That the simple numerology of the year we're living in poses a threat says a lot about the current state of cybersecurity.
Plenty of people are cautioning that continuing the custom of abbreviating dates, and thus identifying 2020 as simply "20," provides an opportunity for fraudsters to alter dates.
There are a number of ways this could be a problem—for instance, a promissory note dated 4/13/20 could be changed to read 4/13/2019 and thus be interpreted as if another year's worth of debt is owed. Likewise, someone who found an un-cashed check dated 4/13/20 could add a "21" to the end of it and potentially cash it next year.
Whether this kind of scam is likely to occur or not is beside the point. The fact that it's even come up is what's important. It's a simple and powerful reminder that securing our information is no longer the job of security geeks with pocket protectors working in a room filled with server racks. It's become a universal theme of life in the 21st century.
For more evidence of this, look no further than the California Consumer Privacy Act that went into effect January 1, 2020. This legislation gives consumers in the state unprecedented rights to access, delete and restrict sharing of their personal data.
As I consider these two threads in the days leading up to the annual RSA Conference that convenes in San Francisco next week, I can't help but come to an unavoidable conclusion: The cybersecurity community still has lots of work to do.
Not only have we apparently created a world in which committing fraud can be as simple as writing a couple of numbers; the reality that we need legislation to provide people with assurances that their data is safe is a declaration that our institutions have dropped the ball.
In fact, considering the events that have swirled through the industry grinder at the past few RSA Conferences shows just how pervasive these themes have been:
- At the 2017 Conference, a lot of the discussion zeroed in on the FBI's efforts to get Apple® to provide backdoor access to iPhones seized from the shooters in a terrorist attack in San Bernardino, CA.
- In 2018, the security world was trying to grasp two unacceptable revelations: (1) That Russia may have successfully swayed our presidential election by hacking into the Democratic National Committee's computer system and leaking emails on Wikileaks, and (2) that Yahoo had disclosed the hacking of 1.5 billion user accounts.
- In 2019, the industry hand-wringing centered around two events: (1) the Facebook/Cambridge Analytica scandal in which Facebook users' data was harvested and used to sway voters, and (2) the devastating Equifax hack that exposed the financial data of nearly 150 million people.
Each of these cases highlights organizational failures: an inability to understand the threat that backdoor access is seen to be; an alarming lack of checks and balances in securing national elections; huge blind spots that have been allowed to fester at the intersection of politics and social media; and inexcusably ineffective data protection practices within some of our most prevalent institutions.
Nearly two months into 2020, we haven't had a large-scale security event galvanize the entire marketplace the way previous years' big stories did. History tells us this is an anomaly, and that the next big breach is a matter of when, not if.
But as the industry prepares for its biggest annual gathering, I want to point back to what I wrote before last year's Conference: Namely, that cybersecurity has become more about people than technology. A year later, that is more true than ever.
Maybe that was always the case, but there was a time when having locked-down network perimeters provided plenty of assurances. And make no mistake, the technological innovations that cybersecurity vendors are bringing to the marketplace are astounding feats of engineering, as anyone who attends this year's Innovation Sandbox event will no doubt be reminded.
We can spot intrusions, automate reactions and provide real-time alerts like nobody's business. We're marshalling advanced analytics, machine learning and facial recognition. We're orchestrating multi-cloud environments, engaging in digital forensics and sharing security intelligence more than ever.
But all the technology, sophisticated new processes and outside-the-box thinking we can throw at the problem will mean little without the human element. We need decision makers to really care about security rather than just appear to care; we need rank-and-file workers to fully grasp that they are the most important line of defense; and we need those who knowingly undermine these efforts to be held accountable.
Cybersecurity really is a human pursuit, a matter of behavior modification more than anything else. Next week, tens of thousands of humans will gather to consider this and all matters security-related, and with a little luck, we'll take another step toward working together in this very human way, supported by the amazing technologies and processes that great security minds come up with.
So, as you attend sessions, learn of amazing new innovations and hear stories that alternately inspire you and make your hair stand on end, remember this fundamental and unavoidable human truth: We're all in this together.