When it comes right down to it, we are about as bad at cybersecurity as Twitter’s CFO is at Twitter or North Korea is at coming up with new political slogans to commemorate its 70th anniversary. Some of the highlights from North Korea’s 310 (!) new slogans (no joke) include:
“Play sports games in an offensive way!” (Eh. Like Ndamukong Suh?)
“Let the strong wind of fish farming blow across the country!” (Did anyone consult the tourism and marketing folks on this one? Note to self: buy Febreze stock.)
“Let us turn the whole country into a socialist fairyland!” (Simply impossible. Fairies only live in monarchies.)
“Let us turn ours into a country of mushrooms!” (What are you, Smurfs?)
Look at our track record. We barely survived what we thought were one-of-a-kind data breaches at Target and Home Depot, when along comes the Sony hack to wreck the release of a major motion picture, cost Sony’s co-chair her job, and force us to watch “The Interview” when we didn’t really want to do that in the first place. Then we get Anthem, which may be the largest breach of personal information in history. Hacking and acquiring medical information is a lot more lucrative than hacking credit card information, and the health industry lags behind the retail sector in protecting its information. In the cybersecurity world, you see, we want to make sure that our criminals know exactly what vulnerabilities to exploit and which operating systems to use. We’re super nice that way.
(Speaking of cybercriminals, the media has a real problem when it comes to providing the right graphic to go with cybercrime articles. According to the Miami Herald, for example, a cybercriminal dances through a meadow in a black mask wielding a butterfly net to catch floating ones and zeroes. According to the Washington Post, a cybercriminal must sit at a computer in the dark while wearing a hoodie. Google’s consensus is that cybercriminals dress in all black and wear ski masks at their desks. And I thought that one of the advantages of being a cybercriminal was not having to dress up. Silly me.)
Anyway, it’s not like just increasing spending on cybersecurity is helping, either. Take the beleaguered U.S. Department of Veteran’s Affairs, for example, which last year “spent $11,700 per employee on IT, or twice the average amount of the private sector,” yet “failed its annual cyber-security audit for the 16th consecutive year.”
Let that sink in for a moment. Sixteen consecutive years. sixteen. Seriously. The VA was failing at cybersecurity when Will Smith was still Getting’ Jiggy Wit It. Not even the Washington Redskins have failed for sixteen consecutive years. (Here’s something terrific: The team just dared to ask its [remaining] fans what they would like to see in a new stadium. In a shocking turn of events, “a winning team” was not listed as an option.)
And yet we continue to cede information to third parties that strips away our most basic privacy protections. The information that we convey without considering the consequences is incredible: usernames, passwords, pictures, status updates, relationship information, moods, locations, vacation plans, and credit card numbers, to name just a handful. But we continue to add to the information out there without shoring up protections first. It’s as if we keep buying brand new flat screen televisions for a house with no back door. Think of the examples:
- Studies have shown that Facebook may know you better than your friends or family because it is able to build a predictive model using your “likes.” According to the study, “the model only needed to analyze 10 likes to outperform a person’s coworker; it needed 70 likes to do better than that person’s friend or roommate, and 150 likes to do better than a parent or sibling.”
- Tesla is going to start producing a battery to power your home. Tesla’s products are generally connected to the Internet so that Tesla can regularly update its products with better software. It seems fair to infer that a home-use battery would share information about power-consumption, which is a pretty good roadmap to when occupants are home and when they are away.
- Speaking of televisions, wouldn’t it be wild if, while you watched television, your television watched you? Wait, it can?
- How about your car? OnStar has an app that can remote start your car, send diagnostics, and lock/unlock your doors. Many new cars are prewired for microphones and Bluetooth. Do you know what your car is saying about you?
Because we are in an era where we regularly trade privacy for convenience, cybercriminals are finding targets in every sector. We make it easy for them. Remember when a person had to interact with another person to catch an STD? Heck, now you can catch a virus just by clicking on an dating application. Who knew that Rockwell was prophetic?
Our convenience-for-privacy trade is why we are so reliant on groupthink in combatting cyber threats. From Silicon Valley crowdsourcing efforts, to public-private information sharing, to the creation of a Cyber Threat Intelligence Integration Center, the latest push is to make cyber threats so transparent that even Brian Williams can’t misremember them. Why? Because knowledge is power, and shared knowledge is even more powerful. If cybercriminals pool information together – and they do! – shouldn’t we?
As a prosecutor in a securities fraud case, I once had a witness testify that the bad guy treated him and his fellow investors like “mushrooms,” i.e., he “kept them in the dark and fed them manure.” Okay, he didn’t actually say “manure,” but this is a family blog (if only for kids with insomnia). But we are all mushrooms when it comes to data privacy. Think about it. Do you think about how your information is protected when you swipe your credit card? Do you know how your doctor’s office secures your personal health history? Or are you in the dark?
So maybe “a country of mushrooms” isn’t the worst slogan in the world, if it helps us pay attention to the privacy that we cede and the cyber threats that we ignore.
It sure beats a strong wind of fish farming.