by Marc Goodman
The majority of data stored on both personal and company hard drives is in plain text, readable by anybody who gains access to these devices. The same is true for the lion’s share of traffic crisscrossing the Internet, save for major Web sites using HTTPS when sending your password or credit card information. But we can do so much better, particularly in the wake of Edward Snowden’s revelations. On the plus side, Google is increasingly encrypting its traffic, including all Gmail messages, between your computer and its servers (not just your password). Doing so makes it vastly more difficult for somebody to intercept and read your e-mail in transit; otherwise, any message you send is as if it were written on a postcard freely accessible to anybody who sees the traffic as it flows around the Internet, such as the local Starbucks Wi-Fi connection you use. The Electronic Frontier Foundation, a nonprofit digital rights and privacy advocacy group, has also launched a program known as HTTPS Everywhere to promote the use of encryption in all our Internet browser traffic. In short, it’s high time to encrypt the Internet to help protect the privacy and security of our digital communications and computer data.
Though modern computer operating systems, including those from both Microsoft and Apple, come with free hard disk encryption tools built in, they are not turned on by default, and only a small minority of companies and a tiny percentage of consumers encrypt the data on their laptops or desktops. In fact, most consumers have no idea these security protocols even exist. In the wake of the celebrity iCloud hacking fiasco of 2014, Apple’s chief executive, Tim Cook, acknowledged the company had to do more to ratchet up customers’ awareness of cyber-security matters. I thoroughly agree. In September 2014, Apple announced that its latest iPhone would encrypt all data on the device when a password was set, a move Google vowed to match with its forthcoming Android mobile phone operating system. These are important steps forward in minimizing smartphone security risks, but given that 40 percent of users don’t even use a password on their mobile phones at all, Tim Cook was right: much more education and awareness are needed.
Taking a Byte out of Cyber Crime: Education Is Essential
Civilization is in a race between education and catastrophe.
H. G. WELLS
We have a literacy problem in the United States and around the world, and it’s not the one most think of. It is the problem of technical literacy. In a world replete with gadgets, algorithms, computers, wearables, RFID chips, and smart phones, only a minute portion of the general population has any idea how these objects actually work. Whether it’s Crime, Inc. or the NSA, those who know how to code will hold power over those who don’t in the same way that those who could not read and write in the last centuries found their opportunities limited. We need to build up the technical literacy of the general public.
The goal is not for every single person to become a computer coder (though building our nation’s science, technology, engineering, and math skills would do much for our economy). The goal is for citizens to have a basic understanding of how the technologies around them operate, not just so that they can use these tools to their full advantage, but also so that others cannot take advantage of their technological ignorance and harm them. Had Cassidy Wolf, Miss Teen USA, been taught in school the simple trick of covering up the Webcam on her laptop with a yellow Post-it note, a hacker would never have been able to secretly capture photographs of her naked in her own bedroom. Of course that is just one example, but in case after case of cyber attack, had the victim been armed with the right knowledge to protect herself, the pain of the hack could have been entirely avoided. Education is key, and the state of our cyber-security education is abysmal.
In our public schools, we provide children everything from sex education to driver’s training. But your children will likely be spending much more time online and interacting with technology than they will be engaged in sex or driving. Yet most schools provide little or no formal education on how to stay safe online. For years, the National Crime Prevention Council’s McGruff the Crime Dog was a fixture on television and in schools warning children and adults alike to “take a bite out of crime.” Today we need McGruff more than ever teaching our children how to “take a byte out of crime.” Fortunately, there are some useful efforts under way. The National Crime Prevention Council has launched programs to inform parents and children on cyber bullying and Internet safety, and the National Cyber Security Alliance has created an excellent Web site (StaySafeOnline.org) and other public programming to help educate our digital society to use the Internet securely whether at home, work, or school. But these efforts need to be greatly expanded if we are to meet the level of threat heading our way across a wide array of technological developments, such as the Internet of Things. As previously noted, a great many of these technological threats need to be handled at a systemic level, but individuals also have to understand the risks and take responsibility to protect themselves and their families to the fullest extent possible. The need for education is just as great in the private sector among businesses. Companies are under attack, not just by Crime, Inc., but also by sophisticated nation-state espionage services going after their intellectual property and corporate data. Security measures that were commonly only necessary in top secret organizations are urgently needed across the entire business world. Here too the educational resources are profoundly limited, a state of affairs that must be addressed if we are to make any progress against the technological threats looming before us.
The Human Factor: The Forgotten Weak Link
If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.
BRUCE SCHNEIER
Cyber security is a people problem, not just a technical one. No matter how strong your computer password is, if you write it down on a yellow sticky and attach it to the front of your computer screen so that you can remember it, all walking by will have access to your digital life. For the tens of thousands of people losing money to Nigerian prince scams every year, their problem is not a technical one but the ever-present human characteristics of hope and avarice. When you post your vacation plans on social media and burglars pay a visit, it was your decision to share that helped facilitate their criminal activity. And for each and every person who clicks on that link from his bank telling him his password has expired and he needs to change it, the challenge isn’t that his computer has been hacked per se but rather that he fell victim to a socially engineered phishing attack. No matter how many firewalls, encryption technologies, and antivirus scanners a company uses, if the human being behind the keyboard falls for a con, the company is toast. According to a 2014 in-depth study by IBM Security Services, up to 95 percent of security incidents involved human error. The human factor can trump all other technological security measures, and thus the need for both workforce and personal education is key.
As mentioned in the prologue, of course technology can help make us more secure. Multifactor authentication, biometrics, encryption, and geo-location can cut down on crime and reduce other security risks. But as we have seen repeatedly, these technological tools can be undermined. The NSA surely had some top-notch cyber-security tools at its disposal, yet it was a human being, Edward Snowden, who subverted them before fleeing with extensive classified data on his thumb drive. The same was true of the “peaceful” Iranian nuclear power plant at Natanz, which had good security measures in place and had no physical connection between its industrial control systems and the Internet at large. But these measures were readily defeated when an unknown party carelessly plugged an infected USB thumb drive into a desktop computer at the facility. The ill-informed decision allowed the Stuxnet worm to propagate across the internal network responsible for controlling the uranium centrifuges at the facility. It is convenient to always turn to an easy technological fix when there is a problem, but business owners, policy makers, Internet firms, computer coders, and engineers must consider the human dimension of security if w
e are to make any progress against the technological risks of both today and tomorrow.
The good news is there is much we can do by adjusting our own human behavior to significantly improve our personal technological security. To help frame this issue, it is useful to think of automobile theft for comparison. If a BMW owner parked his car in a crime-ridden neighborhood, the decisions he personally made about the automobile’s security would strongly affect the likelihood of its theft. If a driver were to park in a welllit area, lock all the doors and windows, and set an alarm, he would have taken all reasonable measures to prevent thieves from stealing his car. Most of us have learned over time that that is exactly how we should secure our vehicles, but the majority of the public has no idea of what similar behavior would look like in cyberspace. Thus we go online and virtually park our cars on dark isolated streets, keep the doors and windows open, never use an alarm, forget the keys in the ignition, and leave $100 bills on the front seat. Then we wonder why our cars have been stolen.
The goal here is not some elusive unicorn known as “perfect security” but a significant improvement in our current state of affairs. Again the BMW example is instructive. Even for the driver who took all the right steps and precautions to protect himself and his car, the vehicle’s theft would still be entirely possible. A criminal could come by with a flatbed or a tow truck, let alone hack the doors and engine, to abscond with the vehicle. With enough time, energy, attention, and resources, any system can be hacked. Your goal is not perfect security; your goal is understanding how to lock the doors and windows to your car in cyberspace, and about that there is much you can control. Still, many of the risky online decisions you make today are not at all your fault but rather that of incredibly poorly designed computer systems—software, hardware, Web sites, and smart phones. It’s time we fix that.
Bringing Human-Centered Design to Security
New opportunities for innovation open up when you start the creative problem-solving process with empathy toward your target audience.
TOM KELLEY, IDEO
Why don’t these idiot customers update their passwords? If only those fools used VPNs and firewalls. Well, are you using WEP or WPA2?
As anybody who has phoned tech support to resolve a computer problem knows, most system administrators and help desk personnel don’t hold their “customers” in particularly high regard. The common diagnosis among these technical support personnel is PICNIC: problem in chair, not in computer. For those who have studied computer science, taken classes in cryptography, and dreamed in PHP and C++ code, talking to the average computer user can be a frustrating process. We quite literally speak two different languages. For security engineers, the answers seem so clear: “If only those damn users would stop doing x or y stupid thing, everything would be okay.” Users on the other end of the line have a simple, often unspoken request: “Why won’t you give me simple instructions and allow me to get back to work?” Our security tools today are too complex and burdensome to use, and, simply stated, complexity is the enemy of security.
Information security architects speak in jargon about viruses, malware, zero days, exploits, Trojans, RATs, and AES, and for the most part the general public has no idea what they are talking about. Security software and hardware products today are almost uniformly designed by geeks for geeks. There is nary a fleeting thought or a modicum of empathy toward how these tools might be used by you, let alone your grandmother. Instead, the products that are meant to secure and protect us give us helpful warnings such as “Alert: Host Process for Windows Service Using Protocol UDP Outbound, IPv6NAT Traversal-No, is attempting to access the Internet. Do you wish to proceed?” What the hell does that mean? Nobody knows, except for the original authors of this “helpful” warning. It’s time to bring human-centered design thinking to the world of cyber security.
Think of the design of an iPhone 6, an Eames lounge chair, a Ferrari 458 Italia, or a Leica T camera—products that are meant to delight. Not only are these tools functional, but they are beautiful, created by people who had a close and deep understanding of their customers and their needs. When one watched Steve Jobs onstage describe his latest products, there was no doubt that each and every one was imbued with the love of its creators. So where’s the Steve Jobs of security? What might Apple’s chief designer, Jony Ive, bring to the problem of our growing cyber insecurity? What would his firewall or antivirus program look like? Thus far, we have no idea, and that is a huge problem.
It is a problem because when security features are not designed well, people simply don’t use them. Moreover, poor design can lead the human users down pathways that actually make them less secure. Why would people write down their passwords on Post-it notes and stick them on their computers? Because making people change them every two weeks and requiring that they be at least twenty characters long, with an uppercase letter, a number, a symbol, a haiku, and in iambic pentameter, is just too much for the average user to handle. So people subvert the security systems in place so that they can get their work done. There are also certain types of security products, such as software firewalls, that give so many false alerts that the person running the tools has to turn them off just to avoid constant pop-ups with incomprehensible warning messages. In these instances when security breaches occur, the IT staff invariably blames the user. It may be time to look in the mirror first. Of course the designers of security products and systems are not uncaring or ignorant people; they are just woefully out of touch with the needs of their customers. To borrow a phrase, it’s time to “think different.”
Human-centered product design is fundamental to drive the behavioral changes we require in the world of techno-security and to help minimize the growing number of threats we face. The designers of these products need a gut-level understanding of how people interact with computers and smart phones, and they must not expect people to conform to strange behaviors or understand arcane screen prompts. Until security gurus start making products the wider public can understand and implement, people will lack both the tools and the information they require to protect themselves. While expanded education programs and human-centered design can undoubtedly make a substantial improvement in the overall state of our technical security today, some threats go beyond the capacity of a single individual to respond to. In those cases, a host of systemic changes will be required, and both nature and medicine can provide useful inspiration on the best path forward.
Mother (Nature) Knows Best: Building an Immune System for the Internet
Today’s cyber threats are evolving faster than our defensive barriers can keep them out. Not only are the proverbial barbarians at the gate, but they’ve kicked it down and are crawling all over the castle. We need more robust, responsive, and flexible defense methods—much like the body’s immune system. In the more than three billion years that life has existed on this planet, millions of different species, including human beings, have learned to deal with an innumerable array of threats. In animals, it is an adaptive immune system that provides the protection we need against a variety of foreign pathogens, including viruses, parasites, bacteria, and even environmental toxins. The designs we see all around us in nature can serve as a great source of inspiration as we attempt to solve complex human problems, and there is a field of study dedicated to just this challenge; it’s called biomimicry. For example, scientists are now studying how leaves process the sun’s energy in order to invent better solar panels. So why not look to innovation inspired by nature to help us create self-healing computer networks?
Until now, our general approach to cyber security has been to wall ourselves off from all possible technological threats, but not going online or using technology is not an option. A much better approach would be to acknowledge and rapidly adapt to risks as they present themselves, just as our immune systems do. The human immune system doesn’t just work against one strain of flu, but rapidly adapts and learns to deal with a full spectrum of flu strains. This is possible because
the body has a keen sense of understanding of what constitutes the healthy “self” as distinguished from the dangerous “nonself.” But such approaches are rudimentary at best in our present-day techno-defense systems. Both DARPA and Pacific Northwest National Laboratory have launched projects on the subject, and one of the most interesting approaches is under way at Wake Forest University. There the computer science professor Errin Fulp is using the natural swarming intelligence of insect colonies to ward off cyber predators by deploying thousands of “digital ants” software programs across a computer network, each looking for evidence of a threat. Should such a threat be discovered, the digital ant will mark the problem with the equivalent of a virtual scent, attracting other ants. Stronger scent trails bring more digital ants, which ultimately swarm any potential computer infection before it grows out of hand. The propagation rates of the cyber threat are so great that there is no way human beings can manually keep up. Likewise, our goal should be to create a variety of sensors across our global networks to not only detect intruders and how they gained entry but, more important, automatically make the necessary repairs—a self-healing network that does not require human intervention to repair itself. An immune system for the planet. Until such a system is in place, we continue to focus our efforts on much more human-capital-intensive approaches to the problem, such as using law enforcement to arrest perpetrators.
