Time and time again we hear people lament about the impact cybercrime has on our businesses, our individual lives, the economy, and on society. Report after report show the impact cybercrime is having on our economies, with some estimating the global cost of cybercrime is approaching $3 trillion per year. As each of these reports is published, there is the usual handwringing over why the state of cybersecurity is so bad.
We blame companies for not protecting our personal data properly, we blame the vendors for producing ineffective solutions that do not address our problems properly, we blame standards bodies for developing standards and frameworks that address only the basic elements of security, we blame users for falling victim to phishing emails and other scams, we blame law enforcement for lack of action and/or capability in dealing with cybercriminals, we blame academia for not training students in the proper skills or not conducting research in the proper areas, and finally, we blame criminals for conducting these attacks.
There is one group that I often see missing from all of the above finger pointing and arguably this group has the most influence in how we improve cybersecurity and how we tackle cybercrime: the governments of each of our countries. For the past number of decades, governments have failed to recognize or even acknowledge that cybersecurity is an important issue. The collective attitude has been that cybercrime or cyberattacks were not an issue that governments should be concerned with and that individuals and companies should protect themselves.
It is this short-sightedness that has led us to the poor state of cybersecurity we now face. Lack of leadership and investment into cybersecurity by governments has resulted in many law enforcement agencies lacking the appropriate capabilities and resources available to tackle cybercrime. This lack of leadership has also resulted in many government systems being less secure than they should be.
It is said “nature abhors a vacuum” and so, too, does leadership. Without leadership from our governments, the private sector has stepped into the role of defining what good security practice is and we now have countless standards all competing for our attention. Due to the lack of resources and skilled staff, law enforcement agencies have had to look to private sector companies to bolster their capabilities. We regularly see security vendors working with law enforcement to take down botnets and disrupt online criminal activity. These services are offered to augment the technical capabilities of law enforcement and are often provided at no cost.
The value for the security companies is the media attention they get for doing this work. Law enforcement agencies welcome the help, but this practice highlights the severe lack of funding by governments in this area. When the marketing budget a security vendor can spend on its involvement in botnet takedowns exceeds the annual budget that the law enforcement cybercrime units receive, there is something seriously wrong with our priorities.
In effect, private sector companies are the ones who are driving the cybersecurity agenda and not governments. The danger is that the cybersecurity agenda will be driven by the goals of the private sector companies involved, which in many cases do not align with the greater requirements of society. We have seen companies create a niche in the market for their services and then campaign that their services should be government policy. The push by a number of companies promoting hacking back as a valid approach to deal with a cyberattack is a good example of this.
But the biggest concern is the practice by security vendors to quickly attribute attacks to certain nation states based only on the information those private companies hold. As a result, we see press release after press release saying that certain countries are the source of major attacks, often with only the flimsiest pieces of evidence to support those claims. Time after time we have seen so-called facts and evidence from vendor reports being used to support political arguments, and then later witnessed that evidence being refuted.
This constant flow of “news” stories, no doubt supported by political lobbying on behalf of those cybersecurity companies, runs the risk of shaping public and political opinion on how government foreign and domestic policy should be formed in relation to cyberattacks. When government policy in relation to cyber security is based on marketing reports and press releases from private sector cybersecurity firms, we are opening ourselves to major problems in the future.
As security professionals, let’s make sure that when we see companies making their marketing propaganda part of the political agenda we call them out on their hype with fact-based arguments.
As private citizens, let’s make sure we lobby our politicians to take cybersecurity seriously and highlight to them where the real issues lie.
It’s time our governments focused their priorities on developing better policies regarding cybersecurity, so let’s make sure they develop those policies based on the greater needs of society and not the marketing requirements of private companies.