Chris Olson, CEO of The Media Trust, laments the complacency of today’s cyber industry and explains why the most vulnerable online—particularly minors—can easily become victims of digital crime.
Those of us in cybersecurity have a bitter pill to swallow: if our goal is to protect ordinary people from digital crime, it’s not working. Attacks are on the rise, and so are victims — but more important: the cyber industry doesn’t exist to solve these problems in the first place.
Many of us got into cyber because we wanted to make the world a safer place: we wanted to protect kids from a variety of shadowy dangers and online weirdos; shield senior citizens from con artists trying to steal their life savings; and even make sure the local carwash owner wasn’t a victim of ransomware. The Internet is a remarkable landscape for connection and commerce, but it’s also a playground for villains who relish hurting the defenseless.
But the truth is cybersecurity’s chief goal is to protect billion-dollar companies from liability for data breaches. As a bonus, we sometimes prevent the breaches, but that’s kind of a side benefit. We help governments protect state secrets from digital espionage, oh and occasionally we end up protecting average citizens too.
All these things are good: without them, modern society would fall apart in a week.
The problem is: it’s good enough for the cyber industry, but it’s not good enough to protect the kids. To change that, let’s talk less about cybersecurity and more about digital crime.
Complacency at Scale
Every year there are more data breaches, phishing attacks and ransomware incidents than the year before, and every year the amount of money lost to digital crime increases. With all the money funneled into cybersecurity, why don’t we see real improvement?
Because cybersecurity has a “good enough” problem: it’s hamstrung by several factors that lead to complacency, and a lack of concern for the real victims of digital crime. Here are just a few:
- Misaligned incentives. Cyber defenders are focused on providing security at scale to government agencies and corporations, where security itself is often a lower priority than proving due diligence in a court of law: if you can’t prevent a data breach, preventing a lawsuit is good enough.
- Lack of innovation. Those who have been in the cyber industry for a long time know the drill: attackers break through existing defenses; defenders sell repackaged solutions (AV, firewalls) with minor improvements; then we have conferences to discuss what went wrong; rinse and repeat. There are rarely any breakthroughs in tools or techniques because the status quo is good enough.
- Wrong mentality. In the cyber industry, individuals disappear behind abstract metrics. When cyber defenders are able to directly protect individuals – for instance, from data breaches – they will often accept collateral damage, because the gap between 99% and 100% is prohibitively expensive to close. In a word, 99% is good enough.
For big institutions – and hence for the cyber industry itself – a 1% failure rate is not a big deal. But when 1% equates to hundreds of thousands of victims or even more, it’s a very big deal for ordinary people. This becomes all the more clear when we stop talking about cybersecurity and start talking about digital crime.
Digital Crime? Nah—It’s Just Crime
The jargon and statistics surrounding cybersecurity insulate cyber professionals, legislators and law enforcement officers alike from the reality of digital crime. For them, it belongs in the same bucket as botnets and cryptojacking – esoteric nuisances of modern life which neither warrant the full force of the law, nor special considerations from private companies.
But at the end of the day, digital crime is just crime, and should be treated as such. Imagine the following scenarios:
- A high school student needs to put together a bunch of documents into a single PDF for a project. They see a digital ad for a “Free PDF compiler”—it’s an ad-supported browser extension that’s really a conduit for other bad actors to take over the device and infiltrate the family’s finances. That’s just theft.
- An elderly woman gets a tech support popup while browsing a major news site, calls the number, and ends up with her bank details stolen, along with most of her savings. That’s just theft.
- A small business owner gets ransomware which shuts down his business computers and point-of-sale devices. That’s just break-in and extortion.
- A cancer patient stumbles upon dangerous misinformation on a popular media site which causes them to buy risky supplements and forgo standard medical care. That’s just fraudulent misrepresentation, negligence, or worse.
In 2022, more than 800,000 people reported being the victim of an Internet crime. In a world where 800,000 people reported being the victim of a robbery, break-in or extortion attempt each year, state and local governments would surely take appropriate actions to protect their citizens. Meanwhile, organizations who were tied up in these crimes – even indirectly – would make tactical, daily efforts to prevent them.
Who Is Looking Out for Your Kids?
Explaining the failures of the cyber industry is one thing and fixing them is another – but fixing them just can’t wait. As we speak, online criminals specifically target vulnerable groups – including the elderly, children and the financially disadvantaged – to exploit their desperation or lack of digital literacy.
With the arrival of generative AI, digital actors will soon have access to tools that make their job much easier. The Internet is about to become a far more dangerous place for those who most need protection.
Unfortunately, nobody thinks it’s their problem: a state CIO says their job is to manage information technology systems, not protect citizens from malware or fraud. Local law enforcement might agree to take responsibility, and even provide a phone number – but often, they won’t know how to help anyone who calls it.
Cooperation on the New Frontier
In many ways, we are all living on the frontier of a brave new world. Just like settlers on the Old Frontier, sometimes we have to band together against the bandits, thieves and outlaws who operate just beyond the reach of the systems that should protect our friends and loved ones.
A great example is help from private institutions – universities, schools, assisted living homes and churches can provide data to help security researchers identify online criminals who target vulnerable groups, and block their access at the source. Until cyber organizations and governments catch up, protecting the vulnerable from digital crime is a team effort, and everyone should participate.