Too often, the conversation on cybersecurity is predicated on fear, uncertainty and doubt (FUD): amplifying the latest news of how good hackers are getting, setting off alarm bells when it comes to vulnerabilities.
Headlines only highlight the growing sophistication of hackers and introduce readers to terms like “botnet” and “Internet of Things” often without the proper context. The danger in this, especially with so much noise about so many well-publicized attacks, is that people become desensitized and lax about cybersecurity in general. That creates a herd mentality through which people will grow numb and feel helpless — what else can one feel about the recent breach at Yahoo that left 500 million users potentially compromised?
Meanwhile, our old ways of thinking about cybersecurity — using tools like checklists and best practices and clinging to outmoded technology such as traditional antivirus — are making us complacent in the face of attackers that have spent the last decade evolving.
Government fiefdoms aren’t capable of mounting an effective defense against threats that cut across borders and jurisdictions. In addition, cyber threats now come in many forms. Attackers can infiltrate systems and go undetected for long periods — the average is seven months — while ransomware can cause immediate damage that remediation services do nothing to help. Physical systems and critical infrastructures are so wholly dependent on digital controls that they are equally susceptible to cyberattacks. Governments are trying to develop legislation while law enforcement agencies are trying to protect their people against a threat that transcends sovereignty.
Are we really communicating?
How do our traditional forums, like cybersecurity conferences, help in this situation? We need a new kind of dialogue, one that takes into account how communication itself has evolved into something unprecedented.
We began several thousand years ago with one-to-one, or direct, communication. Over time, the printed word and broadcasting turned it into single sources disseminating to networks of consumers. Now, the internet enables any number of people to communicate with any other number of people anywhere in the world in real time.
As a society, we are interconnected and interdependent. But we have also opened up new means of attack, via the automatically generated spools of data produced by sensors that form the Internet of Things. Think about it: this is the first time in human history that machines, not humans, gather and transmit information on a mass scale. Yet these advances also allow for equally devastating abuse and damage.
Here’s how we can make this dialogue truly productive:
1: Let’s get real about being vulnerable. We can no longer afford to be embarrassed about security breaches and try to avoid discussion of them. Internally, organizations cannot indulge in a culture of blame when security is compromised. The problem must be quickly communicated up the chain while fostering a culture of prevention, not blame. This goes for business and industry collaborations as well as international information sharing. Security breaches are embarrassing on some level, but simply pretending to take care of them or finding a scapegoat is a dangerous precedent.
2: Let’s evaluate cybersecurity like we would other forms of risk. Business executives and boards of directors are in place to manage risk at the companies they govern, and cybersecurity can and should be thought of as another form of risk, like having property insurance. We need to better identify, assess, quantify, mitigate or transfer that risk, just like anything else. We need to move the ball forward instead of just pointing out problems. That’s why we need a multistakeholder conference on this issue.
3: Let’s talk about cybersecurity as a business enabler. Want to leave behind the FUD conversation? How about we look at all of the ways security by design can make businesses, governments and individuals more productive? How about we agree that it isn’t just an IT issue, and definitely not just a “cost center”? We will start being more productive — and adopt a prevention-based approach to cybersecurity — when we look beyond what technology to invest in and understand the positive effects of why we’re investing in it.
Japan is an important and timely stage for the cybersecurity talks that were held here last week. Tokyo will host the Olympic and Paralympic Games in 2020 and it is bolstering physical security and cybersecurity ahead of this historic event. Observers worldwide are looking to Japan to take a lead in cybersecurity because of its high-tech prowess, the cachet and reliability of its “Cool Japan” brand, and because it’s at the forefront of population aging, a phenomenon that many other countries will experience. It’s also high time that Japan becomes more tech-savvy and innovative. The International Monetary Fund and many other global research entities have pointed out that the Japanese economy’s productivity has declined and is losing out to global competition, suggesting that slow ICT utilization is a cause. Japan must act now and take the lead or face irreversible losses in the future.
In an increasingly virtual world, it’s easy to lose sight of the fact that human networks, relationships and trust are more important than ever. Those bonds can be sparked in face-to-face discussions. Meanwhile, we can’t allow ourselves to be passive when our opponents are actively engaged and financially motivated. Since we have such a determined foe, we need to challenge each other on the stage. We need to change from thinking defensively to thinking proactively on ICT.