic has fundamentally shifted, and the lessons to glean are right in front of us. Social movements around technology are often more powerful than the technology itself.


It’s never easy. #Climatechange is a complicated technology and economy problem that is deeply embedded in Society’s lifestyles and organizational practices. In that respect, too, it’s much like cybersecurity. Birthing and fostering the social movement that demands progress on digital security could very well become one of the most interesting public communication and mobilization challenges of the next few years.


Would you be surprised if the next Greta Thunberg led a major public protest outside of the Moscone Center? If a generation of schoolchildren took to the streets of San Francisco, concerned for adversarial AI’s threat to humanity? Holding hand-drawn signs that call for two-factor authentication?


It won’t happen this year, but it may not be far off. And it would be an important signal of a fundamentally different –– and likely a better –– era for the digital world.

