While preparing for a cybersecurity 101 community talk that I would give in the next month as part of a volunteer community outreach programme, I felt somewhat concerned about how far behind the layperson is in catching up with the digital world.
I never expecting doing cybersecurity half a decade ago. Then, I was an idealistic Physics major who wanted to go to graduate school, get a PhD and obtain tenure – the most secure job one could find (pun unintended). However, plans changed, resulting in me entering the cybersecurity domain sometime in mid-2016. At that time, all I knew about cybersecurity was pure hobbyist knowledge, such as a little-known hobby in trying to understand computer viruses. In those days, antivirus bulletins could neatly classify viruses as “polymorphic” and the main threats were destruction of master boot records, rendering the computer unavailable on reboot. Spyware was the “in-thing”, and “Sub7” was the face of Trojan horses.
Much has changed from the hobbyist days. The digital world as we know it today was not quite imaginable last decade. Similarly, I dare not predict how the digital world will transform itself the next decade. Cybersecurity challenges go hand-in-hand with the changes in the digital landscape. One notable example is in the proliferation of cyber-physical systems like self-driving vehicles. Moreover, the world of malware has also changed, from annoying DOS viruses that were rather amusing to ransomware or backdoors, none of which would amuse any victim that finds out about the threat.
One reason why I felt overwhelmed was the vast digital world that I think the layperson has little clue about. Some laypeople still shoot pictures of their boarding passes to show “proof” of overseas travel. Other laypeople have no idea about the sheer amount of information one could collect through open-source intelligence (OSINT), thanks to the web crawling and archival services on the Internet. Many people who buy smart devices have little idea about their inner workings, let alone realise the need to secure them.
Two and a half years into the cybersecurity domain does not make me an overnight expert. The diversity of systems is simply too great, and it is almost impossible to try to understand every single system imaginable. There are typical information technology (IT) systems, such as banking web applications, and operational technology (OT) systems, such as monitoring of a power plant. Increasingly, thanks to yet another transformation in the digital world (data analytics and sense-making), more projects revolve around IT-OT integration. Usually there will be an IT system that features data analytics and visualisation dashboards, with integration to multiple OT systems. The sheer diversity of the systems we have today is mind-boggling.
The complexity of today’s systems to a cybersecurity professional should not be under-estimated. As laypeople begin to rely far more on the digital world today than ever before, do they know how to navigate safely in the digital world and understand the risks of their activities? How much of a “101” do we need to teach the layperson? Moreover, unlike the physical world, where intuition typically helps us know what is safe and what is not, the digital world lacks such an intuitive response. One need not look further than acknowledging that digital money is spent with less control than physical money, even if both are of equivalent value. Such a concern is not new; it has reared its ugly head in social problems such as gambling addiction.
It is also clear that the digital world today is so intertwined to the physical world today that ramifications in the digital world will affect the physical world. Hence, there is no running away from “digital world literacy”, of which being cyber-safe is one of them. Then again, if someone from Physics could transition to doing cybersecurity in two and a half years with a decent level of competency, I think I should be more optimistic that fellow laypeople will, too, eventually understand what being cyber-safe entails. We have got to try harder to educate everyone to understanding some cybersecurity.
P.S. I will return to the “Building Vulnerable Machines” series in the next few posts.