
Valid operator’s permit required

It seems as though each week brings a new horror story in which a computer caused immeasurable grief to an untold number of people. Every lost laptop, database hack or phishing attack brings a new chorus calling for government intervention. I agree that it is time for the government to act, but not by passing laws which define new crimes and levy harsher penalties.

I believe it is time for the government to save us from ourselves. Consider the following historical perspective. In the earliest days of the automobile, one did not need an operator's license to drive, but the pool of available drivers was limited by the physical demands of driving.

Then something happened. Cars became easier to operate. In time, the National Highway System was formulated, enabling previously unimagined speeds. All of these developments combined to provide the individual with a means of impacting – often catastrophically – those around them.

Fast forward 70 years. In the early days of computers – even personal computers – a certain degree of technical ability was required to operate one. In short, the pool of available computer users was limited by the technical demands of computing.

Here, too, something happened. Computers became easier to operate. They became more powerful. And they became cheaper, meaning there were more of them in businesses and in homes. As they continued their evolution, the internet came into being, enabling greater connectivity.

All of these developments combined to provide the individual with yet another method of impacting those around them. And as the headlines attest, the results often are catastrophic.

So perhaps once again it is time for the government to step in.

Doctors, accountants and hair stylists all are required to prove in some manner that they are competent enough to practice their trade. And yet anyone can buy a computer, hook it up to the internet, and hack or be hacked.

It may be that the time is ripe for the government to develop a standard: a minimum knowledge baseline that an individual must demonstrate they have acquired before being allowed to use a computer.

We could follow the student driver model, whereby someone interested in purchasing a PC must attend a class on best practices, such as how to deploy anti-virus, spot phishing emails, and surf safely. Included would be a sufficient amount of one-on-one time with the instructor, who can walk the student through known danger zones and point out the warning signs. Only after completing the course, and then passing a rigorous exam, would that person be allowed to buy and operate a computer.

The end result is that we all would be safer.

Will this happen? Of course not. Still, perhaps this idea could be used as a springboard to discussion about what we, as information security professionals, can do to help the larger user community.

Simply warning people about email scams and malicious code on websites is not working. For whatever reason, the user community believes they can do it themselves. Therefore, the critical question to ask is, what makes a task complex enough to spur someone to seek the assistance of a professional?

If we have a toothache, we don't attempt to diagnose and extract it ourselves. We go to a dentist. When dining out, we may ask the waiter to recommend a wine to accompany the meal. Or, we ask the clothier, “Which tie do you think goes with this shirt?”

So the question I would pose is, what can be done to make the average computer user seek us out in the same way? Let the dialogue begin.

Michael Seese is an assistant vice president in the corporate security services division of National City Corporation of Cleveland, Ohio. He can be reached at [email protected].
