News | Security finally has the awareness it needed. Now what?

Mohamed Hakim
News

The first week of October's Cybersecurity Awareness Month kicked off with a bang.

But it wasn't so much because the campaign itself succeeded at generating awareness about digital threats. Just three days into the month, former Equifax CEO Rick Smith testified to Congress about how the credit-monitoring company lost sensitive data on 145.5 million Americans, and Yahoo said that the infamous hack of its website actually compromised 3 billion accounts, not 1 billion.
Experts like Michael Kaiser and Phil Reitinger have dedicated their careers to warning the world about online threats from bad security. The National Cyber Security Alliance, where Kaiser serves as executive director, helped create the awareness campaign in 2004, but nothing has been more effective than the hacks of 2017 at making security a household word.
After being largely ignored for years, cybersecurity has shouted and shoved its way into the national conversation, thanks to significant attacks that affected personal finances, home devices and the political scene. Researchers saw the writing on the wall for years but often had a difficult time getting the public to listen to their warnings.
"It was my job to be responsible for things like raising awareness of cybersecurity risk," said Reitinger, CEO of the Global Cyber Alliance and a former cybersecurity director at the Department of Homeland Security. "And I have abjectly failed over the last 20 years, as has everyone else in the industry."
Talking about security can be complicated, and conversations are usually reactive, not proactive. You might have heard about the Apache Struts vulnerability only after Equifax failed to update a patch, or about the EternalBlue exploit only after the WannaCry attack locked up more than 200,000 computers worldwide.
Even now those names may leave you scratching your head.
It's a problem in other areas, too: We regularly hear about wildfires, but we don't talk much about fire prevention. And wow, were there some security infernos in 2017. At least once a month came revelations of a major hack, breach or security flaw. Here's a list of all the heavy hitters (we compiled this in November but will update it for the end of the year):
Security experts now have a rare moment when there's awareness in spades. Here's how we arrived at this point.
Hitting home
Massive data breaches have happened before, striking businesses such as Target, Whole Foods and various hotel chains. But none has had the lasting effect of the Equifax breach.
The credit-monitoring company collected Social Security numbers, credit histories, addresses, names and birth dates on Americans as part of its business. Then in September, it acknowledged that an attack had exposed the data of 145.5 million people.
At least in the Target and Whole Foods hacks, the victims had decided to go to the store, and they could choose to cancel the credit card they used. With Equifax, it's a different story.
"They had no choice that companies are taking their personal information and monetizing it," Sen. Catherine Cortez Masto, a Democrat from Nevada, said during a Nov. 8 hearing on Equifax and Yahoo. "They get stuck for the rest of their lives dealing with the results of a breach."
With most cyberattacks, the attention fades away after the news cycle moves on. But Equifax victims will be grappling with the damages for a long time. The exposed data has much more potential for harm than stolen passwords and credit card numbers.
Numbers game
The National Cyber Security Alliance's Kaiser has been warning about ransomware since 1989. But it wasn't until this year that the malware had a breakout moment and people started listening.
The WannaCry attack spread using a stolen NSA hacking tool, jumping from computer to computer across hospitals, universities, phone companies, airports and elsewhere. Within a day, the malware was found on computers in 150 countries, particularly on outdated versions of Windows. It was a particularly nasty example of ransomware, which is malicious software that locks devices until victims pay up.
"To have this massive number in a very short period of time, those kinds of events wake people up to the fact that they could be victims," Kaiser said.
The scale of the attacks grabbed the public's attention. Yahoo gave the public 3 billion reasons to worry about security. The Equifax breach affected nearly half the US population.
"We've never seen impact on consumers bigger than this year," said Tyler Shields, vice president of strategy for security company Signal Science. "Pretty much everybody was affected. That's what brought security into the mainstream lexicon."

Now what?
Security advocates finally seem to have the public's attention, and the hope is that people -- including lawmakers -- will take their advice more seriously.
Over the last year, Congress has held hearings on major breaches, proposed bills to help shore up shoddy security for the internet of things, and investigated foreign hacking related to the 2016 presidential election. It's a good start, but security researchers hope the new awareness isn't just a phase.
"We've got [the public's] attention, and now we've really got to go out there and help them step up their game," Kevin Haley, a director of security response at Symantec. "It's going to have to be people like us providing simple solutions. We're not going to turn every person into a security expert."
The security industry has an opportunity, but it can't drag its feet. Shields noted that every breach has a "decay period of awareness," meaning that eventually people will forget about it. Still, he said, "the awareness that comes out of these breaches, if we do it right, is very valuable."
Doing it right means explaining security concepts in a way that's easy to understand -- and getting people to actually adopt safe practices. Remember, Equifax was completely aware of its security flaws, but it didn't fix them. That's the challenging part. Making it happen could come through legislation, but that would be enforceable only with organizations.
The change won't happen all at once in 2018, or even in the next five years, Reitinger said. He actually thinks things will get worse over the next year, but that eventually, by the next decade, life should be better.
"The situation has gotten worse and the level of awareness has clearly gotten up," he said. "But it's not yet where it needs to be."