The gap between the ‘real world’ and the ‘cyber world’ narrows everyday.
In the ‘real’ world, when a crime is committed, the natural instinct is to feel sympathy and compassion for the victim. Feelings of anger towards the perpetrator are very common, but these feelings rarely, if ever, translate onto the victim also. Why would they?
In the cyber world, when a crime is committed, blame is often equally apportioned between the victim and the perpetrator, and even more intriguingly, it’s not unusual that the victim is dealt a bigger slice of the blame pie.
This difference in behavior from the physical to online world perplexes me. After all, a crime is a crime and a victim is a victim. So why are people so quick to stick the knife into the victims of cybercrime?
Take WannaCry for example. WannaCry used an exploit stolen from the US National Security Agency and dumped online by the hacking group Shadow Brokers. It was then picked up by the perpetrators of the ransomware attack who some security experts linked to North Korean hackers, some linked to Russian hackers, some linked to Chinese hackers…you get the idea.
As news of WannaCry spread, you might have expected that the public, the media and industry experts would have been pointing the finger at the Shadow Brokers, the unconfirmed hacking group that released the exploit, or even the NSA (that’s a grey area that I don’t have enough column inches for in this editorial).
In reality, what happened is that everyone leapt to shame the NHS about its use of Microsoft XP (this later transpired as less relevant), to blame the government for the lack of financial resource, to criticize Microsoft for ending support for XP, to shame NHS staff and others around the globe for ‘stupidly’ clicking on phishing links.
The WannaCry narrative evolved fascinatingly in the days and weeks that followed the initial attack and many of the assumptions about why the attack was successful in the first few days of reporting were later proved invalid. I don’t want to get into the details here though – you can check out our news feature on page 8 and Top 10 on page 26 for that – my point is that most people, including some of our industry’s own professionals, were quick to play the blame game, shaming the victims. I’m not claiming that everyone who was affected by WannaCry was practicing perfect cybersecurity. Instead, I am asking for perspective and morality.
Back to the real world: Can you imagine a scenario where, say, a man or woman was mugged by an armed burglar down a poorly-lit path late at night, and when reported, the primary reaction was to criticize the victim for choosing to walk down that path or for not carrying some kind of personal safety alarm? Of course not, it would be callous and inhumane.
So why is it common practice to do this in the cyber world? I’m going to call it: It’s not OK.
WannaCry is just one example. The same thing happens time and time again when data breaches are reported, phishing attacks are successful or when an organization falls victim to a debilitating cyber-attack.
Users misuse complicated technology. Maybe we’re building technology wrong, maybe our security products aren’t effective enough, maybe we should have built cyber eco-systems with security built-in from the start. Either way, blaming the user gets us nowhere.
On a related but slightly different tangent, the trend of blaming users’ ‘stupidity’ for weaknesses in security posture is one that continues to haunt me. I’ve attended so many conference sessions or carried out so many interviews where the message “the user is stupid, the user is the weakest link” has been paraded with a helping of eye-rolling and a splash of superiority thrown in.
To a certain extent, I get it. Some users are uneducated about the threats out there, and as a result, their actions can weaken their security position. However, users misuse complicated technology. Maybe we’re building technology wrong, maybe our security products aren’t effective enough, maybe we should have built cyber eco-systems with security built-in from the start. Either way, blaming the user gets us nowhere.
The way in which a person’s behavior differs in the cyber world from the physical world is a theme that is explored in a different context in Mary Aiken’s book, The Cyber Effect. Last month she was inducted into the Infosecurity Hall of Fame and I was lucky enough to conduct the induction interview with her onstage at Infosecurity Europe. You can read my interview with her – and my interview with Dame Stella Rimmington – in the Q3 issue. The latter was certainly a career highlight.
So before I sign off, allow me to reiterate one thing: In the cyber world, like in the physical world, attacks do happen, and real, often devastating, consequences are felt by the victims (as is explored in Wendy M Grossman’s feature in the Q3 issue). When these attacks occur, I urge you to consider who is really to blame, and who deserves compassion. After all, the cyber world is very, very real.