Cybersecurity forecast: Heavy smug
A cybersecurity 'expert' thinks ransomware victims should be punished for being stupid. We beg to differ.
When you think of rockstar hackers and infosec pundits, I'm sure it's easy to imagine people who are humble, kind and patient, and never look down on anyone who would reuse a password.
OK, maybe infosec types aren't known for doing benevolence all that well when they need to communicate with those not in the know about computer security. And when they do, they seem to prefer to do it from a stage and safely behind the title of "expert." Case in point: the much-ballyhooed talk being given at the Aspen Ideas Festival, where a professor at Rochester Institute of Technology, Josephine Wolff, is making a case today for punishing people when they're not good at computer security.
For "Who Should Safeguard Our Data," Wolff seems to think the sheep need to be taught a lesson. Specifically, she's proposing to the elite thought leaders gathered at Aspen that the careless should be punished for getting hacked or for being in the vulnerability chain, even if unknowingly.
The underlying reason for swapping out the carrot for the stick is that, according to Wolff, the only way to get internet users to take things seriously is to make them pay. Specifically, to create "concrete penalties and consequences" for what she calls our "liability" and "complicity" in "participating in bots, falling for phishing attacks, failing to install security updates and other basics of computer hygiene."
She explains more in a little pre-Aspen piece called Should the Careless Be Punished for Getting Hacked? that was framed with the subhead, "A computer security expert grapples with how to better protect us from cyberattacks."
In a tone that's not at all reproachful, Wolff suggests that botnet and ransomware victims, or those who click "links and attachments in those phishing emails and carelessly surrender their login credentials or the contents of their hard drives" might be well-meaning. Yet these witless yet earnest idiots, I mean, us, "play an enormous and devastating role in many (perhaps most) of the major cybersecurity incidents that occur today."
Like, maybe instead of presenting Aspen attendees like Secretary of State John Kerry, Vice President Joe Biden and Mitt Romney with bad ideas for computer security policy, we could instead present the powerful upper crusts with innovations around teaching basic security practices to the greater public. Or we could talk about influencing enterprise decision-makers to allocate big budgets into security-savvy employee training.
Better yet, we could press the bigwigs at Aspen to push for digital privacy and security lessons in public schools. Because maybe, just maybe, it might be the jobs of computer security "experts" to make users smarter and safer, and places of heavy influence like Aspen might be a place for crazy ideas such as this. Rather than more of the smarter-than-you, smug and dangerously reductive mentality that's alienating hackers and infosec from the very people they're supposed to be helping in the first place.
Unless it's easier to adopt an us-vs.-them mentality, and then throwing a user screwed by unknowingly becoming part of a botnet in jail becomes a pretty attractive way of waging someone's perverse infosec class war. Wolff was clear to make a distinction between those who are targeted by "sophisticated" attackers, and everyone else whose mistakes earn her description of "stupid." Because enforcement is challenging, she extrapolates, in her apparent class system of hacking victim crime and punishment. She's not helping diminish the growing perception of hackers, computer security "experts" and infosec academics as smug jerks.
Don't worry. Professor Wolff finds this all as distasteful as we do. "All of these are questions worthy of greater discussion and debate –– as unpalatable as it may seem, at first glance, to contemplate the possibility of individual liability for unintentional complicity in computer crimes."
Knowing the infosec "expert" juggernaut and how it rolls along, I'm sure there will be a good number of people who agree with the professor. There are definitely a lot of hackers and infosec personalities who might think punishment would be better than doing the work of figuring out how to actually help people who don't know the first thing about security. I mean, when someone's calling you an expert and giving you a sliver of fame or notoriety, it's far easier to fall into lockstep with Wolff as she characterizes commoners, I mean users, as liable for being complicit with their "poor computer hygiene" and "stupid mistakes."
Maybe I'm being harsh. But let's not forget that for every Wolff, there's a Facebook CEO, a Google CEO and a Spotify CEO who made "stupid" mistakes and practiced "poor computer hygiene" by reusing passwords, and got hacked. One has to wonder where these rich and powerful men would end up in Wolff's world, though I doubt it would be the same as everyone else.
And that's the problem here, isn't it? Everyone's getting hacked, and everyone's security is critical. So it's more urgent than ever to fight bullshit like Wolff's, because our security is just as important -- and is equally vulnerable -- as that of the richest and most powerful people in the world.
And you shouldn't be punished for not being a security professional, especially by so-called experts who talk about pastoral responsibility while completely missing the point about who they're supposed to be protecting.