The way we talk about cybersecurity is a mess. Even as Russian hackers and ransomware attacks continue to make headlines, the media coverage can’t seem to get past a level of vagueness that invites readers to throw their hands up in frustration. The payback: learned helplessness that stops us from dealing with the problem.
But this isn’t just Trump’s fault. Mass-media coverage continues to leave readers under-informed about what happened, as well as why and what they should do when a new cyber attack is uncovered.
All of this can leave readers and listeners feeling confused, disempowered or worse.
We’re not all doomed
In his recent role as cybersecurity commentator, Trump told reporters at a New Year’s Eve party at his Mar-a-Lago estate in Florida that“no computer is safe.” He suggested that if you want information sent securely, you should have a courier hand-deliver it.
The president-elect has company in that view. I see it all the time in comments here when I write about cybersecurity. And computing professionals spend so much time arguing that any one security scheme is fatally flawed that Facebook (FB) chief security officer Alex Stamos calls this nothing-is-safe mindset“security nihilism.”
(Bizarre subsequent plot twist: The company reported to have done that work for the FBI, the Israeli firm Cellebrite, itself admitted last week that hackers hadbreached one of its servers to extract customer data. So you should also suspect claims of bulletproof security.)
“Companies or victims far too often revert to silence that enables criminals to continue to proliferate,” commented Alex Rice, founder and chief technical officer of the security firmHackerOne.
Social engineering is distinct from hacking
A lot of coverage can’t even differentiate between exploiting vulnerabilities in software versus “social engineering” that fools fallible humans into giving up their passwords.
The former is easier to fix. “90% of all hacks could be prevented simply by installing the patches we already have,” observed Jeremy Epstein, the security researcher whodocumented crippling flaws in Winvote voting machines.
The latter, as we’ve seen in the repeated success of phishing emails, isn’t just a matter of correcting code.
TheNew York Times’ unpacking of how Russian attackers successfully targeted not just Democratic National Committee servers, but also phished the personal email accounts of senior party officials, including Hillary Clinton campaign chair John Podesta, was a painful but educational read in that regard.
Trump did make one good point in his New Year’s Eve musings when he said “hacking is a very hard thing to prove, so it could be somebody else.” The next day, the Post was walking back its report of Russians hacking Burlington Electric.
You should generally remain skeptical of initial claims of who’s at fault in this area. In particular, security experts say that victim-shaming won’t help.
Said Epstein: “If we have stupid systems — I’ve built some stupid systems — where clicking on something causes something really bad to happen, we should blame the designers of that system.”
There are things you can do
Collectively, this treatment of cybersecurity at best leaves people to figure out on their own how to avoid the fate of whatever company, organization or celebrity is in the news. At worst, it teaches learned helplessness.
Cybersecurity stories should remind you of those things, HackerOne’s Rice emphasized.
“What concrete actions can I or should I take?” he asked rhetorically. “In many cases, the answer here is a depressing ‘Nothing. You are individually helpless.’ But even that is helpful to call out.”
