No Easy Fixes for Cybersecurity: 5 Common Myths and What We Can Actually Do About Them
By Ron Gula
In cybersecurity, there are no silver bullets. As both a technologist and an investor, I’ve had hundreds of conversations with policymakers, business leaders, and cyber practitioners over the years. One theme always comes up: why can’t we just fix this stuff? People want quick wins and simple policies, but the truth is, cybersecurity is deeply complex—because the internet itself is complex.
In this post, I’ll walk through five common ideas people often propose as “easy fixes” for cybersecurity—ideas that, while appealing on the surface, don’t work as neatly as people hope. Along the way, I’ll share practical alternatives and recommendations that I believe can move us forward.
1. "Let’s just deploy the best security tools everywhere."
The Myth:
Wouldn’t it be great if we simply pushed out world-class cybersecurity tools—malware detection, EDR, intrusion prevention—to every business, school, and government agency?
The Reality:
Security tools are a double-edged sword. The better a product becomes, the more hackers focus on bypassing it. Just look at today’s top vendors like Proofpoint or CrowdStrike—there are entire presentations at red team conferences focused on how to sidestep their controls. No tool is unbreakable.
Plus, even the best tech often gets absorbed into larger platforms via acquisitions. A brilliant niche solution can get buried in bureaucracy or diluted in favor of broader platform goals. What once was a cutting-edge startup may end up stagnating inside a conglomerate's product line.
Finally, when governments try to “help” by funding cybersecurity adoption—especially for small businesses—the dollars often end up reinforcing existing monopolies. In practice, this looks like paying people to use more Microsoft licenses. Maybe that’s not bad, but it’s certainly not the radical reinvention of cybersecurity people envision.
2. "What if everyone had a digital ID?"
The Myth:
If we could authenticate every user on the internet with a verified digital ID, wouldn’t that solve phishing, fraud, and identity theft?
The Reality:
Digital identity is promising—but politically and technically thorny. Right now, Google and Microsoft are our de facto national authentication providers. That’s fine for logging into Gmail or Zoom. But would we trust them to manage our e-voting credentials? Or our Social Security accounts?
Digital ID at national scale runs headfirst into partisan debates about voter ID laws, data privacy, and surveillance. The technology exists—but the political will does not. There’s too much distrust and disagreement over how identity should be managed, by whom, and for what purposes.
Even within the private sector, federated identity is tricky. Enterprise-to-enterprise access is difficult to implement, much less enterprise-to-government or citizen-to-citizen. Without a clear authority and consensus, this “easy fix” becomes a complicated mess.
3. "Why don’t we just patch everything?"
The Myth:
If vulnerabilities are the root cause of most cyberattacks, why not mandate timely patching across all systems?
The Reality:
Patching is one of the hardest things to do in cybersecurity. Even in highly mature environments, people delay updates. Ever been on a Zoom call and seen “update browser now” in the top corner of someone’s screen? Yeah—me too.
In enterprises, patching means outages, coordination, testing, and potential business disruption. And there are three major classes of systems that complicate things further:
Legacy systems with no vendor support.
IoT devices or embedded systems with no update paths.
Air-gapped or hardened environments where patching introduces more risk than it removes.
Even with modern virtual patching solutions (like Trinity Cyber, which we’ve invested in), the patch-everything mentality is not a panacea. Controls and compensating mechanisms matter. Risk-based prioritization matters. But “just patch everything”? That’s a myth.
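To make the risk-based alternative concrete, here is an added example (not code from the original post) that triages findings by exploitability and exposure and routes the three problem classes above to compensating or virtual-patch controls instead of a patch they cannot take. The asset classes, weights and thresholds are assumptions, and the sample findings are constructed.

```python
# Added illustration of risk-based patch triage; weights, thresholds and asset classes are assumptions.
from dataclasses import dataclass

# Asset classes from the post: supported, legacy (no vendor support),
# embedded/IoT (no update path), air-gapped/hardened (patching adds risk).
SUPPORTED, LEGACY, EMBEDDED, AIR_GAPPED = "supported", "legacy", "embedded", "air_gapped"

@dataclass
class Finding:
    asset: str
    asset_class: str
    cvss: float            # base score 0-10
    exploited_in_wild: bool
    internet_exposed: bool
    patch_available: bool

def risk_score(f: Finding) -> float:
    """Weighted score: severity, plus uplift for active exploitation and exposure."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 3.0
    if f.internet_exposed:
        score += 2.0
    return min(score, 15.0)

def triage(f: Finding) -> str:
    """Decide the action; patching is only the answer where it is actually possible."""
    score = risk_score(f)
    if f.asset_class == AIR_GAPPED:
        # Isolation is already the control; a patch that breaks a hardened build adds risk.
        return "monitor" if score < 10 else "compensating_control"
    if f.asset_class in (LEGACY, EMBEDDED) or not f.patch_available:
        # No update path: segment, restrict, or virtually patch at the network edge.
        return "virtual_patch" if f.internet_exposed else "compensating_control"
    if score >= 10:
        return "patch_now"
    return "schedule_patch" if score >= 6 else "backlog"

def prioritize(findings):
    # Highest risk first, with the recommended action attached.
    return sorted(((risk_score(f), f.asset, triage(f)) for f in findings), reverse=True)

# Constructed sample findings (not real assets).
SAMPLE = [
    Finding("web-proxy-01", SUPPORTED, 9.8, True, True, True),
    Finding("hr-app-2009", LEGACY, 7.5, False, False, False),
    Finding("badge-reader-7", EMBEDDED, 8.1, True, True, False),
    Finding("plc-line-3", AIR_GAPPED, 9.0, True, False, True),
    Finding("intranet-wiki", SUPPORTED, 5.3, False, False, True),
]
```

Running `prioritize(SAMPLE)` puts the exposed, actively exploited proxy first as a patch-now item, while the unsupported HR app and the badge reader get a compensating control or virtual patch rather than an impossible update.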
4. "Can’t we regulate our way to security?"
The Myth:
Maybe the government should just mandate secure software or require companies to follow strict cybersecurity frameworks.
The Reality:
Regulation has a place—but it's not a cure-all. Every organization has different definitions of "secure" depending on their assets, threat models, and resources. Creating universal rules can quickly backfire.
Examples like the Software Bill of Materials (SBOM) are promising, but even they come with limits—especially in AI, where source code is irrelevant and the model weights are often petabytes of opaque data.
We’ve seen self-attestation frameworks, secure-by-design initiatives, and safe coding guidelines (like using memory-safe languages). These help—but none offer guaranteed protection. We're still not at the "airline safety" level of predictable and consistent security outcomes.
What about regulating industries instead of products? That’s no easier. Look at the pushback from industrial operators after the Colonial Pipeline breach. The Department of Defense's CMMC framework has made strides, but even that has faced resistance due to cost, complexity, and impact on small contractors.
5. "Just go on offense—hack the hackers!"
The Myth:
Why doesn’t the U.S. government just strike back? Find the ransomware gangs. Shut them down. Make them hurt.
The Reality:
It’s not that simple. Many of these actors are tolerated but not sanctioned by hostile regimes—particularly Russia. And while U.S. agencies can (and do) disrupt infrastructure, they can’t just take out threat actors without geopolitical consequences.
Think about ransomware: When the FBI or DOJ announces a takedown, it usually means they’ve dismantled servers or access networks—not jailed every attacker. Many hackers remain untouched.
Meanwhile, state-sponsored Chinese APTs conduct long-term espionage using stealthy backdoors and covert channels. There’s a broad counterintelligence effort underway—FBI, DOJ, DOD, and the intelligence community are all involved. But cyber retaliation is far from straightforward.
The internet is not a battlefield where we can flip a switch and isolate adversaries. Commerce, research, diplomacy—all depend on global networks. Offense has a role, but it won’t solve everything.
So What Can We Do?
Despite these myths, there are concrete steps we can take to make progress. Here are three recommendations that actually work:
✅ 1. Grow the Cyber Workforce—and Rebrand It as “Data Care”
We need more people in this field—and we need to make it approachable. “Cybersecurity” is too abstract and intimidating for many. Calling it Data Care emphasizes:
Personal responsibility.
Caring for others’ information.
Welcoming diverse entrants, especially from underrepresented groups.
✅ 2. Encourage MSSPs for SMBs and Nonprofits
Small organizations need managed service providers (MSSPs) to handle cybersecurity the way they hire:
Lawyers for legal work.
CPAs for taxes.
Stop telling people “turn on two-factor” or “install logging tools.” That’s ambulance-chaser advice. Instead, guide them to find professionals they can trust—just like any other essential business function.
✅ 3. Make Cyber Part of Every Policy Conversation
Cybersecurity isn’t just a tech issue. It’s part of:
Food security.
Energy policy.
Economic resilience.
National defense.
Politicians don’t need to campaign on cyber alone. They just need to include it in their broader vision. That’s how we keep cyber relevant and build public support for smart policy.
Final Thoughts
There are no easy fixes in cybersecurity. But that doesn’t mean we’re stuck. It just means we need to shift our mindset—from searching for silver bullets to investing in systems, people, and policy approaches that adapt to evolving threats.