Estimated Reading Time: 4 minutes
Being someone who’s spent the better part of his InfoSec career in the greater NYC area, one tends to become acutely aware of the millions of people who surround them walking the city streets. Much like the scene in Cryptonomicon, when our protagonist Lawrence Waterhouse used the up-and-down motion of people walking the streets of London to generate sine wave graphs, watching the masses move in their seemingly random manner is at times, chaotic, other times, hypnotic. Add to that what seems to be a genetic obsession with all things security, you tend to become an almost frenetic people watcher when in social situations, much like what happened this week during the RSA conference.
I was sitting at a surprisingly quiet little place for during lunch one afternoon when I overheard a couple of gentlemen sitting next to me complaining about the ‘onslaught of badges and backpacks this week’. One of them wondered what ‘RSA’ stood for, which the other replied ‘It’s one of those security and hacker conferences you hear about’, which garnered a muffled chuckle from me. The two proceeded to have a fairly humorous discussion about how ‘all this money is being spent on securing stuff that’s already out there’ and that ‘you have to wonder about the job security of these people if everything is already stolen’
That last comment did not elicit a chuckle, but rather got me wondering.
Is this the opinion of most people today? We’ve always battled the proverbial ‘bad guys’ to protect our customers, clients, and businesses, but to what ends? Breaches are reported almost daily now, in both the public and private sectors, causing the average person to truly wonder ‘If the government can’t protect their own computers, how can the companies I use possibly do it’? Does the average person really think ‘everything is already stolen’? Has the ongoing barrage of media misinformation and repeated receipt of credit-monitoring letters quietly desensitized the average person’s opinion about the potential catastrophic potential of today’s insecure government and business infrastructure?
Or, conversely, have we collectively gotten so drunk on our own wine that we can’t see the fact that we’re not just fighting a losing battle, but one that’s already long lost?
Being in the role of a CISO provides access to information, both public and private, that the general population rarely has access to. Much like we trust our mighty military to protect us without wanting to know the intimate details of how they do it, the average citizen – or employee – really doesn’t care how we do what we do – as long as it doesn’t impact them. Want to throw in a new fancy-schmancy tool to detect some obscure attack vector? Great, as long as the end user doesn’t need to change how they do their job every day. Need to add strong authentication to a business application which requires the users to open-app-enter-pin-type-in-token and you’ll have a revolt.
This is really no different for the general population. Have you ever tried to explain to someone why they now need to get a text message and type in a six digit code into the browser in order to access their healthcare records today, when yesterday, the password they use for all of their accounts worked just fine? Have any of my InfoSec colleagues had a discussion around the Apple/FBI debate with their non-technical friends or family? Do they understand the potential long term impact of putting backdoors in everything, or do they just frame the discussion in, ‘Well, if it can stop someone from doing something bad, what’s the big deal’?
While the two gentlemen I overheard were obviously being a bit snarky, it really does make you wonder. Do they not appreciate that every single thing they rely on – electrical and gas supplies to their homes, clean water delivered to their taps, the financial infrastructure they so count on to conduct business, are all highly dependent on technology to achieve their end means – and if it relies on technology, it is susceptible to attack. Not the type of attack that would result in their name and email being disclosed, but an attack that could fundamentally disrupt their entire way of life.
No – they did not understand that fine point. And neither do the vast majority of people out there.
While I realize that comes as no surprise to most of the people who’ll read this, I also firmly believe that it is collectively up to us to fix the problem. This isn’t merely something a media blitz can fix. We somehow need to get the average person to care about something they fundamentally have no understanding of – no appreciation of – and place little value on. The recent attack on the Ukraine power grid is far more of a frightening story than the back and forth of the Apple/FBI legal ramblings, but very few mainstream media outlets have covered it. After all, it didn’t affect us personally, so who cares, right? And let’s be honest “Big Brother” wanting backdoor access to our private conversations is irrelevant if there is no electricity to charge the phones and run the cell towers.
In retrospect, while I don’t believe we are drunk on our own insight, and I certainly do not feel we’re losing the battle, we do need to occasionally take a step back from fighting the good fight and get a bit of perspective of the world around us. Collectively, we need take every opportunity to educate those outside of the industry to the real technology issues we face, and the impact that ignoring them will have.
And while I admittedly missed the opportunity last week, the next time I run into a couple of guys like that, I’ll be sure to have a discussion with them.
Originally posted on SecurityCurrent.com.
Copyright © 2002-2020 John Masserini. All rights reserved.