Computer users seem to be their own worst enemies. They are easily tricked by cyber attackers running phishing scams and rarely, if ever, do the “right thing” regarding the security of computer systems. They do not select strong passwords; they mishandle information; they give up information to others far too easily; and, darn it, they visit websites, click on hyperlinks, and download software they shouldn’t. The explosive growth in cyber crime (and cyber espionage) appears to attest that if only computer users were smarter, more informed, and better educated, the situation might be significantly different. At least, this appears to be the preferred prescription of many cyber security experts.
Not only does the article quoted below seem to validate this position, but data recently released by Trend Micro even appears to support it with hard numbers. There’s only one problem. The prescription is (mostly) ineffective. Let’s find out why.
Hackers leverage Obama win for massive malware campaign
To quote:
Hackers have seized on the results of the U.S. presidential election to launch a major malware campaign that tries to trick users into installing an update to Adobe Systems Inc.'s Flash, but actually plants a Trojan horse on unprotected PCs, security experts warned today.
The malware blitz stems from spam messages touting Sen. Barack Obama's victory...and offers up a link to what is supposedly a site sporting election results. When users click on the link, however, they're shunted to a fake site that demands the user install an update to Adobe's Flash Player before viewing a video. Rather than a Flash update, what's actually downloaded is a Trojan horse that compromises the PC then floods the machine with more malware…
"This is far from the last piece of malware we'll see abusing Obama," Cluley echoed. "Users need to remember not to click on links."
Indeed. Users need to remember not to click on links. Such sage advice would be easy to adhere to, if there were not a profusion of hyperlinks on the Internet. A statement like this makes one wonder: if some members of the cyber security community were in charge of other public safety concerns what other sage advice might also be proffered?
- To reduce traffic fatalities, remember not to drive.
- To avoid food poisoning, remember not to eat.
- To avoid electrocution, remember not to use electricity.
- To avoid being attacked, remember never to leave your basement.
But cynicism is not entirely justified here. Trend Micro, an anti-virus company, has recently released data that appears to support the position that users contribute significantly to cyber insecurity.
Vulnerabilities play only a minor role in malware spread
To quote:
Computer users are their own worst enemies, a security company warned today as it released data that showed software bugs were the source of just 5% of the year's infections.
The majority of the attacks carried out by 2008's top 100 pieces of malware were caused by users surfing to malicious sites, then accepting some kind of download, Trend Micro Inc. researchers said today…
Just 5% of the infections were related to an exploit of a software vulnerability, said Trend's analysis.
So there you have it. Users are the problem, not software. The facts are pretty clear. The implied solution? Focus on correcting user behavior. Educate them. Mitigate “stupid” and the cyber security landscape changes for the better. In other words, if only users were smarter, more aware of the problem, they would not give attackers such an advantage over themselves as well as others. In some cases, it might even seem like a good idea to incentivize certain end-user/system-owner behaviors through compliance regimes (like SOX, HIPAA, or PCI).
Promising? You bet. But why won’t this promising approach work (at least not to the extent needed to forestall threats to national and economic security)?
The reason is simple. Epidemiologists have a well-founded professional bias in favor of interventions that do not primarily rely on altering human behavior: the more people whose behavior a given “solution” expects to change, the less likely that solution is to be effective.
Of course, in the modern realm of Internet security, an education and awareness strategy (the behavior modification paradigm) is as tempting as it was in the realm of highway safety in the early automotive era. It was “the nut behind the wheel” that was the problem on the pre-1960s highways. Likewise, it is the “nut behind the keyboard” that is the problem on the Internet. The data supported the first finding then, and appears to support the second now. But “the facts” were initially misinterpreted in regard to auto safety, and, as I argue here, are also misinterpreted for cyber security. So why did we pursue a mistaken etiology of auto safety, and why do we continue to pursue a mistaken etiology of cyber security?
The Inherently Safe Assumption
Such arguments for large-scale behavior modification are comforting both for their proponents and for their intended audience because they portray a given product as inherently safe. In regard to highway safety, but for the “nut behind the wheel” autos would be safe. In the realm of Internet security, but for the “nut behind the keyboard” software would be “safe” (or at least more resilient).
In either case, when a “good” product produces “bad” results, the reason appears obvious: misuse. Automobiles were certainly not causing accidents by themselves on the highways, and computers do not get exploited without some level of user interaction (or inaction, such as failing to apply patches in a timely manner or failing to install and configure a firewall). So it is the actions of humans, not the products, that appear to be the root cause.
Under this paradigm, but for the actions of ignorant, unaware, and/or uneducated users, the products in question (whether cars or software) are perfectly fine. Certainly safety or security concerns are to be taken seriously, of course, but these concerns will eventually wither before the combined force of education and enforcement.
This idea that a “good” product gets misused and thus is not the root of the problem is truly comforting. It appears sane, even self-evident. It is also typically inaccurate.
Notice in the table below the similarities between the “Three E’s” of highway safety in the 1950s (which was a failure for reasons I will explain momentarily) and that of modern Internet security:
The Three E’s of automobile safety (Engineering, Education, Enforcement), so devoutly proselytized prior to the 1960s, have reared their heads once again in the Internet era. Just as the regulatory focus on the first E (Engineering) in the 1950s was on highway engineering, not vehicle design, so too is the current cyber security focus: on the network (in the form of network monitoring and security architecture) and not primarily on software design or manufacturing.
The 1950s focus on the second E (Education) and third E (Enforcement) sought to educate the “nut behind the wheel” and punish inappropriate or potentially unsafe driving behavior. The focus in the Internet era is to educate the “nut behind the keyboard” and incentivize end-users/system-owners towards “proper” behavior.
The mistake of the Three E’s in the early automotive era was that, as a policy, it failed to address one critical issue. Without a concomitant delegation of, and accountability for, auto safety design to automobile manufacturers, the Three E’s alone could not sufficiently counteract the dangers and risks of driving. In other words, the etiology of car accidents was incorrect. It was not the driver alone that was the problem of highway safety. It was the car. Safety policy prior to the 1960s focused on everything except the responsibility of car manufacturers, to disastrous effect.
In the Internet era, a similar mistake is being made, to similarly disastrous effect: it is not end-users or system-owners that are the primary problem of Internet security; it is the software. Software simply is not crashworthy; it cannot withstand the relatively simple (some might say “stupid”) mistakes of users, let alone the malicious actions of cyber attackers. Software manufacturers do not even warrant that their products are fit for purpose. How then are software buyers to know which behaviors improve or erode their security?
Without a concomitant delegation of, and accountability for, software assurance on software manufacturers, the current focus on “the nut behind the keyboard” will not sufficiently counteract the dangers and risks of the Internet. The current cyber security focus is on everything except the responsibility of software manufacturers. The primary problem is the software; not user behavior; not inattentive ISPs; not irresponsible network owners. The etiology of cyber security is mistaken. Software is not crashworthy. Period.
Seen from this perspective, Trend's data is not so much an indictment of user behavior, but evidence that software manufacturers are failing their customers, and have been failing them for a very long time. Users do not make products unsafe. Manufacturers do.
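To make “crashworthy” concrete, here is an added example that is not from the original post, from Adobe, or from any vendor’s code. It shows the kind of engineering control that turns the fake-Flash-update lure quoted above into a non-event: an installer that refuses any package not signed by the vendor, signed for a different product, or older than what is already installed, no matter where the user downloaded it from or how convincingly the page asked for it. The product name, version numbers, and package bytes are constructed for the demonstration, and an HMAC key stands in for the asymmetric signing key a real vendor would hold offline (an assumption made so the block runs with the Python standard library alone; the verifier’s control flow is the same either way).

```python
"""Added example: an update installer designed to survive the user's
"wrong" click. Nothing the user does on a fake site can make an
unsigned, re-targeted, or downgraded package install."""
import hashlib
import hmac
import json

# Assumption for this example: a real vendor signs releases with an
# asymmetric key held offline (e.g. Ed25519). An HMAC secret stands in
# here so the block runs with the standard library only.
VENDOR_KEY = b"example-vendor-signing-key"
EXPECTED_PRODUCT = "flashplayer"      # constructed product name
INSTALLED_VERSION = (10, 0, 12)       # constructed currently installed version


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier authenticate the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_update(payload: bytes, product: str, version: tuple, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: bind the package digest to product and version, then
    authenticate the whole manifest so none of the three can be swapped."""
    manifest = {
        "product": product,
        "version": list(version),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    sig = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig}


def verify_update(payload: bytes, package: dict, key: bytes = VENDOR_KEY) -> tuple:
    """Installer side. Returns (ok, reason). Every branch that is not
    provably genuine is a refusal; the user is never asked to decide
    whether an unverifiable download is "probably fine"."""
    manifest = package.get("manifest", {})
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(package.get("sig", ""))):
        return False, "manifest not signed by vendor"
    if manifest.get("product") != EXPECTED_PRODUCT:
        return False, "signed for a different product"
    if tuple(manifest.get("version", [])) <= INSTALLED_VERSION:
        return False, "downgrade or replay of an old release"
    if hashlib.sha256(payload).hexdigest() != manifest.get("sha256"):
        return False, "payload does not match signed digest"
    return True, "verified"


def naive_install(payload: bytes, package: dict) -> bool:
    """The non-crashworthy design: whatever the browser downloaded runs."""
    return True


# Constructed scenarios (not real binaries).
GENUINE = b"genuine flash player 10.0.22 bytes"
GENUINE_PKG = sign_update(GENUINE, "flashplayer", (10, 0, 22))

TROJAN = b"obama_election_results dropper bytes"
# The fake site cannot sign, so it ships a forged manifest and a made-up sig.
TROJAN_PKG = {
    "manifest": {"product": "flashplayer", "version": [10, 0, 22],
                 "sha256": hashlib.sha256(TROJAN).hexdigest()},
    "sig": "0" * 64,
}
# Attacker reuses a genuine signed manifest but swaps in the trojan payload.
SWAPPED_PKG = GENUINE_PKG
# Attacker replays a genuine, vendor-signed but old (and exploitable) release.
OLD = b"old flash player 9.0.280 bytes"
OLD_PKG = sign_update(OLD, "flashplayer", (9, 0, 280))

SCENARIOS = {
    "genuine": (GENUINE, GENUINE_PKG),
    "forged": (TROJAN, TROJAN_PKG),
    "swapped": (TROJAN, SWAPPED_PKG),
    "replay": (OLD, OLD_PKG),
}


def run_scenarios() -> dict:
    """Map scenario name -> (naive installer result, verifying installer result)."""
    return {name: (naive_install(p, pkg), verify_update(p, pkg))
            for name, (p, pkg) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (naive, (ok, why)) in run_scenarios().items():
        print(f"{name:8s} naive installs: {naive!s:5s} verifying installer: {ok!s:5s} ({why})")
```

The point of the four scenarios is that the user’s behavior is identical in all of them (click the link, accept the “update”), yet only the genuine package installs. The naive installer, like the software the quoted article describes, makes the user the last line of defense; the verifying one makes the vendor’s signature the line of defense, which is the crashworthiness the argument above is asking for.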
Learning From the Past
In real terms, which is easier, to convince 500 million end-users/system-owners to habitually refrain from clicking on hyperlinks or abide by tremendously detailed and sophisticated secure configuration mandates, or to influence the behavior of a significantly smaller population of software executives who run the software industry?
Among all the variables we must consider in cyber security, I argue that software design is the most easily manipulated because relatively few people are required to implement the solution: the software manufacturers themselves. Considered within the context and bias of epidemiologists, this is not only appropriate, it is also good (and effective) public policy.
In the end, an engineering solution focused on the security and quality of software is by far the least expensive approach and most promising for strengthening national and economic security for two reasons:
We should not abandon the equivalent of the Three E’s of cyber security nor absolve end-users/system-owners of all responsibility for improper behavior. Indeed, Engineering, Education, and Enforcement have an important place in addressing auto safety as well as cyber security. As such, a “solution” to cyber insecurity includes modifying user behavior to be sure, but there is no solution in the absence of software assurance and crashworthiness of software. Without a focus on software, and the executives responsible for its production, we will undoubtedly repeat some very painful lessons we should have already learned.