The security singularity: When humans are the biggest problem
- By William Jackson
- Sep 23, 2011
Technological singularity, simply put, is the theoretical point in history at which artificial processing power allows technology to equal and merge with human intelligence. Futurist writer Ray Kurzweil believes that the singularity is near (and says so in his book of that title).
The security singularity could be defined as the point at which the ability of humans to interfere with information systems makes them a bigger cybersecurity threat than technology. And it might already be upon us.
In a recent cybersecurity study commissioned by Cisco, people problems dominated the concerns of 200 federal IT officials or managers.
Another major defense contractor hacked; RSA tokens likely involved
Seventy-one percent of the respondents in the study named the increased sophistication of cyberattacks as the greatest threat in the coming year, but coming in at a close second was the negligent use of information by insiders. Negligence far outpaced malice as a security concern, with the malicious insiders coming in at the bottom of the list, at 21 percent.
The increased use of social media was the third-place security concern, at 61 percent. Social media is seen as such a threat not because of vulnerabilities inherent in the technology (although there certainly are enough of those) but because it is an excellent medium for social engineering, which is the primary human threat.
This concern about the human element was reflected in the choice of tools needed to counter security challenges. Two-thirds of those questioned said education and training was the most important tool, ranking above such technological tools as intrusion detection, situational awareness and identity management.
Cisco senior cybersecurity adviser Tom Albert said that, despite its small sample, the survey probably is a “fair representation” of the concerns of federal IT professionals.
True, the results of any one corporate study should be taken with a grain of salt. But the concerns about the human element in cybersecurity expressed in the report certainly are not new.
This is partly because, against all odds, we really have gotten better at using technology to protect our systems. Recent online smash-and-grab attacks by groups such as Anonymous show that there still are plenty of inadequately protected systems that remain vulnerable to low-level attacks. But here again, this is primarily a human problem. The vulnerabilities being exploited mostly are well known. They usually are discovered and patches made available for them long before the bad guys exploit them. Systems remain vulnerable because of a lack of resources or attention, not because of technology.
Recent high-profile breaches of systems that should be well protected, such as those at RSA and at some of the Energy Department’s national laboratories, have used social engineering to bypass defenses. Even the sophisticated Stuxnet worm apparently was delivered to its target by a USB device that some person, wittingly or not, had to plug into a network.
In the end, we probably shouldn’t read too much into these trends. The bad guys will always seek out the weakest link in network defenses, be it human or technical. If user education gets good enough that people no longer are letting the bad guys in, attack tactics will switch again and we will see an increase in more technological assaults.
Getting adequate user training will be a challenge, however. Although training was cited in the Cisco study as the most effective security tool, it was a distant second (37 percent) in the priorities for cybersecurity investments, behind identification of system vulnerabilities.
Identifying vulnerabilities certainly is a crucial element of cybersecurity, but the rankings might also reflect budget realities. When money is tight, it probably will be easier to get funding for new technology than for training old employees. So people may remain the weak link for some time yet.
William Jackson is freelance writer and the author of the CyberEye blog.