A few days ago I moderated a panel at the ATARC sponsored Federal Cybersecurity Integration Summit. I discussed the panel here.
The topic for the panel was a look at The Future of Cybersecurity, what kinds of threats that we might encounter and what to do about it.
We had panelists with very different perspectives. One came from a career at NSA and two were professors, one focused on criminology and the other on cybersecurity.
One of the discussions that went on generated by a question from the audience was how much emphasis should be placed on improving the behavior of the people using technology since everyone now had access to so much. Some favored investing resources to make people more aware of security issues, in the same way we require driver’s education and taking some kind of test. Others emphasized the need to improve the capability of the systems themselves to be self-protective and possibly self-repairing (and probably a bunch of other self’s).
While the obvious response would be to say all of the above are important, that avoids the need to prioritize. As I have often pointed out trying to do everything everywhere generally means being successful at nothing anywhere.
Showing my at least notional thought on the issue, I posed a final question for the audience to ponder.
“Perhaps we need to change our focus when dealing with cyberhackers and cybercriminals. Right now we try to protect, to detect and to eradicate. It is possible we need to try and make such attacks irrelevant even when they are successful.”