The Cyber Gap Series — Part 4

Cyber Nullius
May 7, 2021

Social Factor

Cultural History

While the influence of politics is perhaps the most overt factor, the path it has taken may reflect a broader social factor. Within the frame of time previously established (1970-present), we must understand how national culture, media, social psychology, and practicality created a social climate that would contribute to the creation of the gap. Historically, the citizens of the United States have maintained a healthy skepticism of big government and large corporations and their power. While this cultural attitude has had far-reaching influence on all forms of industry, one effect that is directly relevant to the cybersecurity industry concerns the previously mentioned national directive issued under President Reagan.

The 1984 National Security Decision Directive Number 145 (NSDD-145)[1], inspired by the movie WarGames, was one of the most notable steps taken by the federal government to improve the nation’s information security posture. During the drafting of NSDD-145, Don Latham, the directive’s author and Assistant Secretary of Defense[2], attempted to appoint the NSA as the sole agency responsible for carrying out the goals of NSDD-145[3]. As a former NSA employee himself, it is unsurprising that Latham felt the Agency was the only one qualified to perform both offensive and defensive telecommunications operations. However, the tendency towards skepticism arose in the form of Jack Brooks, a Democratic congressman from Texas and prominent civil liberties advocate, who led the creation and passing of a bill that revised NSDD-145 and denied the NSA such authority[4]. With the National Security Agency currently being one of the leading recruiters for entry-level cybersecurity personnel, one cannot help but wonder what NSA retention of authority over NSDD-145 would have meant for the cyber skills job market: whether a gap would still exist, and whether the centralization of authority over all computers would have been an equitable trade.

Current examples of cultural skepticism include the continued debate over the government’s right to bypass encryption protections that private companies offer their consumers, even in the name of law enforcement. With a notable portion of the current populace expressing zero faith in the government’s ability to protect their private information[5], it appears the debate over government access will continue to rage for the coming future. Paradoxically, the influence of culture plays an antagonistic role as well when discussing American skepticism. A Pew study determined that computer skills combined with culture influence the decision-making process when assessing the risks and benefits of taking computer security risks[6]. Perhaps unsurprisingly, the United States ranks low on uncertainty avoidance, theoretically caused by a greater level of self-perceived competency by individuals. This results in Americans typically sharing more information online as compared to other nations[7].

Media and Pop-Culture

Though cybersecurity is relatively young when compared to other industries, media coverage and portrayal have been present even in its adolescence, and not without impact either. Movies such as Tron and WarGames helped establish the lone hacker persona, with others such as The Matrix and Blackhat and television shows such as Mr. Robot further cementing pop-culture expectations of what hacking and cybercrime consist of[8]. Entire genres, such as “cyberpunk” and “techno dystopia”, have come to fruition to represent people’s innate fear of the future and technology, with Orwell’s classic novel 1984 being a prime example.[9]

The tendency to misrepresent cyberspace (a term that itself developed from cyberpunk science fiction) as a world of rampant crime pervades sources of news, both mainstream and alternative, that provide purportedly “objective” information. However, factual events in cyberspace and, by extension, cybersecurity are often either over- or underreported by the media. An oft-quoted line from the report to the United Kingdom’s House of Lords Science and Technology Select Committee describes the Internet as the “playground of criminals.” This line, as well as Symantec’s commonly cited “212,101 threats” statistic, paints the e-world as a dangerous place. The reality appears to fall short of that expectation, with minimal reports of victimization from individuals and even lower numbers of cybercrime cases being processed[10]. Granted, these indicators may arise from the infamous “unknown unknowns”, yet the misrepresentation by media is unmistakable.

Media portrayal of this sort has several negative effects on the general populace. These effects are most easily understood through the lens of social psychology. The use of over/under-reporting, characterization tropes, and depicting technology as a form of esoteric magic leads to a loss of social capital. By this, I refer to the psychology of fear and the stereotype threat[11]. Preying on people’s fear can be effective in motivating individuals to action; however, there is a low threshold for fatigue that, when the application of fear is overplayed, results in the targeted audience adopting an attitude of resigned indifference[12]. This is exacerbated by depicting the skills and tools needed to be a “hacker” as magic or requiring a genius intellect and knowledge of the esoteric. Such methods act as a form of gatekeeping that disconnects the general populace from understanding the core concepts of cyber-hygiene[13]. The stereotype threat is also at play when both fictional and nonfictional media rely on tropes to tell a story or inform the public. Continuously reinforcing such tropes may discourage the curious and disenfranchise those who consider themselves already a part of the cybersphere.

Practicality and Impact

The final social consideration should be the practical relevancy cybersecurity has had over time. As of 2019, American households host an average of eleven internet-connected devices, a far cry from only 8% of households owning a single computer in 1984. From a relevance standpoint, the necessity of cybersecurity simply did not apply to most Americans. Even as recently as 2016, only 90% of American households had a computer in their home for everyday use[14][15]. When combined with cultural tendencies and media portrayal, the public lacks a concise understanding of what constitutes an actual cyber threat that has direct relevance to them. This is further complicated by the optimism bias that an estimated eighty percent of people fall into, believing that even if a defined and relevant threat were presented to them, they themselves would not fall victim. The result of this is a lack of direct political pressure to act on improving cybersecurity, with far-reaching consequences.

[1] Federation of American Scientists. (n.d.). National Security Decision Directive Number 145: National Policy on Telecommunications and Automated Information Systems Security. Federation Of American Scientists — Science for a safer, more informed world. https://fas.org/irp/offdocs/nsdd145.htm

[2] Congress.gov. (1984, August 2). PN888 — Nomination of Donald C. Latham for Department of Defense, 98th Congress (1983–1984). Congress.gov | Library of Congress. https://www.congress.gov/nomination/98th-congress/888

[3] VanHooker, B. (2020, March 17). How the movie ‘WarGames’ inspired Reagan’s cybersecurity policies. MEL Magazine. https://melmagazine.com/en-us/story/wargames-ronald-reagan-cybersecurity

[4] VanHooker, B. (2020, March 17). How the movie ‘WarGames’ inspired Reagan’s cybersecurity policies. MEL Magazine. https://melmagazine.com/en-us/story/wargames-ronald-reagan-cybersecurity

[5] Pew Research Center. (2020, July 27). Americans and cybersecurity. Pew Research Center: Internet, Science & Tech. https://www.pewresearch.org/internet/2017/01/26/americans-and-cybersecurity/

[6] Halevi, Tzipora & Memon, Nasir & Lewis, James & Kumaraguru, Ponnurangam & Arora, Sumit & Dagar, Nikita & Aloul, Fadi & Chen, Jay. (2016). Cultural and Psychological Factors in Cyber-Security. 10.1145/3011141.3011165.

[7] Halevi, Tzipora & Memon, Nasir & Lewis, James & Kumaraguru, Ponnurangam & Arora, Sumit & Dagar, Nikita & Aloul, Fadi & Chen, Jay. (2016). Cultural and Psychological Factors in Cyber-Security. 10.1145/3011141.3011165.

[8] Malik, J. (2016, December 15). Five ways cybersecurity is nothing like the way Hollywood portrays it. CSO Online. https://www.csoonline.com/article/3151064/five-ways-cybersecurity-is-nothing-like-the-way-hollywood-portrays-it.html

[9] Wall, David. (2008). Cybercrime, Media and Insecurity: The Shaping of Public Perceptions of Cybercrime. International Review of Law, Computers and Technology. 22. 10.1080/13600860801924907

[10] Wall, David. (2008). Cybercrime, Media and Insecurity: The Shaping of Public Perceptions of Cybercrime. International Review of Law, Computers and Technology. 22. 10.1080/13600860801924907

[11] Baker, J. (2019, May 20). The human nature of cybersecurity. EDUCAUSE Review | EDUCAUSE. https://er.educause.edu/articles/2019/5/the-human-nature-of-cybersecurity

[12] Cyber, X. (2018, March 13). How can we change attitudes to cybersecurity and cybercrime? Medium. https://medium.com/secjuice/changing-attitudes-to-cybersecurity-and-cybercrime-1aef58cc9aa2

[13] Baker, J. (2019, May 20). The human nature of cybersecurity. EDUCAUSE Review | EDUCAUSE. https://er.educause.edu/articles/2019/5/the-human-nature-of-cybersecurity

[14] US Census Bureau. (2018, August 8). Computer and internet use in the United States: 2016. The United States Census Bureau. https://www.census.gov/library/publications/2018/acs/acs-39.html

[15] Pew Research Center. (2020, June 5). Demographics of internet and home broadband usage in the United States. Pew Research Center: Internet, Science & Tech. https://www.pewresearch.org/internet/fact-sheet/internet-broadband/
