Will cybersecurity safety ever equal air travel safety?
Aviation safety provides an aspirational model of a safety success story when you consider that over the past 50 years, even as total passenger miles have exploded, commercial airline fatalities have plummeted.
The commercial aviation industry has an admirable safety record, but can the lessons learned over the past decades in that industry be extended to improve the state of cybersecurity safety? When it comes to the ongoing discussion about issues related to cybersecurity safety, some of the most respected names in the business have been making an important case that we need to do much better.
The improvements in aviation safety are inarguably worth it: as the number of passengers carried annually has increased by an order of magnitude, the average number of fatal airline accidents has plummeted: flying is now anywhere from 100 to 1,000 times safer than driving, depending on the evaluation criteria used.
Former Facebook CISO Alex Stamos tweeted in October: “It would be great to move InfoSec norms closer to aviation safety, where close-calls are disclosed in a standard, centralized manner and discussed rationally by experts who extract lessons from the mistakes of others,” adding “we currently don’t live in that world.”
In the world we inhabit, cybersecurity safety seems to be modeled more on automotive safety than aviation safety, and that’s the problem.
The U.S. National Highway Traffic Safety Administration reported that 37,461 died in traffic accidents in 2016; the same year, the Aviation Safety Network reported that 258 people died in commercial airline accidents. Unlike drivers, pilots must undergo extensive and ongoing training, must perform extensive system checks on their aircraft before leaving the hangar, and are held accountable for any incident that occurs while the aircraft is under their control.
Clearly, cybersecurity safety has a long way to go, still. As Kevin Beaumont, the U.K.-based security researcher, pointed out in November: “Usually it’s us, the IT bods, being idiots for building a system so fragile one employee can bring down by clicking the ‘wrong’ link. Imagine if planes were built so the passenger could bring down a plane by pressing a button at their seat.”
Under the current model, cybersecurity safety depends on the expectation that billions of end users will be knowledgeable about cyber threats and how to defend against them as well as being aware of the need for antimalware software and patching and staying up to date on security practices and generally taking the initiative to maintain cybersecurity hygiene while also reporting any cyber incidents.
Put another way, every connected device is covered with buttons, any one of which, if pressed at the wrong moment, could “bring down” not just that device, but any number of other connected devices.
Cybersecurity safety is still up in the air, so to speak, for many reasons starting with a lack of sensible regulations and agencies to investigate, share and learn from failures. But disastrous cybersecurity safety failures aren’t seen as harming the whole industry. Consider what Mikko Hypponen, chief research officer at F-Secure, tweeted this week about one magnificent, ongoing failure of security: “I can’t believe that we are *still* fighting Office macro malware now, 20 years later.”
Airlines have a vested interest in keeping air travel safe because if passengers fear for their lives many of them will stop paying to fly. Even if they don’t particularly want to be regulated, those airlines will still accept government safety regulation because safer skies means less losses from crashed planes as well as more passengers willing to pay to ride on safer planes.
The tech sector needs to step up and accept responsibility for cybersecurity safety in the same way the aviation industry did for air travel safety, and that will only begin when vendors are held to higher standards; when vendors, enterprises and government agencies can agree to investigate cyber incidents and focus on cooperation in using that information to improve cybersecurity safety; and when consumers and all end-users can be confident that they can use their devices and the internet safely — and without being victim-blamed when things do, inevitably, go wrong.