Why Nobody Cares About Cybersecurity
Paging Henrik Ibsen
Nobody cares about cybersecurity. Business leaders don't care, citizens don't seem to care, a few in government seem to care—but that's because they want to break cybersecurity, not strengthen it.
Why does nobody care? The security of our devices, the security of our data, increasingly the security of our cars, planes, dams, power plants, is critical to our current way of life. In business, nobody seems to care about cybersecurity until the company suffers a breach—and even then, it is frequently dismissed as the cost of doing business. Only in extreme situations—like the Maersk hack—do we see companies waking up to the existential risk they face.
I spent seven years working as a cybersecurity reporter, and the last year working in industry as a cybersecurity engineer. I spend half my time talking myself blue in the face at people who should know better—but either can't understand cybersecurity issues, or simply see no reason to get worked up by it.
Everything is fine. It's not raining. So what if there's a few dozen holes in the roof? You paranoid lunatic, why you get so crazy.
I've spent years trying to understand this problem, and the best answer I can come up with to this problem is to cite Henrik Ibsen's play, "Enemy of the People."
A small town in Norway opens a thermal spa as a tourist trap. The townspeople are rubbing their hands in glee at expected profits. The town physician tests the water--it is full of contagious bacteria that will kill people! The plan to open the thermal spa must be halted at once!
This was the 1880s. The reaction of the townspeople was much like the reaction to cybersecurity issues today: "Oogie-boogie invisible things are going to kill me?? Are you crazy?? We're finally going to make some money and you want to kill the money machine?? WTF is wrong with you??"
The Hungarian doctor who discovered that handwashing saves lives died alone in an insane asylum. The medical profession in the 1850s thought he was crazy.
Today we wash our hands before we eat, after we use the toilet, etc. We do this without thinking about it. But it took generations for human beings to get used to the idea that "invisible germs can kill people."
But we don't have generations. We don't have decades. We may not even have years.
Businesses that fail to understand the severe--in some cases, existential--cybersecurity threats they face will go under. Democracies that fail to understand the existential threat to their political liberties cybersecurity issues pose will not be democracies for much longer.
It is difficult to not be depressed or pessimistic as a security professional. But if we give up we guarantee failure. The only thing we can do is to continue to state the problem as clearly as we can for all to hear—if they choose to listen.