Economic Leverage & A Smarter User – Two Things To Improve Cybersecurity

Looking back at 2018, we saw another banner year for cybersecurity SNAFUs.  Pick your incident and you’re looking at millions of people affected each time.  We’ve also officially reached new territory, as we are now able to measure cybercrime as a percentage of GDP.  And each time we have a breach, regardless of how it began, there is always a call for a technological fix: encryption, AI, blockchain, you name it, that will help save the day.

That begs the question: with all the technical innovation going on (and there is plenty of it) why are these solutions not working?  Or more accurately: why are the breaches still occurring?  That nuance matters.

You see, the technologies in many cases worked exactly as they were supposed to.  They were not at fault.  They did their job.  Instead, the fault almost always lies with human error, whether it is some ill-advised policy decision, misconfiguration of software or hardware, clicking the wrong link or being suckered into giving up your information all because something, like a URL, was spelled incorrectly and that error was not picked up on [intentional misspelling for those not keeping up].

That certainly suggests that most of our problems are a result of behavioral, not technical, mishaps, leaving us with two choices: go full SkyNet (artificial intelligence with no human at the helm) or smarten up.  I personally opt for the latter and it’s not because I’m anti-tech.  Some of the tech is absolutely awesome and I employ it regularly.  Rather, I opt for the latter because full SkyNet comes with a series of unknown risks that may put us in an even worse place than we are right now.  Ones that, once unleashed, can’t be put back in the bottle.  Always keep in mind: we want to reduce our risk profile, macro and micro, not increase it.

Remember all the talk about two-/multi-factor authentication as something we need to do?  Well, we’re beginning to see vulnerabilities in that technique too.  How?  Passes through to legitimate websites are actually being run through a hacker’s server and user information is being siphoned.  As this example states, “it’s a security flaw with the human.” You see, the “why is this all still happening?” is because the bad guy’s sole purpose for existence is to beat you.  How is irrelevant.  The bad guy doesn’t care how.  And if the easiest way is just to make a sucker of people, that’s what the bad guy will do each and every time, especially when there is no fear of consequence.  Therefore, the way you beat the bad guy is to make sure you don’t get suckered (a behavioral change on your end) and find something that dissuades the bad guy from making you a target (a behavioral change on their end).

Let’s get a bit more basic here through analogy: if you can make sure your opponent doesn’t put up any points on the board, you’re not that hard-pressed to put up many of your own.  You’ll get the win at 1-0, even if it’s a tough grind.  But if you’re letting in 10, you need to have the tools and talent (fancy tech) to put up 11.  And that gets expensive – and risky – real fast.  So expensive you may not be able to afford it, even if you have the ability to pay the luxury tax. This is why you see so many successful sports teams taking care of the defensive basics.  You can’t be trying to outscore the bad guys because you are not the 1984 Edmonton Oilers, whose defense consisted of goalie Grant Fuhr, Grant Fuhr, and Grant Fuhr while everybody else was busy scoring (and even Grant Fuhr was able to put up an eye-popping 14 points, the only NHL goalie to ever post double-digit points).  That 1984 team had offensive firepower that has never been replicated again.

What makes you think unleashing all your toys will make a difference when your goalie (you) is asleep?  The bad guy will outscore you, even scoring from their own end on some flimsy goal (also known as phishing).

So if you can’t outscore the bad guys, what do you do?

Well, start here: assume the bad guys will always find a way to outfox your best talent (tech toys).  That’s their business model.  Run and gun and the ability to work out of the box.  They don’t care about offside calls or penalties.  They don’t even care to steal your equipment and use it against you.  They play outside the rules and that’s why they hold the advantage.  They only care about the score and not getting caught.

That’s why you have to go to the basics.  Cybersecurity summits and indictments of Chinese and Russian nationals make for great television, but in practice, they do little for two reasons: 1) you’re dealing with extraterritorial judicial issues with non-extradition countries, making any indictment impractical at best, impossible at worst, and 2) leverage has not been properly employed to change behavior.  Therefore, I present two things that can help improve cybersecurity, one macro and one micro.

Macro: use your economic leverage.  This issue applies almost exclusively to the United States.  Where past cybersecurity summits and discussions have failed is that previous US administrations never used the full force of the country’s economic clout as a weapon.  Instead, they focused almost exclusively on cybersecurity issues, employing “no economic squeeze.”  If you can’t extradite, you say to the host country: “Dear President, kindly, please stop this behavior and round up your bad guys before I ban your imports.”  At some point, the other side is going to think maybe it’s just not worth it to allow bad behavior to originate from within my jurisdiction, whether I am responsible for it or not.  Translation: I’d rather make money by selling you stuff instead of going poor because you shut me out of your market.  #FearOfConsequence

Micro: up your personal cybersecurity game by relying on nothing but yourself.  Seriously.  The fewer “tools” you use, the better off you may be.  Why do I say this?  It’s because “the tools” have become crutches.  And that becomes dangerous because you have the expectation the crutch will save you.  It won’t.  Tools do, and only when you know how to use them.  The better you can become at realizing if you’re about to be suckered, the better off you will be.  Plain and simple.

As you’ll note, neither of these tips is technical in nature.  They’re just pure and simple behavioral actions.  And that’s how we fix the security flaw with the human: by changing our behavior.

George Platsis
George Platsis works the private, public and non-profit sectors to address their strategic, operational and training needs, focusing on projects related to business development, risk/crisis management, resilience, cyber and information security, and cultural relations. His primary focus is on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas. Some of the issues he tackles include: business continuity, resilience strategies, social engineering, insider threats, psychological warfare, data manipulation and integrity, and information dominance. He is a team member of SDI Cyber, based in Washington, DC, an independent consultant, educator, and a founding member of The #CyberAvengers. He holds a Bachelor of Business Administration and has graduate degrees in Business Administration, Disaster and Emergency Management, Law, and Cybersecurity. He has completed executive education in national/international security and cybersecurity at Harvard, Syracuse University, and Canadian Forces College.