Why Cybersecurity Isn’t Good Enough to Protect Grandma

By Chris Olson

Those of us in cybersecurity have a bitter pill to swallow: if our goal is to protect ordinary people from digital crime, it's not working. Attacks are on the rise, and so are victims - but more importantly, the cyber industry doesn't exist to solve these problems in the first place. 

Many of us got into cyber because we wanted to make the world a safer place: we wanted to protect grandma from criminals trying to steal her money - we wanted to protect our local carwash owner from ransomware - we wanted to protect our kids from online weirdos.  

That's what people want us to do, and that's what most people think we do. 

But the truth is, we protect billion-dollar companies from liability for data breaches (as a bonus, we sometimes stop the breaches). We help governments protect state secrets from digital espionage (as a bonus, we sometimes protect their citizens too). 

All these things are good: without them, modern society would fall apart in a week. The problem is, it’s good enough for the cyber industry, but not good enough for grandma. In order to change that, we can begin by talking less about cybersecurity and more about digital crime. 

The Problem With ‘Good Enough’

Cybersecurity has a “good enough” problem: every year there are more data breaches, phishing attacks and ransomware incidents than the year before, and every year the amount of money lost to digital crime increases.  

Why don’t we see real improvement? For one thing, the way things are is good enough. The cyber industry is hamstrung by several factors that lead to complacency, and a lack of concern for the real victims of digital crime. Here are just a few:

  1. Wrong incentives – the incentives in cybersecurity are completely tied up with big money and big institutions. Cyber defenders are focused on providing security at scale to government agencies and corporations, where security itself is often a lower priority than proving due diligence in a court of law: if you can’t prevent a data breach, preventing a lawsuit is good enough.
  2. Lack of innovation – those who have been in the cyber industry for a long time know the drill: attackers break through existing defenses – defenders sell repackaged solutions (AV, firewalls) with minor improvements – then we have conferences to discuss what went wrong: rinse and repeat. There are rarely any breakthroughs in tools or techniques, because the status quo is good enough.
  3. Wrong mentality – in the cyber industry, individuals disappear behind abstract metrics. When cyber defenders are able to directly protect individuals – for instance, from data breaches – they will often accept collateral damage, because the gap between 99% and 100% is prohibitively expensive to close. In a word, 99% is good enough.

For big institutions – and hence for the cyber industry itself – a 1% failure rate is not a big deal. But when 1% equates to hundreds of thousands of victims or even more, it’s a very big deal for ordinary people. This becomes all the more clear when we stop talking about cybersecurity and start talking about digital crime.

Digital Crime is Just Crime

The jargon and statistics surrounding cybersecurity insulate cyber professionals, legislators and law enforcement officers alike from the reality of digital crime. For them, it belongs in the same bucket as botnets and cryptojacking – esoteric nuisances of modern life which neither warrant the full force of the law, nor special considerations from private companies.

But at the end of the day, digital crime is just crime, and should be treated as such. Imagine the following scenarios:

  • An elderly woman gets a tech support popup while browsing a major news site, calls the number, and ends up with her bank details stolen, along with most of her savings: that’s just theft.
  • A small business owner gets ransomware which shuts down his business computers and point-of-sale devices: that’s just break-in and extortion.
  • A cancer patient stumbles upon dangerous misinformation on a popular media site which causes them to buy risky supplements and forgo standard medical care: that’s just fraudulent misrepresentation, negligence, or worse.

In 2022, more than 800,000 people reported being the victim of an Internet crime. In a world where 800,000 people reported being the victim of a robbery, break-in or extortion attempt each year, state and local governments would surely take appropriate actions to protect their citizens. Meanwhile, organizations who were tied up in these crimes – even indirectly – would make tactical, daily efforts to prevent them.

Who Will Protect Grandma?

Explaining the failures of the cyber industry is one thing and fixing them is another – but fixing them just can’t wait. As we speak, online criminals specifically target vulnerable groups – including the elderly, children and the financially disadvantaged – to exploit their desperation or lack of digital literacy. 

With the arrival of generative AI, digital actors will soon have access to tools that make their job much easier. The Internet is about to become a far more dangerous place for those who most need protection.  

Unfortunately, nobody thinks it’s their problem: a state CIO says their job is to manage information technology systems, not protect citizens from malware or fraud. Local law enforcement might agree to take responsibility, and even provide a phone number – but often, they won’t know how to help anyone who calls it.  

Cooperating on the Frontier 

In many ways, we are all living on the frontier of a brave new world. Just like settlers on the Old Frontier, sometimes we have to band together against the bandits, thieves and outlaws who operate just beyond the reach of the systems that should protect our friends and loved ones. 

With the help of initiatives like Proxyware, private institutions – such as universities, schools, assisted living homes and churches – can provide data to help security researchers identify online criminals who target vulnerable groups, and block their access at the source. Until cyber organizations and governments catch up, protecting the vulnerable from digital crime is a team effort, and everyone should participate.