By NICK ESPINOSA, Security Fanatics, South Barrington IL
"How we face death is at least as important as how we face life.”
As we entered this year, I could not help but recall those words from Star Trek II: The Wrath of Khan — one of my favorite movies. By all accounts, 2017 ended up being the year of the hacker in many ways. From Equifax to Uber, the SEC to the NSA, it seemed like every aspect of the human experience was affected by cybersecurity and privacy concerns.
To date, 2018 has been an even more prolific year for hacking. So, it’s time to establish a universal language and understanding of those foundational facts that govern our data-security lives. With that in mind, and without further ado, here are my five laws of cybersecurity. While there could easily be more, these five will forever be the immutable universal constants that govern this topic and our existence in relation to it.
LAW #1: If There Is A Vulnerability, It Will Be Exploited
As I mentioned in my first article for Forbes last year: “Consider for a moment that when the first bank was conceived and built, there was at least one person out there who wanted to rob it.” In the more modern era, since the first “bug” was found in a computer, we’ve been looking for ways to bypass the framework or laws that govern a computer program, a device or even our society. Consider that there are those in our society who will try and hack everything within their capability. This could be obvious with more basic exploits, like the person who figured out how to obstruct their car’s license plate to go through a tollbooth for free, or the more obscure, such as infecting a complex computer system to derail an illegal nuclear weapons program. Finding ways around everything for both good and bad purposes is so ubiquitous today that we even have a term for it: “Life Hacking.”
LAW #2: Everything Is Vulnerable In Some Way
We cannot assume that anything is off the table and completely safe anymore. State-sponsored hacking is an excellent example of this. Government intelligence has been astonishing over the years in gaining access to an opponent’s systems when they were thought to be secure. Publicly, we’ve seen a series massive data breaches over the years from corporations that spend millions annually on cyberdefense strategies.
From Target to Anthem Blue Cross, these are corporations that hold millions of records on virtually every person in the United States combined and fall under multiple government requirements and compliance laws for data security, yet here we are. Beyond obvious targets, we can also find more obscure examples that can affect us all on a global level. For decades, we have assumed our computers’ processors are essentially safe and harmless, doing the job they were designed for. At the beginning of 2018, it was revealed that for decades these workhorses have been carrying a massive vulnerability that could allow malicious hackers to wreak havoc on all of us. From minor to major vulnerabilities, Law #2 is inescapable.
LAW #3: Humans Trust Even When They Shouldn’t
Trust, quite frankly, sucks. Yes, it’s an essential part of the human experience. We trust our significant others, trust by virtue of faith in whatever religion we adhere to and also trust in the infrastructure around us. We have an expectation that the light switch will turn on the light or that the mechanic we pay to perform the oil change in our car will actually do it. We cannot have a functioning society without a sense of trust, and this is why it’s our greatest weakness in cybersecurity. People fall for phishing scams, assume that the anti-virus program they bought for $20 will turn their computer into Fort Knox (it won’t) or believe the form they’re filling out is legit (it sometimes isn’t).
It sounds weird to say we need to combat trust, but we do if we’re going to survive against the nonstop hacking that takes place.
LAW #4: With Innovation Comes Opportunity For Exploitation
The world is full of brilliant people. Bill Gates created a global computing platform to get humanity on the same page. Mark Zuckerberg created a social media platform used by billions globally. Alexander Graham Bell invented the telephone, which made the world a lot smaller. However, with each innovation and evolution in our technology comes certain exploits. We live in the age of IoT, and by virtue of this, our lives have, hopefully, been made better. One of the first big examples of this is the Ring doorbell. It made adding a video camera to your front doorbell easy and very easy to monitor through a mobile app. Life was good with the clearly innovative Ring device — until a security vulnerability was discovered. The company has since fixed that exploit, but as is always the case, we are waiting for the next vulnerability to be discovered. And naturally, it’s made even worse by Law #3.
LAW #5: When In Doubt, See LAW #1
This one isn’t a cop-out. Every single law written here comes down to the simple fact that no matter what the concerns or problems are with regard to cybersecurity, they all stem from a vulnerability of some kind. If we ever forget this, we are doing nothing but asking for trouble.
Our ability to properly defend ourselves comes from understanding that human nature makes these laws immutable. When we start thinking like a hacker is when we can actually stop them, so here’s to hacking the future together for our own security.
####################
The author is a CIO, keynote speaker, author & radio show host, and a member of the Forbes Technology Council. As chief security fanatic at the consulting firm Security Fanatics, based outside Chicago, he has spoken multiple times at Mechanical Contractors of America Association events.
This article first appeared in Forbes magazine. It is reprinted here and in our October print edition with the author’s permission.