Will the Cybersecurity Literacy Act Make a Difference?

On this episode of The View With Vizard, Mike Vizard talks with CyberGRX CISO Dave Stapleton about the Cybersecurity Literacy Act, its promise and whether or not it will actually make a difference. The video is below, followed by a transcript of the conversation.

Michael Vizard: Hey, guys. Thanks for the throw. We’re here with Dave Stapleton, who is the CISO for CyberGRX. They are a maker of a platform that helps you manage third-party risks in your software that people are using. Dave, welcome to the show.

Dave Stapleton: Thank you very much, Michael. I’m happy to be here.

Michael Vizard: We’re going to talk about this American Cybersecurity Literacy Act. Is this a meaningful piece of legislation, or is it just grandstanding on the part of some politicians lately because we are seeing everybody learning how to say the word cybersecurity?

Dave Stapleton: I’ve got to say I certainly hope it is meaningful and that it’s not just some grandstanding. I think it’s something that’s probably overdue. As a country, and as a society, I guess you could say even on a global scale, we need to be better at recognizing cyber threats and learning how to address them. If a piece of legislation from the government can help us get there, I think I’m all for it. I certainly hope that it is meaningful and not just something to make it look like you’re taking action when you’re not really intending to do much.

Michael Vizard: What exactly does it call for? What is going to be the onus on the average citizen?

Dave Stapleton: I think what they’re planning to do, and there are not a lot of details out just yet, but what I’m hearing from the folks who are sponsoring this bill is that it is intended to create a platform for education for just your everyday citizen to better understand what type of information they have that is valuable and perhaps attractive to cyber threat actors, what type of techniques those threat actors might use to try to gain access to that information or the systems that store and process that information, and then what you can do to be kind of cyber-aware and identify those techniques when they’re being used against you, and how to respond to them. There are a lot of different ways that people might think of to do those things, but they might not always consider responding to law enforcement, or forwarding some of that information on to other entities.

I think it’s a combination of just basic cyber awareness, really understanding what are we talking about here, and why is this a big deal, and then educating our populace to be able to make the right responses when those things occur. The idea behind that, I think, is that, one, in the sort of private sector, if you will, that’s super important. There is a lot of highly valuable information that is being processed or transmitted by just your everyday, average private citizen, but those people also work for businesses, and some of those businesses are involved in things like critical infrastructure. I think if we can start with just all of our individual citizens and educate them, we can see, hopefully, a trickle-up effect, if you will, as we get into critical infrastructure, even in the government space where these people are actually spending a lot of their time working.

Michael Vizard: Have people now become the first line of defense, and does cybersecurity in organizations kind of understand the implications of that?

Dave Stapleton: Yeah, I think they always have been, to be honest with you. One thing I think we can always trust threat actors to do is try to find the path of least resistance. Most often, unfortunately, that is through humans. It’s us, as individuals. A threat actor can leverage kind of some of our human nature to find the path of least resistance to their ultimate target. For example, if I was some sort of a hacker or part of a criminal organization, and I wanted to gain access to a particularly sensitive information system or set of data, I could try to persistently identify some type of vulnerability, probably a zero-day vulnerability, and then work with my technical teams to create an exploit for that vulnerability, find a way to launch that appropriately, and do all that work.

Or, if possible, I could try to compromise a human who already has access to that data that I want. If I can disguise myself as that person and take on their identity, then I can metaphorically just walk right past the security guards and directly into the secure area that I want, and just bypass all the security safeguards. I think oftentimes the human element, the identity element creates the easiest pathway to what these threat actors are really trying to get to, rather than trying to come up with some highly technical scheme or hack to get at it.

Michael Vizard: Hypothetically speaking, I would posit that 5 to 10 percent of all the people that I personally know, and I do love them, but they’re just flat out stupid.

[Laughter]

Let’s just assume that the general populace is the same way, 5 to 10 percent of the people just are never going to get this, so can we really secure these environments if we’re counting on these people who we know are just not up to the task? What are we supposed to do?

Dave Stapleton: Sure. Yeah, I mean we don’t put all of our eggs in one basket. I mean, certainly, I think that humans are sometimes the weakest link in the chain, but they’re not the only link. There are other tools that cybersecurity professionals have to help us identify a threat that’s come through and maybe made it past our human capability to filter those things out. So often, you’ll hear about something like phishing. Phishing is a great way for a bad actor to try to gain credentials that they would use to spoof your identity and then access a particular system or area, so a human should be trained to identify the signs of phishing. Oftentimes, it comes with some sort of urgent matter. It’s something that we want to evoke panic in a person.

Going back to what I was saying earlier, where human nature is such that our flight or fight syndrome kind of kicks in, even if it’s not something that’s a physical threat. Sometimes it’s something like saying, “Your Amazon account has been compromised, and we need you to immediately log back in to prove your identity so that we can unlock your account and continue our investigation.” People see that and go, “Oh my god, my Amazon account,” so they just click the button, put in their username and password, hit Go and they get this screen that says, “Thank you so much for helping us out.” Well, they just gave their username and password to some sort of a hacker. We can leverage those things. We need people to understand that when they get those unsolicited, unexpected e-mails, that that should trigger something in their mind.

Before they just acquiesce and do whatever the e-mail is asking them to do, the first thing, “Wait a minute. This doesn’t seem right. This seems like this could be one of those phishing e-mails. Let me just go to Amazon.com and try to log in and see what happens that way, rather than interacting with this e-mail at all.” I think that’s part of the purpose of the ACLA, is to give people that kind of understanding and that capability. But, in those cases where we have maybe your 5 to 10 percent who are just not going to get it, I think I have some relatives who might be in that category based on some of the questions that they ask from time to time, we do have other tools in place to look for anomalous type activity associated with, let’s say, authorizations or access. “Is Michael typically logging into his Amazon account from a particular city in the United States?” and then, “I don’t know where he’s logging into that same account, but he’s in Russia now.” Those are things that we can do that don’t depend completely on an end-user to be the only piece of defense that we have.

Michael Vizard: What do you say to folks who are outside of IT and, if you talk to them today, they will tell you that they think it’s all broken. They have basically decided that the technology is failing them, and all these security issues have something to do with our inability to execute on the grand vision? Are we in danger of losing the faith of the populace that counts on the technology?

Dave Stapleton: I can see where they’re coming from. Certainly, if you’re paying any attention in the news, you don’t have to be a cybersecurity nerd like I am and pay attention to particular news sources. This is the stuff that’s coming in on all your major kind of news channels, front and center, “New cyber attack, likely Russia,” but those kinds of things, people are hearing it a lot, so I can understand why they might feel discouraged and feel like, “Hey, technology is failing me, or the people who are supposed to be in charge of this stuff are failing me.” I think it’s a little bit more nuanced and complicated than that, as many things are. There is kind of a trope that says that a bad actor only has to be right one time and the security teams have to be right 100 percent of the time. There are just millions of cyber attacks that are being launched every day around the world, and, yes, every once in a while, some are going to be successful.

That is a reality I think that we have to face, but I do have a lot of faith in security teams and technology organizations who have security as a priority as part of their mission, that they are doing the right things to identify and respond to these types of threats as much as is humanly possible. That being said, the reality is we’re just not going to catch them all, and sometimes things are going to get through, which, going back to this piece of legislation, I think it’s one of the primary areas where it can be so helpful, is because we’re not just relying on corporations to defend us from these types of attacks. We’re enabling and empowering our citizenry with the skills that they need to protect themselves.

Michael Vizard: All right. I think you just said keep calm and carry on and we’ll win this thing eventually.

Dave Stapleton: That’s right, but that would have been much shorter.

[Laughter]

Michael Vizard: Are the platforms going to get better? Are we going to see technologies that will help us win this battle ultimately? Is AI going to rescue us from ourselves?

Dave Stapleton: Well, AI is an interesting one because you’ve got to think that if the “good guys” want to use AI to better their defenses, then the bad guys probably are trying to use AI to make their attacks more effective. That’s potentially a double-edged sword, when we talk about AI. I think that, overall, the technology is getting better, we do have better defenses, so one of the things that’s becoming more popular, at least in the corporate space, is for authentication mechanisms. A lot of folks know about multi-factor authentication, or two-factor authentication at this point, where it’s more than just your username and your password that gets you access to whatever it is you’re trying to access. Usually, we’ll use something like an authentication app that has a one-time password code that just changes maybe every 15 or so seconds, and you have to also have that code.

It makes it difficult for someone to compromise your account if you have MFA enabled, and so we obviously want everyone to be using MFA whenever and wherever they can. But, even MFA is going to eventually start to show some cracks, and we are seeing a few of those types of things start to pop up now where there are certain types of vulnerabilities that might let someone squeeze in the middle of that MFA function, as well. One of the newer trends is something called FIDO2. This is passwordless authentication. It’s using biometrics that presumably your threat actor, who may be trying to access your account, has no access to you whatsoever, and cannot access your fingerprint or retinal scan or some of those types of things.

I think those are going to become more and more popular and more ubiquitous in commercial technology that individual users are using on their iPhones or Android phones; that type of thing is going to become more popular, and more individual applications, third-party applications, will have that as an option, if not start to make it the default action for things like authentication.

Michael Vizard: I feel like maybe we should just start over. If I look back in history, the core problem is the Internet kind of assumes that everybody on it is friendly, at least when it was originally designed, and now we’re talking about going to these zero-trust architectures, so how deep into the Internet can we get or should go to kind of make it more secure? Should we just kind of say we’re going to have a giant Internet mulligan and start over?

Dave Stapleton: There is something kind of compelling about that. I don’t know that I’ve heard anyone voice that idea with a sincere interest in tearing down the Internet and rebuilding it. I think that for our everyday citizens, unfortunately they’re in a situation where this thing is, I don’t know if it’s too big to fail, but it’s too big to just start over, and they don’t have a whole lot of control over some of the mechanisms and inner workings that make the Internet as a global sort of communications device work for us. That’s not something that most of us have an influence on. It really does just go back to do you understand what you personally have? Do you understand what threats to your personal assets there are, how to recognize those threats, and how to respond to them?

Yeah, the zero-trust phenomenon is one that I think we could have seen coming for quite some time after the Internet proved to be a place where amazing, great things could happen. But, there is also opportunity for a lot of exploitation, extortion, and some bad actors to take advantage of that situation, as well. I don’t think we’re going to get an Internet reboot, though. I’m not seeing Internet 4.0 or something on the horizon that’s going to find some way to segment that off. The problem is, again, going back to kind of identity-based attacks, how would we even accomplish that? How would we know who to let in and who not to let in? How do you know who the good guys are and who the bad guys are?

There are a million ways to obfuscate your kind of identity or your true intentions, and I don’t know that there is a way that’s been invented yet. Maybe this is an area where AI can help us out in the future, but I don’t know of a way currently that we can just prevent and have absolute faith or trust that we know for certain what a particular user or entity’s intentions are going to be, so I don’t think we’re going to scrap the Internet just yet and start over.

Michael Vizard: All right. Well, at least maybe we can look forward to that cybersecurity section of our civics test that will be coming our way one of these days, but we’ll see how it plays out. Dave, thanks for being on the show.

Dave Stapleton: Well, thank you so much. It was a pleasure to be here.

Michael Vizard: All right, guys, back to you in the studio.

[End of Audio]

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
