In the mid-1950s, psychologists Joseph Luft and Harrington Ingham created the "Johari window," which popularized the concept of "unknown unknowns" – things that both you and others are unaware of. It's hard enough to develop laws and policies to deal with threats we know about. But what about those we haven't experienced, or anticipated?
In mid-2016, elements of an electronic dark-arts toolkit stolen from the United States National Security Agency began showing up online. They were apparently put there by a hacker group with links to Russia.
Then late last month, a particularly noisome piece of malware struck around the world. The country hit hardest was Ukraine; the attack essentially shut down the government and all e-commerce. Banks and electrical utilities were paralyzed; radiation monitors at the Chernobyl nuclear site went off-line.
It was nominally a ransomware attack – pay up or your data goes bye-bye – but cybersecurity experts believe it was actually a "wiper" program, aimed at erasing targeted information. There's a strong suspicion it was the work of a state-sponsored entity.
It was an extreme event, but also a warning of what the future may hold. In fact, high-level breaches are already happening more often, and at higher cost, than most people realize.
A recent study by the Ponemon Institute on the costs of data leaks found the average breach in Canada, defined as the loss, theft or exposure of financial or medical information, cost $5.8-million to fix, investigate and mitigate. The institute looked at 27 major companies, which lost an average of 21,000 records per occurrence.
The cost figure is actually down slightly from last year, but that's not the report's most interesting finding. Roughly half the breaches were due to software glitches or human error, the cyber equivalent of a business damaging its own merchandise. The other half were the result of criminal or malicious activity – the electronic equivalent of a break and enter.
Suffice it to say that cyberthreats are a large and growing problem. And they aren't occupying enough attention from governments, businesses or individuals. The situation is exacerbated by a labour shortage in the information security business. One study, commissioned by the International Information System Security Certification Consortium, estimates there will be 1.5 million unfilled cybersecurity jobs by 2020.
So what to do?
Allocating more public resources to the threat would be a start. That could include training and education incentives, and budget top-ups for the government agencies leading the fight.
Last year, John Adams, a former head of the Canadian Security Establishment, suggested it's time to stop playing defence and pursue a more active, offensive strategy. That's an idea worth exploring, provided there is adequate government oversight. The NSA's secret offensive playbook may be connected to the most recent mess, after all.
Also, thwarting criminals and warding off state-backed hackers ought not be invoked as licence to force companies and others to build "back doors" allowing law enforcement to snoop on citizens in the name of security.
Part of the answer surely lies in market forces. Tech firms and industry groups have resorted to paying "bug bounties" – find a flaw in our system; get a reward – and holding hacking contests with cash prizes.
Some have set up in-house bug hunting teams; Google's Project Zero is among the more aggressive in the cyber-world. Yet it has often identified vulnerabilities only to encounter reticence on the part of the affected companies to admit they exist.
Timely and full disclosure of security flaws is imperative, and if industry can't agree on common rules, government should nudge them. That may run against the prevailing tech industry ethos, but not everyone is following Google's famous "Don't be evil" dictum.
For every amateur bug bounty hunter who turns in her findings for rewards, there are others hacking for fun and profit, and selling information on the dark web.
Traditional policing skills are a poor fit with the new environment. For the cops, that means enlisting the help of intelligence agencies, developing closer links with the tech sector – and hiring people with new and different abilities. Some of the smartest and most with-it crooks have gone online.
The Trudeau government is studying the risk of a cyber-hacking of the democratic process. It's a real possibility, particularly when one considers the damage wrought by Kremlin-linked hackers in the U.S., including meddling with the electoral system.
Some of the dangers out there are unknown unknowns. But a lot of them are, in fact, quite well known. They are not unexpected. There's no reason for this country to be unready.