Commenting on Radio Four, Major General Jonathan Shaw, a former head of cyber security at the Ministry of Defence, said the public need to increase their cyber awareness. He said there is a ‘special responsibility’ on all citizens to improve their ‘cyber hygiene’ as private computers are the easiest to attack, and the government should “launch a cyber hygiene campaign like they did with the AIDS epidemic in the 1980s.”
His concern is valid. The weakest point of entry to any network is its users and their home computers, laptops, smartphones and tablets. “We now rely on internet connectivity to support so much of our daily lives that Shaw’s call for an aggressive public awareness campaign can only be welcomed,” suggests Yogi Chandiramani, senior manager of systems engineering at FireEye. “Human error still accounts for too many cyber incidents, and a widespread lack of understanding – coupled with the increasing sophistication of cybercriminals – has led to a significantly raised threat level.” He agrees that education is essential. “Continuously educating and re-educating the public on the growing security risks would be a positive step for the government in controlling the threat.”
Ronnie Khan, MD EMEA North at Qualys, is in full agreement. “Organizations, public and private, are constructed of individuals,” he said. “Many of these individuals now bring their own device to work each day, such as a smartphone or tablet PC, often connecting to the network at some stage to access files or the internet. The need for these individuals to understand how to remain protected when outside the workplace’s network is becoming as crucial as the organization’s need to be able to secure its own infrastructure.”
There is a problem, however, over whether education actually works. Major General Shaw uses the AIDS campaign as an example – but the reality is, it didn’t work. “In fact, the epidemic has expanded, with the annual number of new HIV diagnoses nearly tripling between 1996 and 2005,” states the AVERT.org website. The danger in education is that it introduces complacency: people are still contracting AIDS, but it is no longer a public issue. It is the treatment of AIDS, such as HAART (Highly Active Antiretroviral Therapy), rather than public knowledge about it that has reduced deaths.
The question then becomes whether ‘education’ needs to be backed by treatment; that is, ‘enforcement’. This was the view taken by Microsoft’s Scott Charney back in October 2010. He also used a health metaphor. “Simply put,” he wrote, “we need to improve and maintain the health of consumer devices connected to the Internet. This will benefit not only users, but also the IT ecosystem as a whole. To realize this vision, governments, the IT industry and Internet access providers should ensure the health of consumer devices before granting them unfettered access to the Internet.” Charney was advocating the introduction of an cyber health-based MoT test for computers.
Given the shift of emphasis by Maj Gen Shaw from the device to the user, we may soon see additional calls for a driving test of cyber competence before people are allowed to connect. It would certainly improve security, but is unlikely to be politically acceptable.