Encouraging people to think of cybersecurity as a shared responsibility is a recurrent theme in cybersecurity awareness programs. This probably strikes you as entirely reasonable if, like me, you think there is a clear need to establish norms of attitude and behavior in cyberspace, just as humans have done in meatspace.
At the top of this article I have pasted one of the official graphics from the organizers of the 2020 Cybersecurity Awareness Month in the US. Here are three of the suggested social media messages that go along with this image, with emphasis added by me:
- #CybersecurityAwarenessMonth emphasizes how we ALL play a part in protecting the internet. Learn more at staysafeonline.org/cybersecurity-awareness-month/
- Celebrate & #BeCyberSmart with us this #CybersecurityAwarenessMonth! We must work together, and all do our part to secure our connected world. #cybersecurity staysafeonline.org/cybersecurity-awareness-month/
- Keeping the digital world secure requires all of us to be proactive and diligent. Learn how you can #BeCyberSmart this #CybersecurityAwarenessMonth at staysafeonline.org/cybersecurity-awareness-month/
This message of shared responsibility has been stressed for many years. For example, here is a message from the 2014 campaign, known back then as National Cyber Security Awareness Month and referred to as NCSAM:
My purpose in writing about this today, Sunday, October 11, 2020, which is day 11 of cybersecurity awareness month, is to encourage us to reflect on the fact that this theme of shared responsibility is based on several assumptions about ethics, such as: a) most people have a well-developed sense of right and wrong, and b) they are willing to apply this to their actions in cyberspace.
Rather than delve into the validity of these assumptions—something I may do later in the month—today I just want to provide some historical perspective. To that end, please consider this statement:
During the last five years, hundreds of new security products have appeared, but hundreds of new threats have emerged. It is clear that ultimate success in the struggle to protect information depends not upon technology, but upon the development of appropriate ethical standards for the information age.
We have to insist on higher standards of conduct on all sides. That means everyone, from users, who tend to flaunt software-licensing agreements, to vendors, who tend to prefer quick bucks over commitment to the user community, to CEOs, who demand growth without budgets for security and training, to employees, who don't realize that their continued employment depends upon effective security.
Thankfully, over time, I have seen numerous examples of people and organizations committing to higher standards of conduct, and enforcing them; but regrettably it appears that the world at large is still falling woefully short. The reasons for this are numerous and undoubtedly complex, but part of the problem is the slowness of our response to what I went on to say in that chapter:
It also means teaching our kids to respect property and privacy rights in cyberspace, while providing them with educational and employment opportunities that keep them challenged (many of tomorrow's hackers will be kids whose curiosity about digital technology outpaced the meager facilities of underfunded or ill-managed schools).
Fortunately, the most recent five years has seen more attention paid to engaging young people in cybersecurity and hacking—in the best senses of that word. From established international events like DEFCON, to growing regional events like CORNCON, there has been a growing effort to encourage children to consider the implications of technology and the ethics of messing about with it. Young people can now participate in cybersecurity competitions like the US national CyberPatriot program in the US, and also a range of regional programs (see these two videos on Mayor's Cyber Cup programs and how they are empowering a diverse group of young people).
What I did not grasp clearly enough back in 1995, was the role of governments in addressing the ethics of digital technology and the many ills inherent in the abuse of digital technology. Here's what I did say then about the need for higher standards of conduct:
[..it] means governments and corporations setting aside the cynical exploitation of the marketplace and public opinion so that bad actions are once again seen to have bad consequences, from the top down.
Twenty-five years ago I was concerned that the abuse of technology was not being taken seriously enough, with governments failing to appropriately prosecute computer intrusions and theft of intellectual property, even as they surreptitiously adopted these tactics for government purposes. At the same time, digital products were being marketed as though they could not possibly have any downsides at all.
While I was able to imagine things going badly if we stayed on that course, and have constantly warned of the need to change course, I did not think we would so quickly arrive at a point where a man aspiring to be President of the United States could not only get away with publicly urging foreign actors to criminally abuse the data systems of US citizens, but he would actually get elected on the back of them doing so.
So, in addition to being aware of what we can do to increase the security of information systems, we need to do what we can to ensure most people have a well-developed sense of right and wrong, and that they are willing to apply this to their actions in cyberspace.
#BeCyberSmart
* The book is still listed for sale on Amazon, but I regained the copyright some years ago to make a free PDF version available, in three parts, on this blog—the links are near the top right of the page you are now reading—mainly as an historical artifact because some of the technology discussed in the book is no longer in use.
No comments:
Post a Comment