Horse Sense #135

Dirty Secrets of Computer Security

I heard a former FBI Cyber Division Assistant Director who now manages cyber security for large corporations speak with hundreds of computer solution providers at an ASCII Group Summit. These solution providers currently manage the security of thousands of small to medium sized businesses and put enormous amounts of effort into keeping their clients secure. The picture that emerged was scary and prompted me to consider why our cyber security is lacking.

Small Businesses Are Big Targets

Cyber criminals attack small businesses more than most people think for many reasons. First, there are a lot of them. There are only a few large businesses, but millions of small ones. Second, small businesses have fewer people, business, and technological resources to mount a defense than larger organizations. Third, criminals who want to attack large businesses often attack a small business first. It can be easier to break into a trusted smaller organization with weaker defenses and launch the attack on the large organization from there.

The risk/reward ratio makes small businesses very attractive cyber crime targets. The chance of being discovered is smaller than with a large business. Even if an attacker is discovered, it may not be worth the effort for either the company or the authorities to prosecute them. Criminals have found that attacking small businesses is very lucrative.

Your Government is Not All Powerful--In Fact, It is Laughably Overmatched

Because cyber crime is so pervasive, the Secret Service or FBI may not pursue criminals unless losses are in the millions of dollars. They might refer you to local and State police, but the police tend to have few trained people and little ability to follow up on financial losses or even to chase down cyber criminals who steal or harm people "in person." Even when criminals are caught, the prosecution may be difficult and expensive and the penalties are often ludicrously light for financial crimes.

Governments tend to do better when they have law, public support, procedure, training, and funding to deal with issues. Very few laws even recognize that the Internet exists. It is very difficult and expensive to train people in government to handle cyber security and forensics. The techniques and technology change at an extremely rapid pace. Courts and juries have problems understanding what is going on. Naturally, police and prosecutors are going to be much more interested in the more easily handled crimes against persons, but they also realize that cyber crime is now part of the landscape of organized crime, terrorism, and even one-on-one crimes against others.

Why is it hard for governments to attack cyber criminality? One reason is we have a "blame the victim" or "caveat emptor" mentality when it comes to finances. The buyer or victim of a financial crime is thought responsible for their losses. We get excited if physical violence is threatened. Yet, who harms us more? Is it the kid who threatens to stab someone and takes $200, or the cyber criminal who tanks multiple small or large businesses with a financial crime netting millions? In the second case, the crime is bigger, longer lasting, and involves more people and hardship. However, the robber is more likely to be caught, prosecuted, and given much more time in jail. Our understanding of risk is poor. We are not all that likely to be robbed at gunpoint, but we are exceptionally likely to have our privacy and even our finances compromised in ways that will cause us time, effort, money, and grief by a cyber criminal. But....that's our fault for not protecting ourselves better, right?

People want their government to leave them alone, yet they also think governments have nearly infinite power and abilities to keep them secure. Our governments are simply incapable of providing us the security we desire. The truth is that the real power in government has always been its people.

Privacy is for Corporations, Not Our Government

Governments want corporations to tell everyone when they have been breached and provide them with all kinds of information. They are willing to club corporations with a big stick if they do not behave responsibly. However, it is all stick and almost no carrot. Government demands information and penalizes those who do not follow its rules, but gives precious little aid or information back.

Governments do not have to play by the same rules they force upon corporations. While we have very little right to privacy here in the US, there are even fewer privacy laws that apply to governments. Governments do not have a financial incentive like corporations do to keep sensitive data private. Governments are usually exempt from the data breach and other laws that apply to corporations. Do not imagine that your information is better protected by government institutions. It is quite likely that it is not. And, since governments outsource a lot of what they do to the lowest bidder and then shift those bidders around from year to year....

Although a government normally paints itself as "one of the good guys," once you give information to a government, they can pretty much do anything they want with it. Trusting governments with sensitive information may be required by law, but do not plan on that information being well protected. The standard rule applies: "No one is as concerned about your personal and corporate secrets as you are," even your government.

Computer Security Professionals Can Do Little (Without Our Help)

Our speaker had a lot of cyber security and forensics knowledge and experience. These people are *rare.* If your security depends on a very small number of people keeping you safe, they will have very limited success. Sure, there are lots of tools out there to help you stay secure, but....will people use them correctly? Although everyone understands the need for security and wants to feel secure, few are willing to pay for what is needed, commit the resources that are needed over the long term, do anything about it, learn to do it right, or change their habits. This is not just true of cyber security, but security in general.

We Cannot Fix Our Cyber Security Problem!--So We Need Cyber Safety

Feeling scared and defeated? Appropriate fear is good for your long term health, but you need not feel defeated, because the real answer to the problems above is not where you think it is.

With determined enemies who have great financial and other incentives to attack us, what can we do? Our first problem is that we talk about security. Security is at best boring and meaningless to us. More likely, it is a pain in the butt we want to avoid. Security is not personal. It is something someone else or a technology needs to do so we can feel "safe." Bingo! Safe is the key word!

In computer technician terms, we have a PICNIC problem: Problem In Chair, Not In Computer. We want to make the computer or someone else responsible and not worry about it ourselves. We do not want to pay for or do anything ourselves while we have someone else take all the responsibility. Does that sound wise to you?

So, how do we fix our computer security problems? We need to stop talking and thinking about computer security and start talking and thinking about computer *safety.* Safety is something you personally take ownership of. It is something you do over the long term. You cannot take a magic pill for it. It is something that requires constant vigilance, even though you know that you cannot be 100% safe. We associate security with lots of negatives. It is onerous, intrusive, imposed, and inconvenient. Safety is positive. It is easy, cooperative, and part of the way we naturally should do things. A failure in security can easily result in blaming the victim or blaming inadequate attention by someone in charge of security. A safety failure is everybody's problem. Blame is not a big part of safety. If a failure occurs, the important thing is to learn from it, go forward, and correct the issues you see as best you can. Security makes one think of fear and damage. Safety involves analyzing people and what they do. It strives to lower all the risks and prioritizes areas where there is the most real risk of harm. Thinking of safety implies that if someone is doing something safely, they need to do it that way to protect themselves and others, and it is a personal commitment they cannot cede to someone else. It also recognizes that they accept some risk for their behavior, whereas in a security-centric world people think they can outsource their security to someone else.

Let us start reframing our security conversations and instead talk about what we really want, safety. We have had it backwards for a long time and it will take a lot of time and effort to reprogram the humans who use computers, but it will be worth it.

Do not blame yourself about having had it wrong up to now. We are Americans. We do a lot of things backwards. We drive on parkways and park on driveways. We talk all the time about backup, but backup by itself matters not at all; what really matters is getting the data back the way you need it (restore).

When it comes to our government, do not assume that they will keep us safe. They can help us, but safety is a personal issue. We need to look for ways that we and our governments can work together to promote safety rather than just demand compliance with security. Instead, we should promote and demand safety efforts while avoiding less functional efforts targeted towards security and compliance.

[I was once a safety officer at CalTech's Chemistry department. We worked with a lot of potentially dangerous chemicals and equipment. Safety was not optional for anyone. Full professors would get ejected from labs for not wearing eye protection. But, that did not translate well to government thinking. When I came back to live in Fairfax County, I got asked to work on the Local Emergency Planning Committee (LEPC). They wanted to spend enormous amounts of time, effort and money collecting information on who had what chemicals in the County due to a federal compliance mandate. However, they refused to focus on how to prevent or minimize the disasters and promote chemical safety in the first place. Compliance gave the LEPC members a false sense of security and no real improvement in safety. As the only chemist on the committee, I felt I could not put my stamp of approval on such a short-sighted process and would not sign off on their efforts. I hope my safety ideas do better this time!]

"We have met the enemy and he is us." (Walt Kelly/Pogo) The only way we are going to do well in this new cyber age is if we adjust our own way of thinking and insist on our own safety instead of passively believing someone can magically make us safe. Perhaps if we focus on safety, we can then empower those who want to keep us safer with authority as well as responsibility. We can better our security based on shared and publicized experience rather than trying to hide our security failures. We can maintain consistent funding and management focus on safety. We can make the effort to train ourselves and those around us to stay safe. Perhaps we can even maintain a lasting and evolving commitment to safety that we have never been able to achieve when we just thought about security.

Security is often seen as something involving a lack of trust. Instead, we need to flip the coin and concentrate on safety. We must trust in one another to improve our safety. We must trust ourselves, our professionals, other businesses, and even our governments to help us if we are to live a safer cyber (and non-cyber) life. In looking to be secure, we will die lonely and alone, but in looking to be safe, we will prosper together.

I recommend that cyber security professionals rebrand themselves. Like me, tell people you are a cyber safety officer. With "safety" in your title, you send the message you are there to help and assist, but it is the responsibility of each and every person you come in contact with to do what it takes to stay safe for themselves (with your help).

©2015 Tony Stirk, Iron Horse