Cyber-Security Can't Ignore Human Behavior


By Eric Bonabeau

In an earlier post, our beloved Jim Fallows wrote briefly about a DoD-funded cyber-security initiative named SENDS, for Science-Enhanced Networked Domains and Secure Social Spaces. The overall objective of SENDS is to promote and begin to demonstrate the concept of a science of cyberspace -- with an initial focus on security. The vision for SENDS, developed by Carl Hunt, Richard Raines and Craig Harm, is one that embraces the richness, diversity and messiness of cyberspace. Central to their vision is the idea that the social, economic and behavioral aspects of cyberspace, which are largely missing from the general discourse on cyber-security and are certainly under-funded and under-represented in government-sponsored programs, are at the core of what makes cyberspace the complex, adaptive system that it is. An inclusive, multi-disciplinary, holistic approach that combines the technical and the behavioral is needed.

Being a founding member of the SENDS initiative, I am definitely partial to its vision. The extent to which research and development in cyber-security has been skewed toward "technical solutions" is mind-boggling. As an illustration, it seems surreal that in an otherwise excellent document, the authors of a 2009 manifesto from Sandia National Laboratories entitled "Complexity Science Challenges in Cybersecurity" have not dedicated a single line to human behavior. For example, their main M&S thrust is entitled: "Modeling the behavior of programs, machines, and networks". No humans necessary -- although I concur with the authors that there is a need for a new "cyber-calculus" -- just the ability to frame concepts and issues in modern mathematical terms would be of enormous help. Or in a recent report by a DoD-funded group of physicists, you can read:  

"On the positive side, the cyber-universe can be thought of as reduced to the 0s and 1s of binary data. Actions in this universe consist of sequences of changes to binary data, interleaved in time, and having some sort of locations in space. One can speculate as to why mathematics is so effective in explaining physics, but the cyber-world is inherently mathematical."

But cyberspace, although it is the result of tremendous technological progress, is not just a piece of technology: It is both an enabler and an amplifier of human nature, eliciting new manifestations of human nature. It feeds (and in many ways feeds on) one of the most fundamental needs of human beings: communication. That it has become such an integral part of our lives in such a short time shows how deeply it resonates with our need to communicate and be connected. It should come as no surprise, therefore, that the multifaceted dynamics of cyberspace be so strongly influenced, even defined, by the behavior of its participants.

According to Mark Graff of Lawrence Livermore National Laboratory, cyberspace gives individuals and small groups unprecedented reach to affect others; it makes physical distance much less of an insulating factor; confuses us about what is permanent, or public, or safe; and largely operates insensibly to us. We feel safer if important data is near us, or some place we know, or with someone we've met, but these comfort factors make no "Internet" sense and don't scale to Internet dimensions either. In matters of risk assessment, we feel pretty safe from attacks originating "far away;" we also tend to ignore "low and slow" -- or sporadic -- attacks; random, "pointless" attacks (like from Internet worms) mostly tend to be low on our worry list, too.

No wonder that the intuition we have gained from the physical world over thousands of years of evolution leaves us ill prepared to deal with the new geography of cyberspace. We can't hope to acquire this new kind of intuition overnight. The bad news is that we suffer from severe limitations in our understanding of a critical component of our lives. The good news is that we are all subject to the same limitations -- good news only if we can regain a competitive advantage in what has been a level playing field. Understanding our own behavior and that of our enemies becomes the most viable defense and the most potent weapon we can develop.

Obviously, it is essential to continue to improve the technical aspects of cyber-security, and significant investments need to be made to ensure continuous progress -- and to keep up with increasingly sophisticated enemies. But at the same time, human behavior is almost always the weakest link in security. The attacks on Google and other companies in China in 2009 were initiated through phishing -- the underlying technical exploit is often trivial but social engineering is always the entry strategy. In the September/October 2010 issue of Foreign Affairs, Deputy Defense Secretary Lynn described the spread of a malicious worm on both classified and unclassified U.S. Central Command systems, which started with the insertion of an infected USB key into a U.S. military laptop. Apparently it took the Pentagon 14 months to clean things up. The worm would never have been able to infect any network without the help of someone -- malicious insider or clueless insider. On the flip side, the recent Stuxnet worm that damaged the Iranian uranium enrichment infrastructure seems to have used the same entry strategy of USB key insertion to get started; once in a system, it would use multiple exploits to spread itself. Example after example of intrusions and attacks points to the fact that human behavior is the enabling factor. In the case of the leaks of diplomatic cables to WikiLeaks by Private Manning, human behavior is at the core. No technology solution would on its own prevent it.

A small but growing community of scientists from academia, industry, and government has emerged in the last few years. They need encouragement and support. 


Eric Bonabeau is the founder and chairman of Icosystem Corporation, based in Cambridge, Massachusetts.
