Cyber-Security Can't Ignore Human Behavior

By Eric Bonabeau

In an earlier post, our beloved Jim Fallows wrote briefly about a DoD-funded cyber-security initiative named SENDS, for Science-Enhanced Networked Domains and Secure Social Spaces. The overall objective of SENDS is to promote and begin to demonstrate the concept of a science of cyberspace -- with an initial focus on security. The vision for SENDS, developed by Carl Hunt, Richard Raines and Craig Harm, is one that embraces the richness, diversity and messiness of cyberspace. Central to their vision is the idea that the social, economic and behavioral aspects of cyberspace, which are largely missing from the general discourse on cyber-security and are certainly under-funded and under-represented in government-sponsored programs, are at the core of what makes cyberspace the complex, adaptive system that it is. An inclusive, multi-disciplinary, holistic approach that combines the technical and the behavioral is needed.

Being a founding member of the SENDS initiative, I am definitely partial to its vision. The extent to which research and development in cyber-security has been skewed toward "technical solutions" is mind-boggling. As an illustration, it seems surreal that in an otherwise excellent document, the authors of a 2009 manifesto from Sandia National Laboratories entitled "Complexity Science Challenges in Cybersecurity" have not dedicated a single line to human behavior. For example, their main M&S thrust is entitled: "Modeling the behavior of programs, machines, and networks". No humans necessary -- although I concur with the authors that there is a need for a new "cyber-calculus" -- just the ability to frame concepts and issues in modern mathematical terms would be of enormous help. Or in a recent report by a DoD-funded group of physicists, you can read:  

On the positive side, the cyber-universe can be thought of as reduced to the 0s and 1s of binary data. Actions in this universe consist of sequences of changes to binary data, interleaved in time, and having some sort of locations in space. One can speculate as to why mathematics is so effective in explaining physics, but the cyber-world is inherently mathematical.

But cyberspace, although it is the result of tremendous technological progress, is not just a piece of technology: It is both an enabler and an amplifier of human nature, eliciting new manifestations of human nature. It feeds (and in many ways feeds on) one of the most fundamental needs of human beings: communication. That it has become such an integral part of our lives in such a short time shows how deeply it resonates with our need to communicate and be connected. It should come as no surprise, therefore, that the multifaceted dynamics of cyberspace be so strongly influenced, even defined, by the behavior of its participants.

According to Mark Graff of Lawrence Livermore National Laboratory, cyberspace gives individuals and small groups unprecedented reach to affect others; it makes physical distance much less of an insulating factor; confuses us about what is permanent, or public, or safe; and largely operates insensibly to us. We feel safer if important data is near us, or some place we know, or with someone we've met, but these comfort factors make no "Internet" sense and don't scale to Internet dimensions either. In matters of risk assessment, we feel pretty safe from attacks originating "far away;" we also tend to ignore "low and slow" -- or sporadic -- attacks; random, "pointless" attacks (like from Internet worms) mostly tend to be low on our worry list, too.

No wonder that the intuition we have gained from the physical world over thousands of years of evolution leaves us ill prepared to deal with the new geography of cyberspace. We can't hope to acquire this new kind of intuition overnight. The bad news is that we suffer from severe limitations in our understanding of a critical component of our lives. The good news is that we are all subject to the same limitations -- good news only if we can regain a competitive advantage in what has been a level playing field. Understanding our own behavior and that of our enemies becomes the most viable defense and the most potent weapon we can develop.

Obviously it is essential to continue to improve the technical aspects of cyber-security and significant investments need to be made to ensure continuous progress -- and to keep up with increasingly sophisticated enemies. But at the same time, human behavior is almost always the weakest link in security. The attacks on Google and other companies in China in 2009 were initiated through phishing -- the underlying technical exploit is often trivial but social engineering is always the entry strategy. In the September/October 2010 issue of Foreign Affairs, Deputy Defense Secretary Lynn described the spread of a malicious worm on both classified and unclassified U.S. Central Command systems, which started with the insertion of an infected USB key into a U.S. military laptop. Apparently it took the Pentagon 14 months to clean things up. The worm would never have been able to infect any network without the help of someone -- malicious insider or clueless insider. On the flip side, the recent Stuxnet worm that damaged the Iranian uranium enrichment infrastructure, seems to have used the same entry strategy of USB key insertion to get started; once in a system, it would use multiple exploits to spread itself. Example after example of intrusions and attacks point to the fact that human behavior is the enabling factor. In the case of the leaks of diplomatic cables to Wikileaks by Private Manning, human behavior is at the core. No technology solution would on its own prevent it.

A small but growing community of scientists from academia, industry, and government has emerged in the last few years. They need encouragement and support. 

Eric Bonabeau is the founder and chairman of Icosystem Corporation, based in Cambridge, Massachusetts. Follow him on Twitter here.