Steven Chabinsky, former Deputy Assistant Director of Cyber for the FBI, says that we rely too much on user awareness and need to do a "180" from our current approach. In a recent interview on the ISMG Bank Info Security Podcast, he argues that we can't continue to rely on end users for security. Chabinsky was quoted as saying: "we have to stop thinking that cybersecurity is a problem that users can fix".
Chabinsky says that to solve this problem, the burden of cybersecurity must be moved as far away from the end user as possible. He describes this as a "180-degree shift from what we are doing now". Chabinsky suggests this approach in opposition to "having every user of critical infrastructure practice good cyber hygiene or by the adoption of the NIST cybersecurity framework."
He urges us all to adopt higher level international solutions such as:
- Greater threat deterrence
- Design of more secure products and protocols
- A safer internet ecosystem
Chabinsky goes on to use an analogy of the Flint water emergency. He points out that a federal, top-down approach was taken to repair the water infrastructure. In this case, it would have been absurd to expect every home and business in Flint to have their own response plan and invest in the monitoring and upgrade of their own systems.
The Solution Is Somewhere in the Middle
I agree with Chabinsky that relying only on end users is absurd. I also agree that new, high-level solutions will be needed to fight and win the cybersecurity battle. But I think there's a middle ground.
I feel the solution is a layered approach that includes strong user awareness with some of the changes that Chabinsky proposes. Moving cybersecurity as far from end users as possible is a recipe for disaster. Can we hope that a society unaware of the threats and controls will be secure if all the other pieces are in place? How locked-down would networks and systems have to be to completely eliminate user awareness?
User awareness is the front line of defense. It is critical to cybersecurity for the following reasons:
- Technical controls can and will fail
- New threats always change what users are exposed to
- A layered approach fills the gaps of other controls
- Social engineering means that the threat doesn't just come from a technical channel
- Awareness promotes a culture of security
When we train on cybersecurity user awareness, we often refer to a model of shared responsibility: we are all in this together. Other controls must be in place, but there aren't silver bullets. For that reason, user awareness is still a critical piece to cybersecurity and will be into the distant future.
To hear the interview in the ISMG podcast: