October: Cybersecurity Awareness Month and Its Discontents

Thursday marks the start of the 17th annual Cybersecurity Awareness Month, and - if reports are to be believed - few people are very happy about it.

By many measures Cybersecurity Awareness month has been a success. Without a doubt: awareness of cyber risks has grown steadily during that time and that awareness is influencing behaviors and attitudes. A survey by the firm Privitar in August found that three quarters of respondents were "concerned or very concerned" about protecting their personal data. Forty two percent of those said they wouldn't share sensitive data with a business for any reason.

Consumers are also more willing to judge those firms by how well they secure the data they've been entrusted with. For example, a study of Canadian consumers by KPMG found 9 in 10 were "leery" of sharing personal or financial information with an organization that had suffered a data breach or cyber attack. Eighty four percent of those KPMG surveyed said they would stop doing business with a breached firm altogether.

Awareness Isn't Enough

But it is hard to argue that more awareness has resulted in better outcomes for businesses or consumers. There are some glimmers of hope. Verizon's Data Breach Investigations Report (DBIR) showed steady progress, for example, in getting users to stop clicking on phishing links in emails. But if you step back, there's a sad consistency to the data on cyber threats, attacks and methodologies in DBIR, IBM's X-Force Threat Intelligence Index and similar reports, even as particular varieties of threats ebb and flow.

Why haven't 17 annual Cyber Security Awareness months paid dividends? Probably because "awareness" itself isn't really an important end. After all: greater awareness of cyber threats may well be attributable to its growing presence rather than any public relations campaign. Who could miss blaring headlines about massive data breaches at firms like Equifax, Target, Home Depot and Yahoo!?  

Beyond that, mere awareness isn't nearly enough to beat back a complex, global and societal ill like cybercrime. After all, organized crime was and is a widespread problem in the United States, Europe and elsewhere. It's responsible for billions of dollars in losses to the U.S. economy as well as endemic problems like racketeering and human- and drug trafficking and more. Still, we don't have "organized crime awareness month," because everyone recognizes that the problem of organized crime isn't one that better public awareness will help to control.

Historically, it has been changes to laws and enforcement tools, as well as greater awareness, that have made the biggest difference in cracking down on organized crime or other complex societal ills like smoking and drunk driving. In the case of organized crime, for example, it was the Organized Crime Control Act and the Racketeer Influenced and Corrupt Organizations Act  of 1970 started to turn the tide: striking at the heart of organized crime groups by providing legal mechanisms to hold superiors criminally accountable for illegal acts they ordered subordinates to commit.

Wanted: New Tools

The same transformation in our laws and societal expectations needs to occur in relation to cybersecurity threats as well. "Cybersecurity Awareness Month” needs to focus more on regular consumers and users demanding accountability for breaches and better disclosure," said Jason Crabtree, CEO of QOMPLX.

Calling on consumers to use password managers and multi-factor authentication is important, but naive given the scope of the problem, Crabtree argues. Better would be to impose consequences on firms that apply lackadaisical and insufficient care and controls on sensitive data. Laws like California’s CPPA are a start, but the U.S. still lacks a robust, federal data privacy law and there is evidence already that consumers are struggling to use the tools CPPA has provided to them.

International Cooperation Needed

Looking beyond consumer awareness and responsibility, there is a clear need for greater public investment in combating cyber criminal syndicates and tamping down nation-state sponsored hacking. In an era in which shadowy cyber criminal groups can rake in millions through ransomware and business email compromise scams, greater international cooperation is needed to identify, hunt down and arrest cyber criminals. So long as cyber criminal gangs can operate at a distance and with impunity from countries that turn a blind eye to their illegal operations like Nigeria, Russia, China and Ukraine, nobody will be safe.

On nation-backed hacking and cyber operations, leading nations need to pursue multilateral “non proliferation” with the same zeal as was seen in the aftermath of the nuclear arms race. That’s especially true as cyber attacks increasingly come with physical consequences, including the (Russian attributed) attacks on Ukraine’s power grid and even the recent ransomware outbreak that caused disruptions to patient care at the hospital chain UHS. While there have been glimmers of this type of approach (as with the Obama Administration’s detente with China), no comprehensive, international agreement has been reached on the rules of engagement in the realm of cyber conflict, let alone cyber de-proliferation.

Of course, these types of agreements and changes are complicated and take years to hammer out and implement. But they’re also the most likely to actually curb cyber attacks and affect lasting changes in the threat landscape for businesses, communities and individuals.