A Conservative Vision for Cybersecurity (Part III of IV)
By Austen D. Givens
In January of 2016 I provided a conservative vision for addressing cybersecurity challenges in the post-Obama era before the James Sherman Society at Utica College. That vision emphasized four key points. I will now discuss the third of these four points.
Point #3: Conservatives should emphasize that cybersecurity begins with individual awareness of cyber threats and individual acceptance of personal responsibility for cybersecurity.
PEBCAK and PICNIC are the acronyms that your friendly tech support person does not want you to learn. The former acronym refers to a computer problem that exists between the user’s chair and the user’s keyboard. In other words, the problem in question is due to user error, not computer error. The latter acronym means that the problem resides in the user’s chair, not in her computer. Again, the issue in question here is attributable to the human operating the computer, not the computer itself.
Both acronyms point toward a fundamental truth that IT professionals admit openly: the vast majority of computer problems can be traced back to human behaviors rather than technical flaws.
For conservatives to advance a vision of cybersecurity, it is important for them to incorporate the time-honored principle of taking responsibility for one’s actions—or, in some cases, inaction—in that vision.
Today prominent IT breaches continue to affect businesses and government agencies. But at the root of these breaches are human errors.
For example, in 2015 a breach of servers at the U.S. Office of Personnel Management led to the theft of more than 20 million federal employee records, including mine. China is believed to have been responsible for the theft. While this breach took technical sophistication to pull off, the underlying and far less discussed problem was OPM’s failure to assess the value of these personnel files in the first place, and to encrypt them accordingly. The breach was attributable to human oversights, not electronic issues.
A year earlier, banking giant J.P. Morgan Chase suffered a breach in which the accounts of over 70 million customers were compromised, leading to a theft of more than $100 million. That breach was traced back to a bank server that had not been updated properly, exposing the bank’s network to attack. Human negligence, not flawed computer code, made this breach possible.
Each case reminds us that individuals, as well as public and private organizations, must take ownership of their own cybersecurity measures. This means employing a healthy dose of skepticism when browsing the web, downloading apps, opening email attachments, and posting information online. This also means not relying on government assistance to be there in the event of a data breach or hardware failure.
The National Security Agency (NSA) and Federal Bureau of Investigation (FBI) have to date offered helpful advice and investigative resources to firms affected by cyber attacks on request. Yet in the context of a conservative vision for cybersecurity, this assistance should be understood as the exception, not the rule.
Whether the Trump administration will attempt to articulate a vision—any vision—for cybersecurity is uncertain. President Trump routinely blames others for his own mistakes. Taking responsibility for one’s actions is not part of the President’s worldview. A conservative vision for cybersecurity that places greater responsibility on the shoulders of individuals, rather than government agencies, will have to wait.
Austen D. Givens is Assistant Professor of Cybersecurity at Utica College.