Last month, I was appointed an Honorary International Professor at the Universidad Autonoma del Estado de Hidalgo (UAEH), one of Mexico's older universities. As part of the investiture ceremony, I presented a formal talk on the need for interdisciplinarity in cybersecurity thinking and some ideas on fostering the 'hacker mindset' in the modern era, which I am reposting here to help further our ongoing discussions about cybersecurity at CIS and beyond.
FUTURE CYBERSECURITY: HYBRID THREATS REQUIRE BALANCED PREPARATION
DR. RICHARD F. FORNO (UMBC)
Honorary International Professor Investiture Ceremony
Main Lecture - August 2023
Ladies and Gentlemen -
My family fostered a strong love of reading at a very early age. Nearly fifty years later, I still have a great love of books and reading. So the opportunity to be involved at this Book Fair - and one with the theme of cybersecurity - is particularly meaningful to me.
Books represent stored culture, facts, fantasy, adventure, and perspectives on the human condition and the world itself. They inform, enlighten, and educate. They open our minds to new ideas and new possibilities. They make us both comfortable and uncomfortable. Books challenge us to create, explore, think, and become more capable human beings. And books are nothing to be afraid of.
Books by Arthur C. Clarke in the 1960s explored issues about technology that we’re facing today with questions surrounding artificial intelligence and smart devices. Books by William Gibson in the 1980s introduced the term 'cyberspace' and predicted the technology-dependent reality in which we now live. And it was a book in the early 1990s by astronomer Cliff Stoll describing how a tiny 75-cent accounting error discovered on a research computer led to the first major international cyber-espionage incident that opened my eyes to cybersecurity’s future influence on national security.
One does not need to read to know that cyber threats have proliferated over the past few decades. Most of us here probably have been a victim of a cyber incident. Attacks on our information resources have become more complex, harder to counter, and even harder to prosecute. Enemies incorporate capabilities like artificial intelligence and distributed computing to cause more digital damage and chaos around the world through direct cyber attacks and cyber-enabled disinformation campaigns. Such capabilities were once limited to national governments. Not anymore.
But the cyber attacks continue - and along the way, I’ve noticed a recurring, almost predictable pattern. Following most major cyber attacks, the typical response is to issue new political statements, white papers, task forces, and guidance documents that usually reiterate the same best security recommendations we in the cybersecurity profession have promoted for over three decades. In other words – the world has been told repeatedly what’s needed to improve cybersecurity … but bad things continue to happen anyway.
After 30 years in this profession, I can’t simply blame technology - which is easy to do. Rather, I think these problems continue because of the human condition. Because of people. Because of us.
Technology evolves. Improve a device and productivity can increase a hundred times. But the human condition itself never changes. We are creatures of habit. Hackers, criminals, and national adversaries know this, which is why their cyber attacks continue to be successful. They analyze people – and how they interact with both their information and each other.
Think about it: people design, develop, and deploy technology. They use and abuse it. They attack and defend it. They grant or withhold funding for IT and cybersecurity projects. They write laws, policies, and procedures regarding technology. They teach others about good security practices. They speak and respond. These are all actions designed and conducted by people, and as such, they are inherently flawed, vulnerable, and exploitable – because we ourselves are.
No matter how talented or intelligent we think we are, everyone makes mistakes. We get complacent, lazy, greedy, narrow-minded, or are fooled into clicking on strange links in email or SMS. Worse, from Facebook, Twitter, TikTok, GMail, smart devices, autonomous vehicles, and more … we often rush to embrace new technologies in our lives and organizations without considering the potential risks to us and our data – and then wonder “how did this happen?” when bad things inevitably occur. Yet, like magpies attracted to shiny objects, we continue using such technologies because of the convenience, cost-savings, or fun they provide.
And people, complex systems that we are, are part of an even more complex system called government, business, and society.
Making the global cybersecurity problem more interesting: false claims and disinformation, often driven by global media and amplified by cyber capabilities, target people and society with potentially severe consequences. Information is weaponized to disrupt underlying cyber-physical systems, stock prices, economic productivity, elections, and human lives. And while influence operations aren’t often considered a cybersecurity concern, deception and false-claims attacks that directly target the integrity of information and how we perceive the world indeed relate to one of the fundamental tenets of cybersecurity – specifically, ensuring the integrity of information. So it’s not surprising to see cybersecurity professionals, including me, becoming involved in these broader issues, too.
Cybersecurity, generally speaking, enables national and economic competitiveness.
This means that in examining cybersecurity as a contemporary problem, we must also understand and address the role of people in the problem – and how we might improve the human condition to in turn improve our cybersecurity situation. Let’s consider some ideas.
First, there is always education and training. These are important activities in personal development and growth. But we must not confuse industry ‘training’ with university 'education' -- my belief is that the former prepares people for a series of jobs to meet employer demands in critical areas, often based on economic or political necessities; the latter prepares people for careers with increasing levels of responsibility, awareness, and of course compensation. Both are needed - especially in the technology and cybersecurity profession.
But we don't 'log on' anymore, we're always-logged-in. Activities in 'cyberspace' directly impact the physical world. In other words, cyberspace is part of, if not reflects, the human condition. It’s not something exclusive to the digital domain – and not something only for ‘geeks’ and technologists alone to handle anymore.
Nevertheless, since cybersecurity originated in the computing discipline, it’s often still treated as a science dealing with binary absolutes. Firewalls allow or deny connections. Passwords allow or deny logins. Algorithms return a 0 or 1. There are attackers and defenders. Servers are up or servers are down.
Science creates new and amazing technologies that can move us into the future or make life easier. It helps identify and fix technical vulnerabilities in our systems, too. But science doesn't easily allow for nuance, context, or ambiguity – and that's exactly where people and the human condition exist within the cybersecurity domain.
I'm reminded of the artist Leonardo da Vinci who despite being known also for his engineering ingenuity reportedly told us to "Study the science of art. Study the art of Science. Develop your senses - especially learn how to see. Realize that everything connects to everything else." Were da Vinci alive today, he'd say that understanding both cyberspace and cybersecurity requires an awareness of things beyond computing and technology. He would emphasize the study of both the arts AND science.
This is where the humanities, liberal arts, and this Book Fair become relevant.
The humanities teach things like critical thinking, nuance, context, media literacy, social science, and ethics that develop foundational skills for life. One learns about the human condition through sociology, psychology, law, and management – in other words, how the world works and why. Since people often are the cause of most cybersecurity incidents, knowing about such things is useful for cybersecurity, don’t you think? As I said, our enemies already know 'how people work' and routinely exploit this knowledge when planning attacks.
Lessons from the humanities help us understand the past so that we can avoid making the same mistakes in the future - be it in cybersecurity or any discipline. Case studies in business management are just as important to a cybersecurity professional as a course on firewall configurations. Papers on unconventional warfare can provide insight into how cyber adversaries operate successfully in the shadows. Political science theory can inform our possible response to an international cyber conflict. Courses on psychology, rhetoric, and media studies can help illustrate how modern influence campaigns spread so quickly and provide guidance on communicating cybersecurity issues to others more effectively. Courses on philosophy and ethics ask us to pause and consider whether just because we CAN do something with technology, does it mean we MUST actually do it. And so on.
Besides – when cyber incidents occur, how do we quantify the costs of such incidents? What organizational processes are needed to make sure they don’t happen again? Cybersecurity, business management, economics, accounting, organizational psychology, and even political science may be involved. These are all distinct, often non-technical, disciplines with separate academic homes, yet each can have real-world impacts on cybersecurity operations. The best cybersecurity practitioners appreciate these items and their potential effects on the various cybersecurity issues they’re dealing with. They understand that cybersecurity concerns - and solutions - reach across industry and academic disciplines.
Lessons from the humanities also enable cybersecurity professionals to understand history and how the world works while also knowing how to function better in practice through enhanced communication skills. I’ve seen firsthand how engineers and executives talk in different terms and with different perspectives, priorities, and expertise. How can we, as technology experts, inform corporate or national leaders and the public on cybersecurity matters if they can’t understand what we’re saying – and more important, why it matters? And … closer to home … how can we discuss cybersecurity with our parents and grandparents in ways they can easily understand and learn from, too?
The humanities offer context, breadth, and practicality; computing offers process, technology, and technique. Again, both are needed in cybersecurity. But for better or worse, today’s world emphasizes the creation of specialists, not generalists. That is somewhat understandable since focused specialists are where the popular jobs are and where the money is at.
Of course, being a good cybersecurity professional absolutely requires having a solid understanding of the basics of computing, networks, and the various cybersecurity principles. In fact, if you think about it, many of the best practices we recommend for cybersecurity really are a function performed by any good systems administrator or product developer. Yet this still relies on people being knowledgeable with common sense doing the right things at the right times from product design through deployment - which is much more than simply knowing how the technology works or which settings to change. Just being a technology specialist is not good enough anymore.
But as da Vinci said, "everything connects to everything else." Today, that means there are any number of possible points of failure or attack. And I don't just mean networks, servers, and mobile devices. As I said earlier, people are systems, too. Society is the global system we’re all part of.
This presents an interesting question: how do we create cybersecurity expertise in a system where its components, by our very human nature, are inherently flawed?
One way is to develop cybersecurity professionals able to demonstrate adversarial curiosity and personal adaptability … or what we can consider the 'hacker mindset' – namely, the ability to see an obstacle or prohibition, become curious (or greedy), and find ways around them. Asking "why?" or "why not?" or "how" instead of blindly accepting the standard configuration as the only viable option for use are examples of this in action. Hackers, activists, cybersecurity professionals, teenagers, and other innovative minds throughout history - including criminals - have possessed these characteristics and used them to great advantage.
Unfortunately these perspectives … these skills … this inner passion and initiative … can't be learned or taught easily in a classroom or computer lab. It emerges organically in each person, often by parents and teachers encouraging intellectual, creative, artistic - and yes, even technical - pursuits at an early age. Years ago, youthful teenage hackers would tear apart electronics to see how they worked, explored software to discover ways of sharing programs with friends, or tinkered with telephone hardware to make free phone calls. They would, and still do, examine systems of all types both out of curiosity and to find ways of making them work better for both them and the world at-large – while perhaps also uncovering hidden security vulnerabilities along the way. We don’t simply accept technology, systems, policies, or processes at face-value - we want to know more, and so we ask difficult questions.
This is important in a world where constantly distributing and passively consuming trivial information is practiced more than inquiry and discovery. As a result, people increasingly are unable or unwilling to figure things out on their own beyond a simple internet search - and then accepting that search result as absolute fact and the only possible answer. But that's what the truly successful hackers and cybersecurity professionals do every day. They have an inner hunger to think unconventionally, critically question things, and the initiative to seek out solutions to technical and social challenges because they know the computer may not always be right. That gives us a huge advantage as employees in the workplace and members of society. We should nurture this development wherever possible.
In terms of developing future cybersecurity experts, the humanities provide agility and curiosity. The sciences provide specificity and capability. Used together in the right circumstances, with the right motivations, and enhanced with the ‘hacker mindset’, this is a very powerful recipe for success in life, work, and perhaps even to improve the human condition.
It’s likely that we will never totally fix the people problem because by our very nature we are flawed, vulnerable systems. But incorporating both the technical and the non-technical, the art and the science, can better inform our perspectives and practices when it comes to addressing cybersecurity matters effectively so that at the very least, we don’t keep making the same mistakes. From an educational perspective, better balancing this relationship will enhance the capabilities of the future cybersecurity workforce while also creating more agile and adaptable workers - and capable adult citizens.
And so … to the academic leaders here today: our collective responsibility is to develop the next generation of cybersecurity practitioners in global society. But in addition to technical competencies, let's be innovative in fostering the 'hacker mindset' both inside and outside the classroom while also embracing relevant lessons for cybersecurity that come from outside the technical domain. Context, nuance, and wisdom are just as important as hardware, software, and coding. Don’t sacrifice one for the other - both are equally important.
To the students here today, regardless of your major – you can be part of this exciting profession. Establish your practical and theoretical knowledge in the classroom. Join student groups to develop technical and collaborative skills. Get industry certifications and internships if you want. All of that will look good on your resume when applying for jobs after graduation. But don't stop there. Starting today, I challenge you to think broadly about the world and how you approach technology and its many risks. Ask questions. Build and (responsibly) break things. Never settle for the default configuration. Take calculated risks, acknowledge uncertainty and the possibility of failure – and learn from those experiences. Above all, don't be afraid of pursuing lessons relevant to cybersecurity from outside the computing domain. They will enhance your ability to succeed as a cybersecurity and technology professional, even if you don’t think so right now.
Ladies and gentlemen ... cybersecurity is both an art and a science. Addressing the people problem in cybersecurity and developing the next generation of the cybersecurity workforce requires us to think differently about the relationship between people and technology. Between individuals and society. Between systems within society. And between preparing for a job and educating for a lifetime.
As da Vinci said, "Study the science of art. Study the art of Science. Realize that everything connects to everything else."
Today more than ever, da Vinci’s words provide important guidance, wisdom, and insight on both cybersecurity and the human condition. They’re worth listening to – and even acting upon.