MeriTalk - Where America Talks Government
Bob Dix

Posted: 12/15/2010

While I applaud the recent efforts of the White House and the Department of Homeland Security to promote National Cyber Security Awareness Month (NCSAM), I'm afraid it's not enough. Do we have any reason to believe that the effort has improved our national ability to be safer in cyberspace? How many home users, small businesses, or students are better prepared to navigate the dangers of online predators, hackers, and criminals?

I believe we have much more work to do, including ensuring that our government agencies and industry partners are ideally aligned for collaborative cybersecurity detection, prevention, mitigation, and response. But we also need a commitment to a sustained and comprehensive national effort to build awareness of the cyber security epidemic that has infected the United States and the world. With the proliferation of cyber attacks and of identity and intellectual property theft now representing a true cyber epidemic, such an effort is long overdue.
I do not use "cyber epidemic" lightly, as recent surveys and data points demonstrate:
  • An estimated $1 trillion of intellectual property is stolen each year [1]
  • More than half of mid-sized companies have seen increased hacker attacks since last year, and 75 percent feel an attack could put them out of business [2]
  • 53 percent of critical infrastructure providers report that their networks have experienced what they perceived as politically motivated cyber attacks; three in five attacks were somewhat to extremely effective, with an average cost of $850,000 per attack [3]
  • Most breaches last year - and 98 percent of data stolen - were the work of criminals outside the victim organization, with organized crime responsible for 85 percent of all stolen data last year [4]
  • The Defense Department receives 250,000 "probes" an hour - six million a day, or 2.19 billion times a year [5]
Reports estimate that in 2009, more than 11 million Americans were victims of identity theft at a reported cost in excess of $54 billion.[6] This does not include espionage, extortion, or even more serious threats to our national and economic security. It is estimated that last year, more than 12 million IP addresses were taken over by botnets or "zombies," an increase of more than 50 percent in one year.[7] Often used for the distribution of unwanted spam, these hijacked computers could be wielded to launch distributed denial of service attacks.
One wonders: why are we not doing more to help people better protect themselves in an online world? A year and a half ago, the White House released the results of the President's Cyberspace Policy Review along with a set of 10 "near term" action items. Number six on that list stated, "Initiate a national public awareness and education campaign to promote cybersecurity." Other than each October's NCSAM exercise, it's hard to find evidence of a nationwide, sustained effort to build the awareness and education we need to raise the bar in our fight against ongoing cyber attacks.
This Ain't Hard - Once We Begin
The good news is that we already have a proven, successful model that provides us with a roadmap for how to proceed - and to enlist all members of our society, because we all have a role.
In 2009, the world reacted to the credible threat of a potential global H1N1 epidemic. Here in the United States, awareness and education campaigns were launched that reflected a coordinated, comprehensive, and committed effort led by the U.S. Department of Health and Human Services, the Centers for Disease Control, the Department of Homeland Security, and other agencies of the U.S. government. These campaigns were joined by similar efforts by state and local governments, academic and nonprofit institutions, and the private sector. We all mobilized in an effort to protect the American people from the threat of a medical epidemic.
Much of that effort was focused on teaching citizens about best practices and steps they could take to protect themselves from being infected by the very dangerous H1N1 virus. We all remember the simple guidance we received every day, at home, in our cars, and everywhere we traveled: wash your hands often; cough into your sleeve rather than your hand; avoid close contact with others; clean surfaces likely to be infected; stay home if infected; travel tips; and so on.
It strikes me that, with very little translation required, these 'stay safe' messages are also precisely what's needed to build awareness and use of simple, but effective "cyber hygiene" practices. Condensed into a short series of "Top Cybersecurity Tips," these practices could populate a comprehensive and sustained campaign to teach citizens, small business, schools, and other institutions about how to protect themselves from the very dangerous and pervasive threats in cyberspace.
Cyber Hygiene
The National Security Agency estimates that 80 percent of the exploitable vulnerabilities on government computers can be thwarted by basic cyber hygiene - simple steps that we all can implement to protect ourselves, and make it more difficult for the bad guys.[8] Such efforts do not require large investments or IT staff: a new study from Verizon concludes that only FOUR percent of 2009 data breaches would have required difficult or expensive preventive measures.[9]
For starters, here are some basic cybersecurity hygiene tips:
  • Keep your security software (firewalls, anti-virus/spyware) and operating system up-to-date
  • Protect your personal information online; change your password periodically
  • Scan your computer for vulnerabilities on a regular basis
  • Don't open attachments from untrusted sources
  • Secure your mobile phone (including secure access to your corporate files)
  • Back up your data regularly
  • Learn what to do if something goes wrong, or if you encounter suspicious activity
Sounds simple, right? Well, it is - once you know what to do, and are regularly reminded to do it. Hence the need for a national, sustained campaign, led by the White House and the Department of Homeland Security, joined by all Federal departments and agencies - especially those with high levels of direct citizen or business interactions (e.g., the Postal Service, Small Business Administration, Internal Revenue Service, etc.). 
We all have a stake in our global cybersecurity. In addition to the leadership role of the Federal government, an effort of this magnitude will also require the involvement of industry and state and local government leaders at all levels, as well as higher-ed and K-12 academic organizations, internet service providers, and a broad range of other partners and stakeholders in the public and private sectors. Some nonprofit organizations, such as the National Cyber Security Alliance, Center for Internet Security, and Internet Security Alliance are already involved - but we need more.
Our nation is facing a crisis of epidemic proportions. I don't profess to claim that national awareness and prevention campaigns can alone solve our cybersecurity challenges, but - as with the H1N1 virus experience - we do need a comprehensive and sustained national education and awareness effort to help us all understand how to better protect ourselves as we use and enjoy the many benefits of cyberspace.