by Herbert Lin
The news today often contains reports about cybersecurity breaches that steal our data or threaten our national security. The nation spends billions of dollars on cybersecurity measures, and yet we seem unable to get ahead of this problem. Why are our computers so hard to protect?
Recent experience with a house cat provided insights into the nature of this problem. I am allergic to cats. My daughter came home, cat in hand, for an extended stay, and I had to find a way of confining Pounce to a limited area. However, as many cat parents would have known — though I did not — this was doomed to be a losing battle.
Everything that I tried to confine Pounce worked for a little while but eventually failed as he found a way past my newest security barrier — just as hackers eventually find their way through the cybersecurity barriers erected to stop them.
I have the advantage of unlimited material resources compared to those available to the cat — I am presumably smarter than a cat, I have greater manual dexterity and I’m a higher mammal who knows how to use tools. So why did I lose this battle so decisively?
Here are some of the cybersecurity lessons that became clear from my ordeal.
○ To succeed against a determined attacker (Pounce was very determined), I have to be willing to go all in sooner rather than later. Even then, my victory may not be entirely decisive. But what certainly won’t work is to deploy security measures that will minimally do the job because I am too lazy to do the full monty at the beginning.
○ Pounce has the advantage of unlimited time, and he tries until he succeeds. It may take a few days, but eventually he does. Moreover, Pounce only needs to succeed once to get out. Every one of my confinement measures needs to work to keep him confined.
○ Greater material resources and more intelligence do not necessarily overcome the huge advantage of Pounce’s ability to make an unlimited number of attempts to circumvent my barriers. If he fails on any given attempt, he incurs no penalty (my daughter would be quite distressed if it did).
○ Pounce has a powerful protector (my daughter) whose wrath I am unwilling to confront for diplomatic reasons. Hackers operating out of foreign states often have the backing of those governments, even if they are nominally operating as free agents, and we may not have adequate leverage to persuade their protectors to take action.
○ My defensive measures succeeded completely until they didn’t. That is, it looked like I was winning the battle to confine Pounce right up until the moment I saw Pounce outside the confinement area. And this happened repeatedly. So, I was often lulled into a false sense of security.
○ Being able to take Pounce’s perspective would have helped me immensely in crafting appropriate defenses. But viewing the world from eyes at a 6-inch height from the floor would have been very difficult for me, and so I didn’t do it. He thus saw ways of circumventing or destroying my defensive measures that I did not see.
○ Manipulating people can be more powerful than any technical defenses — what in the cybersecurity world is called social engineering. When Pounce mews plaintively and looks into my daughter’s eyes, my daughter just opens the door to the confinement area and he walks out. My daughter may have agreed to help me keep Pounce confined, but he was often successful in turning her loyalties. In cybersecurity lingo, my daughter was a “trusted insider” that went rogue.
In the end, I “won” the battle when my daughter moved out, taking Pounce with her. There, too, is an important cybersecurity lesson: Without a computer to be compromised, cyberattacks are not feasible, so don’t use computers when they are not necessary. My toothbrush and refrigerator work just fine without high-tech communications capabilities, thank you, and I would really prefer not to incur any more cybersecurity risks.
Herbert Lin is a senior research scholar and the Hank J. Holland Fellow for cyber policy and security at Stanford University.