February 04, 2010, 9:12 PM — Shoring up U.S. cyberdefense should include educational programs that motivate private citizens to fight cyber threats through safer Web practices, much as school children were taught in the 1950s to hide under their desks and cover their heads in case of nuclear attacks, researchers say.
While the goals of a cyber program are much different, the public education requirements are the same, according to political science professors at the University of Cincinnati writing in the Journal of Homeland Security and Emergency Management.
"The general population must be engaged as active security providers, not simply beneficiaries of security policy, because their practices often create the threats to which government responds," say Richard Harknett and James Stever of the school's political science department.
The problem stems from the fact that anyone can get Internet access without training in best practices, the researchers say in their article "The Cybersecurity Triad: Government, Private Sector Partners and the Engaged Cybersecurity Citizen". Without knowing the rudiments of PC security, their machines can fall under the control of botnets that then carry out the plans of criminals or rival nations, they say.
They cite the coordinated attack that overwhelmed U.S. and South Korean government sites last July as being the type of attack that individuals can unwittingly participate in by allowing their computers to be taken over by botnets, the authors say.The awareness they call for has to go beyond simply "if you do not protect yourselves bad things will happen to you" and create a sense that cyber security is a civic duty.
"Most users remain unaware that not only is their computer data vulnerable, but that their insecure access to cyberspace can be exploited by others turning them into unwitting agents of coordinated cyber threats [both criminal and disruptive attacks],"they say. "Cybersecurity must become a national civic responsibility."
Many people who use the Internet and have even read stories about cyber exploits often don't recognize these attacks as part of a larger, more menacing threat. "For example, hacking by teenage pranksters is treated as a nuisance, not as breaking and entering or as a serious security threat with appropriate punishment," they say.
Similar attacks directed against the U.S. electrical grid could have more concrete and dire consequences, they say.