Fascinating how this vulnerability grabbed headlines. Understandable, given that it is about the SSL connection for e-commerce, that it caught attention. Intriguing because it caused users to change passwords. It is notable that the net loss of personally identifiable information was, in fact, only fractional. Very few, if any, users are likely to have fraud committed as a result of this vulnerability. It hardly rates when compared to full-blown breaches that almost surely have each and every one of our social security numbers for sale on the black market.
Still, all the attention is worthwhile. It creates educational opportunities. Analysts can teach the public more about how technical security operates. Moreover, because the software was open-source, this incident sheds some light on what that means as people read about it.
That said, I am puzzled by how much attention this vulnerability has received. Not only is it in all the major and minor mainstream publications, but also my colleagues at various schools tell me that it has sucked the oxygen out of all their other work. All this brouhaha while an undeclared global cyber war, with direct consequences for higher education, goes unheeded?
Nowadays, it is easy for people to understand identity theft. People are concerned about their credit score. And there is still something magical about the internet … magical and scary, if for no other reason than most people are not sure how it works. And so something as relatively simple as a message to “change your passwords” ranks high in today’s media.
How do we get smarter? Higher education must take the lead. That message jumps out of the MIT Report on Aaron Swartz. It is what sites such as SafeGov.org speak about to parents and teachers and policy makers in K-12. And what so many professors and teachers try to convey in colleges and universities. To that list, we need to add journalists and cable and video media, not to sensationalize internet phenomena but to educate the public about its capabilities, its challenges and opportunities. More fully than a single soundbite.
Here is an example from my own experience. In the aftermath of the New York Times report last summer on cyber attacks on higher education, a local media news outlet asked if they could interview me. I raced back from some meeting or another, parked near my office at 3:59pm to make the 4:00 appointment, got a parking ticket and worked with the reporter for over an hour. I was late for my next appointment. Still, I was okay with it – even the ticket – because I thought it was in the name of a broader message that would serve a public good.
I should have known better. The 30-second outcome was a huge disappointment. The videographer caught my unpolished nails tap-tap-tapping on the keyboard. Non sequitur quotes. And the final message by the newscaster: make sure you do updates on your computer software. We are talking about AN UNDECLARED CYBER WAR AMONG AND BETWEEN THE NATION-STATES OF THE WORLD!!!
It matters because ungoverned activity such as this cyber war is a harbinger of the deeper problems that lurk behind the absence of international internet governance. It matters because this undeclared cyber war has a serious, deleterious impact on our economy, innovation and the missions of higher education, not least of which is the integrity of research data. It matters because the reputation of higher education remains stained with the notion that we are “unsecure” because of our “open networks,” only to find out that no matter how many hundreds of millions, maybe billions, of dollars we spend on network security, there is no way we can compete with nation-state sponsored cyber warfare.
If the principal policy issue for colleges and universities is their price, which translates into access and completion rates and the dreams of upward mobility for millions of Americans, then we can kiss goodbye hopes to bring down our costs. As long as we are trying to compete with the military might of the world, we will never catch up and will be chasing an illusion from the outset.
Consequently, while I am glad for the attention that Heartbleed generated, upon reflection I am more dispirited by its ultimate effect. The message to the public is a sound bite: change your passwords. Opportunity lost. It could have been a jumping board to talk more about what internet security is all about and why issues such as this one are really important.