How we talk about and address cybersecurity

Every week, it seems, we hear of yet another cybersecurity vulnerability. Last week it was “FREAK,” a flaw that has been afflicting Apple and Google device users for almost 10 years. Long story short: this flaw enables hackers to take advantage of an older and weaker encryption in browsers, which then allows them to “steal passwords and other personal information and potentially launch a broader attack on the Websites themselves by taking over elements on a page, such as a Facebook ‘Like’ button.” [1]

What I have begun to realize though is that I always shrug off these articles. I acknowledge that it’s unfortunate for whoever has been hacked but I move on quickly because I don’t believe it affects me. And even when I know that my information is being tracked, a big part of me thinks, “Who cares? What are people going to do with this anyway?” And I don’t think I’m alone. I think many Americans view cybersecurity this way, which is a pretty big problem. If the American people don’t care or understand these risks, how are we going to get them to take precautions to protect their data or move the issue forward on their own?

I think this provides a great opportunity for the tech industry and the government to work together. We need to come up with a way to explain why cybersecurity is such an important issue and how it impacts every single American. Why should we care? What are the actual implications of these cyber attacks?

Another thing I’ve thought about when reading these cybersecurity articles is the risk in announcing these vulnerabilities before they are fixed, which seems to be the case in many of these situations – the media points out the flaws before they are addressed by the company. For example, the first line of the Washington Post article about the FREAK flaw is this:

“Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including, and”

Another example was a recent article about the Government Accountability Office’s revelation that the Federal Aviation Administration “has fallen short in its efforts to protect the national air traffic control system from terrorists or others who might try to hack into the computers used to direct planes in flight.” [3]

While I understand the need for the public to know about security concerns that could impact them, I also worry about widely announcing these flaws and alerting potential attackers to their existence. On the opposite side of the spectrum, though, there’s also the potential benefit of crowdsourcing: revealing these flaws in the hope of receiving a flow of potential solutions to fix them. What’s the proper balance here? How do we manage notifying the public of risks without revealing them to hackers?

While the private sector has been hit the hardest by cybersecurity problems, the government is not exempt. According to a recent Brookings Institution report, “[b]y late 2014, the Privacy Rights Clearinghouse (which maintains a list of all publicly reported data breaches) recorded only 27 incidents involving government entitles [sic].” [4] And state governments are even worse off. The report lists only two states (Idaho and Mississippi) as having outstanding cybersecurity plans, while most states fell into a category of “aware but lacking in details.”

The point is, cybersecurity affects all of us and from many different angles, from the data we give to corporations to the data we provide to state and federal governments. How we talk about these threats is important. We need the public to care and to be informed, but we also need to be sure that in publicizing these risks, we’re not opening the door for hackers to take advantage of them. There doesn’t seem to be an easy answer to our cybersecurity woes, and that’s probably the reason Congress is struggling to come up with sound legislation on the issue, despite a rare agreement from both sides that cybersecurity is a priority. But this difficulty doesn’t mean we should stop addressing our cybersecurity problems. In fact, I believe we need to do so in a way that combines feedback from both the private and public sector. Bringing together these two groups allows us to have a diverse set of viewpoints that, when combined, may be able to come up with a perfect solution.