The Cybersecurity Paradox

In “Our Neurotic
‘Privacy’ Paradox” by Jennifer Senior, which appeared in The New York Times of May
19, 2019, the reporter makes the following statement:

“Resignation [to the loss
of privacy] also explains the privacy paradox. It’s a perfectly rational
response to a situation in which human beings have very little agency.”

In the first place, if the
response is rational, how can there be a neurotic paradox?

Second, we have discussed
this privacy issue many times and asserted that privacy is considered to be a
right, whereas the implementation of cybersecurity measures is merely one way
in which to achieve privacy—another being physical security.

Nevertheless, many of the
attitudes that pervade Senior’s article apply just as well to cybersecurity as
they do to privacy.

The main difference is
that lawmakers and regulators, particularly in Europe, are able to come up with
enforceable privacy rules, yet have relatively little success in drafting and
enforcing laws and regulations about cybersecurity, other than broad
generalizations that are outdated and ineffective. Why is this?

We have compared the problem
of resolving cybersecurity risk to that of reversing climate change. When
really intractable issues arise, we humans seem unable, or unwilling, to
address them until it is far too late, at which point it is exorbitantly
expensive and relatively ineffective. Often, the damage has already been done,
and catching up only brings us to the level that prevailed when the events
occurred, not to the current standard, much less a future one.

As a result, we pin our
hopes on new technologies—primarily artificial intelligence and machine
learning—but these methods are also backward-looking and are very unlikely to
protect against new, improved attacks.

Whether this behavior is
due to lack of concern, a feeling of being overwhelmed, a reluctance to
dedicate the funds, or an unwillingness to give up convenience remains
unclear. Perhaps it is a combination of all of them, although in what
proportion seems impossible to determine.

We see this when there
are wars. The inability to agree upon a common approach leads to discord and
potentially to a conflict that neither side can afford. In everyday life, neglect
leads to disasters and catastrophes that are orders of magnitude more expensive
than the cost to correct the problem in the first place.

Perhaps this is just the
human condition. We live in hope that the problem will go away, that nothing
bad will happen, or that silver-bullet technologies will solve the problem. The
latter happens quite often, which only reinforces procrastination. In some cases,
having waited for some resolution pays off with a new discovery or a change in
regime or some other means of solving the problem. But not always—and not by a
long shot.

Nature has a way of
finding a new equilibrium, but one which may or may not be in the interests of humankind.
And sometimes the unpredictable falls in our favor, relatively speaking, as with
nuclear bombs which, it was feared, might have started a chain reaction in the
atmosphere that would have destroyed Earth as we know it and made it
uninhabitable for human beings. Or it can go the other way.

So, if we have opted for
waiting to be saved from the impact of cybersecurity risks by some magical new
technology, we might be lucky—or there again, we might not.


*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2019/06/19/the-cybersecurity-paradox/