The Human Element is what connects sports and cybersecurity. The movie Moneyball introduced fans to sports analytics and the role statistics play in a coach’s decision. A basketball coach knows where on the court their player should be in order to have the highest probability of making a shot. The coach can run plays to get their shooting guard open on the wing but the coach can’t control the player’s nerves getting the better of his jump shot just like a coach can’t prevent a baseball player from making an error. Coaching for the Human Element is difficult and is the reason we still have coaches instead of computers on the sideline.
The Human Element is also what makes cybersecurity so complex. One great example is the recent data breach of the contact details of 20,000 FBI and 9,000 DHS agents. What on the surface seems like a hack pulled off by an extremely talented programmer turned out to be the Human Element at work. After obtaining a DOJ email the hacker attempted to access a secure department website. When explaining the attack to the website Motherboard the hacker wrote, “So I called up, told them I was new and I didn’t understand how to get [in]. … They asked if I had a token code, I said no, they said that’s fine—just use our one.” What? The Help Desk gave the hacker access to the secure website? What is the point of having the best dead bolt if you leave the key under the flower pot?
I do not know why the DOJ Help Desk chose to give the hacker a temporary token. Perhaps the process for obtaining new tokens took too long. Perhaps the process for adding a user to a list of approved parties was not automated. Maybe it was too burdensome to do things the right way and therefore the Help Desk went around protocol. The lesson is that if security is too difficult, users will go around it. We therefore need to start designing our cybersecurity systems with the Human Element in mind.
We also need to change our definition of cybersecurity. Cybersecurity is not just encryption, just like network security is not just a firewall. The attack on the DOJ was about certificates and authentication, not encryption. At a recent conference in San Francisco, NSA Hacker Chief Rob Joyce highlighted four ways to protect your network. The first two suggestions were based on improving authentication. We need to start putting authentication on equal footing with encryption and invest in it accordingly. Authentication is the next battleground of cyberwarfare but as opposed to encryption this one will include managing the Human Element.
Eric Sharret is Vice President of Business Development at TELEGRID.
Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.