Global headlines were made last month when hackers broke into U.S. government databases. Personal records of as many as 4 million employees were stolen from the Office of Personnel Management and the Interior Department. Although no clear suspects have been identified, many are pointing fingers at China. However, this is just the tip of the iceberg. Consider this story from The Atlantic:
“In October alone, Russian government hackers breached unclassified computer networks in the White House. They also penetrated the State Department’s unclassified email system. A National Weather Service employee was arrested for downloading classified information about American dams. The next month, the U.S. Postal Service revealed its employee information had also been illegally obtained.”
Attempts to steal data are scary in their number, their potential danger and their variety. Clearly, we’re not in a very good place. On one hand, anybody with any sense understands that placing data within the grasp of hostile governments and organized criminals is a very dangerous business and that preventive steps must be taken. However, it seems that human nature and corporate inertia aren’t translating those generally acknowledged fears into concerted action.
That’s not to say, however, that nothing is being done. It is. Security companies and other experts make recommendations, such as using encryption on all data – not just Social Security numbers and other obvious items – and doing so at every stage of the data’s journey through the network.
While some folks are no doubt listening, the big picture remains troubling; the story in The Atlantic was published last month, not ten years ago. Why has the crisis persisted? Why is security still such a problem?
Three main answers emerge:
It Takes Buy-in to Fight Hacking
Perhaps the greatest health risk associated with voluntary human behavior is smoking. Headway has been made, however. One of the reasons is that the danger is very obvious on a visceral level; if you smoke, you are far more likely to get lung cancer and heart disease. Your kids will suffer. The same painfully obvious rationale exists in the world of seat belts. If you don’t use your belt, injuries suffered in an accident will almost certainly be worse than if you do. Today, most people buckle up without even thinking about it.
Both of these examples have very clear and obvious cause and effect. The impact of poor security is a bit more conceptual. Not changing passwords periodically – or even keeping the out-of-the-box default password and user name – is obviously dangerous. People get that, but on a more cerebral level.
The tendency to ignore security isn’t changed by the hacking news. Finding out that a foreign country potentially accessed millions of sensitive personal records is troubling. But it’s a bit vague. Yes, something bad may happen. But it certainly doesn’t have the impact of watching a family member smoke two packs of cigarettes a day.
It’s Complicated – Literally
There are a million “attack surfaces” and “attack vectors.” In simpler terms, the slightest opportunity can be exploited. These openings multiply quickly (and will explode with the emergence of the Internet of Things). Everything is in play, from the technical (key loggers sending passwords and Social Security numbers to botnets) to the human (sophisticated phishing attacks tricking people into voluntarily revealing valuable information). Thus, security is not a single challenge that must be met. Like cancer, it is a series of closely and distantly related problems that don’t have a single solution.
There's a Lot at Stake So the Bad Guys Are Just as Smart as the Good Guys
In the good old days, the villains were isolated misanthropes bent on proving their brilliance or making some arcane political point.
Now, the bad guys are formidable. The amount of brains, the sophistication of their research tools and the breadth of the knowledge and distribution networks at their disposal are as great as they are in any lucrative, for-profit business sector. Indeed, “speed to market” – or, more accurately, “speed to hacking” – is perhaps faster in the underworld. After all, it figures that a criminal enterprise will have fewer layers of bureaucracy.
The arc of security looks to be moving in a negative direction. The breaches aren’t slowing and it seems that, as time goes on, true privacy may be a thing of the past. At the end of the day, though, a sense of gloom and doom is a necessary step. It will give way to improvements and progress. The key is to convince people that the battle is far from over; it’s now time to get tough and take things seriously.