COMMENTARY

The human element complicates cybersecurity

The human factor remains one of the great impediments to improving cybersecurity

Cyberspace is an untamed frontier. Data networks everywhere remain vulnerable to cyber threats. As Rep. Michael McCaul (R-Texas) recently pointed out, virtually every sector of cyberspace faces danger, including the U.S. military.

Congressional hearings on cybersecurity have revealed that most federal networks have been hacked, McCaul said. Many attacks are classified as espionage, with foreign countries stealing government information. One data dump was equivalent in size to the Library of Congress.

“I hope as with 9/11, we don’t turn a blind eye and have a denial-of-service attack before we address this issue,” McCaul said.

Legislation passed in early February by the House could go a long way toward addressing the issue. McCaul and Rep. Daniel Lipinski (D-Ill.) are the primary sponsors of the Cybersecurity Enhancement Act of 2009, which would dedicate federal funds toward beefing up cybersecurity in the public and private sectors. The Senate is considering similar legislation.

Yet despite the congressional focus on cybersecurity, all the money, software and hardware in the world can’t entirely ward off cybersecurity threats. One nontechnology factor greatly impedes cybersecurity: the human factor.

We are the weak link in the chain. Too many people think they can just throw technology at the problem, but that alone is not the answer.

If people don’t follow consistent, well-defined security policies and procedures — and undergo regular cybersecurity training and exercises — then an organization’s networks and data won’t be safe.

Being human is our greatest strength and our greatest weakness. We are capable of developing the most innovative technical solutions for protecting a network, but if those solutions are not installed, configured and maintained properly, they will not be effective. Worse yet, they will give a false sense of protection.

In a recent report, the International Institute for Strategic Studies, a British think tank, warned of the peril of cyber warfare.

“Despite evidence of cyberattacks in recent political conflicts, there is little appreciation internationally of how properly to assess cyber conflict,” said John Chipman, director-general of the institute. “We are now, in relation to the problem of cyber warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war.”

The recently released Quadrennial Defense Review and proposed Defense Department budget for fiscal 2011 emphasize cyber defense. For instance, the budget request supports establishment of the U.S. Cyber Command, which will organize and standardize DOD cyber defense practices.

Military outfits are fully aware of human shortfalls when it comes to cybersecurity, so they regularly conduct training in realistic settings. However, those military organizations can’t undertake so-called live fire exercises without risking an actual network meltdown.

In recent times, simulators — made by a number of companies, including ours — have been employed to train defenders of military and government data networks. The best example of this is an exercise known as Bulwark Defender. Each year, the military services and government agencies practice their tactics, techniques and procedures against unknown cyber enemies intent on stealing critical information and creating havoc on our networks. This is all accomplished within the safety of a nonoperational global network used to regularly train, certify and exercise network operators.

The network is known as the Joint Cyberspace Operations Range. The range, which has been used since 2002, is run by the Air Force Network Integration Center at Scott Air Force Base, Ill. It has trained thousands of network operators and defenders; during the past three years, it’s been the underlying structure for Bulwark Defender.

We must develop and build new and smarter security technology and architectures in addition to defining and documenting security policies and processes. We must remain vigilant against cyber terrorism, cyber crime and cyber mischief.

However, until we take humans out of the loop, we will have to deal with our human inadequacies.

Reader Comments

Mon, Mar 29, 2010 ci_tech

Admittedly, the human factor is the key, but in all the discussion there is only talk about DoD. I would offer that DoD has trust relationships with other .gov's which provide an open window for attack. While the newly created "Cyber Command" may be successful in mitigating threats from within, how is it going to address the threat from outside its collective doors?

Mon, Mar 8, 2010 Amused

Skynet would approve of this title: "The human element complicates cybersecurity" Pesky humans. (http://en.wikipedia.org/wiki/Skynet_(Terminator)#Origin_and_nature) But seriously, what is cybersecurity? It's security, and it's by, of, and for humans. As ALWAYS, it's not about the technology, it's about the people.

Thu, Mar 4, 2010

Good thing we're getting prepared. The next Great War will be fought electronically, not with tanks and guns.

Thu, Mar 4, 2010 ers

Wouldn't it make more sense to start educating people earlier in life? Computer safety and privacy classes could be a very useful addition to elementary and middle school curricula to help develop good cybersecurity practices before they are really needed.

Thu, Mar 4, 2010 Dave1

Good to see the military has in place plans to train and condition its human element, but what about cooperation with the private sector? True, the smaller tech operators out there maybe can't train on the same scale as the government, but I would guarantee there's expertise in the private sector that the military could benefit and learn from. Where are the joint operations or joint training sessions here that get the public and private sectors on the same page?
