It seems that folks interested in cybersecurity fall into two camps: those holding their breath for government to step in and protect the public from cybercriminals through regulation, and those crossing their fingers that the legislative branch will continue to create cybersecurity awareness but ultimately leave it to the professionals.
Some fear that without government intervention, the number of data breaches will continue to rise because the financial implications of a breach, though expensive and continuing to increase each year, aren’t costly enough to really motivate businesses to spend the resources necessary to better secure their networks. Others fear that the government’s regulatory involvement will undermine the expertise of professionals and steer cybersecurity down a path that may help the situation in the short term, but ultimately lose sight of security goals in the long term due to legislation’s probable failure to adapt to the constantly changing threat landscape.
So whose responsibility is it to protect the consumer? The government’s? The businesses supplying those consumers and other organizations with online access to goods and services? The consumers themselves? I would argue that some share of the responsibility falls into each of these camps, but none bear the whole of that responsibility exclusively.
On Friday, February 13th, the White House held its Summit on Cybersecurity and Consumer Protection at Stanford University. In attendance were representatives from law enforcement, President Obama’s administration, consumer advocacy groups, academia, and the security and tech industries. The conversations were interesting and important, given that cybersecurity affects the lives and livelihoods of enterprises, consumers, and the nation. Near the end of the summit an executive order was signed by the President promoting the sharing of cybersecurity information to help protect consumers from emerging cyber threats.
Check it out here: EXECUTIVE ORDER — PROMOTING PRIVATE SECTOR CYBERSECURITY INFORMATION SHARING
Acknowledgement by the current administration that cyber attacks are real threats with far-reaching impact is an important step forward in the effort to motivate consumers and enterprises alike to take their online activities and network defenses seriously. It brings the problems that accompany the ease with which the Internet lets us do business and everyday tasks to the top of a long list of hot-button issues the world is, and should be, talking about. Threat information sharing is a great way to promote the advancement of security technology, which is why Palo Alto Networks started the Cyber Threat Alliance. At a very minimum, this summit forced business leaders, consumers, and government officials to create the beginnings of a wider community focused on solving the cybersecurity problem. Through the leadership of this community and current and future administrations, I believe there’s a better chance that we’ll succeed in solving that problem.
The fact that breaches are increasing in number, size, and severity means that current approaches to security are failing. However, assigning blame is a difficult undertaking. Experian’s 2nd Annual Data Breach Industry Forecast, released in January 2015, stated that a whopping 59 percent of security incidents in 2014 occurred as a result of employees and negligence. Thousands of years of technology development still haven’t found a way to eradicate human error. In a recent PCI webcast from Black Hills Information Security, owner and security guru John Strand broke it down further: good companies practice good security; evil companies practice checking compliance checkboxes. With that in mind, whose responsibility is it to protect consumers?
The government has a responsibility to consumers to do at least two things:
- Help educate them about using the Internet safely
- Positively reinforce that businesses secure consumer data well, and negatively reinforce poor security practices that lead to consumers being harmed
Businesses have a responsibility to their customers to protect their data by employing the best security products and practices. Consumers have a responsibility to those businesses to use the force of the free market and take their patronage elsewhere when those businesses fail to protect their information, and to educate themselves on safe Internet usage.
There’s another group that also has responsibilities here: the security industry. As vendors and security experts, we must produce competitive tools that help organizations achieve their security goals and educate the masses about cybercriminals and emerging threats. In a highly technical industry, we’re uniquely suited to unscramble the jargon and make cybersecurity accessible to everyone, techies and laymen alike.
How do you think the government should be involved? Whose responsibility do you think it is to protect the consumer from future data breaches?
More light cybersecurity reading from the White House, in case you’re interested: EXECUTIVE ORDER — IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY