Cyber-Security Can't Ignore Human Behavior
By Eric Bonabeau
In an earlier post, our beloved Jim Fallows wrote briefly about a DoD-funded cyber-security initiative named SENDS, for Science-Enhanced Networked Domains and Secure Social Spaces. The overall objective of SENDS is to promote and begin to demonstrate the concept of a science of cyberspace -- with an initial focus on security. The vision for SENDS, developed by Carl Hunt, Richard Raines and Craig Harm, is one that embraces the richness, diversity and messiness of cyberspace. Central to their vision is the idea that the social, economic and behavioral aspects of cyberspace, which are largely missing from the general discourse on cyber-security and are certainly under-funded and under-represented in government-sponsored programs, are at the core of what makes cyberspace the complex, adaptive system that it is. An inclusive, multi-disciplinary, holistic approach that combines the technical and the behavioral is needed.
Being a founding member of the SENDS initiative, I am definitely partial to its vision. The extent to which research and development in cyber-security has been skewed toward "technical solutions" is mind-boggling. As an illustration, it seems surreal that in an otherwise excellent document, the authors of a 2009 manifesto from Sandia National Laboratories entitled "Complexity Science Challenges in Cybersecurity" have not dedicated a single line to human behavior. For example, their main modeling and simulation (M&S) thrust is entitled: "Modeling the behavior of programs, machines, and networks." No humans necessary -- although I concur with the authors that there is a need for a new "cyber-calculus" -- just the ability to frame concepts and issues in modern mathematical terms would be of enormous help. Or in a recent report by a DoD-funded group of physicists, you can read:
"On the positive side, the cyber-universe can be thought of as reduced to the 0s and 1s of binary data. Actions in this universe consist of sequences of changes to binary data, interleaved in time, and having some sort of locations in space. One can speculate as to why mathematics is so effective in explaining physics, but the cyber-world is inherently mathematical."
But cyberspace, although it is the result of tremendous technological progress, is not just a piece of technology: It is both an enabler and an amplifier of human nature, eliciting new manifestations of human nature. It feeds (and in many ways feeds on) one of the most fundamental needs of human beings: communication. That it has become such an integral part of our lives in such a short time shows how deeply it resonates with our need to communicate and be connected. It should come as no surprise, therefore, that the multifaceted dynamics of cyberspace be so strongly influenced, even defined, by the behavior of its participants.
According to Mark Graff of Lawrence Livermore National Laboratory, cyberspace gives individuals and small groups unprecedented reach to affect others; it makes physical distance much less of an insulating factor; confuses us about what is permanent, or public, or safe; and largely operates insensibly to us. We feel safer if important data is near us, or some place we know, or with someone we've met, but these comfort factors make no "Internet" sense and don't scale to Internet dimensions either. In matters of risk assessment, we feel pretty safe from attacks originating "far away;" we also tend to ignore "low and slow" -- or sporadic -- attacks; random, "pointless" attacks (like from Internet worms) mostly tend to be low on our worry list, too.
A small but growing community of scientists from academia, industry, and government has emerged in the last few years. They need encouragement and support.
Eric Bonabeau is the founder and chairman of Icosystem Corporation, based in Cambridge, Massachusetts.