Bloomberg Businessweek sat down a couple months ago with five security experts including Robert Rodriguez, chairman of the Security Innovation Network and senior adviser to the Chertoff Group. The five were asked questions like "Is it important to determine who’s responsible for security? Is it the seller of the computer, the way that a seller of an automobile is responsible for a level of safety? What’s the alternative?"
An answer from Rodriguez, which built on an answer from Brvenik, recently was brought to my attention.
[SourceFire VP] Brvenik: We can make it harder, we can make it more expensive for the adversary, but they still have entry points. In order to truly solve this problem, we have to educate everybody from the start. Elementary schools should be teaching children before they’re ever online about the risks of it, and safe behaviors and how to identify bad things.
Rodriguez: I totally agree with you. Education, increasing awareness, and starting with a national ad campaign, almost like Nancy Reagan did with “Just Say No to Drugs.” It sounded silly to people in the beginning, but it was highly impactful.
While I am all for user education, I can hardly believe someone would cite Nancy Reagan's program as "highly impactful." I assume he means that in a positive way. I've always considered Reagan's slogan a complete and abject failure due to the emphasis on an inflexible and unthinking response to a complex problem. We might as well tell people to just say no to anything "cyber" because it can cause harm.
Perhaps Michael Hecht, a Penn State professor of crime, law, and justice, put it best:
Critiqued by some for reducing a complex issue to a catch phrase, Reagan's campaign is generally considered to have been unsuccessful, and the phrase "just say no" has become a pop-culture joke.
Hecht makes an interesting point about the slogans that work best and why:
…it is clear from a large body of research that students are more receptive when their peers are involved with delivering the message.
The nuance on these political issues is probably important. While I am for user education I am against a "Just Say No" program. Here's another example: while I am for passenger screening I am against the Chertoff Group lobbying to sell their millimeter wave scanner into airports. I guess I would have given Bloomberg's question a different response. I would agree with Brvenik and Rodriguez on user education but also would have disagreed with them. I would have emphasized don't blame the victim (different from Brvenik), don't be top-down and inflexible in reasoning (different from Rodriguez) and I would have said a reasonable level of liability should be put on manufacturers (more direct answer to the question).