[ Background Sounds ]
>> I thought I'd pull out what
I thought were the core themes
that matter whatever level you're talking about.
So whether you're talking about the what can
we do on the global level to what can we do
on the business level to what can
I do at home, there's six themes
that matter, and the six themes are this.
The first is knowledge matters.
It's absolutely vital that we
demystify this realm if we ever want
to get anything effective done in securing it.
We have to move past the situation
where we view it for the IT crowd,
or as one White House official put it to me,
he described cybersecurity as
a quote domain for the nerds.
The Internet used to be a
domain only for the nerds.
Now we all depend on it.
The security of it is equally
not just for the nerds.
We have to move past the situation where the
president received a briefing on cyber issues,
and then reportedly asked for a repeat
it back quote this time in English.
That's not a knock on Obama.
That would happen at pretty much
every single major corporation,
university, think tank, you name it.
This leads to the second
key theme - people matter.
Cyber security's one of those wicked problem
areas because it has all sorts of complexities
and tradeoffs, but it's wicked
not because of the technical side.
It's because of the people part.
Now the people part makes it useful as a
writer because you can spice up a story.
You know, you can, everything from
the foundational role that porn played
in the history of the Internet to the time
that Pakistan accidentally kidnapped all
the world's cute cat videos for a day.
It actually did happen.
You can use stories like this, but the bigger
point is that if you want to set up a response,
again, at the global level to business,
agency, whatever level, you have to understand
that the people behind the
machines are inherently part
of every threat and every needed response.
Now to go into a little bit more depth because,
you know, we're at an institution of learning,
this also is how we need to reframe
one of the most critical areas
of this is: is cybersecurity
just a technical issue
or is it also a human capital
and human opportunity issue?
So think about it this way.
In 2008, the Department of Homeland Security
had just forty people working full time
on cybersecurity.
Since then, that number has
been multiplied by fifty.
And, of course, DHS is not stopping
saying, well, that's enough.
It'll continue to grow.
Take what happened at DHS, and that repeated
at pretty much every agency out there,
whether it's the Department of Defense,
the Health and Human Services to,
you know what I mentioned,
the New York State government.
To also playing out at companies, and, again,
companies that are technology companies
to companies that are car
manufacturers, you name it.
So when you see that play out,
you quickly realize hold it.
We've got an issue here.
We've got a people problem
that's also a policy problem.
Essentially, the cybersecurity
job market is growing
so fast it's outstripping available labor pools.
And it's not just a numbers game.
There are [inaudible] not just a quantity issue.
There's also a quality issue.
One survey of hiring managers found that they
were, only forty percent of them were satisfied
with the quality of the people that they
were recruiting and hiring in the space.
So, and, again, go back to
the broader point of the book.
Don't just think about this
as the people that work,
who either come out of the computer science
department or work in the IT department
because whatever department in the business
or the government agency you work in,
you will be leading, managing,
making decisions on cybersecurity.
To use Target as an illustration,
guarantee you, the public affairs people
at Target wish they had a playback here in
terms of un, better understanding cyber than,
it's not just what happened
in their own networks,
but how they talked about it after the fact.
So the point is you've got this gap.
Now, it's a classic bad news/good
news story, though.
It's incredibly what, how
do we deal with labor gaps?
We throw money at the problem.
So it is a great time to be someone with
the skills or someone coming out of a school
with the skills because the
salaries are good and growing.
In fact, one study found that cybersecurity
folks are making 37 percent more on average
than other people coming out of IT.
So set aside whether you're going to go
become, you know, a writer, a poet, a plumber.
Just within the IT field, you're more
likely to make more in this space,
but that good news story, it means
it's also good news for institutes
and programs interested in
having the capacity to train.
It's, of course, a bad news story for the
companies and agencies that are trying
to hire people because they're
bidding against themselves.
This is even more so for
government because that's a problem
of how do we often train someone up and then
we see them taken away and bidded back at us,
particularly within the military side.
It's also, you can think about this as a human
capital opportunity at the regional level.
So if this is a 120 billion dollar
industry, where are the people who work in it
and the businesses they work in it going to
be located, and you're seeing [inaudible]
in the state and local level everyone looking
at hold it, we could be a hub for this.
We want ours to be the cybersecurity version
of Silicon Valley or Detroit with automobiles,
etc. So there's a competition here.
That competition and how I just discussed
it leads to the third theme - incentives.
Throwing money at a problem is
basically trying to incentivize a solution.
And what I'm getting at here is
if you, beyond just the money,
if you want to understand why something
is or isn't happening in cybersecurity,
don't just look at the network design.
Look at the incentives in play.
Look at the payoffs, the
motivations, the relative costs,
the organizational culture,
the reward structures.
There is a reason why finance companies are
so much better at their own cybersecurity.
In that critical human value,
we teach our kids of sharing,
which is so important in cybersecurity.
Finance companies, there's a reason why they're
so much better than power companies are.
But, again, don't just focus on
the sexy scenarios we always hear
about the power might go out.
Actually, the health care industry has the
greatest number of reported intrusions.
As one cybersecurity expert put it quote
if our financial industry regarded cybersecurity
the way the health care sector does,
I would stuff all my cash in a mattress.
This role of incentives also
points to what government can
and should be doing in this space.
In some situations, there's a trusted
information provider, and in other situations,
changing market incentives, which is what
we also call standards and regulation,
which we've seen play out
in so many other fields,
but we're behind the curve in this field.
Fourth, history matters.
There's a history to how we got here with the
Internet, and it's important to understand that,
but it's also important to learn
from history outside the Internet.
So, for example, if you're worried about
a realm of commerce and communication,
and you're particularly worried about
this mix of criminal actors, state actors,
and then this fuzzy thing in the middle
of state-linked, maybe criminal actors.
Well, learn from the age of sail, and how
they dealt with pirates and privateers,
which there's a lot of parallel, privateers
to what we're dealing with
cyber militias and the like.
Or if you want to understand
what government should be doing,
then why not look at the most
successful government agencies in history
and say how do I learn from them.
In particular, the story of this,
that we explain in the book is the
Centers for Disease Control, the CDC.
If you don't know the story, it's a great one.
The CDC starts with a couple scientists
taking a ten-dollar collection,
and this organization goes on to stop
malaria inside the United States,
smallpox on a global level.
It also serves as a crucial back channel
to the Soviets during the Cold War.
All these great things.
So let's learn from that.
This leads to the fifth and the
last point that I'll make here.
Ben Franklin had a saying quote an ounce
of prevention is worth a pound of cure.
The CDC did studies and found 200 years after
Ben Franklin said that he really was right.
That if you wanted to succeed in public health,
prevention is so much more
important than just the cure.
Ben Franklin was also right in cybersecurity.
While we want to overcomplexify this,
the reality is that very basic steps
of cyber hygiene would go
an incredibly long way.
One study found that they would stop
up to 94 percent of all cyber attacks.
Now, when people hear that,
sometimes they go [inaudible].
I'm really special.
Well, one, statistically, we can't
all be in the six percent; two,
if you speak to your IT department, they would
say if I didn't have to spend so much time
on the low-level stuff, I could focus
in on the high-end stuff; and, three,
if you study pretty much every major successful
advanced threat campaign, they typically get
in through low-level means that
basic cyber hygiene would stop.
In fact, the most important example
of this is actually the most important foreign
government penetration of US military networks,
and it happened when a foreign spy agency did a
candy drop, which is a lot like what it sounds.
They drop not candy but a
shiny object in the dirt
of a parking lot outside a US military base.
A soldier walking by saw that shiny
object, was curious, picked it up,
it was a memory stick, and
then he grew more curious.
Well, I wonder what's on this thing.
And he physically walked
it inside the military base
and plugged it into his classified computer.
That was the most successful foreign
government penetration of US military network.
As I joke, that's not just cyber hygiene.
That's basic hygiene.
That's the five-second rule, but the point
here is this prevention and thinking about it
as a hygiene matter also allows
us to come at it in a broader way.
I teach my kids cover your mouth when
you cough not because it protects them.
Think about it for a minute.
There's no value to protecting yourself
when you cover your mouth when you cough,
but it's because we'll never get at this
issue unless we all have this collective ethic
of bearing responsibility for everyone
that you connect with across the day,
whether you're talking about
coughing or your cyber hygiene.
And so to bring the story full
circle, at the beginning of the talk,
I explained how I was seven years
old when I first saw a computer.
It was actually a Commodore.
Now the idea that this machine would one day
steal people's money, steal people's identity,
be a weapon of mass disruption, I
would have begged my dad not to turn
on that dangerous device, but today,
we completely accept that because
of all the incredible what back then
were super powers it's given us.
Back then, the idea that you could instantly
know the answer to any question, that was,
you know, Professor X from the X-Men.
Now it's Google.
And so the point here is that the same
as it was back then I hope is
how it will be in the future.
We have to accept and manage the risks of this
world because of all the wonderful things
that we can achieve in it, and
that, to steal a line from the title
of the book, is what everyone needs to know.
Thanks.
