Cybersecurity: a newcomer’s perspective
“You are terrified of your own children, since they are natives in a world where you will always be immigrants.” A Declaration of the Independence of Cyberspace (1996) – John Perry Barlow
The internet was built on trust. In the good old days you could use plaintext passwords everywhere, reconfigure services without credentials, connect to bank computers just by knowing their address, and so on. Trust worked for some time: the technical barrier to becoming a member of the cyber community was high enough back then to act as a filter, but as technology advanced and user experience became easier and easier, the sheer number of users created the need to protect our assets.
“There is no algorithm that can perfectly detect all possible viruses” An Undetectable Computer Virus (1987) – Fred Cohen
Cybersecurity as a field is young. The first detected computer virus was found in 1971; in 1982 the first personal-computer-focused virus debuted (even though the term “computer virus” was coined a year later); the first worm went live in 1988. Although “agencies” were likely exploiting computers since the late 70s and early 80s using a SIGINT approach, computers were not seen as a vulnerable asset by the general public until the mid to late 80s, when the first antivirus products started popping up around the globe.
Cybersecurity is young, but are the workers?
“Only 7% of cybersecurity workers surveyed were under age 29 and 13% were between ages 30 and 34. The average age of cyber professionals is 42.”
Roughly speaking, less than 10% of the cybersecurity workforce was raised in a digital and cybersecurity-aware environment. Of course, most of its older practitioners toyed with different facets of IT and security for years, but there is a big difference between our groups:
We, the 7%, did not enjoy the “built on trust”, we only suffered its repercussions.
In a diversity-oriented industry, where outsourcing and remote work are common, we tend to be forgiving about the background of consumers and workers (age being one of the big factors here) and about how that background affects our decision making while creating services.
A vital part of this is what it means when cybersecurity fails. It used to mean a small headache and perhaps some loss of profit; nowadays, at the most extreme, it means people could die. We are heavily biased by our historical context, and the repercussions of failure are currently at their peak.
“security problems are primarily ‘just bugs’, those security people are f*cking morons.” – Linus Torvalds (2017)
Our world is too IT-reliant for the security level we offer: cars can be stolen remotely, or worse, driven remotely; biometric data is leaked by the billions; Malware-as-a-Service (MaaS) has become a reality in just a few years and keeps growing. What could have happened if WannaCry had not had a kill-switch? What if NotPetya happened again, but without being restricted mostly to a single country? We can afford the 10 billion dollar loss NotPetya caused, but what about the attacks on Ukraine's electrical grid during 2015 and 2016? Are we ready for a massive critical infrastructure attack?
We need to start changing the mindset: “security by default” needs to stop being a motto and become a principle. A real one.