Moving Beyond Fear, Uncertainty and Doubt on Cyber AttacksSpecial Advisor to the Cabinet Office for the Government of Japan
Too often, the conversation on cybersecurity is predicated on fear, uncertainty and doubt (FUD): amplifying the latest news of how sophisticated hackers are becoming and setting off alarm bells when it comes to vulnerabilities.
Headlines only highlight the growing sophistication of hackers and introduce readers to terms like “botnet” and “Internet of Things,” often without the proper context. The danger in this, especially with so much noise about numerous well-publicized attacks, is that people become desensitized and lax about cybersecurity in general. This creates a herd mentality through which people will grow numb and feel helpless—what else can one feel about the recent breach that left 500 million users potentially compromised?
Meanwhile, our old ways of thinking about cybersecurity—using tools like checklists and best practices and clinging to outdated technology, such as traditional antivirus software—are making us complacent in the face of attackers who have spent the last decade evolving.
Government fiefdoms aren’t capable of mounting an effective defense against threats that cut across borders and jurisdictions. In addition, cyber threats now come in many forms. Attackers can infiltrate systems and go undetected for long periods—the average is seven months—while ransomware can cause immediate damage that remediation services do nothing to help. Physical systems and critical infrastructures are wholly dependent on digital controls that are equally susceptible to cyber attacks. Governments are trying to develop legislation while law enforcement agencies are trying to protect their people against a threat that transcends sovereignty.
Are We Really Communicating?
How do our traditional forums, such as cybersecurity conferences, help in this situation? We need a new kind of dialogue, one that takes into account how communication itself has evolved into something unprecedented.
We began several thousand years ago, with one-to-one, or direct, communication. Over time, the printed word and broadcasting turned communication into messages that come from a few sources, disseminating to networks of consumers. Now, the Internet enables any number of people to communicate with others, anywhere in the world, in real time.
As a society, we are interconnected and interdependent. But we have also opened up new means of attack via the automatically generated spools of data produced by sensors that form the Internet of Things. Think about it: This is the first time in human history that machines, not humans, gather and transmit information on a mass scale. Yet these advances also allow for equally devastating abuse and damage.
We can no longer afford to be embarrassed about cybersecurity breaches and try to avoid discussion of them.
Here’s how we can make this dialogue truly productive:
Let’s get real about being vulnerable. We can no longer afford to be embarrassed about security breaches and try to avoid discussion of them. Internally, organizations cannot indulge in a culture of blame when security is compromised. The problem must be quickly communicated up the chain while fostering a culture of prevention. This goes for business and industry collaborations as well as international information sharing. Security breaches are embarrassing on some level, but simply pretending to take care of them or finding a scapegoat is a dangerous precedent.
Let’s evaluate cybersecurity like we would other forms of risk. Business executives and boards of directors are in place to manage risk at the companies they govern, and cybersecurity can and should be thought of as another form of risk, like having property insurance. We need to better identify, assess, quantify, mitigate or transfer that risk, just as we would other types of risk. We need to move the ball forward instead of simply pointing out problems. That’s why we need a multi-stakeholder conference on this issue.
Let’s talk about cybersecurity as a business enabler. Want to leave the FUD conversation behind? We must look at all of the ways security by design can make businesses, governments and individuals more productive. We must agree that it isn’t just an IT issue and definitely not just a “cost center.” We will start being more productive—and adopt a prevention-based approach to cybersecurity—when we look beyond what technology to invest in and understand the positive effects of why we’re investing in it.
Can Japan Take the Lead?
Japan is an important and timely stage for the cybersecurity talks that were held there in November. Tokyo will host the Olympic and Paralympic Games in 2020, and it is bolstering physical security and cybersecurity ahead of this historic event. Observers worldwide are looking to Japan to take a lead in cybersecurity because of its high-tech prowess, the cachet and reliability of its “Cool Japan” brand, and because it’s at the forefront of population aging, a phenomenon that many other countries will experience.
It’s also high time that Japan becomes more tech-savvy and innovative. The International Monetary Fund and many other global research entities have pointed out that the Japanese economy’s productivity has declined and is losing out to global competition, suggesting that slow information and communications technology (ICT) utilization is a cause. Japan must act now and take the lead or face irreversible losses in the future.
In an increasingly virtual world, it’s easy to lose sight of the fact that human networks, relationships and trust are more important than ever. Those bonds can be strengthened in face-to-face discussions.
Meanwhile, we can’t allow ourselves to be passive when our opponents are actively engaged and financially motivated. Since we have such a determined foe, we need to challenge each other on the stage. We need to change from thinking defensively to thinking proactively on ICT.
This article first appeared on the World Economic Forum Agenda blog.