Staring into the Chasm

As part of my contribution to Cyber Awareness Month (October 2024), I will attempt to explain the reasoning behind the shift of focus that I have given to this blog, and to lay the foundations for the argument that cyber security for the individual, the family and the community, needs to be about more than just awareness. This is informed by several resources, including my own experiences in IT, looking at scam emails, and recent years inside cyber security.

Introduction to the Chasm

Awareness of the cyber divide is an important first step to addressing it. The individual user does have some degree of agency to improve their knowledge and cyber security practices if they are not disadvantaged by the digital divide. Awareness of cyber security risks is only a small part of this, and does not facilitate embedding good practices. As individuals have different preferred learning styles, some people will require more than information and practice to be able to protect themselves.

There are often gaps in services provided by governments or major corporations, where the people who are disadvantaged do not have effective agency to influence or know how they can close that gap. There are similar gaps in society around the use of information and communication technology. Some end users may have a greater opportunity to influence and address part of the gap themselves, but many will need some level of assistance.

Divided: Who, What, and Why?

Within society across Australia, and around the world, there exist a number of gaps in society. These gaps exist in a multitude of aspects of modern life. Life is not fair nor equitable, and it is challenging for governments or other institutions to deliver equity across a broad and diverse community. You may hear about many of these gaps frequently in the media: Gaps in education, gaps in health care, gaps in services like mobile phone reception and internet speeds. The cyber divide is a specific gap in society between those who have an increased awareness and opportunity to develop appropriate practices to combat cyber risks and threats to the security of their personal information, and those who do not.

Since the late 1990's the Australian Government has been aware of a digital divide in Australian society; not all citizens have an equal opportunity to participate in the digital economy. I recall in the early 2000's delivering a very small project to a local migrant resource centre as part of the Federal Government's Digital Divide program. At the time it was identified within Australian society, the elderly, those with English as a second language, and single parents attempting to re-enter the workforce, were groups disadvantaged in the adoption of computers and modern technology, and hence could not fully participate in the digital economy. Government programs were aimed at improving the equity of access to education and the opportunity to apply the learning. This digital divide still exists today with 9.4% of the Australian populace significantly excluded from participating in the digital economy⁴, as identified in the Federal Government's “Australian Digital Inclusion Index (ADII) report for 2023”. The report identifies that a critical issue contributing to this division is the lack of access to resources for First Nations people, and non-First nations people living in remote and very remote areas of Australia. Similar circumstances exist across the globe, with a 2016 World Bank report highlighting the global lack of digital equity.⁶

From my observations, there is another layer to this division in society. It affects many of the same people as the digital divide does. It also impacts many people who are conversant with technological devices but who do not fully understand and appreciate the value and flow of information in large systems that expose users of digital technologies to privacy and cyber security risks. Therefore I feel that there is a cyber divide in Australian society. Whilst this cyber divide shares some characteristics with the digital divide, it is unique from and exists at a different level to the digital divide. With corporate and government business models increasingly moving online, legislation and education are not keeping pace with the risks and protection that all citizens need. Community awareness and capability to take independent responsibility for privacy and personal information security is lacking.

Is the Cyber Divide here to stay?

Good Things Australia, a community organisation, have made the following assessment of the ADII 2023 report on their website: “The Australian Digital Inclusion Index (ADII) shows that while digital inclusion is slowly increasing across Australia, there remains a substantial digital divide in Australia.”⁵ This supports the argument that the cyber divide will continue to exist into the future, and has the potential to become worse. “1 in 4 people in Australia are still digitally excluded (ADII, 2023). People with low levels of income, education and employment, those living in some regional areas, people aged over 65 and people with a disability are at particular risk of being left behind.” This digital exclusion impacts both the awareness of cyber security risks, and the opportunity for individuals to train themselves and develop persistent and effective digital hygiene habits. To use industry jargon, the digital divide prevents some citizens from developing adequate operational security (OpSec). The one small potential benefit for people disadvantaged by the digital divide is that perhaps their limited digital footprint may reduce their exposure to cyber security risks. But this is by no means any form of positive agency for those individuals as it is not something that they can control.

Similarly the pace of change in the information age is outside the influence and control of many people. Governments and organisations alike, seek to cut expensive face-to-face service delivery models in favour of adopting technological solutions. This includes adoption of data science, big data solutions and large-language models/AI, and the adoption of new data retention and management polices amid a dynamic threat environment^7,8,9. This in turn forces those individuals who have the basic requirements to be included in the digital economy to rush to participate at a level that they are not necessarily ready for. A large corporate entity may have a capacity to dedicate small specialist teams to each emerging area of technology. The humble citizen does not have the time nor capacity to devote themselves to such a broad spectrum of knowledge. Just because the individual citizen has the basic computer knowledge, and the basic Internet services to participate in the digital economy does not guarantee that they have the risk awareness and practiced OpSec skills necessary to protect themselves. This heightened pace at which digital technologies and solutions are advancing, is failing to reduce the occurrence and the potential for cyber security risks and threats, and at the same time contributing to an increasing distance between the two sides of the cyber divide.

As a professional in the cyber security sector, I would advocate that you do not need cyber security specific education, or even experience in information technology to be able to develop your own personal OpSec. I would argue however that you do need a level of information technology literacy, and an increased awareness of digital and information-age risks as they are occurring on the world stage. This implies some basic level of education and interest in science, technology, engineering and mathematics (STEM) subjects, combined with life experience [Note: STEM subject knowledge implied only - not mandatory]. Recent statistics (Dept. of Education, STEM Equity Monitor) regards STEM education outcomes at the post-secondary education levels indicates that whilst the number of students enrolling in such subjects continues to increase, the numbers of students completing their studies in STEM subjects through the vocational training sector is declining. When the statistics specific to Information Technology qualifications is considered, the enrolment and completion numbers across university and vocational training sectors has declined from 2015 to 2022^2,3. What this suggests is that the portion of Australia society with the underpinning knowledge and skills required to stay ahead of risks to their personal information may not be keeping pace with technological changes. I argue that this compounds a risk of a prolonged the existence of the cyber divide.

Can the Divide be Bridged?

Government and corporate efforts to address this divide have focused on raising awareness. Awareness about risks works in situations where the individual is already empowered to act upon that awareness. For example, awareness campaigns for the risks of speeding and drink driving work because the individual driver is already empowered to slow their speed and to not drink before they drive (or get a sober friend to drive). As a society we have been collectively driving for many years, and the practice of doing so does not significantly change from the day a person achieves their licence to the day they stop driving. There is still some effort required to develop/maintain good habits to remain safe, but it is relatively straight forward for most people.

Computers, information systems, and the Internet in general present a more complex set of challenges; an environment that can be wild and divergent, and has rapidly changed over the last four decades. If I continued to use a computer in the way that I did over three decades ago when I first accessed the Internet, I would be exposed to very high risk of falling for scams and inducing malware onto my computer on a very regular basis. Over the last three decades, I have continued to make myself aware of the technical changes and the risks and threats that exist on the Internet. Long before I professionally moved into the cyber security field, I maintained my new knowledge by doing my own investigations and adoptions of new/improved practices. Just like when I first got my full driver's licence, I spent time just going for a drive on occasions to help embed the knowledge and skills of driving through experience.

The cyber security industry is strongly aware of the need to take awareness, knowledge and base skills, and turn them into experience and mental reflexes. This is why large corporations, government departments and cyber security firms invest and engage in cyber security exercises and appropriate training facilities (cyber ranges). In fact this is a necessity for continually building knowledge and experience in your cyber security team. But what is being done to boost the basic inoculation effect of awareness within the broader society? Without the opportunity to take simple awareness information and to apply it to a realistic/real environment, can we ever expect the defences and resilience of the general community to improve at the rate that the threats and risks are developing?

Yes, there are many cyber range¹⁰ training options available across the Internet, with some well known names associated; HackTheBox, TryHackMe, and others. However these will always be more readily utilised by a portion of society that is on the advantaged side of the digital divide. Those on the disadvantaged side of the digital divide will not have the same access, and even if technical impediments are removed those users are unlike to immediately have the confidence to engage in such offerings because they do not have sufficient existing digital experience/confidence. But they will nonetheless be exposed to the same risks and threats. Then there are those who are on the advantaged side of the digital divide because of they live in an advantaged geography, or are part of an advantaged demographic, but their confidence and experience is limited to the applications on their devices. They understand email, browsing, and everyday office activities; perhaps even certified in Microsoft Word or Excel. But their knowledge of the systems underneath those applications may not support the full application of cyber security awareness.

An approach to addressing this gap, is to take the cyber-range concept and expand on it, furnishing it with physical and virtual devices. If done right, and targeted at the community level with shared resourcing, this could be used to address the digital divide at the same time as addressing the cyber divide. The concept of “doing this right” would need to include initiatives to address the opportunity for those in the community with limited Internet and digital resources to have regular access to such resources. It will not suffice to tell them about risks and scams and the need to protect themselves, if they do not have the opportunity to apply that temporary awareness and make it more permanent knowledge through experience. This is something that should be included in the mainstream curriculum at all schools, and not just for STEM students. In other sectors of the community, this could take the form of IT/cyber and education professionals delivering government supported programs in less remote areas. Facilitating access for those in the more remote areas of the country could be supported through a fully sponsored outreach program, where a traveling team takes a cyber-range environment to the remote locations to address both digital and cyber experience gaps.

Concluding Thoughts on the Cyber Divide

The cyber divide exists alongside the digital divide, but they do not affect the exact same sets within society. Whilst a user on the wrong side of the digital divide is more likely to be impacted adversely by the cyber divide, there are those in society who are digitally advantaged, and participating in the digital economy, who will fall on the wrong side of the cyber divide if messaging about cyber threats is only an awareness campaign. To understand how cyber threats target information in large systems through technological, process, data, and human elements, requires experience and practice. Without that experience, individual citizens will continue to become dis-empowered toward their own data security, and assuming they are included in the digital economy, many will be at risk of falling behind in their capability to participate securely and with confidence. Without addressing this cyber divide and the underpinning digital divide, the rapid pace of technological change, the race for governments and corporations to digitise services at the cost of slashing their human service elements, all these factors will lead to the cyber divide becoming a wider, deeper chasm in the Australia digital landscape.

I feel that there are further aspects to the cyber divide that warrant deeper attention. Issues of whether those who do not have the opportunity to participate in the digital economy find their privacy and personal data greater or lesser risk of compromise, and whether digital divide dis-empowers them from being in control of their data.

Resources:

1. STEM Equity Monitor - Department of Industry, Science, and Resources, 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor
2. STEM Equity Monitor - University students in multiple STEM fields of education, 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor/higher-education-data/university-enrolment-and-completion-stem-and-other-fields
3. STEM Equity Monitor - VET students in STEM fields of education, 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor/higher-education-data/vocational-education-and-training-enrolment-and-completion-stem-and-other-fields
4. Australian Digital Inclusion Index, 29 Sep 2024, https://www.digitalinclusionindex.org.au/ & https://www.digitalinclusionindex.org.au/key-findings-and-next-steps/
5. Good Things Australia, 29 Sep 2024 https://goodthingsaustralia.org/the-digital-divide/ & https://goodthingsaustralia.org/the-digital-divide/what-is-the-digital-divide/
6. World Bank Group - World Development Report 2016: Digital Dividends, 29 Sep 2024, https://www.worldbank.org/en/publication/wdr2016
7. ABC News - Experts say scammers are getting a leg-up from the system that serves us personalised ads, Ange Lavoipierre, 07 Oct 2024, https://www.abc.net.au/news/2024-10-04/scammers-using-system-for-ads-to-con-australians/104426750
8. ABC News - Australians targeted for cryptocurrency scams by overseas call centres because the are ‘easy prey’, former worker says, Nadia Daily, 07 Oct 2024, https://www.abc.net.au/news/2024-10-07/scammers-are-targeting-australians-in-offshore-call-centres/104406170
9. ABC News - Australia companies are being used in scams and authorities are struggling to catch the culprits, Michael Atkin & Loretta Florence, 27 Mar 2024, https://www.abc.net.au/news/2024-03-27/australian-businesses-used-for-scams-asic-bank-finance/103272682
10. Wikipedia - Cyber range, 08 Oct 2024, https://en.wikipedia.org/wiki/Cyber_range
11. HackTheBox, 08 Oct 2024, https://hackthebox.com
12. TryHackMe, 08 Oct 2024, https://tryhackme.com