Today, for want of a budget, the Federal government is shutting down. If the nation suffered a massive cyber attack today what would happen? If you think the government is going to defend you against a cyber attack or help you in the aftermath of a digital catastrophe – budget or no budget – think again. The government cannot save you, and you can no more count on timely assistance in the online world as you can in the physical one in the aftermath of a disaster. Help might come eventually, but your ability to fight off hostiles or weather a digital storm depends largely on what you can do for yourself.
The vast majority of the time, natural or man-made disasters are things that happen to someone else. People who live in disaster or storm prone areas know that at any given moment they may have to make due with what they have on hand, consequently they prepare to deal with the worst-case scenario for a reasonable amount of time. The reason you don’t see people in the mountain-west or north-east in FEMA trailers after massive snow or ice storms is a culture of resilience and self-reliance.
How does this translate into the digital world? Don’t efforts like the Comprehensive National Cybersecurity Initiative and all the attention foreign state-sponsored industrial espionage has gotten recently belay the idea that the government isn’t ready, willing and able to take action in the face of a digital crisis?
Federal agencies are no better at protecting themselves from digital attack than anyone else. The same tricks that lead to a breach at a bank work against a government employee. Despite spending tens of billions of tax dollars on cyber security we continue to hear about how successful attackers are and that attacks are growing and threatening our economy and way of life. The increasing amount of connectivity in industrial control systems puts us at even greater risk of a disaster because very few people know how to secure a power plant or oil refinery.
It’s not that the government does not want to make the Internet a safer and more secure; it is simply ill-equipped to do so. Industrial-age practices, bureaucracy, a sloth-like pace, its love affair with lobbyists, and its inability to retain senior leaders with security chops means “cyber” will always be the most talked-about also-ran issue in government. You know what issue has shut down the federal government this week? It isn’t “cyber.”
Protect you against threats? What leverage do we really have against a country like China? Cold War approaches won’t work. For one, you’re probably reading this on something made in China; your dad never owned a Soviet-made anything. We cannot implement “digital arms control” or a deterrence regime because there is no meaningful analog between nuclear weapons and digital ones. Trying to retrofit new problems into old constructs is how Cold Warriors maintain relevance; it’s just not terribly useful in the real world.
So what are we to do? Historically speaking, when the law could not keep up with human expansion into unknown territory, people were expected to defend themselves and uphold the rudiments of good social behavior. If someone threatened you on your remote homestead, you needed to be prepared to defend yourself until the Marshal arrived. This is not a call to vigilantism, nor that you should become some kind of iPrepper, but a reflection of the fact that the person most responsible for your safety and security online is you. As my former colleague Marc Sachs recently put it:
“If you’re worried about it, do something about it. Take security on yourselves, and don’t trust anybody else to do it.”
What do you or your business need to survive in the short- and long-term if you’re hacked? Invest time and money accordingly. If computer security is terra incognita then hire a guide to get you to where you want to go and teach you what you need to know to survive once you’re there. Unless you want to suffer through the digital equivalent of life in a FEMA trailer, you need to take some responsibility to improve your resilience and ensure your viability.