If McGruff can't handle this alone, who will be the lead dog?

We need to do a better job of educating folks about cyber threats and what each person can do

By Robert B. Dix Jr.

Robert B. Dix Jr. is vice president for government affairs at Juniper Networks. He previously served as the staff director for the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee. 

The challenge of protecting information and information systems is not new. What is new is that society is being impacted in a different and more sinister manner than ever before. As a result, we must now be thinking about unprecedented ways to protect ourselves and our information assets.

The problem is, many people have no idea how to protect themselves against these growing cyber threats, including identity theft — a consumer fraud and burgeoning underground criminal activity that is costing Americans billions of dollars a year. Loss of intellectual property and trade secrets threatens our economic security and even our national security.

It’s been estimated that as many as 80 percent of exploitable vulnerabilities would be mitigated with basic cybersecurity hygiene, such as patching, anti-virus updates, password management, and so on. These simple tasks do not require huge investments or large information technology staffs — but they do require greater awareness and education.

During last May’s historic speech on cybersecurity, President Barack Obama called for a national public awareness and education campaign as one of 10 short-term action items. Who will lead that effort? Who will be the public face that raises awareness for home users, small business, non-profits, and computer users of all ages to improve their cyber hygiene and raise the bar of protection for all of us?

History provides us with plenty of examples of failed efforts to legislate or regulate personal behavior — in fact, during my time on Capitol Hill, I saw many examples of a rush to legislation that produced unintended consequences, where the cure itself was often worse than the disease.

Instead, we need to do a better job of educating folks about cyber threats, risks, vulnerabilities and consequences — and most importantly, what each of us can do to improve our cybersecurity.

Over the years, we have relied on Smokey the Bear to help us learn how to prevent forest fires, McGruff the Crime Dog to raise our awareness about crime prevention and DARE to warn kids and parents about the dangers of drugs. The ongoing successes of Smokey, McGruff and DARE were achieved after children began to remind their parents of the basic crime and fire prevention tactics that these friendly but persuasive figures taught them.

With the continued leadership of the White House, and the help of a McGruff-like figure, we can forge a national campaign that includes our preschool, K–12 and higher education students; provides enhanced training and awareness for employees across the public and private sectors; and recruits Internet service providers in a collaborative partnership that routinely reminds us all to better protect ourselves from cyber thieves and miscreants. The Homeland Security Department has made a good start with its National Cybersecurity Awareness campaign.

So as the president directed, let’s get to it. Hey, it might even put a little fun into cybersecurity for a change.

Reader comments

Fri, May 21, 2010 Realist

What foolishness! Of course attackers are going to pick the lowest hanging fruit first. But patching is not easy or inexpensive to resource-scarce shops. The IT security industry preaches this pap constantly. A well patched system is not a secure system; it is only a less vulnerable system. Systems were not designed to be secure. All serious adversaries have zero day attacks sitting on the shelf that can p0wn fully patched systems. Low assurance systems = sitting ducks!

Thu, May 20, 2010 Bill Caelli Australia

STOP IT! Stop blaming the end-user for the massive security disinterest of the ICT industry itself in providing the necessary secure environment for the modern economy. Years ago the Computing Research Association and the NSF sponsored a "Grand Challenges" in information security summit in Virginia and the overwhelming consensus, on a limit of 4 challenges, included: "Give users security they can UNDERSTAND and EASILY MANAGE." The industry HAS NOT DONE SO - just look at Windows VISTA and the aborted Microsoft "Palladium" project. In almost every other industry, the latest being the financial services arena from Wall Street, the role of Government has been to protect the safety and security of its citizens and that means, normally, that action occurs over an INDUSTRY FIRST - not its "victims", oops "customers". The ICT industry is now a mature industry and not the fledgling needing a "hands-off", "light touch" legislative regime anymore. That industry is supplying the very base for the "digital economy" and thus has become a pillar for national security. So, once again - STOP IT! STOP BLAMING THE CUSTOMER. After all, did we blame the driver for the Toyota problems? NO.

Thu, May 20, 2010 Jeffrey A. Williams Frisco Texas

What would be better is better EV non-spoofable digital certs to protect users' PCs from being hit by many forms of attacks.

Thu, May 20, 2010 Michael Bartholf Virginia

We have undergone public awareness programs; both internal to an organization and in open forums such as this; and yet hackers still get in, patches are applied but not properly validated, and people still make what Bill Cheswick calls "moronic" mistakes. The fact that a person can attend a user security awareness refresher class and a few minutes later make an absolutely idiotic mistake tells me that one of three things is occurring. One, there is no accountability for mistakes. If a person makes one, there is no penalty applied. Two, there is no absolute requirement to ensure that something has been done. Yes, patches are applied. But how many times have we applied patches only to find the same patch vulnerabilities showing up on the next scan? And three, there appears to have been a major reduction in the use of common sense. If the Number One password is 123456, we have a larger problem than better training. We are vulnerable because we really have not made it a priority other than by regulation to practice solid security. Until enforcement becomes personable, all the classes and training are not solving the problem.

Thu, May 20, 2010 John Ellingson Virginia

A major vulnerability is the intersection of the human and digital spaces. Frequently the attacker is invited in the front door through social engineering. There are readily available solutions to this problem -- it all involves clear and reliable identification of the person seeking entry. This cannot be accomplished with username and password systems, or biometrics. The crucial question is who really is the person using the information or biometric. Are they using their own identity or a stolen one? This is the question that must be answered every time. From that information seen in context their intent can be determined and social engineering effectively defeated.
