During the recent RSA Conference in San Francisco, I was part of a panel organized by the National Cyber Security Alliance (NCSA). The subject was botnets, and the copanelists included people from the Department of Homeland Security, the FBI, McAfee and, of course, the NCSA.
As the panel went on, I became aware of an incredible irony that I was the person who was most against awareness training. After all, if you read any of my books, you will see that I state that awareness training is the most effective security expenditure.
Now I am accusing people who rely on awareness training as being negligent. I had to reassess my arguments.
A few years ago, if you told me that the Department of Homeland Security had a group of people assigned to do nothing but awareness training, I would have responded that it was a long time in coming. I would have praised them for finally putting money proactively toward trying to deal with the most common cause of security vulnerabilities: poor security awareness, ignorance, apathy, and so on.
Now I end up criticizing the DHS for being poorly proactive in their reliance on and touting of their security awareness campaign. Again, my mind was spinning to try to figure out where this disconnect was coming from.
I pretty soon realized the issue. Previously, when people exercised poor security awareness, they hurt themselves.
Now the big problem is that when they exercise poor security awareness, they hurt others. It completely changes the model, at least in my mind.
Before, when people left themselves vulnerable, they were the victim of a crime. They were the people who had their identity stolen. They were the people whose computers were trashed. They were the people who suffered in the end. Now, these "victims" are the facilitators of crimes against others. They are the enablers, the unwitting accomplices. These "victims" are the drivers of crimes.
So, essentially, I realized that awareness training is appropriate when people can hurt only themselves. However when people can hurt others, we need laws to protect ourselves from these people and to force them to secure themselves or to get off the Internet.
The root of all botnets is the poorly protected computers that are compromised. These poorly protected computers are typically poorly maintained PCs that run without basic software updates and security software enabled. If the PC user were the only victim, I couldn't care less. However, the reality is that these PCs enable distributed denial-of service attacks, which enable extortion against people and organizations that are doing everything right. They are the source of phishing attacks, which raise bank and credit card rates in the long run. They enable identity theft. They raise costs for computer bandwidth.
What it comes down to is that there are hard costs being absorbed by society because of poor computer security awareness.
In the real world, this would be a no-brainer. After all, you have to properly maintain your car or you have to take it off the road.
If your house is a mess, that is your problem unless it begins to attract rats and becomes a health hazard to your neighbors. Then, you can be fined until the situation is corrected. You can also be evicted or your house can be condemned if you allow the situation to go on. Everyone can apply for a driver's license. However, that license can be taken away if you endanger others when you drive.
Why, then, are people allowed unfettered access to the Internet, even if they clearly demonstrate that they are an imminent danger to others? It would be great if awareness training were successful and would make a significant impact. The reality, though, is that awareness training has proven itself less than reliable in making any significant improvement in the overall security of the Internet.
More important is that the threat to innocent victims continues to grow, as we seem to be relying only on security awareness and the lack of responsibility on the part of others.
Ira Winkler is president and founder of the Internet Security Advisors Group (ISAG). Contact him at email@example.com.