Why are we perpetually surprised (or not, depending on how you look at it) at the failure of so many at both the organizational and individual level to take cybersecurity seriously? I would argue that most people are placing cybersecurity exactly where it should be when it comes to the myriad risks in their lives, and that is unlikely to change until it is far too late for some.
On the radio the other day there was an interview with an airline crash investigator. Airline crashes are rare, and when one happens the investigation defines “comprehensive.” But contrary to what amateurs or outsiders may think, there is really only one reason why an investigation is conducted:
It’s not to let the families know what happened and it’s not to let the lawyers know what happened, it is to prevent this happening again in the future. That’s absolutely the reason for an air crash investigation.
Closure for the families? Don’t care. Assigning blame so lawyers can address issues of liability? Don’t care. I mean, investigators are human beings, they care on one level, but the true motivation for a crash investigation is singular: reducing the probability that what caused this crash ever happens again. I know you don’t pay attention, but airlines have safety briefings for a reason. They de-ice control surfaces for a reason. You can design and engineer and test all day long, but sometimes problems don’t surface until thousands of hours of flight time under real-world conditions has been logged. To that point:
Aviation has never been safer because we have essentially conquered most of the problems that emerged in the first century of commercial flight. But now we’re starting into the second century of commercial flight and there’s all sorts of new and different challenges.
She goes on to point out that one of those challenges is cybersecurity, but it is not necessarily the most pressing challenge. Why? The interview doesn’t get that in-depth but it is worth noting that ransomware-for-cockpits is not a thing; aircrews not groking how automation works is most assuredly a thing.
Stealing credit card numbers, bank account details, social security numbers, medical files, even taking over one’s entire identity doesn’t equate to death. The economics of cybercrime today are such that malicious actors can cause pain, but victims are readily made whole again. In such an environment why would we expect cybersecurity to get better? Why would we expect individuals to care? Why would we expect businesses to do anything more than is absolutely mandated? We don’t catch enough bad guys to provide closure or make a dent in the level of malicious activity. The industry has successfully fought off efforts to assign liability. The system is basically designed to ensure we will remain low-level victims in perpetuity.
We don’t learn from incompetence, we don’t learn from inconvenience, we don’t even learn from pain: we learn from death. Cybersecurity will get better when people die in sufficiently large numbers.“Cyber” has certainly killed, but as callous and morbid as this sounds, it hasn’t killed enough. How much is enough? I suspect a lot more than have died due to pilot error.