Ted G. Lewis, a professor at the Naval Postgraduate School, states in his book Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, “trusted computing depends on human processes as much, if not more, than on technology.” This is a statement that many cybersecurity leaders could get behind.
Obviously, a technology is only as secure as the people who work in it. In many ways, a cybersecurity failure can be likened to a counterintelligence (CI) failure: both deal with sensitive material, whether from a technical or a human intelligence discipline, yet both stem from human failings rather than an unsecured firewall or an unlocked fence. However, technical infrastructures are integral to the effective and proper functioning of a nation-state, specifically the United States. IT assets are responsible for how nations communicate, deal in stocks and the financial market, and operate governments. Because of cyberspace’s importance in public and private life, it is imperative that it be protected against threats.
In an abstract, Carl Colwill describes how information technology systems are well-defended from most outside hacks and traditional technological threats, but emphasizes that insider threats from employees are a very real danger for which most companies are unprepared. Interestingly, this assessment was written in 2009, before the increased usage of social media by both government and the public en masse. The abstract, though dated, recognizes the problems posed by humans in the IT field.
More recently, others have acknowledged this and described how the IT field is a human process problem. According to Vircom, a Canadian tech company, “Human error is the leading cause of data and security breaches, responsible for 52% of such incidents. It was a person, lured by spear phishing, who opened the gates to the Democratic National Committee attack last year, as well as major hacks against Snapchat and the health care industry — to name a few examples of that human factor,” with Vircom’s Technical Support Director commenting, “The weakest chain in cyber security is the human being. It’s the lowest hanging fruit. Most of the attacks we see in the field right now are targeting uninformed people.”
Other examples of this human factor in the IT field include the Equifax data breach, in which “the company’s failure to perform the simple fix of patching the vulnerability” resulted in 150 million people having their data compromised, and the 2017 WannaCry ransomware attacks, where, after the program was stolen from U.S. government servers and Microsoft issued a patch protecting against the malware, many simply did not install the new patch, which resulted in massive corporate and companywide infections.
As one can see, human fallibility poses some significant problems to the IT space. As to how to solve this, I would argue that the best practice is to take a national security approach in the vein of a CI structure. The entire point of counterintelligence is to prevent adversaries from gaining the upper hand by identifying, deceiving, exploiting and disrupting them, and by protecting the important information sectors, physical locations and documents whose compromise would threaten the security of the United States.
A counterintelligence approach requires supervisors and all personnel to be on guard. Stringent background vetting with an emphasis on details, knowing the threats that are out in the world (both in a technological and non-tech sense), listening to both history and important analyses, and training people correctly are some of the techniques that many academics, experts, and other CI specialists would recommend. Utilized in the IT space, they could have extreme benefits in protecting sensitive information.
In terms of resilience, there are a number of ways to make the information technology sector resilient against various forms of attack.
First, education should be made the primary factor in promoting resilience in the IT sector. Many IT professionals have either work experience or military service, as opposed to undergraduate education in computer science or information technology. Because of this, while many are fluent in the technical constructs of IT and computation, a fair number are not as fluent in the dangers that face cyberspace from foreign actors or the larger geopolitical problems that involve cyberspace.
Furthermore, as with most jobs, professionals can become complacent in the standard day-to-day operations and become lax in their duties. This lack of awareness can result in systems becoming compromised and penetrated by enemy actors, resulting in sensitive data being corrupted, items being stolen or deleted, and huge national security risks. It is apparent with the 2016 U.S. Presidential Election that relaxed security measures and general lethargy were the keys allowing Russia into the DNC’s servers. It could easily be argued that, on a company and corporate level, there should be steps taken to ensure that all members of the IT department are aware of, and fluent in, the larger geopolitical threats that are relevant to the field of cyberspace.
In addition, joining forces with the federal government, so that special agents and counterintelligence professionals brief the IT departments of large internet companies on current threats and the potential risks the company faces on its servers and platforms, would significantly help in promoting a joint private-public task force to combat disinformation and cyberattacks. It would also allow IT professionals to become more fluent in new and emerging threats that face the tech industry and the U.S. as a whole. This type of organization would be of great benefit in an anti-disinformation campaign (akin to what was seen with the Active Measures Working Group during the 1980s).