
Grappling With the Reality of Commercially Sold Cyberattack Mechanisms

  • michelle1593
  • Mar 25

I was going to use this space today to tell you about a new cyberthreat called Starkiller, and perhaps next week in this space I will do that.


But as I started to develop the piece, a detail struck me that I thought deserved a step back so it could get its own focus. That is the mere fact that Starkiller, like so many other cyberthreats, is actually commercially sold.


As you consider your approach to cybersecurity, this is a stunning reality that should have your attention: The software market actually contains products – being legally produced and legally marketed – that exist for the express purpose of helping criminals attack your system, steal your data and engage in digital blackmail against you.


If this prompts you to demand to know, “How can this be legal?”, you are certainly asking the right question. But there’s a good answer: It’s legal because the nature of this realm evolves so quickly that lawmakers scarcely have time to keep up with it. Remember, in most state capitol buildings – and certainly in Washington, D.C. – they can scarcely pass budgets to keep things operating. Understanding the nature of cybersecurity deeply enough to write laws that govern it – and then adjusting those laws when the threat evolves much more quickly than legislation moves – is a lot to expect of the legislative process we live with today.


I’m not saying it should be. But it is.


And besides, my point here is not to seek a political solution to this – although that would surely be welcome – but rather to help you understand how serious a matter cybersecurity is.


This is really just the latest example of an old phenomenon. I remember people questioning many years ago how radar detectors could be legal when their sole purpose is to assist you in breaking the law. It’s a fair question, but as long as the legislative world hadn’t come up with a solution, it was the reality.


So is this, because there’s a viable commercial market for it. And it should tell you something about the nature of the cybercriminal world. Far from the notion that these people are all evil geniuses – operating in the shadows concocting brilliant strategies for digitally taking you down – a lot of these people are just opportunists. They buy and sell the means by which to launch the attacks, and make use of the techniques offered to them to remain invisible in the process.


And don’t lose sight of this: Because they’re investing money in the means by which to attack you, they have a financial incentive to find the companies that aren’t ready to defend themselves. They are looking for you.


Should it be this way? No. Are their gains legitimate and deserved? No. Should you have to spend time and resources defending yourself against such threats?


Well, that’s an interesting way of looking at it. Should you have to spend money on a lock for your door? In a perfect world, of course not. You shouldn’t need a security system, a password or a PIN for your debit card – because people should behave themselves.

But all throughout history we’ve had to account for these things because they exist.


The cybercriminals who are looking for ways to attack you are, in many cases, just mercenaries. They buy and sell the attack mechanism, and they target you because you’re available and vulnerable. They’re not cybergeniuses and they don’t hate you. They just want their money and they don’t care.


Legitimate businesses don’t deserve to have to concern themselves with this threat. But they won’t survive if they don’t.


Let’s have a conversation about how to keep you safe. Email dacarey@cybersynergies.io or call me at 616.600.4180.


 
 
 

© 2026 Created by Cybersynergies
