The human element complicates cybersecurity
Cyberspace is an untamed frontier. Data networks everywhere remain vulnerable to cyber threats. As Rep. Michael McCaul (R-Texas) recently pointed out, virtually every sector of cyberspace faces danger, including the U.S. military.
Congressional hearings on cybersecurity have revealed that most federal networks have been hacked, McCaul said. Many attacks are classified as espionage, with foreign countries stealing government information. One data dump was equivalent in size to the Library of Congress.
“I hope as with 9/11, we don’t turn a blind eye and have a denial-of-service attack before we address this issue,” McCaul said.
Legislation passed in early February by the House could go a long way toward addressing the issue. McCaul and Rep. Daniel Lipinski (D-Ill.) are the primary sponsors of the Cybersecurity Enhancement Act of 2009, which would dedicate federal funds toward beefing up cybersecurity in the public and private sectors. The Senate is considering similar legislation.
Yet despite the congressional focus on cybersecurity, all the money, software and hardware in the world can’t entirely ward off cybersecurity threats. One nontechnology factor greatly impedes cybersecurity: the human factor.
We are the weak link in the chain. Too many people think they can just throw technology at the problem, but that alone is not the answer.
If people don’t follow consistent, well-defined security policies and procedures — and undergo regular cybersecurity training and exercises — then an organization’s networks and data won’t be safe.
Being human is our greatest strength and our greatest weakness. We are capable of developing the most innovative technical solutions for protecting a network, but if those solutions are not installed, configured and maintained properly, they will not be effective. Worse yet, they will give a false sense of protection.
In a recent report, the International Institute for Strategic Studies, a British think tank, warned of the peril of cyber warfare.
“Despite evidence of cyberattacks in recent political conflicts, there is little appreciation internationally of how properly to assess cyber conflict,” said John Chipman, director-general of the institute. “We are now, in relation to the problem of cyber warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war.”
The recently released Quadrennial Defense Review and proposed Defense Department budget for fiscal 2011 emphasize cyber defense. For instance, the budget request supports establishment of the U.S. Cyber Command, which will organize and standardize DOD cyber defense practices.
Military outfits are fully aware of human shortfalls when it comes to cybersecurity, so they regularly conduct training in realistic settings. However, those military organizations can’t undertake so-called live-fire exercises without risking an actual network meltdown.
In recent times, simulators — made by a number of companies, including ours — have been employed to train defenders of military and government data networks. The best example of this is an exercise known as Bulwark Defender. Each year, the military services and government agencies practice their tactics, techniques and procedures against unknown cyber enemies intent on stealing critical information and creating havoc on our networks. This is all accomplished within the safety of a nonoperational global network used to regularly train, certify and exercise network operators.
The network is known as the Joint Cyberspace Operations Range. The range, which has been used since 2002, is run by the Air Force Network Integration Center at Scott Air Force Base, Ill. It has trained thousands of network operators and defenders; during the past three years, it’s been the underlying structure for Bulwark Defender.
We must develop and build new and smarter security technology and architectures in addition to defining and documenting security policies and processes. We must remain vigilant against cyber terrorism, cyber crime and cyber mischief.
However, until we take humans out of the loop, we will have to deal with our human inadequacies.