Opinion, Berkeley Blogs

Guns and cyber security

By Steve Blank

The online world can be a dangerous place for the unprepared.  And it’s just going to get worse. It’s time to teach cyber security as integral part of the high school and college curriculum and to all corporate employees.

--

I grew up in New York City and for a few years heaven on earth for me was going to Boy Scout camp in the summer near the Delaware River.

But for me the best part was the rifle range. For a 12-year old kid from the city,  shooting target practice and skeet with a 22 rifle meant being entrusted by adults with something you knew was dangerous – because while they were beating gun safety into our brains every step of the way.

Boy Scout Handbook The camp had all the summer adventures a city kid could imagine: hiking, fishing, canoeing, etc.

From the minute we walked onto the shooting range to even before we got to touch a gun, we learned basic rules of handling weapons I still haven’t forgotten. You screwed up and you got yelled at, and if you did it again you got escorted out of the rifle range.

While target practice and skeet shooting were fun, safety was serious.

Over the years I would learn how to shoot an M-16 in basic training in the military, go through a basic combat course to go to Southeast Asia (when we acted like this was a lark, our instructor stopped our drill and said, “For your sake I hope the guys shooting at you were screwing around in their combat course.”  It got our attention.)

When I bought the ranch, herds of wild boar still roamed the fields. While we were putting in the miles of fencing to keep them out, I bought much heavier weapons to deal with a charging 400-pound boar and hired an instructor to teach me how to safely use them.  Each time gun safety was an integral part of training with new weapons .  For me, guns and gun safety became one and the same.

Hacking and cyber security

For consumers, online surfing, shopping, banking and entertaining ourselves have become an integral part of our lives. And with that has come identify theft, hacking, phishing, online scams, bullying, and predators online. As well as a loss of privacy.

boys scouts at rifle range But for businesses, the threats are even more real. Go ask RSA , Northrop, Lockheed, Google, Amazon and almost every other company with an online presence. Intellectual property stolen, customer data hacked, funds illegally transferred, goods stolen, can damage a company and put them out of business.

I think we’re missing something.

In the last 20 years 3 billion people have gained access to the web. Yet for most of them safety online remains a problem for other people. It pretty clear that for a company going online today is equivalent to playing with a loaded gun. The analogy of comparing the net with guns might seem stretched, but I think it’s an apt one. Guns have been around for hundreds of years, to provide food as well as wage war, but it wasn’t until the 20 th century that gun safety rules were codified and taught.

I think we need the equivalent of gun safety training for online access.

We now know the basic tools online hackers use. We know enough to harden sites to stop the simple hacks and to educate employees about basic social engineering and phishing attempts. It’s time to teach cyber security as integral part of the high school and/or college curriculum – not as an elective. Companies need to make cyber security education an integral part of their on-boarding process.

The Air Force Academy basic cybersecurity course is a good place to start (Stanford and other schools have a similar syllabi .) The class consists of basic networking and administration, network mapping, remote exploits, denial of service, web vulnerabilities, social engineering, password vulnerabilities, wireless network exploitation, persistence, digital media analysis, and cyber mission operations.

Lessons learned

  • The web is not a benign environment
  • Companies, high schools and colleges ought to make a basiccyber security course a requirement of getting online access.