FUTURE CYBERSECURITY: HYBRID THREATS REQUIRE BALANCED PREPARATION
DR. RICHARD F. FORNO (UMBC)
Honorary International Professor Investiture Ceremony @ UAEH
Main Lecture – 29 August 2023

"Mr. President, distinguished dignitaries, and members of the UAEH community. It is a great honor for me
to be here with you to receive this appointment. The warmth and energy of your university have
moved me deeply. I will always carry the memory of you and of this honor.
With much appreciation and thanks. Now, with your permission, I will continue in
English…"

Ladies and Gentlemen -

My family fostered a strong love of reading at a very early age. Nearly fifty
years later, I still have a great love of books and reading. So the opportunity
to be involved at this Book Fair - and one with the theme of cybersecurity - is
particularly meaningful to me.

Books represent stored culture, facts, fantasy, adventure, and perspectives on the
human condition and the world itself. They inform, enlighten, and educate. They
open our minds to new ideas and new possibilities. They make us both
comfortable and uncomfortable. Books challenge us to create, explore, think,
and become more capable human beings. And books are nothing to be afraid of.

Books by Arthur C. Clarke in the 1960s explored issues about technology that we’re
facing today with questions surrounding artificial intelligence and smart
devices. Books by William Gibson in the 1980s introduced the term 'cyberspace'
and predicted the technology-dependent reality in which we now live. And it was
a book in the early 1990s by astronomer Cliff Stoll describing how a tiny
75-cent accounting error discovered on a research computer led to the first
major international cyber-espionage incident that opened my eyes to
cybersecurity’s future influence on national security.

One does not need to read to know that cyber threats have proliferated over the
past few decades. Most of us here probably have been a victim of a cyber
incident. Attacks on our information resources have become more complex, harder
to counter, and even harder to prosecute. Enemies incorporate capabilities like
artificial intelligence and distributed computing to cause more digital damage
and chaos around the world through direct cyber attacks and cyber-enabled
disinformation campaigns. Such capabilities were once limited to national
governments. Not anymore.

But the cyber attacks continue - and along the way, I’ve noticed a recurring,
almost predictable pattern. Following most major cyber attacks, the typical
response is to issue new political statements, white papers, task forces, and
guidance documents that usually reiterate the same best security
recommendations we in the cybersecurity profession have promoted for over three
decades. In other words – the world has been told repeatedly what’s needed to
improve cybersecurity …. but bad things continue to happen anyway.
Why?

After 30 years in this profession, I can’t simply blame technology - which is easy to
do. Rather, I think these problems continue because of the human condition.
Because of people. Because of us.

Technology evolves. Improve a device and productivity can increase a hundred times. But
the human condition itself never changes. We are creatures of habit. Hackers,
criminals, and national adversaries know this, which is why their cyber attacks
continue to be successful. They analyze people – and how they interact with
both their information and each other.

Think about it: people design, develop, and deploy technology. They use and abuse it.
They attack and defend it. They grant or withhold funding for IT and
cybersecurity projects. They write laws, policies, and procedures regarding
technology. They teach others about good security practices. They speak and
respond. These are all actions designed and conducted by people, and as such, they are inherently flawed, vulnerable, and
exploitable – because we ourselves are.

No matter how talented or intelligent we think
we are, everyone makes mistakes. We get complacent, lazy, greedy,
narrow-minded, or are fooled into clicking on strange links in email or SMS.
Worse, from Facebook, Twitter, TikTok, GMail, smart devices, autonomous
vehicles, and more … we often rush to
embrace new technologies in our lives and organizations without considering the
potential risks to us and our data – and then wonder “how did this happen?”
when bad things inevitably occur. Yet, like magpies attracted to shiny objects,
we continue using such technologies because of the convenience, cost-savings,
or fun they provide.

And people, complex systems that we are, are part of an even more complex system
called government, business, and society.

Making the global cybersecurity problem more interesting: false claims and
disinformation, often driven by global media and amplified by cyber
capabilities, target people and society with potentially severe consequences.
Information is weaponized to disrupt underlying cyber-physical systems, stock
prices, economic productivity, elections, and human lives. And while influence
operations aren’t often considered a cybersecurity concern, deception and false
claims attacks that directly target the integrity of information and how we
perceive the world indeed relate to one of the fundamental tenets of
cybersecurity – specifically, ensuring the integrity of information. So it’s
not surprising to see cybersecurity professionals, including me, becoming
involved in these broader issues, too.

Cybersecurity, generally speaking, enables national and economic competitiveness.

This means that in examining the cybersecurity problem, we must also understand and
address the role of people in the problem – and how we might improve the human
condition to in turn improve our cybersecurity situation. Let’s consider some
ideas.

First, there is always education and training. These are important activities in
personal development and growth. But we must not confuse industry ‘training’
with university 'education' -- my belief is that the former prepares people for
a series of jobs to meet employer demands in critical areas, often based on
economic or political necessities; the latter prepares people for careers with
increasing levels of responsibility, awareness, and of course compensation.
Both are needed - especially in the technology and cybersecurity profession.

But we don't 'log on' anymore, we're always-logged-in. Activities in 'cyberspace'
directly impact the physical world. In other words, cyberspace is part of, if
not reflects, the human condition. It’s not something exclusive to the digital
domain – and not something only for ‘geeks’ and technologists alone to handle
anymore.

Nevertheless, since cybersecurity originated in the computing discipline, it’s often still
treated as a science dealing with binary absolutes. Firewalls allow or deny
connections. Passwords allow or deny logins. Algorithms return a 0 or 1. There
are attackers and defenders. Servers are up or servers are down.

Science creates new and amazing technologies that can move us into the future or make
life easier. It helps identify and fix technical vulnerabilities in our
systems, too. But science doesn't easily allow for nuance, context, or
ambiguity – and that's exactly where people and the human condition exist
within the cybersecurity domain.

I'm reminded of the artist Leonardo da Vinci who despite being known also for his
engineering ingenuity reportedly told us to "Study the science of art.
Study the art of Science. Develop your senses - especially learn how to see.
Realize that everything connects to everything else." Were da Vinci alive
today, he'd say that understanding both cyberspace and cybersecurity requires
an awareness of things beyond computing and technology. He would emphasize the
study of both the arts AND science.

This is where the humanities, liberal arts, and this Book Fair become relevant.

The humanities teach things like critical thinking, nuance, context, media
literacy, social science, and ethics that develop foundational skills for
life. One learns about the human
condition through sociology, psychology, law, and management – in other words,
how the world works and why. Since people often are the cause of most
cybersecurity incidents, knowing about such things is useful for cybersecurity,
don’t you think? As I said, our enemies already know 'how people work' and
routinely exploit this knowledge when planning attacks.

Lessons from the humanities help us understand the past so that we can avoid making the
same mistakes in the future - be it in cybersecurity or any discipline. Case
studies in business management are just as important to a cybersecurity
professional as a course on firewall configurations. Papers on unconventional
warfare can provide insight into how cyber adversaries operate successfully in
the shadows. Political science theory can inform our possible response to an
international cyber conflict. Courses on psychology, rhetoric, and media
studies can help illustrate how modern influence campaigns spread so quickly
and provide guidance on communicating cybersecurity issues to others more
effectively. Courses on philosophy and ethics ask us to pause and consider
whether just because we CAN do something with technology, does it mean we MUST
actually do it. And so on.

Besides – when cyber incidents occur, how do we quantify the costs of such incidents?
What organizational processes are needed to make sure they don’t happen again?
Cybersecurity, business management, economics, accounting, organizational
psychology, and even political science may be involved. These are all distinct,
often non-technical, disciplines with separate academic homes, yet each can
have real-world impacts on cybersecurity operations. The best cybersecurity
practitioners appreciate these items and their potential effects on the various
cybersecurity issues they’re dealing with. They understand that cybersecurity
concerns - and solutions - reach across industry and academic disciplines.

Lessons from the humanities also enable cybersecurity professionals to understand
history and how the world works while also knowing how to function better in
practice through enhanced communication skills. I’ve seen firsthand how
engineers and executives talk in different terms and with different
perspectives, priorities, and expertise. How can we, as technology experts,
inform corporate or national leaders and the public on cybersecurity matters if
they can’t understand what we’re saying – and more important, why it matters? And … closer to home …
how can we discuss cybersecurity with our parents and grandparents in ways they
can easily understand and learn from, too?

The humanities offer context, breadth, and practicality; computing offers process,
technology, and technique. Again, both are needed in cybersecurity. But for
better or worse, today’s world emphasizes the creation of specialists, not
generalists. That is somewhat understandable since focused specialists are
where the popular jobs are and where the money is at.

Of course, being a good cybersecurity professional absolutely requires having a
solid understanding of the basics of computing, networks, and the various
cybersecurity principles. In fact, if you think about it, many of the best
practices we recommend for cybersecurity really are a function performed by any
good systems administrator or product developer. Yet this still relies on people being knowledgeable with common sense doing
the right things at the right times from product design through deployment - which
is much more than simply knowing how the technology works or which settings to
change. Just being a technology specialist is not good enough anymore.

But as da Vinci said, "everything connects to everything else." Today,
that means there are any number of possible points of failure or attack. And I
don't just mean networks, servers, and mobile devices. As I said earlier,
people are systems, too. Society is the global system we’re all part of.

This presents an interesting question: how do we create cybersecurity expertise in a
system where its components, by our very human nature, are inherently flawed?

One way is to develop cybersecurity professionals able to demonstrate adversarial
curiosity and personal adaptability....or what we can consider the 'hacker
mindset' – namely, the ability to see an obstacle or prohibition, become
curious (or greedy), and find ways around them. Asking "why?" or
"why not?" or "how" instead of blindly accepting the
standard configuration as the only viable option for use are examples of this
in action. Hackers, activists, cybersecurity professionals, teenagers, and
other innovative minds throughout history - including criminals - have
possessed these characteristics and used them to great advantage.

Unfortunately these perspectives … these skills … this inner passion and initiative … can't
be learned or taught easily in a classroom or computer lab. It emerges
organically in each person, often by parents and teachers encouraging
intellectual, creative, artistic - and yes, even technical - pursuits at an
early age. Years ago, youthful teenage hackers would tear apart electronics to
see how they worked, explored software to discover ways of sharing programs
with friends, or tinkered with telephone hardware to make free phone calls.
They would, and still do, examine systems of all types both out of curiosity
and to find ways of making them work better for both them and the world
at-large – while perhaps also uncovering hidden security vulnerabilities along
the way. We don’t simply accept technology, systems, policies, or processes at
face-value - we want to know more, and so we ask difficult questions.

This is important in a world where constantly distributing and passively consuming
trivial information is practiced more than inquiry and discovery. As a result,
people increasingly are unable or unwilling to figure things out on their own
beyond a simple internet search - and then accepting that search result as
absolute fact and the only possible answer.
But that's what the truly successful hackers and cybersecurity
professionals do every day. They have an inner hunger to think
unconventionally, critically question things, and the initiative to seek out
solutions to technical and social challenges because they know the computer may not always be right. That gives us a
huge advantage as employees in the workplace and members of society. We should
nurture this development wherever possible.

In terms of developing future cybersecurity experts, the humanities provide
agility and curiosity. The sciences provide specificity and capability. Used
together in the right circumstances, with the right motivations, and enhanced
with the ‘hacker mindset’, this is a very powerful recipe for success in life,
work, and perhaps even to improve the human condition.

It’s likely that we will never totally fix the people problem because by our very
nature we are flawed, vulnerable systems. But incorporating both the technical
and the non-technical, the art and the science, can better inform our
perspectives and practices when it comes to addressing cybersecurity matters
effectively so that at the very least, we don’t keep making the same mistakes.
From an educational perspective, better balancing this relationship will
enhance the capabilities of the future cybersecurity workforce while also
creating more agile and adaptable workers - and capable adult citizens.

And so … to the academic leaders here today: our collective responsibility is to
develop the next generation of cybersecurity practitioners in global society.
But in addition to technical competencies, let's be innovative in fostering the
'hacker mindset' both inside and outside the classroom while also embracing
relevant lessons for cybersecurity that come from outside the technical domain.
Context, nuance, and wisdom are just as important as hardware, software, and
coding. Don’t sacrifice one for the other - both are equally important.

To the students here today, regardless of your major – you can be part of this exciting
profession. Establish your practical and theoretical knowledge in the
classroom. Join student groups to develop technical and collaborative skills.
Get industry certifications and internships if you want. All of that will look good on your resume
when applying for jobs after graduation. But don't stop there. Starting today,
I challenge you to think broadly about the world and how you approach
technology and its many risks. Ask
questions. Build and (responsibly) break things. Never settle for the default
configuration. Take calculated risks, acknowledge uncertainty and the
possibility of failure – and learn from those experiences. Above all, don't be
afraid of pursuing lessons relevant to cybersecurity from outside the computing
domain. They will enhance your ability to succeed as a cybersecurity and
technology professional, even if you don’t think so right now.

Ladies and gentlemen ... cybersecurity is both an art and a science. Addressing the
people problem in cybersecurity and developing the next generation of the
cybersecurity workforce requires us to think differently about the relationship
between people and technology. Between
individuals and society. Between systems
within society. And between preparing
for a job and educating for a lifetime.

As da Vinci said, "Study the science of art. Study the art of Science. Realize
that everything connects to everything else."

Today more than ever, da Vinci’s words provide important guidance, wisdom, and insight
on both cybersecurity and the human condition. They’re worth listening to – and
even acting upon.

Thank you.

© 2023 Richard Forno.