alt Hacker NewsI think a big part of it is that failures in aviation safety cost lives, often dozens or hundreds per incident, in quite immediate, public and visceral fashion. There also isn't much gradation - an issues either causes massive loss of life, or could cause it if not caught early, or... it's not relevant to safety. On top of that, any incident is hugely impactful on the entire industry - most people are fully aware how likely they'd be to survive a drop from airliner altitude, so it doesn't take many accidents to scare people away of flying in general.
Contrast that to cybersecurity, where vast majority of failures have zero impact on life or health of people, directly or otherwise. Even data breaches - millions of passwords leak every other week, yet the impact of this on anyone affected is... nil. Yes, theoretically cyberattacks could collapse countries and cause millions to die if they affected critical infrastructure, but so far this never happened, and it's not what your regular cybersecurity specialist deals with. In reality, approximately all impact of all cyberattacks is purely monetary - as long as isn't loss of life or limb, it can be papered over with enough dollars, which makes everyone focus primarily on ensuring they're not the ones paying for it.
I think it's also interesting to compare both to road safety - it sits kind of in between on the "safety vs. theater" spectrum, and has the blend of both approaches, and both outcomes.
Replies
I do think you're broadly right -- the lack of immediate and obvious impact creates a perception that there is no impact. But even your first example -- data breaches -- does have an impact. It might not have happened to you, it might not have happened to me, but people do get their identities stolen, and recovering from that is a nightmare. And nobody is going to 'paper over' John Doe's missing retirement fund or ruined credit score, that harm is permanent.
> this never happened
This is also wrong. Russia has employed cyberwarfare against Ukraine multiple times -- e.g. in 2016 when they took large chunks of the grid for an hour, or more pointedly in 2022 when it was used to disrupt infrastructure and digital operations across the country as part of an invasion. Stuxnet and Triton were also pretty serious -- unlikely to kill millions, but they did have a real effect. If you're bringing this up to explain why people don't care as much as they should, then I agree -- but I would think that it's misguided to suggest that "this has never happened" actually implies that it never will. It took 20 years after the advent of commercial airlines for someone to bomb one, but clearly that is now a major and continuing concern.
> I think a big part of it is that failures in aviation safety cost lives
This is an interesting point, and it certainly affects the incentives involved and the amount of resources allocated to mitigating the problems.
I do think cyber security incidents with real consequences are likely to become more common going forward (infrastructure etc). We haven't experienced large state actors being malicious in a war time footing (yet).
Will we able to better mitigate attacks given better incentives? I think that is an open question. We will certainly throw more resources at the problem, and we will weight outcomes more heavily when designing processes, but whether we know how to prevent cybersecurity incidents even if we really want to... that I wonder about.