CYBEREYE

The security singularity: When humans are the biggest problem

Technological singularity, simply put, is the theoretical point in history at which artificial processing power allows technology to equal and merge with human intelligence. Futurist writer Ray Kurzweil believes that the singularity is near (and says so in his book of that title).

The security singularity could be defined as the point at which the ability of humans to interfere with information systems makes them a bigger cybersecurity threat than technology. And it might already be upon us.

In a recent cybersecurity study commissioned by Cisco, people problems dominated the concerns of 200 federal IT officials or managers.


Related story:

Another major defense contractor hacked; RSA tokens likely involved


Seventy-one percent of the respondents in the study named the increased sophistication of cyberattacks as the greatest threat in the coming year, but coming in at a close second was the negligent use of information by insiders. Negligence far outpaced malice as a security concern, with the malicious insiders coming in at the bottom of the list, at 21 percent.

The increased use of social media was the third-place security concern, at 61 percent. Social media is seen as such a threat not because of vulnerabilities inherent in the technology (although there certainly are enough of those) but because it is an excellent medium for social engineering, which is the primary human threat.

This concern about the human element was reflected in the choice of tools needed to counter security challenges. Two-thirds of those questioned said education and training was the most important tool, ranking above such technological tools as intrusion detection, situational awareness and identity management.

Cisco senior cybersecurity adviser Tom Albert said that, despite its small sample, the survey probably is a “fair representation” of the concerns of federal IT professionals.

True, the results of any one corporate study should be taken with a grain of salt. But the concerns about the human element in cybersecurity expressed in the report certainly are not new.

This is partly because, against all odds, we really have gotten better at using technology to protect our systems. Recent online smash-and-grab attacks by groups such as Anonymous show that there still are plenty of inadequately protected systems that remain vulnerable to low-level attacks. But here again, this is primarily a human problem. The vulnerabilities being exploited mostly are well known. They usually are discovered and patches made available for them long before the bad guys exploit them. Systems remain vulnerable because of a lack of resources or attention, not because of technology.

Recent high-profile breaches of systems that should be well protected, such as those at RSA and at some of the Energy Department’s national laboratories, have used social engineering to bypass defenses. Even the sophisticated Stuxnet worm apparently was delivered to its target by a USB device that some person, wittingly or not, had to plug into a network.

In the end, we probably shouldn’t read too much into these trends. The bad guys will always seek out the weakest link in network defenses, be it human or technical. If user education gets good enough that people no longer are letting the bad guys in, attack tactics will switch again and we will see an increase in more technological assaults.

Getting adequate user training will be a challenge, however. Although training was cited in the Cisco study as the most effective security tool, it was a distant second (37 percent) in the priorities for cybersecurity investments, behind identification of system vulnerabilities.

Identifying vulnerabilities certainly is a crucial element of cybersecurity, but the rankings might also reflect budget realities. When money is tight, it probably will be easier to get funding for new technology than for training old employees. So people may remain the weak link for some time yet.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Oct 25, 2011

of course it is people. People, not technology attacks our networks, our data and our knowledge. But we do not help them much. 15 character passwords that change every 80 days, different passwords for every app or server, etc just begs the user to write them down on their desk blotter, use the name of their dog or zip code, etc. All of us are part of the problem in some way...

Tue, Sep 27, 2011 Paul Sherman

I'd like to offer up a radical idea - take a lesson from healthcare errors. Those mistakes often result in patient injury or death. What research has shown and implementation has proven is that relying on a human's 'perfection' to stop a problem is one of the least effective methods of preventing future failures. For almost every person that cuts in the wrong spot, misses the critical patient alerm, etc., there's a whole system behind that action that creates an environment where the mistake is almost inevitable. Punishing that person DOES NOT fix the problem. Investigating the whole process, looking for the contributinhg factors and fixing those go a long way to limiting the likelihood of a repeat failure. For reference, look up "Root Cause Analysis" and healthcare.

Tue, Sep 27, 2011 BBC MD

This reminds me of a quote from "The Losers": "It's like giving a handgun to a six-year-old, Wade - you don't know how it's gonna end, but you're pretty sure it's gonna make the papers."

Mon, Sep 26, 2011 Earth

Well, I am glad to hear it isn’t the aliens. Those interdimensional mice and their AI constructs are a real pain when they turn against you. OF Course it’s the humans, either as users or as designers, take your pick.

Mon, Sep 26, 2011 Patrick Dooley

You sound like the BORG!

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above