You’ve heard it before: The cybersecurity world has a problem, or the world has a cybersecurity problem. From the Target and Sony hacks to the Office of Personnel Management breach that compromised data on up to 25 million Americans earlier this year, attacks on both public and private networks have been on the rise in the last several years. Congress, the private sector, and the security research community are trying to find a solution, but, with all due respect, some people are just flat-out missing the proverbial rub.
Much of the debate around cybersecurity, particularly in Congress, would lead you to believe that we face technical challenges that are nearly insurmountable, and that our best bet is to institute some form of better information sharing between the government and the private sector to come up with better guidelines for software vulnerability disclosure…
A report from Verizon earlier this year illuminates the alarming fact that 99.9 percent of cyber incidents involve known, and often patchable, software vulnerabilities. If we know what the problem is, what are the cyber-baddies really exploiting?
Despite the narrative, the crux of our current cyber problem is largely not technical at all, but instead comes down to organizational behavior. Bad security practices and poor investment in OPM’s IT security are largely culpable for that hack, and Sony was compromised via basic social engineering. The humans were the weaknesses in the system that the bad guys sought to exploit…
There are several ways that a free market behavior can influence a human behavior to offset these human vulnerabilities: through legislation…regulation and, in concert with or in lieu of the others, insurance premiums. Legislation and regulation are cumbersome and, once written, slow to change, which is not ideal in an environment as dynamic as cyberspace…Lawsuits are on the rise, but are also a slow lever for change. The final option is a thriving insurance marketplace.
In practice, insurance companies act as regulatory bodies, mandating security standards and behaviors that, if left uncorrected, can void coverage. The problem at this point in time is not coming up with standards and practices, which already exist, but ensuring that they are followed. At the moment, they are not. Widespread insurance coverage could change that, but the market is immature and we’re just not there yet.
If you accept Morgus’ premise – then, read on. As much as I hold a boatload of contempt for the insurance industry, we’re limited by the nature of contemporary capitalism and voters who dare not look beyond what they’re told.
Morgus moves on to suggested legislation about insurance and there’s the real question. Because I don’t see anything vaguely positive being accomplished by Congress in the next decade. The next census has to be performed. Gerrymandering so artfully [and criminally] put in place by bigots and conservatives must be removed. Preferably systematically a la Canada. Hopefully, this process moves us on to more than the two old parties which tie voters into a Mobius loop of footdragging.
Ten years minimum.