At Last! A Reporter Who Understands Cybersecurity

We are bombarded with TV news, newspaper articles, blogs, comments, and the like, about cybersecurity. Most reporters seem to be in awe of the attackers (sophisticated criminals and nation states, for the most part) and sympathetic to the victims. After all, so it goes, the attackers are so clever that no defender could reasonably be expected to protect themselves against them. Such nonsense!

Now, among the very few who actually seem to understand the situation, Ron Lieber wrote a “Your Money” column in the business section of the October 17, 2015 New York Times with the title “Identity Chaos, Courtesy of Your Federal Government.” The title is, in my view, understated, so let me first present you with a quote from the article:

“The year 2015 may set a new standard for the shoulder-shrugging after identity thefts and data breaches that ought to provoke outrage.

Captains of industry and the Secret Service have long since admitted to our elected representatives that they are outgunned, outmanned, outnumbered and outplanned.

But instead of the guardians of our personal data making an all-out stand, we find that the very entities that are supposed to protect us are themselves vulnerable and sloppy …”

Lieber then goes on to describe “the most bizarre case of identity madness that I have ever heard of” regarding an unfortunate lady whose identity was confused with that of another person of the same name by government bureaucrats.

But let’s return to the first point … the shoulder-shrugging. I first wrote about that in my July 11, 2011 BlogInfoSec column “The Hackers Became Too Smart.” There I quote Michael Fox of ICR Inc. who said “Breaches are increasingly viewed less as a weakness on the part of the company and more as the sophistication and relentlessness on the part of the hackers.” I also refer to the claim by Heartland Payments, three years prior, that they should be excused for their massive data breach because of the sophistication of the hackers.

So here we are, seven years later, and a brave NYT reporter has come out with a statement essentially rebuking public and private entities for their “it’s not our fault, they’re too smart for us” attitude. 2015 may indeed be the year of the shoulder-shrug, but it has been a long time coming.

What’s particularly disturbing is that most data breaches and malware infusions (including VW’s latest transgression) are discovered by someone other than the guardians of our privacy and safety. That’s atrocious. It shows the extent of the inadequacy of the security and safety engineering professions at detecting incursions, fraud and criminality. It doesn’t really matter that executives claim that they are spending (collectively) billions of dollars on cybersecurity if the number and scope of reported breaches are growing exponentially, and they don’t even know when they have been successfully breached – it takes others to inform them.

The holes in the dikes are proliferating and we’re running out of thumbs for little boys to bravely stick into holes. We need new dikes to prevent the ultimate flood. But that would be really expensive. It’s much cheaper to shrug one’s shoulders, isn’t it?
