By John Irvin
It seems a part of US culture to believe there are technological solutions to virtually all of our problems.
That belief has a long history dating back at least to the Nineteenth Century; and who could argue that our individual lives haven’t been extended and our quality of life improved by technology?
That belief was reinforced in the 1990s with seemingly limitless promises from Silicon Valley companies that this or that new development would drastically improve our lives. It was a new form of the very old concept of techno-utopianism.
The only thing that got in the way was the reality of people.
No technology exists in a vacuum and every new thing is influenced by the personal psychology of the people who bring it about and the people who use it. Perhaps the greatest danger of techno-utopianism is overreliance on technology, the belief that the technology can eliminate the “human factor.”
This is a recurrent theme in Dr. David L. Charney’s series of White Papers on insider espionage. In his third and most recent paper, Prevention: The Missing Link for Managing Insider Threat in the Intelligence Community, [i] he writes,
“Great hopes have accompanied the rise of artificial intelligence (AI), big data, algorithms, and machine learning (ML), the bright shiny objects of the moment. There is a shared assumption that these high-tech innovations will introduce all that is necessary to finally resolve the challenging problem of insider threat.”
A misplaced reliance on technological solutions to our security problems permeates government and business.
Of course, Dr. Charney isn’t the only one to point out this mental hurdle. Speaking at the 2017 Black Hat conference, then-Facebook CSO Alex Stamos commented,
“The things that we see, that we come across every day, that cause people to lose control of their information are not that advanced…Adversaries will do the simplest thing they need to do to make an attack work.”[ii]
In short, bad guys tend to take the easy route of exploiting human vulnerabilities, for which they are all-too-often richly rewarded.
Mr. Stamos also suggested that the lack of focus on more mundane human vulnerabilities came about because often security experts had little interest in or empathy for people. He often heard security professionals express the view that there would be fewer breaches and less data lost if people were perfect.[iii]
Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, commented that,
“No matter how detailed and rigorous the security procedures might be, the human factor can be counted on to mess them up…It is safe to assume that somebody somewhere is going to defeat security protocols through negligence, stupidity, or malice.”[iv]
Knowing that the “human factor” is vital to detecting and mitigating insider threats (and the most effective way of preventing them), why do we continue, year after year, project after project, to focus almost exclusively on technological solutions? After all, as Dr. Charney points out,
“Insider threat events originate within the minds of individuals. That is where it starts. Always.”
Setting aside the cynical answer that there’s simply a great deal of profit to be made in developing technology that government and industry will purchase in the hope of finding a “silver bullet” to solve all of their security problems, the likely answer is that insider espionage is viewed as too esoteric and complex an issue to be solved by anything but the most complex technology.
Since so much of the information we value is stored and transmitted by electronic means, we assume that the solution lies in the technology, not the people who use it. If the problem is technological, then the solutions can only come from technology experts, the same ones Mr. Stamos heard express the belief that there would be fewer breaches and less data lost if people were perfect.
On the other hand, if the problem is human behavior, that’s something just about all of us can relate to. We don’t have to be “experts” to see how the mindsets of individual people are expressed in behaviors that impact us every single day. While the average person may not understand artificial intelligence, “big data”, computer algorithms, or machine learning, he or she does understand that any technology is only apposite to the all-too-human person using it.
It would be misguided to say technological solutions are not the answer to the issue of the insider threat. It would be equally misguided to suggest they are the only answer, or the most important one.
To demonstrate to the lay person that an overemphasis on technological solutions is not unique to the arcane realm of espionage and cybersecurity, an analogy may be useful.
A study published in 2018 by the AAA Foundation for Traffic Safety demonstrated that, while “(m)ore and more, drivers are recognizing the value in having vehicles with advanced driver assistance systems (ADAS)” (i.e., blind spot monitoring systems, forward collision warning and automatic emergency braking, lane keeping assist), drivers’ “(l)ack of understanding or confusion about the proper function of ADAS technologies can lead to misuse and overreliance on the systems, which could result in a deadly crash.”[v]
Dr. David Yang, executive director of the AAA Foundation for Traffic Safety, is quoted in the article as stating,
“New vehicle safety technology is designed to make driving safer, but it does not replace the important role each of us plays behind the wheel.”
In the same way, newer, more complex cyber and monitoring technologies can certainly be of great value in making sensitive information more secure, but it doesn’t replace the important role of understanding individual human behavior.
Still worse, just as safety technology can result in drivers ignoring basic safe-driving measures, security technology can lead an organization to ignore often simple measures that can be taken to address the “human factor” in insider espionage.
Even the most advanced automotive safety technology will never be able to eliminate the risk posed by irresponsible drivers. Likewise, the best security technology will never be able to eliminate the risk posed by irresponsible or malicious insiders serving in positions of trust.
You don’t have to be a law enforcement or counterintelligence professional, a software developer working on a federal contract, or the CISO (Chief Information Security Officer) of a large corporation to understand that. You only have to be a human being whose been around long enough to understand that the weakest link in any plan – safety, security, or otherwise – is almost always your own fallible fellow human beings.
Dr. Charney writes, “Advocates for modern amped-up detection methods claim that new and advanced technologies on the horizon will be game changers that will overcome the historical shortcomings of detection.” He adds, “…detection ‘on steroids’ is not likely to move the needle that much.”
All three White Papers (available here at the NOIR for USA website) discuss how vital it is to address both technology and psychology in order to understand, mitigate, and ultimately to prevent insider espionage.
Focusing on techno “silver bullets” while ignoring psychology simply invites more egregious instances of insider espionage. Why? Because they “originate within the minds of individuals…always.”
–
[i] https://noir4usa.org/wp-content/uploads/2018/11/NOIR-White-Paper-THREE-281118208.pdf
[ii] https://securitytoday.com/articles/2017/07/28/facebook-cso-we-need-more-people-centric-security.aspx
[iii] https://www.bbc.com/news/technology-40671089
[iv] https://www.buzzfeednews.com/article/jasonleopold/the-cias-secret-2009-data-breach-revealed-for-the-first-time
[v] https://newsroom.aaa.com/2018/09/drivers-rely-heavily-new-vehicle-safety-technologies/