Cybersecurity Needs Communication, Not Legislation, Says ISA Lecturer Andy Green
KENNESAW, Ga. (May 17, 2018) — For Information Security and Assurance Lecturer Andy Green, the State of Georgia’s recent high profile cybersecurity issues have created a teachable moment for his students and for the public at large.
The ransomware attack on the City of Atlanta, the ongoing concerns about information security at MARTA, and the state legislature’s attempts to criminalize non-malicious unauthorized computer access have all sparked tough conversations in Green’s classroom – and across the state – about how secure computer data can realistically be kept.
Green, who spent years overseeing network and data security as a private consultant, says that while these incidents illustrate the importance of strong data security, they also underscore the reality that data is never 100 percent secure.
“You’ve got to understand that with technology, security is not the destination,” he says. “Usability is. The question is how do we partner those two things in such a way that users understand the risks they are taking, are not surprised when something happens, and know how to protect themselves.”
One of Green’s goals as an educator is not just to teach his students to communicate potential data security issues to their clients, but to do so without being condescending or negatively affecting how clients use the affected software.
“Computer folks and security folks are not the best at public relations,” he says. “We can’t walk around saying the sky is falling every day. We’ve got to find a way to communicate our concerns with people in a way that shows we understand that they want to pay their water bill in the morning wearing their pajamas.”
Engaging with the Media
The recent news headlines surrounding Georgia’s cybersecurity challenges have given Green a platform to discuss rational, common sense data security practices with a wider audience. Throughout the last two years, Green has been featured in media outlets ranging from local television stations to national organizations like CNBC, Fox News, and Slate.com.
Green’s relationship with the media began in 2016 when 11Alive reporter Richard Belcher received an anonymous tip detailing shortcomings in MARTA’s data security program, including a lack of policies surrounding incident response and disaster recovery. Belcher reached out to Green, who explained how the shortcomings left MARTA vulnerable to attack.
Since then, Green has become a regular source for journalists looking to discuss cybersecurity issues in everyday language, which is how he helped break the Atlanta ransomware attack story earlier this year.
When a cyberattack crippled the computer systems of five City of Atlanta departments, 11Alive reporter Kaitlyn Ross contacted Green with a copy of a ransom note the city had received demanding $51,000 to return control. Green helped Ross identify the incident as a variant of the widespread SamSam ransomware attack carried out against businesses, governments, and healthcare organizations across the country.
With many in the media criticizing the City of Atlanta for spending an estimated $2.7 million to recover the lost data rather than paying the comparatively low-priced ransom, Green explained that the more expensive option could potentially save money down the road.
“If, as part of that $2.7 million, the city is not just recovering day-to-day operations, but also taking steps to improve their overall security posture, then is that good spend?” he asks. “I think that’s a completely different argument than if they are spending $2.7 million just to recover.”
Green took advantage of the media exposure surrounding the ransomware attack to educate the public on how to protect themselves from threats. Specifically, he advised people to follow three essential behaviors online:
- Use a password manager to generate and maintain unique passwords for each account.
- Set up two-factor authentication, also called 2FA, wherever possible. 2FA adds extra layers of security to user accounts. For example, an email provider using 2FA may require users to make account changes from a specific device – like their personal cell phone – even when entering the correct username and password.
- Always maintain a hardcopy backup of any critical data in addition to any cloud storage.
Senate Bill 315 Could Threaten Research
In addition to the MARTA issues and the Atlanta ransomware attack, Green has used Georgia Senate Bill 315 as a tool to teach his students and others about cybersecurity safety.
S.B. 315 was an attempt by the Georgia legislature to criminalize all unauthorized access of a computer system. Sponsored by State Senator Bruce Thompson and others, the bill was a direct response to vulnerabilities discovered in Kennesaw State University’s Center for Election Systems website by multiple cybersecurity researchers in 2017.
Under S.B. 315, the non-malicious network access conducted by the researchers – and by Green, who verified their findings – could be treated as an aggravated misdemeanor and punishable by a maximum one-year jail sentence and a $5,000 fine.
Like many cybersecurity experts, Green believed the bill would actually make computer systems less secure. By punishing anyone who accesses a system without permission regardless of intent, the bill would discourage legitimate research into system and network vulnerabilities.
“I agree that the act of compromising a system or network with malicious intent should be a crime,” Green says. “I don’t know anybody who disagrees with that. But what they want to do is give prosecutors discretionary authority and trust that they are able to discern who is a good guy and who is a bad guy. That way of thinking isn’t reflective of the world we live in today.”
Although Gov. Nathan Deal vetoed S.B. 315 in May, it is likely that the legislature will submit an amended version during the next legislative session.
Preparing Students for the Future
As the cybersecurity landscape continues to change, Green plans to keep encouraging his students and the public to think critically about data security. He recently co-organized the BSides Atlanta Information Security conference, where one of the goals was to develop strategies for bringing average people into the cybersecurity discussion.
Meanwhile, he has begun incorporating the recent cybersecurity headlines into his online class discussion forums, and organized a role-play for students in the University's Offensive Security club. The exercise placed his students in the role of City of Atlanta employees on the day of the ransomware attack. They had to develop an action plan for an evolving situation while still completing their required day-to-day tasks.
Green hopes that his efforts will lead the next generation of cybersecurity professionals to be better than the previous one at communicating that data security is a process, not a final destination. It is important to be prepared, but as long as people value usability in their software, there will always be others trying to exploit that.
“You are not going to prevent everything,” he says, “but you can lessen the likelihood that it will happen. There’s no such thing as 100 percent security, and that’s a tough equation for people to wrap their heads around.”