Decades ago, the auto industry fought tooth and nail against adding safety equipment. Teaching drivers was the way to make the roads safer, it contended.
One can see a similar parallel with the debate over improving cybersecurity today. Last week, The Awareness and Outreach Task Force issued recommendations for raising cybersecurity awareness with proposals for everything from public service announcements to a teaching tour for C-level execs.
"Generally, many private enterprises, public entities and home users lack the resources to adequately manage cybersecurity risk," the task force said in its report. "Internet users must be made aware of the importance of sound cybersecurity practices and given more user-friendly tools to implement them."
The task force falls under the auspices of the National Cyber Security Partnership, a coalition of trade associations including the U.S. Chamber of Commerce and the Business Software Alliance. Some have said the recommendations perhaps frame security as a problem because users don't know enough, rather than as a consequence of insecure products.
There is nothing wrong with the recommendations per se, said Alan Paller, director of research at The SANS Institute. But the recommendations' thrust is "users are stupid," he said.
For Paller, user awareness is about 25% of the problem. The rest is finding ways to minimize security issues. Instead of recommending the government mandate security, he suggests the federal government can use its unique size as a technology purchaser to mandate software vendors sell products with recommended levels of security. "It's the only big thing the government can do," he said.
For example, Paller said computers should come with virtually everything turned off. The user would then be prompted to download patches when turning on services. He'd also like to see a secure way for people to download software updates they can trust.
Currently, many users are caught when they get a new system, which features an operating system that needs to be patched out of the box. "They get hit before they are able to download the necessary patches," Paller said.