Updated: Apr 5, 2022
National security trends change over time. During the 80s and 90s we had the War on Drugs. During the 00s and 10s we had the War on Terrorism. Now we have cybersecurity and protecting critical infrastructure. What could be more damaging to our way of life than disrupting our financial system, water supply, or power grid?
Many government programs that are only incidentally related to cybersecurity add the cyber tag to attract Congressional funding. Many intelligence and security experts with limited technical expertise brandish cybersecurity lingo. Cybersecurity is trending and going viral as the bureaucracy struggles to keep pace.
Developing a spy mindset means understanding that cybersecurity isn’t only a technology problem. It’s also a people problem. After all, hostile actors who run cyber operations against us receive their marching orders from people, and our own people are often the weakest link in the battle, wittingly or unwittingly.
Protecting sensitive information is a necessary condition for good security, but firewalls and encryption are getting stronger by the day. We can imagine a time in the not-so-distant future when cybersecurity will be a commodity, like hardware, until quantum computers render traditional encryption futile. In the meantime, there’s an effective way to protect our most sensitive information: create an air gap from the Internet to prevent access.
As advances in cybersecurity make it more difficult to hack into our systems, our competitors or enemies will resort to old-school tactics to steal our sensitive information – that is, spying, the second oldest profession. Having a person in the right place can bypass even the most sophisticated technical barriers. As Cicero noted, “A nation can survive its fools, and even the ambitious. But it cannot survive treason from within.”
As I discuss in my book The Spy Mindset: The Business of Intelligence, this can happen in one of three ways.
First, seeding operations. In this case, your competitor or enemy hires outsiders and instructs them to seek employment with your company. Chinese graduate students come to mind. Your background checks will find no direct links to the competitor or enemy, but these hires will have direct access to your sensitive information after they start working.
Second, penetrations. In this case, your competitor or enemy attempts to “turn” your existing employees with access to sensitive information. Perhaps they are disgruntled or perhaps they want more money. Either way, unless you conduct regular background checks on existing employees, this opens a back door to your sensitive information.
Third, dangles. In this case, someone from a competitor or enemy offers to work for you, perhaps citing their own frustration or lack of money. At first glance, this might seem like a great way to gain new insights or a competitive advantage, but you should consider the possibility that you’re hiring a wolf to protect your sheep.
The best offense is a good defense.
Consider a case study. In 2020, a Tesla employee from the Gigafactory in Sparks, Nevada, met with a Russian national who offered him $500,000 to install malware to facilitate a ransomware attack. (Tesla’s cybersecurity measures prevented the attackers from doing it on their own.) The loyal employee reported the activity to the FBI, refused a follow-on offer of $1,000,000, and the Russian national was arrested while fleeing the country.
No one would accuse Elon Musk or Tesla of being weak on cybersecurity (quite the contrary), but they were only one loyal employee away from potential disaster, which takes us to insider threats.
Having a spy in your ranks is one form of insider threat, which is a people problem, but you should also consider insider threats that don’t include outside hostile actors. First, some employees might intentionally leak information or sabotage your computer systems from within, for a variety of reasons, which is a people problem. Second, some employees might accidentally leak information or sabotage your computer systems from within, due to a variety of mistakes, which is also a people problem.
People, people, people.
Identifying and disrupting these problems is a function of counterintelligence and security awareness training, but this should show that when it comes to cybersecurity, we should never lose sight of the fact that it is also a people problem.
Developing a spy mindset means not getting caught up in the hype of the latest technology or looking at problems through one lens. The intelligence and security functions of your business should be treated as integral components of your cashflow. If someone says you can’t put a price on security, do an about-face and focus your efforts on building a capable and motivated team based on trust and mutual respect.