In recent years, high profile cyber events such as the Office of Personnel Management (OPM) data breach and the SONY hack have received significant public and media attention, which in turn has increased the level of attention given to larger issues of cybersecurity. With such attention, it is easy to understand why government officials and many others continue to focus on the consequences of major cybersecurity events.
However, it is also important to understand that the source of many such intrusions often has been attributed to a failure to implement basic cybersecurity protection. Many times lost in the dialogue is recognition and acknowledgement that approximately 80 percent of exploitable vulnerabilities in cyberspace are the direct result of poor or no cyber hygiene, basic fundamental measures that will improve any user’s cyber protection profile.
From home users to small and medium sized businesses to even larger enterprises, there are protection steps that are low cost or even no cost that will raise the level of cybersecurity and make the illicit activity of the bad guys more difficult and more expensive.
The AFCEA International Cyber Committee prepared an analytical examination of the economics of cybersecurity that points to the value of investing in basic cyber hygiene.
While no one wants to have their identity stolen or their bank account compromised, many folks simply do not know what to do. Providing access to information that will help users of all levels of sophistication better understand how to protect themselves in a digital world is an imperative to overall security and resilience. The explosion of intelligent devices and the Internet of Things punctuates this need.
Shortly after President Obama assumed office, he commissioned an examination of the state of cybersecurity across the United States. In a May 2009 speech at the White House, the President released the Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure. Included was a series of near term and longer-term action items. Near Term Action item number six called for an effort “to initiate a national public awareness and education campaign to promote cybersecurity”.
A comprehensive and sustained national education and awareness campaign focused on cyber hygiene that engages a wide range of stakeholders and further elevates attention to this important matter is long overdue.
While the US Department of Homeland Security’s “Stop. Think. Connect.” campaign and the National Cyber Security Alliance’s Stay Safe Online efforts have each contributed important elements to the foundation of a national campaign, there is much more work that should and needs to be done to scale these initiatives to have an ongoing national impact.
Other models also exist -- such as the UK Get Safe Online initiative -- that provide information for individuals and businesses about raising their cyber protection profile and can help inform a national program in the US.
Through leadership from the White House, Congress, leaders in industry, media, non-profits, and other stakeholders as well as state, local, tribal, and territorial governments, a comprehensive, sustained, and broadly embraced effort will produce meaningful results in raising the bar of cybersecurity and thereby, improving the security and resilience of our nation.
Empowering average citizens, small businesses, and cyber stakeholders everywhere with knowledge about measures that they can implement or steps that they can take to better protect themselves in cyberspace will improve overall security and resilience. Reinforcing messages such as “don’t click it if you don’t know it” will help remind users to be cautious of links and e-mail attachments from senders they do not know. Periodically changing passwords and ensuring regular computer and smartphone system updates are examples of basic hygiene measures that will make a difference. Educating users is a key ingredient to an overall national cybersecurity strategy.
A collaborative consortium of citizen-facing government departments and agencies, trade associations across a wide range of industry sectors, print, broadcast, online, and social media enterprises, K-12 and higher education, non-profit organizations of all types, and many others could leverage their existing communications networks to help educate their constituents and members about how to better protect themselves in cyberspace. Sadly, we have plenty of history and examples now to dissuade the notion that “it can’t happen to me”. The seeds of creativity drive the imagination to consider how we can all contribute to making a difference in cybersecurity.
This is in no way intended to suggest diverting attention from the important ongoing work to improve operational capabilities for detection, prevention, mitigation, and response to the more sophisticated and dangerous cyber-attacks that could imperil our nation’s critical infrastructure and our everyday way of life. However, our efforts to disrupt activities by cyber criminals, nation states, and even terrorists should not cause us to ignore the 80 percent cyber hygiene factor. If we are successful in raising the bar of cyber protection, it will make the nefarious efforts of the adversaries more difficult and more expensive.
As a nation, we are only as strong as our weakest link and collectively, we must remain committed to educating folks about those basic cyber protection measures that will improve their overall cyber protection profile.
This effort will not happen overnight. But, it is way past time to accelerate the implementation of Near Term Action Item number six from more than seven years ago in 2009, and build on the good work that continues to form the foundation for a comprehensive and sustained national campaign.
Imagine for a moment that the White House issued an executive order directing every federal department and agency that has a citizen-facing website to include a link to Stay Safe Online, pointing folks to information about cyber protection. That is leadership and certainly not a heavy lift.
Imagine if every Member of Congress added a link to Stay Safe Online on their constituent website’s home page, directing visitors to a site where they can obtain information about cyber protection. That is leadership by example and certainly not a heavy lift.
Imagine if businesses, trade associations, chambers of commerce, non-profit groups, and so many other stakeholders simply included a link on their website or reference in their newsletters or other print / online / social media communications conduits to Stay Safe Online, leveraging the current and emerging content that addresses a wide range of users and basic protection measures. Many folks just do not know what to do and pointing them to a site where they can get information will help clarify much confusion.
Imagine the momentum of public service announcements pointing users to where they can get information about how to protect themselves in cyberspace… television, radio, movies, online, social media… directing viewers and listeners to where they can get information about basic cyber protection measures.
The AFCEA International Cyber Committee has published a White Paper, Driving Cybersecurity Awareness Home!, that examines an approach to this opportunity in greater detail.
As we begin Cyber Security Awareness Month 2016, let us collectively and collaboratively leverage the national attention that will occur this month, to drive forward to demonstrate the leadership necessary to implement a comprehensive and sustained national cyber education and awareness campaign. This can be achieved by building on the good work of the National Cyber Security Alliance, the Department of Homeland Security, and others and in fulfillment of Near Term Action item number six from the President’s Cyberspace Policy Review.
Addressing basic protection measures in cybersecurity matters. We all have a role. We all can contribute. Working together we can make a difference. Let’s get to it!