In the movie “Back to the Future II,” protagonist Marty McFly travels forward to the year 2015. During a quick stop at Café 80s, Marty encounters two children, confused by the 80s-style arcade game in the store. When Marty shows them how to play, the kids retort with, “You mean you have to use your hands?”
We may soon have a generation of young internet users that quip, “You mean you have to use wires?”
Wireless LAN, Bluetooth connectivity and mobile data transfer (which will explode with the wider deployment of 5G) are ubiquitous today. So what does this mean for the everyday person? And what can the everyday person, along with their enterprise, do to minimize threats against their data? Today’s behavior means anyone can learn to handle some of their own cybersecurity problems when it comes to personal or corporate email and access concerns.
For proof that we are “going mobile” at high speed, consider that in just four short years, we have gone from 2.5 billion smartphone users worldwide to 3.5 billion users. And in approximately that same time frame, mobile data traffic nearly quadrupled from 11.51 exabytes per month to 40.77, with an expected jump to nearly 80 exabytes per month by 2022.
What About Changes in Behavior?
Some of us remember the times of using one desktop computer for almost all of our computing needs. Then, there was an important behavioral aspect to it all. We used computers mostly for work, school or other specific functions, like for video games. We genuinely “unplugged.”
In my own life, there were two “whoa!” moments where I saw mobile devices were going to change our lives immensely from a behavioral point of view. The first came in early 2003, when I got my Sony Ericsson P800. While earlier smartphones existed, such as the Nokia Communicator Series or the Ericsson R380, these phones never had the computing horsepower or network support to conduct meaningful work over the internet. Sure, you could technically connect to the internet using them, but it’s only when we had handheld horsepower and 3G networks ready for use that our everyday actions would change because of it. For the first time, I was able to do work, such as emails, browse websites, view and edit files, take pictures and stay connected from my phone.
The next “whoa!” moment came a couple of years later when, in the middle of a sleepless night, I started reading the news on my phone and saw an intriguing book cited in an article. I immediately looked it up, bought it online — at 4am — and set it to be shipped to my home in a couple of days.
Realizing what I had just done was one of those “okay, this changes everything” moments.
And we’ll leave aside, for the moment, that timeframe in 2000, where I was sporting an Ericsson HBH-10 Bluetooth headset. Back then, it seemed like pretty crazy behavior to be “talking to yourself.” How times change.
We Didn’t Consider the Security Risks
We were — understandably — looking to move online at the speed of business. Or perhaps, more appropriately nowadays, it is better to say at the speed of convenience. Business and innovation forced us to look for efficiencies in order to gain an edge. We moved from wanting it fast to wanting it instantly.
Ask yourself: what can’t you do using your mobile device today? The list of what can’t be done constantly gets shorter as new services are launched. Do your job? Check. Order food? Check. Get yourself out of a jam while lost? Check. Make movies and music? Check. Oh yeah, you can still make calls too! Convenience got all the gold stars.
All these capabilities would be awesome if it were not for this one caveat. All our conveniences rely on something inherently risky: the internet.
If you are involved in any type of cybersecurity or privacy work, you need to appreciate that underlying reality. If you gloss over it you will be ignoring a basic problem. The history of the internet is rooted in insecurity.
We have inherited a system that was broken from the beginning. And that is not because the architects had any malicious intent. Rather, what they missed was the dual-use capability: the internet can be used as a weapon. By missing that, they missed planning for the security risks posed by the internet.
Therefore, as we shift to even greater mobile use, we need to be cognizant of not missing those risks that will compound the problem. As glorious as 5G looks, remember, it’s also an “equal opportunity” tool for malicious actors.
It’s Not All Gloom and Doom If Everybody Does Their Part
Sadly, it’s not like we weren’t warned. In May 1998, the United States Senate Committee on Governmental Affairs heard from a group of hackers, called L0pht. Despite their cool and sensible demeanor, their testimony is an oratory explosion. Regrettably, many of the problems they talked about back then still exist today. These include the reluctance to undertake costly overhauls required to improve cybersecurity or the decision to employ the “patch and pray” mantra.
But there is also one major difference today from when that testimony took place. We use the internet a heck of a lot more today than we did then. Technology has even altered how we consume information, with social media surpassing print newspapers as the avenue for news consumption.
The behavioral change itself has broadened the vulnerable surface, therefore increasing our security and privacy concerns. In 1998, when the above-mentioned testimony was given, there were only 147 million global internet users; today we’re creeping up to 5 billion.
In other words, the impact of a breach has the potential to be that much more widespread. Breaches can now impact tens, even hundreds, of millions of people at a time. For example, according to the 2019 IBM X-Force Threat Intelligence Index, over one billion records lost or stolen in 2019 were on account of cloud misconfigurations.
Without doubt, we have made great strides to protect our data during these last 20 years. We have made impressive leaps in our breach detection capabilities. Tactics such as multifactor authentication and encryption are more widespread. In some cases, they are default tactics now. Artificial intelligence, monitoring and orchestration are all helping us make sense of what we are seeing and assisting us in our decision making. We have endpoint security solutions and threat intelligence feeds. Cyber hygiene awareness is cautiously on the rise amongst more stakeholders.
But even with all these improvements, we’re still missing the mark. Why is that? We touched on the first issue: inherent vulnerabilities with the internet.
Cybersecurity Lessons From Emergency Management
The second issue is us — the individual. Our behaviors are the problem. As we continue to go mobile, we need to do a better job at taking personal responsibility in the data protection fight. A mature cyber resilience strategy cannot rely on the enterprise taking on the brunt of the responsibility. Nowadays, all employees are part of the cybersecurity front line.
The Incident Command System (ICS) is a standardized approach to emergency management. The key functions of the ICS are normally:
- Using common terminology
- Integrating communication media
- Creating a unified command structure
- Coordinating resource management and allocation
Another key facet of the ICS is that there is an incident commander. Think of the incident commander as the person who manages the show. A further key facet of how the ICS works in the larger local, state and federal interplay is “who does what” and “who supports what.”
So what does the ICS have to do with cybersecurity? It may be able to serve as an important primer on how to manage security and privacy responsibilities, especially for the individual. It can even be useful for the time prior to an emergency (or incident) striking.
Take Charge of Your Own Devices
In short: you need to be your own incident commander. You need to be responsible for your devices and the data. For example, even if you are using a corporate device, you cannot rely on the enterprise to deal with every issue that comes your way. If something seems off, do something about it. Don’t wait for the IT department to make a move.
It would be like asking a federal agency to put out a local fire. From a management perspective, that makes no sense at all. If you see something in your home that could be a hazard, you don’t call the emergency services right away. You evaluate if you can deal with it on your own first, then decide, if it’s beyond your capabilities, to ask for help.
Handling Incidents Within Your Own Community
The way the National Incident Management System (NIMS) works is that prevention, protection, mitigation and response are a team game. It requires the entire group, where everybody has a role to play. As part of the NIMS, the feds don’t come in and call the shots; it’s the locals who manage what’s going on. When they get overwhelmed, they call for increased levels of support, such as state and federal agents.
And if you’re looking for a little more cybersecurity-specific guidance on incident handling, check out NIST’s Special Publication 800-61, Computer Security Incident Handling Guide.
ICS and NIMS can serve as important tools on how we address cybersecurity concerns, particularly for individuals. Basically, each person is their own little town that has unique needs, capabilities and resources. Despite algorithms doing a pretty good job and almost knowing us better than we know ourselves, the truth is nobody knows you better than you.
Understandably, some hazards are easier to see than others. Spotting some smoke, or a fire, is a whole lot easier than spotting a spearphishing email by yourself. But that’s not to say you can’t learn that skill. Education does play a role, but when you are willing to become your own incident commander, everything comes together: the individual’s responsibilities, the enterprise’s responsibilities, technological capabilities and behavioral aspects.
Making Complex Cybersecurity Risks Manageable
Let’s be honest: we have designed a pretty complex system. The changes we make result in it becoming even more so. It’s actually pretty amazing to see society operate with so many moving parts. It was not too long ago that what happened in the next village didn’t really impact your life. Nowadays, what happens halfway across the world could have a direct impact on you. (Think nation-state actor launching a cyber attack in your homeland, removing your ability to pay for food.)
Think about it: in this work-from-home/remote era, are you using the same internet connection for your home and work activities or are you using independent and unassociated internet connections? Chances are it’s probably not the latter, meaning your home network could be the vector into your corporate one.
This is a complex challenge, no doubt. With data breaches on the rise and becoming more costly (even in intangible terms, such as the loss of intellectual property), industry is beginning to realize this is not a good way to do business. It may be a little late to the show, given the warnings of the late 1990s, but like they say, better late than never.
Therefore, kudos should go to the enterprise for at least trying to address the information security gaps from a technological perspective. That leaves the key gaps related to personal behavior. If left unaddressed, these are going to become wider on account of near constant mobile computing usage in our daily lives.
This is not a time to be sloppy in our personal habits. The ICS and NIMS are two emergency management tools that the cybersecurity and privacy communities should look at augmenting as a means to minimize their cybersecurity risk.
It is worth noting that the ICS, which dates back to 1968, is a child of the following problems:
- Lack of accountability
- Lack of common terminology
- Poor communication
- Insufficient planning
- Poor processes
- No effective way to operate between departments and agencies
- No incident commander to coordinate all efforts
- Inconsistent or differing organizational structures
Do these issues sound like the infosec challenges you may be facing? As we continue to “go mobile” in our technology use, add one more skill to your tool box. Be your own cyber incident commander.