Recent history has seen technology advance at a rate faster than humanity could ever have imagined.  Over the last century, as the tools society uses everyday have become exponentially more sophisticated, individual knowledge of those tools hasn’t.  The average person doesn’t even possess enough knowledge to understand the things they don’t know about computers and networking.  That exponential increase in software and hardware complexity, compounded by a lack of knowledge in the general population has led to the untenable situation faced by modern society:  the government and private industry are currently unable to protect society from the dangers posed by cyber-attacks, hacking, and information theft.

End users not being fluent in the technology they use isn’t a new situation.  Technology has always relied on a gap between experts, who are able to troubleshoot and have intimate knowledge of the system, and the lay-person, who knows just enough to use it.  With computers, that gap looks more like a chasm.  When radios were the preeminent technology, there was also a large gap, but the flow of information was essentially one way.  The same could be said about telephones and most other forms of recent communication.  People using analog technologies didn’t have to invest or take on faith that broadcast or telecommunications companies were safeguarding their information, or that the system they were using was doing anything more than what they seemed to at face value (with few exceptions).

Computers and networking have changed lives in ways that couldn’t even have been imagined just thirty years ago.  With a few clicks of a button, a person can order food, compare insurance rates, get cross-country directions, and access a previously unimaginable breadth of information.  What people don’t expect is that the exchange of information cuts both ways.  With networked technology, we place the responsibility of protecting that information on the technical experts, often with little oversight.

Government regulation and policy has an important place in any emerging technology field.  Aircraft flying without the Federal Aviation Administration or National Transportation Safety Commission would be disastrous.  The U.S. Government is woefully behind when it comes to regulating cybersecurity, often proving unable to safeguard their own assets.  One of the largest cyber breaches in recent history was on a government agency - the cyber intrusion of the U.S. Office of Personnel Management (OPM).  

From 2014 to 2015, a series of network intrusions took place within OPM’s servers (Starks).  OPM is a critical government agency – they manage the information of federal employees, to include huge amounts of extremely sensitive information.  OPM processes government security clearance paperwork – information that could be devastating if it fell into the wrong hands.  That security clearance data contains everything from who possesses security clearances to in-depth information about those people’s lives.  Often considered the “holy grail” of counterintelligence, the OPM data is some of the most sensitive unclassified data the U.S. has.

If the government was unable to protect data that sensitive, can we trust them to protect anything else - or to regulate private cybersecurity?  In 2013, the U.S. intelligence community spent more money on countering weapon proliferation than on cybersecurity, spending only 8% of its so-called “black budget” on “enhancing cybersecurity” (Fung).  While financial allocation is always a controversial issue in government, there is rarely debate about funding cybersecurity in Congress, and unfortunately that conversation needs to happen before it’s too late.  The OPM data breaches were hardly an isolated incident.

A 2016 report detailing over five years of audits made by the Department of Homeland Security into the Transportation Safety Administration’s cyber-security policies was scathing.  Issues in their program incorporated the entire spectrum of information security failures – from lack of training, to lack of physical security, from crippling server vulnerabilities, to no established system to report incidents (Blue).  The TSA takes a lot of heat for many of its policies, but their cybersecurity issues are rarely mentioned or brought to public light.  While there hasn’t been public mention of a prolific data breach within the TSA, without reporting procedures in place it’s unlikely that information would even see the light of day.

The problem with discussion of data breaches, network intrusions, or information compromise is that there are no immediate ramifications of those attacks.  Data stolen from the government may be used by foreign countries or entities to implement policies, or used to aid the conduct of espionage or other state level activities.  The most common effect of these issues on a normal person is identity theft.  While identity theft can be devastation on an individual level, it’s hardly a stimulating news story, and unlikely to get much press or political coverage.

The reality of cyber-attacks is that they can affect almost every aspect of our lives.  Hollywood likes to dramatize hacking incidents, with lone wolf “hackers” taking down traffic light systems or disabling power grids.  The problem is, these examples might not be too far off.

As technology develops further and more traditional systems begin to rely on high levels on computer and network infrastructure, the potential consequences of poor cyber-security become more severe.  In a 2012 TED talk, titled “All your Devices can be Hacked,” Avi Rubin discussed the terrifying potential for more overt cyber-attacks.  Rubin detailed the capability of hackers to break into and control everyday objects ranging from pacemakers to cars.  

While most people may shrug their shoulders at the thought of some of their data going missing, everyone should be highly concerned about the potential for their car to be remotely controlled and hijacked.  That TED talk debuted in 2012, and in just the five years since, everyday tools like cars have grown even more reliant on computer systems and network technology.  As these systems grow more complex, the possibility for vulnerabilities increases at the same rate. The average person may not need to worry about being assassinated by hackers, the possibility of smaller scale crimes, such as auto theft via keyless entry, are problems that can (and do) affect many people, and will only become more frequent.

Chris Roberts, a cybersecurity consultant for the FBI, managed to gain national attention when he claimed he was able to access the systems of an airplane he was in, mid-flight, and gain control of them  (Perez).  In a post 9/11 world, the hijacking of an aircraft is one of the most terrifying scenarios most Americans can imagine, but even this incident faded from the public eye fairly quickly.  If Roberts was able to do it, then the potential exists for any number of hackers to do the same thing, and with the U.S. government’s track record on cyber-security, this reality should terrify most Americans.

The private sector hasn’t fared much better at cyber-security.  One of the most prolific data breaches recently was in late 2013, when Target lost personal and financial information of over 70 million people (Rosenblum).  70 million is a staggering number, and the fact that intimate bank account and credit card information was compromised is even more egregious.  As people swipe their cards or punch in their information to order online, how many consider where that information goes?  

While there is an implicit expectation of trust between the government and citizens, to what extent are private companies and organizations responsible for protecting their customers?  Stores are expected to be safe places and typically have physical security measures like guards or cameras that people can verify on their own but they have no option other than to trust in the invisible layer of protection that is that organization’s cybersecurity.

Even when it comes to protecting their own interests, private companies have demonstrated an safeguard to protect their assets.  In a cyber-attack that has been blamed on North Korea by U.S. officials, Sony’s servers were compromised in 2014, resulting in the loss of both employee information and company secrets.  Sony agreed to an 8-million-dollar settlement with its employees, who sued on the grounds that Sony was negligent in maintaining their cybersecurity infrastructure (Pettersson).

Those examples are just from companies that the public knows about.  “Data Brokers” are firms and companies whose entire business revolves around selling personal information that individuals may not have willingly gave up.  Their influence can be seen in ads on every website.  Data broking is a multi-billion-dollar industry that collects, collates, and analyzes information about individuals, creating profiles they can then sell to companies in order to facilitate targeted advertising (Kroft). 

When Sony’s information was compromised, it was a major news story for a short time, mostly because of the alleged involvement of North Korea and Sony’s fame.  If a data breach occurred at Acxiom (a data-broker firm that made over $800 million in 2015), what are the odds that news organizations would pick up the story, let alone provide major coverage to it?

The public needs to be more informed about issues of cybersecurity in order to hold these organizations accountable.  Personal information exists in the hands of so many companies and on so many servers that the stakes are simply too high to continue ignoring the issue.  Almost every aspect of the daily lives of billions of individuals involve computers and the internet.  What can we do to work towards a solution?

While the growing nature of the cyber realm means that every advancement can introduce new vulnerabilities, there has been success in developing solid, sustainable cybersecurity practices.  The sooner we collectively begin to find solutions to current problems, and implement measures to prevent future issues, the better foundation we will have to protect our future.

In light of recent cyber-attacks and the potential meddling of foreign agencies in the 2016 U.S. presidential election, the Obama administration published Presidential Policy Directive 41 (White House - Office of the Press Secretary).  The policy sets a broad framework for the U.S. response to cyber-attacks and incidents.  PPD 41 establishes jurisdiction of government agencies, dictates how future coordination will take place, and details what responses will happen after a cyber incident.

While this is a good start, a more overt, specific, and systemic approach must be taken to not only protect the public, but to provide assurance that the protection is actually effective.  “Securing cyberspace, however it is defined, is an extremely difficult strategic challenge that requires cooperation between the public and private sectors, military and civilian, of our societies” (Umberto vii). One of the major problems is that successful government cybersecurity practices and incidents are often classified, because revealing how they were successful would allow adversaries to adapt and overcome.  While the public doesn’t need to know every detail, they do need some level of reassurance in order to maintain faith that their safety is being protected and develop best practices to facilitate further protection.

In a research paper conducted by the NATO Advanced Research Workshop, authors from multiple countries highlighted some of the dangers faced today by cyber-attacks and details some of the best practices from various countries and organizations to combat it.  The threats are extreme, ranging from terrorist recruitment to financial cyber-crimes.  Solutions proposed are equally diverse, but the common theme is cooperation.  Cooperation between countries, businesses, and organizations, combined with adapting to the latest technology and best practices is the only way to create sustainable solutions to the plethora of cyber issues that we face today.

The problem with these solutions is that, while they create a nice talking point, it’s up to the public to keep these organizations accountable.  Taken from OPM’s press release after their incidents: 

“[The plan] provides a framework that is rooted in the use of human resources (HR) data throughout a lifecycle (“strategy to separation”), allowing for reuse of that data in our HR systems to support agile HR policies; establishes enabling successful practices and initiatives, and enterprise and business initiatives that define OPM’s IT modernization efforts; and creates a flexible and sustainable Chief Information Officer (CIO) organization led by a strong senior executive with Federal experience in information technology, program management, and HR policy” (U.S. Office of Personnel Management).

While that policy seems on the surface as if it would be effective, without oversight there’s no way to ensure these organizations are doing what they say they are.  It’s easy to imagine that OPM’s stance on cybersecurity before its series of failures was pretty much the same as the above statement.  

While the situation may seem dire, there is still hope that companies are not only implementing these systems, but that they are working.  In their article, “Attacking Cybersecurity from the Inside Out,” the authors detail ways that healthcare companies are currently succeeding in managing cyber-security issues.  With the average cyber incident costing a company about $4 million, these large healthcare companies have been forced to develop effective solutions.  We can’t allow those practices to exist in a bubble – it’s up to the public to ensure government and businesses adapt.  

I believe the most effective overarching solution is education.  Today’s children will grow up in an even more networked society than we have.  We owe it to society to make people more informed, so that they are better able to not only find solutions to these issues, but to hold government and business accountable and provide oversight.  While we currently have many failures in the realm of cybersecurity, if we start educating people now, there is hope we can develop systems to help prevent future issues.
