Donna Dodson wants computer scientists and engineers to approach cybersecurity the same way car designers approach a vehicle’s steering wheel.
Dodson, who heads the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence, used the metaphor during a cybersecurity summit Wednesday to emphasize the need for change in how people think about cybersecurity.
“All sorts of people are thinking about usability and how people and systems interact,” she said. “It’s time for us to be thinking about that too in cybersecurity.”
While NIST employs some of the brightest technical minds in this space, Dodson said she’s drawing in experts from other fields, such as social science and psychology, trying to refine cybersecurity’s usability to the point where it’s as familiar as driving a car.
The expired security certificate warnings that she often sees her family blowing through during their everyday Internet use inspired Dodson to change how people think about cybersecurity.
“Every time I see a note come across my screen at home that says ‘certificate not valid’ or ‘certificate has expired,’ what do you want to do? Click right through it,” she said. ” I don’t believe that any of us ever felt that a message like that would be on a home computer when somebody is shopping for a birthday gift. When we have that, we are inducing bad behavior.”
Dodson said a new approach is crucial to the world we are moving toward, where the Internet of Things will connect us to everything from doctors to cars to the electrical grid. She points to work NIST is doing to help people secure their current systems, such as their continued deployment of the agency’s cybersecurity framework, as well as looking decades into the future, as the agency studies quantum-resistant cryptography.
“We see a world coming up where there are quantum computers and we see the deployment of sensors everywhere,” she said. “How are we going to build in the fundamental technology that is needed for a cybersecurity standpoint to support that kind of world?”
Dodson points to the framework as a model for how things can evolve, now that enterprises can assess cybersecurity the same way they assess any other risk to their business.
“We recognized that people did not have a language to come outside of rooms like this and talk with people about cybersecurity, that meant from executives all the way down to the bits-and-bytes folks,” she said.
She wants NIST’s work to continue to facilitate those conversations, ranging from security automation to information sharing. Once those conversations become more frequent, Dodson sees a world where security is talked about in very simple terms.
“I strongly believe that we have a responsibility to people that are using technology today to give them tools, capabilities and interfaces so that it’s easy to do the right thing, hard to do the wrong thing and easy to back up if you do the wrong thing,” she said.