What is it that makes us human? Opposable thumbs? The size of our brains? The fact that we can pass the Turing test? Or something else?
Since the dawn of our species we have gathered around fires and told stories.
We are biologically wired for stories.
"Opposable thumbs let us hang on; stories tell us what to hang on to." – Lisa Cron
Stories make us human. We created language and used it to capture information – first on cave walls, then books, and now computers. We were the first species to figure out how to pass facts and stories to the next generation outside of what was encoded in our genes. Facts help us understand the world as it is. But it is stories that help us imagine the world as it can be. It is this wanderlust for that future that ultimately changes the world.
Stories have a profound impact on the way we feel, think and act. They move us. “To Kill a Mockingbird” moved readers to view the world from a new perspective – that of a young person observing racism and social injustice – and catalyzed the civil rights movement.
In 1977, three brilliant minds – Ron Rivest, Adi Shamir and Len Adleman – humanized the narrative in their famous paper by giving names to the characters. They talked about Bob and Alice’s need to have a secret conversation, which ignited the imagination of cryptographers. This particular story created an iconic company, an industry and a conference. Meanwhile, Bob and Alice still hang out in cryptography papers.
Our conference theme this year is “The Human Element”. What better way to discuss this than to review the story of our industry, paying particular attention to the humans in that story?
Do humans matter?
Yuval Noah Harari, author of Sapiens and a masterful storyteller of our era, has talked about how the advent of artificial intelligence will create a new class of humans – the “useless class”: those that are not just unemployed but unemployable.
In this data centric world with advanced AI will the humans of cybersecurity matter?
AI is now everywhere.
- Frito-Lay is using AI to make better potato chips!
- We have already seen adversarial AI in action in the recently publicized story where AI-based deepfake audio mimicked the voice of an executive to dupe the CEO of an energy company into initiating a big wire transfer.
- We are leveraging advanced AI models to reduce fraud in billions of card-not-present transactions via the EMV 3DS v2.2 protocol.
- We are leveraging machine learning to process data from the network, logs, endpoints and all facets of the attack surface to make the human analyst in the SOC more effective.
So, AI is definitely augmenting the attacker and the defender, but it will not make either useless. AI itself is vulnerable to cyber attacks, such as data poisoning during the learning or the inference phase. While AI will be busy making some subset of homo sapiens useless, we will make ourselves useful defending AI and other useful humans. Humans are here to stay in the story of cybersecurity.
A story’s structure
A story has a backdrop, narrator, actors and observers. 2000 years ago, Aristotle identified the elements of a great story: pity, fear and catharsis. The narrator depicts a struggle in which the observer feels pity and gets emotionally entangled with the one struggling. The jeopardy escalates, instilling fear in the heart of the observer. The resolution drives emotional catharsis, which delivers dopamine to the observer’s brain and lands the story in their head.
Yuval Harari says the impact of the story is more correlated to how many heads it lives inside rather than how real it is.
To change our future, we must change and spread our story. First, we need to understand the story we have. Next, we need to contrast that with our reality. Finally, we need to agree on the story we want and land it in lots of heads. So, let’s get into the story we had.
The story we had: Cyber skirmishes in the data center
Our early story was simple. The backdrop was deep in the bowels of the data center. Attacker vs. Defender; technologist vs. technologist. Not many observers at this point and it was us, the defender, narrating the story.
The story we have: Global cyber war from the edge to the core
As technology became pervasive, our story became mainstream. The backdrop is a pervasive technology infrastructure – Core, Edge, Cloud. Technology not just in data centers and cloud, but with the power of 5G, pretty much everywhere – in televisions, cars, shower heads, on our bodies and in our bodies. The World Economic Forum’s Global Risk Report 2020 was released in Davos recently. It included the Global Risk Perceptions Survey to measure which global risks are likely to increase going forward. Cyberattacks were in the top five, along with economic confrontations between major powers, domestic political polarization, extreme heat waves and destruction of natural ecosystems. 76% of respondents believe cyber risk will increase in 2020.
Through our customers, we have the world’s largest risk database. We recently conducted a survey of risk officers in the most highly regulated verticals and published the RSA Digital Risk Report. The top three risk priorities:
- Cyber Attack Risk
- Dynamic Workforce Risk
- Data Privacy Risk
Clearly our story has global mindshare. But we have lost control of the narrative with the mainstream media owning the story and depicting it as a technical conflict. The story now includes some other characters – the users and the business.
Here is how it is being told: Business leaders worldwide are concerned about cyber attacks as a strong and well-organized cyber force of hackers uses its technical ingenuity to wreak havoc on understaffed and burnt-out security teams. The users, who should be the first line of defense, are not technically savvy enough and are being manipulated with social engineering attacks, making the job of security professionals even harder.
The story evokes pity for the security team, fear of the hackers and catharsis feels far away. While we focused on preventing hacks on infrastructure, the adversary has hacked our brains and cranked up the contrast in our story. The Zeitgeist has an overly simplified and incomplete view of the humans in our story:
- All hackers are technical sorcerers.
- All users are gullible old folks with technophobia.
- And we are hapless techies who solely focus on zero-day vulnerabilities and the most advanced threat vectors.
Let’s dissect the truth. Attackers have done a great job of technical collaboration to create an arsenal of cyber weapons that enables the technically less sophisticated to inflict significant harm. At this point, there are more script kiddies than there are technically savvy programmers and hackers. They have recruited exceptionally well and have assembled massive human and bot armies. 71% of the threat actors in breaches are financially motivated. Use of stolen credentials was more than 60% of the top hacking action varieties. As the Verizon breach report states: “Utilizing valid credentials to pop web applications is not exactly Avant Garde”. The highest increase in threat actions was social engineering and the human asset was the fastest growing target asset category from 2013 to 2018.
Their advantage is not that they have the best tech or the best techies – their advantage is that they are more organized.
We, the security professionals, are living this cognitive dissonance where we understand this but continue our technology arms race and keep looking for techies to staff up our teams, creating a self-inflicted talent gap and burnout. We continue to spend an inordinate amount of time preparing for the most sophisticated threat vectors while most incidents occur due to very basic hygiene issues or unforced errors.
Preparing for the worst does not prepare you for the likely.
The burnout issue is real. A recent report across France, Germany and the UK reveals cybersecurity professionals feel they are falling behind. Too much complexity, too many distractions, too much noise. Two in five reported concerns that they would be held personally liable for a data breach. Just over half feared dismissal if a breach happened on their watch. The vast majority of CISOs say they rarely disconnect from their job.
We also have an inflated view of how organized we are. We are certainly collaborating better amongst security professionals. The Cyber Threat Alliance and the NSA open sourcing the Ghidra tool are great examples. But we are not organized well to collaborate with the users, business, risk and IT teams.
On the user front, the story does not match reality. According to Pew Research Center, Millennials may be cyber savvy but are not cybersecurity savvy, and are more likely than Baby Boomers to get phished.
We are also missing some key actors in the story. The great news is business leaders, directors on boards and risk officers are now keenly interested in the story, but they are on the sidelines asking questions and seeking to understand. IT does not figure in the narrative because they are focused on scripting and owning the story of digital transformation. IT, business and risk leaders are largely observers in our story and not actors.
The story we want: Cyber resilience in the digital world
The story we want is a business story of cyber resilience; not a technical story of cyber ping-pong. The backdrop is not cyberspace at all. The backdrop is physical space. It is our organic world viewed, not from the perspective of the digital technology instrumented into it, but from the lens of the human experiences that digital technology enables. The struggle that engenders pity and fear is not the struggle of the defender, but the struggle of the protected. The catharsis is not the eventual creation of an unhackable world, but the magical humanistic outcomes of digital transformation despite hacks.
To change our story, we need to do three things:
- Reclaim the narrative
- Reorganize our defense
- Rethink our culture
Reclaim the narrative
The story we want to reclaim is not the one we tell each other, but the one that others not in our industry tell about us. We don’t have to get them to believe that we are successful. We have to get them to believe that we can be. Belief in winnability is important for winning.
"If you think you can do a thing or think you can’t do a thing, you’re right." – Henry Ford
In order to do this, we must engage the media and spread our voice through them. We also need to leverage social media platforms to amplify our winnability. I know we are the strong silent types, and this will be hard for us. But we must! The media has been telling our story based on what we have been telling them, or not telling them. No wonder we are depicted in the media as losers, because all we share is our losses. We don’t share any wins, not because we don’t have any, but because we fear it will divulge our security posture, or make us complacent, or paint a target on our back. We can certainly share our collective successes even if we don’t share our individual ones.
We need to share our wins and the losses of our adversary. The two are not synonymous. We don’t have to win for the attacker to lose. Take the example of the city of Atlanta.
When the city faced a ransomware attack, it cost them millions of dollars to restore service. Not a win. However, the city made a courageous call not to pay ransom to the adversary. While this may not work every time, when we deny the attackers financial gain, they lose, since 70-plus percent of them are financially motivated.
The hackers are bound by the same laws of economics as everyone else. The City of Atlanta did not win, but the hackers lost. The city did a great job of highlighting this and, in response to the attack, built a robust business continuity plan as part of their integrated risk management program. An eventual win. They realized winning is not about avoiding cyber attacks but about business resilience despite them.
Owning our story will have several benefits. It will help with burnout. We have ignored the psychology of the defender to focus on the technology of the defender. We have a hard time recruiting because no one wants to join a losing team. Owning our story also preserves trust in technology.
Reorganize our defense
We need to get better organized and resketch the roles of all the actors in our story.
Any defense that expects to work, needs strategy and context. Business stakeholders, the board and the risk office, need to be thought of not as keenly interested observers but actors in the story. They are the “zeroth” line of defense and need to set strategy and provide context so security operations can prioritize and focus on the risks that matter most.
Goldman Sachs recently said they will not manage IPOs for companies with no gender diversity on their board. I look forward to the day when boards mandate cyber competency as a core capability in addition to their focus on diversity. I also look forward to the day when every Chief Risk Officer can quantify and explain cyber risk and partner with the CISO to help manage it by providing business context to the security programs.
On to the first line of defense, which functions to reduce the attack surface. The case of Typhoid Mary from 1906 can be instructive. In the summer of 1906, several members of the very wealthy Warren household fell ill with typhoid, a disease atypical in wealthy households. Upon investigation, it was discovered that the cook at that household, Mary Mallon, was responsible. She had a tragic flaw – she was an excellent cook who did not wash her hands.
In this example, the accountability for hygiene rested not just with the Warrens but with Mary. She came to be known as Typhoid Mary and was apprehended and quarantined.
In our world of cybersecurity, it is unreasonable to call our end users the first line of defense and hold them solely accountable for cyber hygiene. We need to consider the people who cook the food rather than those who consume it. For far too long we have failed to hold IT and software makers accountable for cyber hygiene and vulnerabilities. We keep getting embroiled in the quagmire of liability litigation and have believed that market forces will naturally punish the software makers who fail to reduce the attack surface. This has proven to be wishful thinking.
Yes, we need to continue to educate users, but it is time to invite IT to our story as primary characters acting as the first line of defense. This is especially true in the world of edge computing, where the technology footprint is pervasive. And with the advent of DevOps, the speed of software – and therefore of vulnerability creation – is exponential. IT is certainly cooking up delicious digital recipes, but they had better wash their hands and be accountable for reducing cyber exposure.
Rethink our Culture
Finally, we need to rethink our culture and shift from a culture of elitism to a culture of inclusion. Expanding the talent pool, filling the talent gap… however you look at it requires finding defenders outside of the tech community.
Let’s stop being STEM snobs.
One untapped resource is neurodiversity – which is simply being wired or coded differently. Neurodiverse people can bring new perspectives to a company’s efforts to create or recognize value. They solve problems in different ways. The neurodiverse population remains a largely untapped talent pool, with unemployment running as high as 80%.
Generations experience the world, and each other, differently. The accelerating rate of change in society creates a “gap”. Right now, there are seven generations in the U.S. Five are currently in the workforce. Each with a unique set of characteristics and norms. We need to harness this entire spectrum and be open to considering potential and not just experience.
Diversity of all kinds should be celebrated and leveraged. We need to collaborate not just within security teams but with business, risk and IT teams.
Next, let’s change our culture from a culture of perfection to a culture of pragmatism. Don't let perfect be the enemy of good. I am not saying we should lower our standards, but we should prioritize based on risk. A best-of-breed strategy that puts three monitors with five windows each on the desk of a security analyst may make them feel like technical wizards, but it will never help us keep up with the velocity of threats.
Changing our story will change the world
If we successfully change our story, we have a shot at changing our world to the one we want: a trust enabled world.
In this world, we will certainly use technology to protect technology and recruit machines to fight the good fight. But intrinsically this will remain a story about us. Humans will remain at the center of the story.
In this world, the defenders will be better organized than the attackers and the spirit of the defender will be strong. We will not go into battle believing that we are going to lose.
In this world, we will restore and preserve trust in digital technologies by successfully managing digital and cyber risk. It will not be a world without intrusions and breaches, but it will be one where the impact of these breaches does not get in the way of human progress.
Whatever fire it is that you gather around; whichever way it is that you tell our story, make sure it is the right one.
You are the humans of cybersecurity ... the keepers of our story.
When the fire is long gone, as are we, it is our story that will live on and if it is the right one, it will guide those after us on the right path.
It will tell them what to hang on to.
We are only as great as the story we leave behind.
You can watch RSA President Rohit Ghai’s RSA Conference 2020 keynote on demand [video courtesy of RSA Conference].