In Cybersecurity, Stronger Tech Is Only Half the Solution

The little pink slip of paper on the bulletin board changed my life. Affixed to a board in the hallway of the Stanford Physics Department, it announced a job opening for a Research Assistant at the Center for International Security and Arms Control.

At that moment, it seemed like my life was on hold. I was a sophomore in college with no idea of what I wanted to do, and felt depressed and lost. I knew that I wanted a career that combined hard sciences with social sciences but my attempt to double major in physics and philosophy left me with more questions than answers. When I saw that little notice on the bulletin board, a light bulb went off. The concept of a Center for International Security and Arms Control piqued my interest — I hadn’t considered the idea of getting involved in national security issues. Acting in proper Machiavellian fashion, I grabbed the announcement, ran back to my room and called the Center hoping for a job interview. I got the interview and then I got the job.

My first day at CISAC was when my life truly changed course. My boss, Dr. Ted Postol, was on the phone when I showed up and knocked on his door. He waved me into his office and I sat patiently in a chair and listened to his conversation. Dr. Postol, a physicist, was arguing about the policy implications of the Strategic Defense Initiative with another physicist named Dr. Ash Carter (a professor at Harvard at that time, he is now the Secretary of Defense). Listening to their discussion as it wove in and out of technical jargon and political terminology, I suddenly knew that this was what I wanted to do with my life. I wanted to understand both the technical and policy aspects of issues, to bridge the gap between two industries that often view the world in different ways. It was clear to me then, and is even more evident to me now, that the most pressing issues facing our world are best understood via multi-disciplinary approaches that cut across rigid frameworks and mindsets.

Soon after beginning my job at CISAC, I switched to a double major in physics and political science. I then pursued a doctorate in engineering and public policy at Carnegie Mellon University (a great program!). My trajectory was set. In the years since I have taken on a wide range of jobs, some more policy oriented and some less so, but I am happiest when I take on the same challenge that Dr.’s Postol and Carter modeled for me 30 years ago: applying a fundamental understanding of technology with an ability to dissect complex policy issues to provide insights that (hopefully) yield better decisions.

No issue exemplifies the need for this marriage of technology and policy more than cyber security — a topic that I’ve focused on for over 15 years. It is obvious that there is a technical dimension to this issue. The term “cyber” refers to information technology systems and networks. Hackers exploit software and hardware flaws in these systems and networks. The better a hacker understands the technical underpinnings of a target, the more easily he or she can infiltrate that system. Defenders use technical and analytical techniques to prevent and detect attacks. The more technically astute the defender, the greater the chance that he or she can prevent or detect an attack.

While the technical aspect of cyber security is clearly important, it only addresses part of the problem. At its heart, cyber security is a human problem. People are behind cyber attacks. People are victims. People make decisions about how to try and solve this problem. To address the human aspects of this issue, we have to understand the motivations behind behavior by applying concepts from psychology and economics. We also need to identify and evaluate options for changing behavior, which means looking at incentives, laws and policies — nationally and internationally. A great example is provided by U.S. efforts to reduce the level of cyber crime. One of the main enablers of cyber crime is user behavior. The general population routinely uses easy-to-guess passwords and clicks on suspicious email links and attachments. As a result, more than 90% of computer infections can be traced to human behaviors that can be changed via awareness and training programs. On the other hand, this problem cannot simply be addressed at the user level. Cyber crime needs to be deterred via laws and policies that apply consequences to those who engage in this behavior. There are also technical solutions that can be applied by software and hardware companies as well as Internet service providers who can see much of this traffic traversing their networks. 

Technical solutions alone do not work — we have decades of experience that make this abundantly clear. We also know that behavioral approaches, laws and policies are ineffective if they are not grounded in technical realities. If we are going to make progress in the field of cyber security, we need to understand both the technical aspects and the human dimensions of this issue.