October is National Cybersecurity Awareness Month in America, which you probably know by now, what with President Obama's announcement and a whole host of related coverage from the Department of Homeland Security and other interested parties. Of course, one of the main messages of Cybersecurity Awareness Month is that we are all interested parties. When it comes to securing cyberspace we could do worse than borrow a phrase much used during World War II: "We all need to do our bit."
That bit includes making sure your computer is properly protected against malware before you connect it to the Internet. An unprotected computer is more likely to be recruited into a botnet that cyber-criminals then use to launch a distributed denial of service attack on a bank or a branch of government, or to send spam or phishing messages, or commit any number of despicable and fraudulent acts.
However, protection against threats like that depends on more than bits of technology. We all need to make sure that we use digital technology responsibly. For example, if you're reading your email or hanging out on a social media network like Facebook, and you see a message saying Apple has decided to give away 1000 Limited Edition iPads in memory of Steve Jobs, then "doing your bit" means resisting the temptation to click on the link to learn more. Even if you are running up-to-date anti-virus software and a firewall, there is still a chance a link like that will result in malware getting onto your machine. Besides, it only takes a moment's reflection to figure out that Apple is not likely to be doing something like that. And it only takes a few seconds more to perform a Google sanity check by googling a few words, such as: steve jobs memorial ipad scam.
All of which may strike some readers of this blog as old news, but what is old news to you might be a revelation to someone else. Consider the group of 50 people to whom I spoke about cybersecurity at a business convention last week, effectively a random sample of "typical" citizens. All of them use computers. All of them connect to the Internet. All of them handle a certain amount of sensitive information in their work. And all answered in the affirmative when I asked if they know how to use a computer. Yet a show of hands revealed that very few of them had any formal computer training; even fewer had received any training in computer security.
So, I would argue that there is much work to be done in raising the general public's awareness of the need to exercise care when using digital devices and connecting in cyberspace. But with a whole month devoted to the topic, you might wonder if there could possibly be too much awareness? According to Art Coviello, the CEO of RSA, that is possible. In remarks before congress last week Coviello implied, according to our friends at Infosec Island, that "the complicated nature of cyber intrusions is such that over-hyping data loss events to the public does little to stem the problem."
I sympathize with this view, but only to a point. There is a risk that a drumbeat of privacy breaches and ever more sophisticated malware discoveries will lead people to think the cause is hopeless. Those of us who work with this stuff all the time should not under-estimate how disheartening it can be for Jane Q. Citizen to hear about yet another piece of malware that can hide on her machine, steal her user names and passwords, mine her hard drive for personal data and secretly send it to the other side of the planet, while posting bogus messages on her Facebook and Twitter accounts, sending out large amounts of spam and joining, via sophisticated remote control channels, tens of thousands of other infected machines directed to carry out denial-of-service attacks that generate money for criminals through extortion of website owners.
The answer is to be fair and balanced. We need to let people know the problems that we face and make sure that they take them seriously. At the same time we need to offer practical tips for thwarting the bad guys. We need to let people know there is a lot of cybercrime out there but, as Cameron Camp reported on Friday, arrests are being made.
Later this week I will be highlighting other recent successes in law enforcement and some helpful resources for those who want to spread just the right amount of awareness. In the meantime it would be great to know what you think about efforts to raise cybersecurity awareness among the general public.