BlackBerry Blog

Cybersecurity Island, the Unfortunate Reality Show

FEATURE / 11.26.19 / Pete Herzog

The show starts as billions of contestants are forced to grab all the cybersecurity products they can off a boat and get to shore. With just their wits and a default Windows install, it’s clear to them now that they are truly devoid of all the safety they’ve never actually had.

As they drag themselves out of the ocean and need to choose yet another unique password for a site they’ll visit just once, the host greets them:

“Welcome to Cybersecurity Island! You’re on your own here. Try not to die.”

Here on Cybersecurity Island they’re left to fend for themselves with the help of complex cybersecurity equipment they can’t figure out, in a hostile environment full of thieves, scammers, and freshly graduated, self-touted cybersecurity experts relying on answers from the cybersecurity community.

Who’s going to harm them first? Who’s going to harm them the most? Let’s watch and see!

Welcome to the (Cybersecurity) Jungle

Unfortunately, Cybersecurity Island is not a show. I mean, how cool would that be?! But it is real and it is billions of people left on their own to suffer through the difficulty of securing themselves online. So if you want to see it, just turn to your left and you’ll see yet another person struggling with cybersecurity. And the cybersecurity community is at fault.

“But how?!” you, cybersecurity industry cog, demand, as you feign indignation and innocence. “We are the cybersecurity community and we take care of each other! We take care of our friends! We take care of the people who are not friends but pay us! We try so hard to make them all safer!”

Do you? Let’s talk seriously for a moment. Do you?

You’re not going to really answer but that’s okay, I didn’t expect you to soul search for me just yet.

Just. Yet.

The first thing the cybersecurity community will tell you is that they hate the word cyber. Apparently, there’s one person somewhere who took all the names before (network security, information security, data security, computer security, etc.) and combined them overnight. Personally, I think it’s tidier now.

The next thing they’ll tell you is that they hate the people in it. But in the same breath they’ll tell you they love the community. Yes, it makes no sense. No, I’m not making this up.

So how do we go from “the cybersecurity community is a messed-up place” to billions of people having no real cybersecurity? It’s because when something is so messed up that it can’t take care of itself, full of in-fighting, paranoia, and ego, you get a community that can’t take care of others. It also can’t even really understand others. Or apparently, itself.

It does things like, “Here, pick a mixed-case passphrase with numbers and symbols, memorize it, and don’t re-use it anywhere,” to the user. When they complain they get, “Install a password manager app and figure out how to use it even though you probably don’t understand a word I’m saying.”

And then when the password manager’s website gets hacked and all their accounts are hijacked we tell them, “Well, you should have used 2FA despite us not telling you what it is because we can’t come up with a more user-friendly description and we want you to be even more dependent on your mobile phone.” And then when the user gives up and goes back to writing passwords on sticky notes again, the cybersecurity community starts patting each other on the back until they start fighting among each other again.

Okay, maybe that seems like a bit of an exaggeration for the sake of making an entertaining article but it’s totally not. If you want to see an actual exaggerated version of that, check out the cryptocurrency community. That’s all I’m going to say about that because they’ll skin a person alive who challenges them.

Are We Really Making Things Better?

Now some people feel it’s all getting better. And I tend to agree that there are some highlights. After all, there’s me. Did you just throw up in your mouth a little? Tends to happen.

Seriously though, there’s all sorts of cool ideas out there for cybersecurity products and lots of money to fund them. More and more companies are stepping up to make sure their users aren’t cybersecurity marooned. And that’s great for thousands of these users. Maybe even millions. Unfortunately, the problem is had by BILLIONS. So that’s a huge difference. To put it in perspective, a million seconds is about 11 days. A billion seconds is about 32 years. So helping millions still leaves billions unhelped. A community responsible for the safety of all people online shouldn’t leave such a huge number of them stranded and still high-five each other. Because cybersecurity, despite the great things happening in products, is still globally getting worse.

As an ex-NASA engineer with three graduate degrees in Mathematics from MIT which I cosplay, I always like to look at the numbers to answer such questions. So let’s put on our white lab coats and look at the numbers.

If you’re really doing your best at securing these people, the numbers should show it. Think about it: times you’re caught cheating on your spouse, bones broken from gambling debts, raccoons in your bedroom at night, and episodes of the Kardashians you’ve watched all seemingly prove success when the numbers go down. Well, it’s the same with cyber stuff. Cybercrime, cyberbullying, vulnerabilities, and breaches all being smaller numbers than the ones before them would seemingly prove success.

But what’s actually going down is security effectiveness.

According to the breach testing service provider Picus Security, effective utilization of security controls went from 40% in 2017, to 30% in 2018. And this isn’t due to cybersecurity getting more expensive, because the average number of security products in these organizations increased from four to five in the same time period. So basically resources for managing security controls went from 25% to 20% in the same time period. Effectiveness down. Resources to manage effectiveness down. What’s scary is that this isn’t some interview statistic either, it’s from a company whose main service is verifying the overall effectiveness of live security controls on real companies and so is an actual, real-world tested metric.

If you have doubts, go look up the rest of the numbers yourself, because everything I find on implementing security is worsening. Which is crazy, because the effectiveness of security products is actually going up. That’s like saying all these people marooned on the cybersecurity island are worse off even though we keep giving them better equipment. What that means is that they just don’t know what to do with it.

So Who You Gonna Call?

The truth is that cybersecurity is failing because the cybersecurity professionals are failing. The support system to help them is the cybersecurity community, which is obviously failing them. Which means the poor users are alone out there because despite all the awesome equipment there’s nobody who knows how to use it well enough to rescue them. Which means you should brace for imminent disaster.

I get it that that’s what every zealous-but-ignored scientist says at the beginning of an environmental action movie. I’m sure you can picture me in my lab coat right now, looking up over my laptop with my thick-framed prescription lenses slightly askew, removing them, and saying, “Oh no,” before calling the Pentagon. And I might, because it’s that kind of problem.

It’s kind of like how schools keep making kids buy laptops and expect them to have mobile phones to remotely collaborate in groups but the actual capability of these kids to know that a Google isn’t a browser and the Internet is not WiFi is at an all-time low. And if you think I’m expecting too much of them, watch how they can do ridiculously elaborate edits on an Instagram story yet not be able to add a static IP address to their laptop.

I’m sorry to say but the least realistic part of the Jurassic Park series is that teens are capable of doing anything at all to figure out how to work those mechanical doors and pods to stay alive. If it’s not a social app feature, they can’t do it. So they’re not getting off cybersecurity island on their own.

Look, I’m not throwing this in your face because I think it’s high time you had joy and satisfaction beaten from your life with a crowbar made of statistics. I’m not trying to rub in your face that your cybersecurity community sucks at cybersecurity and sucks at being a community. I do it because I love you. *Hug emoji*

And if you find yourself saying, "Well, it could be way worser," you need to shut up. Not because you're wrong, or stupid, or your grammar sucks but because positivity is infectious, and finding the silver lining in any of this is the bubonic plague of positivity, the same kind that encourages people to accept problems like homelessness, sleeplessness, and monogamy because “it’s worse elsewhere.”

And the only way you’ll get off this cybersecurity island alive is to acknowledge it’s pretty damn bad here and commit to doing something about it by starting with you.

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.