Beyond cybersecurity awareness
On September 30, President Obama proclaimed October 2016 as National Cyber Security Awareness Month. Throughout the month, the Department of Homeland Security and its private sector partners are holding events and engaging with the American public in an attempt to make people aware of the risks they face in cyberspace. As the co-founder and co-chair of the Congressional Cybersecurity Caucus, I have been involved with a number of these efforts in Rhode Island, and I strongly support the President’s continued focus on raising awareness.
Unfortunately, it sometimes seems as if our awareness efforts have been overtaken by a persistent drumbeat of headlines. Whether it’s major corporations being breached, government systems being compromised, or democratic institutions being targeted in an information warfare campaign, it can feel like the news is filled daily with cyber-attacks and their aftermath. When I started the Cybersecurity Caucus in 2008, cybersecurity was rarely if ever discussed in the halls of Congress. These days, there are weekly hearings on the topic.
This barrage of hacks is starting to take its toll on the public’s psyche. Recent research by the National Institute of Standards and Technology revealed that many people are suffering from security fatigue: they know that they are engaging in risky behaviors, but they are too overwhelmed to do otherwise. Cybersecurity awareness is not enough – we need cybersecurity empowerment.
The first step in cybersecurity empowerment is realizing that you, the user, have a lot of control over your safety online. Most compromises of companies and individuals are the result of common mistakes that can be remedied relatively easily. Use a password manager to help you generate and store strong passwords securely. Turn on two factor authentication – for instance, receiving a code by text message in addition to your password to sign into an account. And backup your data frequently.
We also shouldn’t expect technology to solve our problems for us. We all wish there was an easy fix to immunize us against cyber-attacks, just as we wish there was one vaccine that could keep us healthy. Unfortunately, that is simply not the case, so we have to keep updating our apps and washing our hands.
Perhaps the most important tool of cyber-empowered consumers is their wallet. There are a number of actions companies can take to better secure their products, but if their customers – both individuals and other businesses – do not demand action, we will continue to see software and devices that are trivially easy to hack.
The theme of Cyber Security Awareness Month for 2016 is “Our Shared Responsibility.” Empowered users of technology are necessary to improve our security posture, but they are just one part of the solution. Technology companies and Internet services providers need to make security a more simple and straightforward experience for all of us as users. The government needs to be prepared to help defend against and mitigate the rare, but often severe, attacks by other nation-states like Russia, China and Iran. The government also needs to incentivize and encourage businesses to adopt cybersecurity best practices.
I have long viewed cybersecurity not as a problem to be solved, but as a risk to be managed. No one entity has all the answers in this arena, but, working together, we can build a more secure Internet and continue to take advantage of the wonderful benefits connectivity provides.
Jim Langevin, a Democrat, represents Rhode Island’s Second District in the United States Congress. He is a senior member of the House Armed Services and Homeland Security Committees, and as the co-founder and co-chair of the Congressional Cybersecurity Caucus, has been a leader on cybersecurity policy.