Is Risk Avoidance the Key?

My answer to this question is a resounding “yes.” But I don’t think that is the general view of cybersecurity professionals. After all, if business, government and other organizations pursued such a course, what would remain for cybersecurity folks to do? If you avoid the risk, then you don’t need professionals and tools to prevent bad stuff from happening.

I was very surprised to read a quote from Dr. Barbara Simons, co-author of the book “Private Ballots: Will Your Vote Count,” as follows:

“This [a DDoS attack] is a strong argument for why we should not allow voters to send their voted ballots over the internet.”

The above quote was included in a New York Times front-page article by Nicole Perlroth, “New Weapons Used in Attack on the Internet,” which appeared in the October 22, 2016 issue. The article’s primary subject was the DDoS attack on DNS firm Dyn that had slowed down large segments of the Internet for several periods during the previous day. However, the concern of elections officials was voiced with respect to the potential impact of a DDoS attack on citizens’ ability to vote in the general election since “Thirty-one states and the District of Columbia allow [vote over the internet].”

Bravo for Dr. Simons—she gets it! It’s surprising to me how many don’t get it, especially those pushing out technology frontiers and those responsible for setting standards. The DDoS attack described in the article appears to have emanated from “…hundreds of thousands of internet-connected devices like cameras, baby monitors and home routers that have been infected …” There have been so many warnings that this might happen as the Internet of Things explodes on the scene. It is embarrassing and horrifying that nothing significant has yet been done about it, particularly by regulatory agencies and lawmakers. Did they really think that nothing bad would happen? Dream on.

In an environment where technologies proliferate uncontrolled, there may be only one effective answer, and that answer is “avoidance.” Some are beginning to get it with respect to emails following WikiLeaks’ relentless release of hundreds of thousands of emails from the accounts of politicians, campaign workers, etc. We used to say that you should put nothing in an email (or voicemail, for that matter) that you wouldn’t write on a postcard, or wouldn’t want to have appear on the front page of a major newspaper or website. Just pick up the phone or arrange a face-to-face meeting if you have something important to discuss that you wish to keep private or secret, and if you want to transmit a document, use fax or mail (express or snail). Yes, phone lines can be tapped and conversations can be surreptitiously recorded, but not on the same enormous scale as has occurred (and will continue to occur) with email exfiltration. It takes much more effort to tap phone lines or access others’ personal voicemails than to harvest millions of emails and scan them.
