Have We Reached The Cybersecurity Saturation Point? You bet!

The modern world has adopted digital connectivity and willingly transitioned to a state of technology dependence faster and more thoroughly than ever before. The sheer volume of new product that passes for innovation these days has marketers struggling to come up for actionable phrases synonymous with ‘upgrade now because, well, it’s just better, okay!’.

With all that connected technology comes the opportunity for abuse and as it turns out, the evolution of modern language is ill-equipped to formulate sufficiently clear phrases to get across the message “hey, smart guy/gal, that cybercrime thing you’re contemplating? You will go to jail for it. Long time. No family. No Netflix.” Budding cybercriminals, now spurred by inconsequential barriers to entry, are taking advantage of cybercrime-as-a-service (CAAS) promises of financial independence and seductively anonymous, effortless profitability. If only.

“Will you be having some crumpets with your cybercriminal activity this morning sir?” — Creative Commons Attribution-ShareAli
“Will you be having some crumpets with your cybercriminal activity this morning sir?” — Creative Commons Attribution-ShareAli

Just as entrepreneurial criminals are desensitized to the vague threat of incarceration, public apathy about their activities is peaking, with each major data breach grabbing fewer headlines and at best topping the charts for about a day. Tops.

It could be said that any sufficiently advanced society has reached a functionally useful peak of technological sophistication that coincides with a certain cybersecurity saturation point.

When I’m asked to comment on a breaking issue on live national TV or radio, the request is almost always for an interview within the hour, lest it escape the public consciousness and be relegated to the pile of Past-Cybersecurity-Events-that-Were-Interesting-at-the-Time. Content providers struggle to make it all impactful, engaging and sexy.

For instance. I could tell you that 200 million devices running VxWorks have serious security vulnerabilities and you wouldn’t give it a second thought. I could even tell you that VxWorks powers some 2 billion devices around the world and it wouldn’t ring any bells.

But what if I upped my clickbait game and told you that some Mars rovers, SpaceX’s Dragon and a slew of IoT medical devices use the same technology? Still sounds like an unclear and vaguely distant threat that presents no risk worth worrying about. Besides, you’ll likely get notified if there’s been yet another breach impacting you and your data, so why worry? You can’t do much about it anyway beyond matter-of-factly completing the application for another year of free monitoring on offer, right? Fun fact, according to a RAND study, more than a quarter of US citizens receive such letters annually and almost two-thirds take advantage of the credit monitoring offer, if only to feel like they’ve done something. Those who don’t bother applying for the free coverage often cite the fact that it would unnecessarily supplement the monitoring they receive from yet another breach in which they had previously been victimized. It’s all become so blah.

But wait! If you don’t care about the Vx thing, or the Mars missions and all that other stuff, I bet I can still get you to come back after reading the next sentence and click on this link. It will occupy your mind, if only for a few moments, with some cybersecurity content.

Honda’s ASIMO doesn’t look a day older than he/she/it did 15 years ago. This early retirement thing is great for robots.
Honda’s ASIMO doesn’t look a day older than he/she/it did 15 years ago. This early retirement thing is great for robots.

To wit, those 200 million boring and uninteresting devices impacted in this story include one you care about — or did at some point in time — Honda’s beloved ASIMO robot — ostensibly trying to enjoy a comfortable retirement — is sadly also vulnerable to getting remotely hacked because it depends on VxWorks.

And that’s a robot tale that’s the closest thing to a human interest story.

Or it would be, if it were presented as part of the story about this major security lapse (you did go back and click on that link, didn’t you?). But it’s not, and so we’re doomed to read another quasi-technical article with incendiary overtones that doesn’t necessarily grab us any more than did any other from the past week.

Serious vulnerabilities deserve the public’s attention, if only because they raise awareness about predatory services and consumer products with surveillance capabilities, the potential for abuse and the impact on those close to them. But they must be presented in a way that’s not boring, intimidating or difficult to understand. The public is not apathetic — we are simply overwhelmed by distractions, conflicting messages, false claims and very, very little disposable energy.

Is it time to bring back storytelling and take the time to compose an interesting presentation about dry, cybersecurity topics without using fear and negativity. If there’s a positive way to spin clickbait and make it engaging, educational and dare-I-say-it, entertaining, I’m willing to give it a shot. Watch this space — I’m putting together a team for a fall introduction of a cool new podcast format designed to keep audiences interested and informed without FUD.

Thanks for reading.

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, collected & edited by Claudiu Popa; author, educator, booknerd.