CISA Treats the Symptom but it’s not the Cure | Commentary
By Heather C. Dahl As Congress sweats its way toward August recess, a stench hangs over Washington more noisome than the swampy air: poor Internet hygiene. The U.S. is the blundering virtual traveller that caught everything. The Target compromise, where cyber-criminals stole credit and debit card data belonging to about 40 million customers and the Sony hack, which leaked not only valuable business secrets but also sensitive employee information, were the business equivalent of cholera and malaria. The Office of Personnel Management, which exposed the personal information of more than 22 million current and former federal employees — an epic security disaster if ever there was one — is government’s bubonic plague. Really, if cyber-insecurity were discussed and understood in terms of disease, we might be able to figure out a remedy.
Instead, Congress is expending its energy debating the merits and demerits of applying a Band-Aid. The Cyber Information-Sharing Act is an attempt to legislate data sharing between government and companies in order to identify potential cyber-threats. In theory, this isn’t a bad idea on the obvious grounds that data sharing takes advantage of distributed expertise in order to spot and solve problems. In practice, it doesn’t exactly inspire confidence: the federal departments struggling to guard your data will get access to even more of your data from companies that only do a marginally better job of protecting it. So instead of one doctor who didn’t wash his hands trying to save you, there’ll be lots of inadequately prepped doctors trying to save you. What could go wrong?
The underlying problem with CISA is that even if you could imagine the best, the most careful, controlled, secure, privacy-enabled, system for sharing data between experts on impending threats, it would still have a critical system flaw: it wouldn’t directly involve you. Again, to push the analogy with medicine, it would be like your doctors discussing all the ways your lifestyle was having a negative impact on your health without bothering to include you in the conversation, let alone suggest you change your behavior.
Public health works when the public is involved and motivated to act in its own best interests. And this is why preventing cyber-crimes requires far more than the government and private sector sharing information. It requires involving the public who are at risk, which is to say all of us who use the Internet. We click on malicious links, download infected attachments, or fall victim to online scams, which means we are often the point of entry for these devastating attacks on large organizations.
What CISA creates is a digital autopsy after the tech equivalent of the patient dying. Look, this is how the cyber-criminals won again! No doubt, this exercise could bring some useful information to life — a CSI for cyber-experts — but it doesn’t do much to prevent the rest of us from experiencing the next blue screen of death.
For CISA to truly make an impact and succeed it should expand far beyond simple collaboration of a select group of cyber-insiders. It should include teaching everyone about staying healthy in their digital world and learning the warning signs of cyberattacks so we can prevent digital crime rather than focusing the debate on a disease that’s already taken hold.
As it went with the great successes in public health starting with the user — hand washing, for example — so it must go with cybersecurity. It needs to be treated as a public health issue. Digital hygiene has to be instilled in school, at home, in the workplace, and in government. And given that even doctors have to be reminded to wash their hands, we need to be in this for the long haul. Remember, it’s our digital future and that of our children that is most at stake in this debate. We are the ones who, ultimately, have to recover after our identities have been stolen, our credit cards canceled, our sensitive personal information, or photos, have been distributed and sold in criminal underground markets. What CISA misses is that it is only by collaborating, with those who are truly on the front lines in this battle that can we win this code war.
Heather C. Dahl is co-author of The Cynja, a comic series teaching kids of all ages about the awesome world of cybersecurity and technology.