Most Perplexing Cybersecurity Challenge: The Human Brain
My favorite 11 words in the nearly 200-page, 28,000-word Protecting Cyberspace as a National Asset Act of 2010, the cybersecurity legislation introduced last week in the Senate, are:
"Understand human behavioral factors that can affect cybersecurity technology and practices."
That sentence summarizes one of 10 research and development initiatives the legislation calls for the government to tackle. It addresses the most perplexing element of cybersecurity: the human mind.
The idea that Congress should back the study of human behavior vis-à-vis cybersecurity originated in the House of Representatives, championed by Rep. Daniel Lipinski, the Illinois Democrat who sponsored the House-passed Cybersecurity Enhancement Act of 2009.
I interviewed Lipinski last fall as he shepherded the Cybersecurity Enhancement Act through the lower chamber, and he said the human element is too often overlooked, and that could prove dangerous.
"Everyone wants to look at, and we need to look at technical issues, but everything is done by humans, and we have look at human factor in all of this."
What the research would look at isn't the motives of individuals who purposely seek to wreak havoc, but the ways everyday computer users function that make cybersecurity such a challenge to accomplish. Said Lipinski:
"People are the weakest link in many of our IT systems. We really need a cultural change in the way Americans practice computer hygiene. The idea of computer hygiene is something most people don't understand.
"If you want us to spread something malicious onto the computer system in a company, in a federal agency, one of the easiest ways to do it is to go to the parking lot and just drop a bunch of flash drives, USB memory drives. People are going to pick them up; they're probably going to take them into their office, stick into USB slot. It's an easy way to do it."
When Lipinski first proposed the idea, he wondered whether it could survive, saying he suspected that some of his colleagues might not think research into the social behavior of computer activity would be a worthwhile expenditure of taxpayer money. But, as subsequent votes proved, those concerns were baseless. And its inclusion in the latest cybersecurity legislation shows other lawmakers see the value of spending public monies to study human behavior, just as they would fund research on intrusion detection, attribution and identity management.