In this Edition:
Change Edition

Cybersecurity Awareness Month...Now with Added Facts!

Photo: Shutterstock

Happy Cybersecurity Awareness Month!

The quickly and ever-evolving cybersecurity landscape poses questions and challenges in medicine, law, and our very democratic process that we all need to consider. But, even when you’ve been anxiously awaiting the arrival of October to celebrate, it can be hard to know where to begin with cybersecurity awareness. But the fact of the matter is that we need to begin with facts. And so, this Cybersecurity Awareness Month, we asked the experts for their top tips and favorite fun facts.

Emefa Addo Agawu

Program Associate, New America Cybersecurity Initiative

As much as 85 percent of the nation’s critical infrastructure is owned or operated by the private sector.

From physical to economic systems and services, much of the infrastructure upon which Americans rely every day and in emergencies is not directly owned the government. Coupled with concerns over malicious actors with growing capabilities to exploit vulnerabilities in critical infrastructure systems, this underscores the criticality of information-sharing and other public-private partnerships to effectively prevent and respond to cyber incidents.

Adrienne Allen

Cybersecurity Consultant, Slalom Consulting

91 percent of "the most vulnerable" board members still can’t interpret a cybersecurity report.

There is still a significant lack of awareness at the board level about information security. Board members are accountable for steering the direction of a company, but many don't know what questions to ask about the company's security or how to evaluate findings. Board members and executives are also some of the most attractive spear phishing targets, so their lack of awareness may also end up allowing an attacker into a company.

Laura Bate

Program Associate, New America Cybersecurity Initiative

Of the top 50 U.S. university computer science programs, only three require students to take a cybersecurity course to graduate.

The shortage of trained cybersecurity workers has been well-documented, but a recent study by security firm CloudPassage starkly demonstrates that, at least in the short term, the traditional educational pipeline alone cannot provide enough workers to fill the current need. 

Nicole Becher

Manager of Offensive Security/Forensics/Incident Response, CipherTechs, Inc.

Malware authors, cyber criminals, and malware-as-a-service groups are remarkably organized.

They have open-source communities, help-desks, feature requests, bonuses and even holiday parties for their employees.  It’s also expected and commonplace for malware organizations to have administrative portals and dashboards for their “customers" so they can customize and tailor malware to their needs.  

Regine Bonneau

Founder and CEO of R|B Advisory LLC

99.7 percent of U.S. employer firms are small businesses and employ roughly 130 million U.S. workers.

This speaks volumes  and cannot be ignored especially when we know the human factor poses the largest threat when it comes to tackling cybersecurity. There needs to be a cybersecurity insurance program in place to assist the small businesses who store the largest amount of data in securing their infrastructure in an effort to minimize risk.

Mark Hagerott

Chancellor, North Dakota University System

Experience  shows that with early exposure to advanced math and computer science in K-12 education, students will enjoy greater affinity for and success in cyber fields later in college. 

The states of Maryland, Alabama, and Georgia  are recognized leaders in cyber programs, and in Huntsville, Alabama they pay cyber educators like football coaches. Now their insights and lessons are helping the effort go national.

Trey Herr

Fellow, Belfer Center’s Cyber Security Project at Harvard Kennedy School

In 2015, 99.9 percent of exploited vulnerabilities were compromised more than a year after the CVE was originally published. 

It's not what we don't know that hurts us. Time and time again, as the 2015 Verizon Data Breach Investigations Report shows, it's what we fail to do with the information we already have. 

Robert Lee

Founder and CEO, Dragos, Inc

The number one attack vector into industrial control system sites is: “unknown.”

Each year the ICS-CERT, a primary authority on industrial control system (ICS) security,  has reported this same result. The implication is that even the experts cannot tell how industrial control systems are being attacked.The ICS/SCADA threat landscape is not well understood.

Tyler Moore

Assistant Professor, University of Tulsa

Despite the widespread perception that the risks from data breaches have rapidly grown in recent years, an examination of publicly-reported data breaches has found that neither the size nor frequency of occurrence has changed since 2005.

Rob Morgus

Policy Analyst, New America Cybersecurity Initiative

None of the big "cyber breaches" in the last 24 months used a zero-day -- all leveraged poor defense. 

This fact, stated by Deputy National Manager for National Security Systems Curt Dukes, suggest that the importance of zero-days is (still) overblown. They still provide some utility to some attackers focusing on some targets, undoubtedly. But what the DBIR and other reports suggest is that scenario is relatively rare.

Katie Moussouris

Founder and CEO, Luta Security

In 2015, only six percent of the Forbes 2000 companies had a published communication channel to receive vulnerability reports from the public.

When we create safe incentives to encourage helpful hackers to report vulnerabilities, we create a digital neighborhood watch. Unfortunately, the current legal framework under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act can be used to silence or even criminalize these security researchers. For our collective safety as internet connected devices proliferate in our world, prosecute crime, not research.

Brian Nussbaum

Assistant Professor, University of Albany

80 percent of respondents to the 2016 National Association of State Chief Information Officers (NASCIO) annual survey say that inadequate funding is one of the major barriers to their jurisdiction addressing cybersecurity challenges.

Harvey Rishikof

Senior Counsel, Crowell & Moring’s Privacy & Cybersecurity and Government Contracts group in Washington, D.C.

The new European General Data Protection Regulation - (Regulation 2016/679) on the protection of natural persons with regard to the processing of personal data and on the free movements of such data will apply as of May 25, 2018.

This regulation includes among other things under Article 33 mandatory data breach notifications to supervisory authorities  "without undue delay" and where feasible, within 72 hours after awareness of breach; and under Article 34 to data subjects by controllers again "without undue delay" if breach is "likely to result in high risk ...." In short a, this implements new regime of obligation and notification.

Heather Roff

Senior Research Fellow, Department of Politics and International Relations, University of Oxford

Microsoft estimates that by 2025 there will be 4.7 billion internet users, with the greatest increase in internet users coming from emerging economies such as Cameroon, Pakistan, and Algeria, all of which will also have demographic youth bulges.

Machine Research also estimates that by 2025 the IoT connections will grow to 27 billion (we are at 6 billion now), and that these devices will generate over 2 zettabytes of data.  If all goes well, they estimate this market will generate 3 trillion USD.

Given that IT security specialists are already facing information overload, we will require more and  stronger forms of artificial intelligence, particularly machine learning, to make sense of the massive amounts of data flowing through our lives. This will require us to open up various portions of our lives—our ‘patterns of life’—to artificial agents tasked with protecting not just systems but us.   Thus if we are going to have greater security, we also need better AI.  Biased algorithms and faulty assumptions about human behavior will deepen insecurity and feelings of marginalization in the market place.  Its time to bring in the anthropologists, political scientists, sociologists and philosophers to work alongside the tech industry to ensure social as well as technical solutions to the problem of cybersecurity.

Paulo Shakarian

Assistant Professor, Arizona State University

According to Risk Based Security, There were over 14,000 software vulnerabilities disclosed in 2015 – which may partially explain why patching is so much more difficult in practice.

Peter Singer

Strategist and Senior Fellow, New America

This year, a botnet of some 145,000 cameras and DVRs was used to carry out an attack, while another involved as many as 1 million. The record-breaking attack was comprised on internet-connected devices designed without security in mind. The devices were exploited to form a network of machines with the capacity to bring down a notoriously well-protected website. If we don't start baking in security, the Internet of Things will instead become the Internet of Things that Watch and Hack You. 

Ian Wallace

Co-Director, New America Cybersecurity Initiative

In 2014, U.S. employers posted 49,493 jobs requiring a Certified Information Systems Security Professional (CISSP) certification, despite there only being 65,362 CISSP holders in the country in total (the vast majority of whom already have jobs).

This is from a report by Burning Glass's Cybersecurity Jobs Report 2015. The report not only shows a real and growing cybersecurity workforce challenge, but also that this issue is exacerbated by the fact that employers often require candidates with advanced credentials like CISSP. Such candidates are in short supply, in part because you need relevant work experience to be accredited, which implies a strong case for more apprenticeship and other, more imaginative, hiring approaches.

Dave Weinstein

Chief Technology Officer of New Jersey

75 percent of attacks spread from Victim 0 to Victim 1 in the first 24 hours, and over 40 percent of those spread within the first hour.  

Information sharing for cybersecurity purposes is only effective if it is automated to facilitate near-real time situational awareness. Machine to machine sharing is critical to mitigating the spread of attacks beyond the initial victim.


Josephine Wolff

Assistant Professor, Rochester Institute of Technology

In 2015,12 percent of people tested  of people tested click on a phishing email attachment (up from 11 percent in 2014) and the median time to the first click on the attachment is 3 minutes and 45 seconds from the time the email is sent.

Despite constant awareness-raising campaigns, we don't seem to be making progress in changing the level of suspicion with which people view their email.


Emefa Addo Agawu is a Program Associate in the Cybersecurity Initiative.

Laura Bate is a senior program associate with the Cybersecurity Initiative at New America.