The idealistic role of technology has always been to make our lives easier, better, safer. The unintended consequence of such a "noble" vision, though, is that sometimes we as consumers just assume the technology industry is selling more products by serving this public interest. We disengage rather than ask more complicated, critical questions.
Additionally, we are taught to be cost-conscious in our consumption, so personal technology investments are often a race to the price bottom. Given the choice between paying more for a secure thermostat, or buying the cheapest one found online, many will select the economical option. When cost and user-facing features are the primary purchasing drivers, security will lose every time.
For motivated technology vendors, that's not such a bad thing — it means less scrutiny and accountability. But from a consumer perspective, it's incredibly detrimental.
More Eyes, More Accountability, More Progress
Good things almost always come when technology steps out of the shadows and elevates to a "mainstream" issue.
Look at smart assistants. When first introduced, consumers assumed these devices were purely helpful in nature, there to automate and streamline simple tasks through verbal commands. It wasn't until years later that people began to critique their "always-listening" features as a privacy overstep. This public backlash resulted in Amazon, Google, Apple, and other manufacturers offering more transparency about the information smart assistants collect. They also made it easier for users to prevent and delete voice recordings.
The "mainstream" effect is a powerful force for change. And it's time that happens in cybersecurity.
Cybersecurity Awareness Is Improving — but It's Not Enough
Most people only think about cybersecurity when they get a fraud alert from their bank, or when their employer's IT department tells them to change their password. Even then, unless end-users experience a consequential impact to their lives, they tend to deprioritize security over convenience. Companies and society overall have included intrusions and loss of privacy as a "cost of doing business."
Due to an abdication of personal responsibility ("I don't need to worry about security, that's what the tech teams are for!"), general fatigue (many have become numb to the steady drumbeat of breaches and attacks), and an overall lack of cyber education, everyday people don't actively think about cybersecurity.
And though awareness is improving — a recent Harris Poll found that a third of Americans believe defending against cyberattacks should be a top priority for the federal government this year — it's not enough. All too often, security suffers from a bystander effect where nearly everyone within an ecosystem assumes another party will address the problem. The other issue with a broad ecosystem is that pain is rarely felt by enough people to create a sense of shared, sustained urgency.
How We Can Collectively Make Cybersecurity "Mainstream"
Given how critical cybersecurity is — affecting our ability to fill our cars with gasoline or rely on the meat packing supply chain — no one can afford to duck responsibility. Improving cybersecurity is a collective effort. Here are three achievable steps the government, private sector, and the broader public can take to start moving the needle.
- States can pass stronger cybersecurity legislation: For example, California's Song-Beverly Consumer Warranty Act ("lemon law") contain a section that applies to electronics costing more than $100. The manufacturer must make replacement parts available even after a warranty period expires. Such a law can and should be expanded to require technology devices to have sufficient memory and data storage capacity to handle security updates, and the law should establish standards for when and how updates must be provided. Ideally and by default, updates should be applied with minimal consumer intervention. Unfortunately, at this time, measures like this will have to be a state-by-state effort, as an update to national laws like the Magnuson-Moss Warranty Act are unlikely.
- Private sector must set higher standards: Much as the private sector has adjusted to government requirements that electronic devices be planet-friendly, companies need to plan for a "security lifecycle" that extends beyond the 0, 90, or 365-day warranties typical of many consumer electronics. Forward-thinking companies should also look at establishing an industry association certification for devices that meet a published security standard.
- Companies need to proactively bring consumers into the conversation: Consumers must be brought deliberately into the fold. We've witnessed past success with consumers demanding products that are more recyclable, and less harmful to the environment. Businesses can help create a similar consumer security demand by developing an industry standard with a designated certification logo for products and packaging, as mentioned above.
Technology has — and will continue to be — a powerful force in our society. But for too long, we have let cybersecurity run in the background, expecting it to work. We can no longer afford that kind of apathy. Cybersecurity affects all of us, and it's time to make it the national, public-facing issue it deserves to be.