Why Can’t People Take Cybersecurity Seriously - And Why Is It Imperative They Do?

October 21, 2024
Cybersecurity Awareness Month

By Stuart Itkin, SVP & CMO at NeoSystems

In late January 2023 a large balloon from China was detected in U.S. airspace over Alaska. It was first sighted by civilians over Montana in early February. It caught the attention of both the media and the public and sparked widespread concern about espionage as the balloon’s path traversed several military installations. The balloon, claimed by the Chinese to be a weather balloon, was considered by many to be a direct threat to national security. There was broad coverage of the incident by all U.S. news outlets; you couldn’t turn on the news without hearing about it. CNN, Fox News and The New York Times all ran prominent stories reporting on it. Members of the public called for the balloon to be shot down as soon as it was detected. The balloon was ultimately shot down by the U.S. Air Force, but not until it was over the Atlantic Ocean.

Throughout the incident, there was growing sentiment that our country needed to act decisively to deter any potential threats from China. Any!

Have there been any other potential threats from China? Cybersecurity experts and the Intelligence Community agree that China is one of the most active and persistent state actors involved in cyber-espionage against the United States. While the number of daily Chinese cyberattacks is not publicly disclosed, it is estimated that thousands of attacks occur every day targeting the United States government, critical infrastructure, and U.S. businesses. 

So, why was the media’s coverage of the weather balloon incident so intense? Why was the public’s response to the incident so strong? Yet we barely hear a word, or see a response, to any of the thousands of cyberattacks that occur every day and pose a real threat to our national security. Why aren’t companies, especially those within the Defense Industrial Base, heeding the Department of Defense’s requirements to implement and maintain the cybersecurity measures specified in NIST Special Publication 800-171 and DFARS 252.204-7012?

Could it be that we just don’t believe these potential cyber threats are real? There is undeniable evidence that they are. Take for example the Sea Dragon incident. In 2018, the Washington Post reported the “Sea Dragon incident,” the theft of 614 gigabytes of highly sensitive data from a defense contractor by Chinese government-backed hackers. The data stolen by the Chinese included tactical plans for submarine warfare, details of a supersonic anti-ship missile, and information on submarine sensors and signal processing used to detect enemy vessels. That information could be used to erode the U.S. Navy’s advantage in underwater combat and stealth operations and to exploit potential weaknesses in U.S. systems.

Beyond the Washington Post, the incident was reported by Reuters, CNN, NBC News, The Hill and defense- and cybersecurity-focused news outlets, but it never became a mainstream news story; its half-life was about a week. If you were to ask a hundred people today if they remembered the weather balloon incident, almost all, if not all, would say “yes.” If you were to ask the same people if they remembered the Sea Dragon incident, I doubt that you would see many, if any, hands. Why was there so much outrage expressed over a balloon floating across the country yet barely a concern about an incident that could have compromised the U.S. Navy submarine fleet and its ability to serve as a nuclear deterrent? Is it that we consider only those things we can see, touch, feel, or hold in our hands to be real? Picture the image of a weather balloon in your mind. What do you see? Describe it. Now picture 614 gigabytes of data . . .

We appreciate the value of something you can see, touch, feel or hold in your hands. Something digital, not so much. When MultiMate version 1.0, an early software word processing program delivered on a floppy disk, was introduced in 1982 at a price of $500 (about $1,650 in 2024 dollars), the general reaction was “why should I pay $500 for a floppy disk?” even though that floppy disk, when used on an IBM PC, replaced a hardware Wang Word Processing System that cost over $30,000. The IBM PC at that time cost about $2,500. People couldn’t appreciate the value of the digital content on that floppy disk because they could not see or feel it. They didn’t have a problem, on the other hand, seeing the value of the hardware Wang word processor. 

So, if it’s difficult to understand, appreciate, or value something that can’t be seen, touched, felt, or held–something that for all intents and purposes is “invisible”, then why would someone be concerned about protecting it?

Manufacturers appreciate the value of their physical inventory. They don’t hesitate to purchase physical security measures such as fencing, access-controlled locks on doors, security cameras, and even security guards. They don’t hesitate to purchase smoke and fire detection and sprinkler systems. And they don’t hesitate to comply with governing regulations. Similarly, before record keeping transitioned from physical to mostly digital in the 1980s and 1990s, financial records, contracts, even personnel files were kept in locked, often fireproof filing cabinets in a locked room accessible only to the few who had the physical key to the door and the file cabinets. Those records could be seen, felt, touched, and held in one’s hand. Today, unless sent to a printer, or for only the short time they are displayed on a screen, they are invisible.

The biggest impediment to cybersecurity is that we lack the ability to understand the invisible or to appreciate its value (until it is too late, and it has been lost, stolen, or compromised). In general, people are not willing to make the same investment in protecting digital assets as they are in protecting physical assets, and they are not willing to adhere as strictly to the governing regulations for the protection of those assets.


Over many years of developing and selling cybersecurity products, I came to appreciate that my competition wasn’t a specific product or a specific company. I wasn’t competing against Tenable, Cisco, Fortinet, CrowdStrike or Proofpoint. Instead, I was competing against the cheapest, easiest alternative that allowed someone to check a box on a compliance form. “Do I have a solution for secure collaboration with suppliers?”  “Yes”, then box checked. “Does it work properly, am I even using it?” That was never the question.

Because we don’t appreciate the value of the invisible, and because we are motivated to check a box rather than to adequately protect intangible digital assets we don’t comprehend, the compliance mentality that exists so broadly becomes itself the impediment to cybersecurity. “Am I compliant?” That’s all that matters. “Am I secure?” That’s a different story.

When people think only about compliance, they neither appreciate the value of what they are protecting nor ask the question, “Is what I am doing actually providing adequate protection?” The requirement says a username and password are required for system access. A password with a minimum length of 4 characters could allow someone to check the box, but if they understood why the requirement exists and how a password prevents unauthorized access, they would realize that the bare minimum still leaves them vulnerable: a four-character password can be exhausted by an attacker in well under a second. They would insist on longer, stronger passwords together with multifactor authentication. But they will only do this if they are thinking about security, not compliance.
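To make the difference between the two mindsets concrete, here is an added example (not code from the original post or from NeoSystems) that evaluates the same credential against a “check the box” policy and a security-minded one. The policy thresholds, the common-password denylist and the attacker guess rate are constructed assumptions for illustration, not figures quoted from NIST SP 800-171 or DFARS; the brute-force model is deliberately simple and is an upper bound, which is exactly why the denylist check is also needed.

```python
import math
import string

# Constructed example policies. The thresholds are assumptions chosen to
# illustrate the two mindsets, not text from NIST SP 800-171 or DFARS.
CHECKBOX_POLICY = {"min_length": 4, "min_classes": 1, "deny_common": False, "require_mfa": False}
SECURITY_POLICY = {"min_length": 14, "min_classes": 3, "deny_common": True, "require_mfa": True}

# Constructed denylist standing in for a breached-/common-password feed.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}

# Alphabet sizes used by the brute-force model below.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Assumed attacker throughput (guesses per second) against a fast, unsalted hash.
# A slow hash (bcrypt, scrypt, Argon2) lowers this by orders of magnitude.
GUESSES_PER_SECOND = 1e10


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def search_space_bits(password):
    """Upper-bound brute-force search space, (sum of class sizes) ** length, in bits."""
    if not password:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return len(password) * math.log2(alphabet)


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case time for an attacker to try the entire search space."""
    return 2 ** search_space_bits(password) / rate


def evaluate(password, mfa_enrolled, policy):
    """Check a credential against a policy and report every reason it fails."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append(f"length {len(password)} < {policy['min_length']}")
    if len(char_classes(password)) < policy["min_classes"]:
        failures.append(f"fewer than {policy['min_classes']} character classes")
    if policy["deny_common"] and password.lower() in COMMON_PASSWORDS:
        failures.append("appears in common-password list")
    if policy["require_mfa"] and not mfa_enrolled:
        failures.append("MFA not enrolled")
    return {
        "compliant": not failures,
        "failures": failures,
        "bits": round(search_space_bits(password), 1),
        "brute_force_seconds": seconds_to_exhaust(password),
    }


if __name__ == "__main__":
    # Constructed sample credentials: a box-ticking 4-character password, a
    # "complex" password that is on every cracking wordlist, and a long passphrase.
    samples = [("ab12", False), ("P@ssw0rd", False), ("Correct-horse-battery-staple", True)]
    for pw, mfa in samples:
        for name, policy in [("checkbox", CHECKBOX_POLICY), ("security", SECURITY_POLICY)]:
            r = evaluate(pw, mfa, policy)
            print(f"{pw!r:32} {name:9} compliant={str(r['compliant']):5} "
                  f"bits={r['bits']:6} brute_force_s={r['brute_force_seconds']:.3g} {r['failures']}")
```

Run as-is: “ab12” passes the checkbox policy yet its whole search space (36^4 guesses) falls in well under a millisecond at the assumed rate, and “P@ssw0rd” scores respectably on the brute-force model but is rejected by the security policy because it sits on the common-password list. That second case is the point of the denylist: length and character classes describe resistance to exhaustive search, not to a dictionary attack.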

We only value our digital assets when it’s too late, generally after a breach. As Joni Mitchell sang in “Big Yellow Taxi,” “Don’t it always seem to go / That you don’t know what you’ve got ’til it’s gone / They paved paradise, put up a parking lot.”

The biggest challenge we face is not getting people to comply with cybersecurity regulations. It’s getting them to care about cybersecurity. It’s getting them to “value what you’ve got” before they pave paradise and put up that parking lot. Ultimately, we need to be asking the question “Am I secure?”, not “Am I compliant?”

Getting people to take cybersecurity seriously is imperative. There are invisible virtual weather balloons targeting our organizations every single day. As we recognize National Cybersecurity Awareness Month, I urge you to acknowledge those virtual weather balloons are there, and they pose a far greater threat to our national security and to our businesses than that physical balloon first seen over Montana ever did.

 

About Stuart Itkin

Stuart Itkin is the SVP and Chief Marketing Officer at NeoSystems, a Deltek partner. He focuses on driving the company’s market strategy for managed services, software, and consulting, particularly in compliance and cybersecurity. Prior to joining NeoSystems in 2023, he served as VP of CMMC and FedRAMP Assurance at Coalfire Federal, VP of Product Management and Marketing at Exostar, as well as Chief Marketing Officer at Kronos, now UKG, and at the Corporate Executive Board.