Cyber warfare and the human aspects of security policy
Publish date: Jun 1, 2012
Steven Bellovin’s latest blog post raises some important points about the implications of cyber warfare, especially the lack of any rules and the need for national and international debate about them. What I find interesting, though, is that human actions seem to be responsible for breaking down the assumptions made by security practitioners (both attackers and defenders).
For example, the NYT article suggests that the initial infiltration was through thumb drives. Quoting NYT:
“That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”
The assumption was that the lack of traditional networking would stop any infiltration of malicious software.
Similarly, Stuxnet was (presumably) supposed to stay in one location (the target). It was supposed to go in through human action, but not come out. This assumption by the malware writers cost them the secrecy of the attack. The NYT article attributes the spread of Stuxnet to the Internet to a programming error, but the human component is still very visible. Quoting NYT again:
An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world.
It just goes to show that assumptions are more likely to break down where humans are involved. To summarize, I would say that perhaps the weakest point in security defenses in the present world is the creation, validation and implementation of the security policy (especially concerning human behavior).