Vagueness and The Beast of Gévaudan

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

Over 12 years, 100 people were reportedly attacked by a beast in the French countryside. Victims included men, women, and children. Some were partially eaten. Speculation included there being possibly more than one beast. From this article:

Even children were celebrated for taking on the Beast. On January 12, 1765, the Beast attacked 10-year-old Jacques Portefaix and a group of seven friends ranging from ages eight to 12. However, Portefaix led a counterattack with sticks driving off the creature. The children were rewarded by Louis XV, and Portefaix was given an education paid by the crown.

In 1765 a large wolf was killed and assumed to be the beast. Money and titles were awarded. Three months later, attacks started again. The royal court tried to ignore these new attacks but in 1767 a new spate of attacks launched a search and destroy mission that finally netted an animal that had non-wolf characteristics as described by witnesses. When the attacks stopped, it was assumed that the beast had finally been bagged. What it actually was is up for debate with various theories that include a young lion, among other things. Due to a lack of evidence to examine, the actual identity of the beast will remain unknown.

Vagueness

On an entirely different note, have you ever heard the term “void for vagueness”? This is a part of constitutional law that states a law is unenforceable if it is so vague the average citizen cannot understand it. It may be unclear what conduct is prohibited, what punishment may be enforced, or to whom the law applies. This test can only be applied to criminal or penal laws, not laws governing private party issues.

Your Security Can’t Be Vague

So let’s tie the Beast of  Gévaudan and vagueness doctrine together in the realm of security. There is a beast loose on the internet. We see the victims every day in the form of identity theft, ransomware, cryptocurrency theft, scams of all sorts (some would include NFTs here), extortion, and data theft, just to list a few. Do we know what the beast is? Well, we do know it is a WHO, not a WHAT. People are behind this crime wave. People who, in some cases, are very smart and could contribute a lot to society, if they chose to do so. Others are interested in the thrill of the crime, as well as the reward. Others still view cybercrime as another business and a very profitable one at that. One thing they all have in common is that they want what you have. They also are willing to spend a lot of time to get what you have (data, money, network access).

Defending Against the Internet Beast

In the late 1700s, swords, bows, knives, and possibly guns were the weapons used to counter the attacks of the beast. To counteract the internet beast, we have anti-virus, firewalls, endpoint protection, AI-driven security software, and security professionals. Oh and don’t forget your employees. In France, the beast was dispatched by hunters commissioned to that specific task. However, the fact that they were out hunting did not in itself protect the population. They still needed to be warned about the danger, they still needed direction on self-protection and they might probably could have used some instruction on how to identify dangerous animals if they didn’t know already.

Now imagine yourself as one of the folks living in the French countryside where these attacks were happening. One of the designated hunters comes to your home and says “There is a beast loose in this area. It is a bad animal. Be careful”. They then leave. As the average country-dwelling farmer, what will you watch out for? Why is the animal bad? Is it ill-tempered? Will it bite? How big is it? Will it hurt me? Will it attack my cattle? What do I do if I see it? If it attacks, will I be able to kill it with a pitchfork? Lots of questions, no answers.

Create Definitive Policies

Part of the defense strategy for a company is policies. Policies can cover a wide range of things. They can cover maternity/paternity leaves, sick days, disciplinary issues, grievances, and the rest of the issues that are involved in running a business. Security policies can be very helpful if they are not vague. A policy that says ‘Unacceptable use of company computers is not allowed’ is not very helpful unless there is a more detailed discussion of what is unacceptable. What should an employee do if they suspect an email, phone call, etc. are malicious? What happens if the employee makes a mistake? Punishment is seldom productive. Do policies outline the consequences of a data breach? Why is it serious? Is it clear how to communicate if a policy causes an issue with doing business?

Educate Your Employees

In the 1760s in France, the mission was clear: Kill the beast. It was direct, easy to prove completion, and it had a specific goal. The beast of network compromise is not so straightforward. It is easy to tell when it has attacked you, as the blood will be everywhere. Defending against the beast can be spearheaded by specialists, but the potential victims (employees) need to be well equipped to participate. They need to understand what their stake is and how they can help protect the business and thus their jobs. This all takes education.

There are varying opinions on just how to accomplish that education but a one-hour session once a year, so management can tick a box, is woefully inadequate.  Unlike the beast whose attack strategy was not that complex, network attacks change direction and techniques regularly. What does not change is that employees will be targeted. Help them slay the beast. Educate! Educate! Educate!

To learn more about security awareness training for your entire company, call Ashton Solutions at 216 397-4080.