If you have followed our work for any amount of time, you will note that we are fans of certain information security technologies such as encryption, AI and machine learning as well as blockchain. But you will also note we are very specific, cautious and surgical about their use. Encryption is a must-have but does little for you if your underlying systems or habits are vulnerable. Think keyloggers, poor handling of encryption keys and using encryption for transmission but not for storage. AI and machine learning are wonderful for sifting through mountains of data to find those data packets that just seem out of place, but not so great when used to filter and even block content or to fully remove human decision-making from the process. Blockchain is a revolutionary technology that can really change how we do business, but unfettered faith in it – much like any other technological wizardry – will not lead us to the peaceful and serene abode of cybersecurity, network security, information security, data security or whatever you would prefer to call it. You see, here is the problem with all of these technologies: they do not cure the problems caused by the operator, otherwise known as “you.” At best, they only treat the problems the operator is responsible for. Pick your study over the last few years, and you will find that human error is responsible for 85%-95% of cybersecurity and privacy breaches. Based on those findings, we are going to go out on a limb here and say this: you (okay, we, to be fair) are the problem. Always have been, always are, always will be. Everything else is just fog, playful squirrels distracting us, and cute cat videos. This two-by-four-smack-to-the-forehead fact should be enough evidence to make us pause and invoke the “insanity is doing the same thing over and over again and expecting different results” quote. (Argue amongst yourselves whether this quote is rightly or wrongly attributed to Albert Einstein.)
Yet despite this painfully blunt fact, we are still doing business the same way. And that’s a problem. A big one. We are pumping millions – billions, in some cases – into these technologies that tease us with the illusion of a Fort Knox: Information Edition, but the truth is we are not getting the expected return on investment. How do we know that? Simple: breaches are still commonplace. And why is that? It is because many of the cybersecurity problems we face are directly related to operator usage. It doesn’t matter if it’s handling classified information or a business plan. It is the operator that is causing significant grief. That means unless we design a system that removes humans from all interaction with technology, or said another way, allows the machines to make all the decisions for us – not a particularly appealing choice – the operators need to step up their game. You see, technology is useful when used as intended. In fact, in many cases we absolutely need technology because let’s face it: most of us cannot do without it. But please also understand that using an encrypted messaging app does not turn you into James Bond and/or his trusty genius Q. Let’s get out of the dark and shed some light on the limits of technology: you don’t become a super spy, keeper of secrets, because you use technology; you become better at protecting information by how you use – and even don’t use – the technology. And who decides how to use technology? Ultimately, you do. That really is the core of our thesis here: whatever you want to call it – cybersecurity, infosec, data protection, privacy – it’s all about how we – the people – interact with technology, and that is the paradigm shift we have not seen in the cybersecurity domain or any domain really. We were quick adopters of anything and everything tech, but true to human habit, we have been – and continue to be – slow to adapt.
Or put another way, we have moved away from using technology as a tool and have become dependent on it as a crutch. And what happens when your crutch breaks or gets kicked out from under you? You fall, and it hurts. And if the fall is really bad, you may not recover from it. Tech is great, but tech without some operator brains means tech can be useless. In fact, being too “tech heavy” leaves the door open for exploitation and waste. In some cases, it will even hurt us. And because the costs of information leaks and breaches are non-linear, it makes sense that we, the operators, do what we can to reduce the weak points. That is why you are the first, last and best defense and always will be.
Exhibit A: Wrong Turn at Albuquerque
We use the following example fairly often to demonstrate the follies of placing all (or most) of our faith in technological solutions. Imagine yourself stuck in an airport lounge, a few hours into your latest delay. What to do? Well, may as well catch up on some work because finding your bed prior to 3am isn’t happening today. Out comes your trusty laptop, and off you go…and time for us to show you how technology designed to protect your information easily falls apart with one or two missteps courtesy of Homo sapiens. Let’s take this example to a bit of an extreme to over-emphasize the point. Imagine you take extraordinary steps, above and beyond the average user. Your laptop has logon brute force protection. Good move! In everyday speak, input the wrong password x number of times, and the device begins to encrypt or wipe itself. You also have no significant data on your computer and instead opt to use an external encrypted storage device (fancy USB key) that uses an approved and tested algorithm. Another good move, especially if you are ready to enter the realm of quasi-paranoia and walk around with FIPS 140-2 Level 3 USB keys. (Sorry folks, Level 4 storage devices are usually reserved for government workers – normally because they are incredibly expensive – and may be mounted to concrete.) Here comes the critical part: what value do all these fancy and flashy yet robust and really, really good protective technologies have when you connect to a public Wi-Fi connection? Nada. Zilch. Donut (minus great flavor). That super-secure $200 USB key has about as much value as a $2 one you were given “for free” at your latest conference. (Note to reader: Throw away “free” USB keys.) You see, unless you have done a deep dive into the cybersecurity world, one does not normally think about the fact that the Wi-Fi router in an airport lounge – or anywhere really – may be misconfigured (information leaks) or worse, compromised (information theft).
But if you have done that deep dive, you will know that an airport lounge is an adversary’s dream. If we were to take on the role of the bad guys and we wanted to do some wholesale theft of intellectual property or corporate information, we’d be hard-pressed to find a better place than an airport lounge, a place usually populated with tired and stressed-out business travelers who may be three glasses into their favorite libation. Heaven help you if you are logging on to a corporate network – or anything you want to keep private – over public Wi-Fi. Here is the result of plugging into a public Wi-Fi network: all that cryptography and fancy tech on your device designed to protect you goes “poof.” It’s all gone, into the ether just like that. No amount of AI in the galaxy is going to prevent the data theft if the public Wi-Fi router is compromised. Why? Because that “road” (network connection) you are using is, by design, vulnerable and hazardous for the sake of convenience. Convenience is all fine and dandy except that nobody tells you that while “on the information superhighway” (Haven’t heard that one for a while, have you?) one wrong turn could leave you feeling like an anvil fell on your head. It’s kind of like just-in-time supply chain management: it works great until there is a break in the supply chain, except in our example, you may not be able to rebuild the supply chain. Ever! That is why, when you use technology, you should ask basic questions. Why is it public? Why is it free? Why am I plugging into a network that countless others have plugged into? We teach children not to take candy from strangers, so why are we taking Wi-Fi from…strangers?! We say (justify?) it is for convenience, except that convenience comes at a cost, and everyday users have never been told what the full costs are. For Pete’s sake, even the executives and leaders of organizations may not be aware of what the potential costs are.
And here’s the real kicker: we normally do not know what the real costs are. And why is it that we do not know what the real costs are? It’s because the “value” of data – or more specifically, information – in many cases is intangible, and with intangibility comes non-linearity. Or put another way: if you can’t reasonably calculate the cost of the SNAFU prior to the boom, there is a greater-than-zero possibility the SNAFU could cost you a world of hurt, specifically because you just don’t know what will happen after the collapse. Too many variables are playing a role, many of which are out of your control. So before anybody gets all uppity about the benefits of convenience and how much more “efficient” it has made us, understand that there are costs you may not always see or feel. As recently as 10 years ago, maybe even five, the worry of a leaked e-mail, corporate document or getting doxed didn’t really keep you up at night. Now it does. One text message can change the nature of something in galactic proportions. That’s asymmetry, and the costs are rising. You see, the cost of network downtime, or even theft of something tangible, is usually calculable. But the cost of a damaging email or unsavory picture/video, especially if mismanaged during the aftermath, is incalculable. Depending on which way the news cycle is going that day, the wrath of the Twitterverse could range from a few embarrassing memes to forced apologies, demands for resignation, changes in corporate policies, federal investigations and even closing shop. Again, you just don’t know because of all the variables at play, which is why it’s best, where possible, that you don’t find yourself in that situation in the first place.
All in all, our increasing reliance on technology (and somewhat misguided dependence on technological solutions that we hope will bail us out of the mess we walk into) builds fragility into the system, whether it is from an IoT perspective – as we outlined in our safe, secure and intelligent (S2I) article – or from our ever-growing inability to accurately gauge how to respond to a PR crisis. The difference between “phoning it in” and overshoot is not as clear as it used to be. Stakeholder expectations are increasingly dynamic. It’s for these reasons that cybersecurity is absolutely not a niche issue, as some still try to claim. Cybersecurity is at the core of virtually every single business operation today, and just as there is money to be saved, there is money to be lost by some players, hence the pearl clutching. And who are those who stand to lose the most if this “focus on the person” paradigm shift occurs? Those who seek to sell you stuff, like vendors and software consultants, because they are still pushing the “focus on the tech” paradigm. It is in their interest to do so. But is it in yours? Again, we’re absolutely not anti-tech here. One of us is a gizmo geek, and the other drools at anything AI. We just understand the limitations of tech. So just as you are limited to the “pick two” mantra of “cheap, fast, and good,” there is an additional “pick two” mantra you need to consider, courtesy of cybersecurity guru Dan Geer, CISO of In-Q-Tel and famous non-user of a cell phone: pick two of “freedom, security, and convenience.” In the past, that decision didn’t seem as important as it does today, but then again, in the past we didn’t feel like we had a hole in our data buckets like we do today. Stay tuned for part 2 of this two-part series.
About the Authors:
Paul Ferrillo
Paul Ferrillo is partner and shareholder in Greenberg Traurig’s (“GT”) Litigation department, where he focuses on complex securities, shareholder and business litigation, and internal investigations. He also is part of GT’s Cybersecurity group, where he focuses primarily on cybersecurity corporate governance issues, and assists clients and boards of directors with governance, disclosures (both regulatory and post-breach crisis management), and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them (e.g. SEC OCIE, FINRA, OCC, FFIEC and NY DFS).
George Platsis has worked in the United States, Canada, Asia, and Europe as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs in the fields of business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.
Both authors are members of The #CyberAvengers.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.