If We Don’t Secure People, Information Security Will Remain a Pipe Dream

By Bill Priestap, Holden Triplett
Friday, May 14, 2021, 2:16 PM

As we’ve written previously on Lawfare, businesses are on the frontline of an intense geopolitical competition. Their assets—like innovative technologies, complex research and development, and data—are being targeted by nation-states. Many businesses have tried to address this risk by implementing or beefing up their information security programs. But those programs, unfortunately, provide only a partial solution.

In the past few days, U.S. media have been in a frenzy about the Colonial Pipeline ransomware attack. It appears likely that many businesses will respond to the news in a purely technical manner. Chief information security officers (CISOs) will be asked how secure their information technology systems are, and whether anything needs to be done to enhance cyber defenses. But if businesses seek to strengthen their defenses only through cybersecurity improvements, they will remain vulnerable to similar and different threats.

This is because at the heart of every business’s information security efforts is a flaw that few have addressed adequately: A business’s people present the ultimate vulnerability. By virtue of their employment, employees have access to a business’s most valuable assets. No sophisticated hack or stealing of credentials is necessary. Employees are already on the inside. And their access can easily be exploited by a sophisticated nation-state that is adept at surreptitiously manipulating people. Until employees are appropriately safeguarded, true information security is likely to remain just beyond reach.

Still, businesses tend to prioritize technical security at the expense of safeguarding their employees. There are three major misconceptions about information security that disincentivize putting resources into protecting people. First, information security has become synonymous with cybersecurity. Second, corporate insider threat programs are considered appropriate and sufficient. Third, it is believed that most cyber intrusions are purely technical operations, and so companies only need to worry about the technical risk an intrusion group presents, rather than understanding it as part of a larger operation.

First, there’s the confusion of information security with cybersecurity. Too often CISOs operate as if they are chief cybersecurity officers, not chief information security officers. That is likely not their fault. Many companies appear to prioritize only the security of information that is stored digitally. But information can reside outside of IT systems, either on “paper” or in the heads of employees, especially the ones who produced the valuable information in the first place. Information security is about more than cybersecurity, but this conflation of cybersecurity and information security has led to a singular focus on technical solutions to what can often be a human problem.

Last year, Forbes estimated that $173 billion was spent on cybersecurity worldwide. It predicted that by 2026 that amount will increase more than 50 percent to $270 billion. Many observers might assume that such a dramatic increase in spending on cybersecurity will result in fewer breaches, and less data loss and damage. In fact, the damage caused by cyber intrusions is expected to increase from $6 trillion in 2021 to $10.5 trillion in 2025, according to a recent report from Cybersecurity Ventures. Yet the recommendation from the cybersecurity industry, perhaps unsurprisingly, remains the same: you need to spend more money on cybersecurity. While cybersecurity is important, businesses, rightly, are asking whether it alone will mitigate the information security risk, or whether they have reached the point of diminishing returns. Perhaps the problem should be approached in a different way.

The second, related misconception is that insider threat programs—the small piece of information security that focuses on employees—are appropriate and sufficient. For many businesses, having a program that designates its people as threats and often relies on surveillance of employees is anathema to their corporate values. Calling employees threats also might give way to the erroneous impression that these individuals have taken jobs with that specific business exclusively to target its assets. That is rarely the case.

As an example of real threats to businesses, it is useful to consider the ways that intelligence agencies recruit assets to gather information on an adversary or entity of interest. When intelligence agencies are determining whom they might recruit, two things they consider are suitability and access. While both can be developed by the intelligence agency (for example, an individual can be groomed and access can be created), it is substantially quicker and more cost effective to find someone who already has both. Thus, intelligence agencies are primarily looking for those most suitable to carry out their instructions and who already have access—that is, they already work for the business with the desired assets. This means a business’s employees usually aren’t threats when they’re hired, but (depending on their suitability) they may become valuable recruitment targets once they’re on the inside of a particular business. Employees are then vulnerable to being wittingly or unwittingly exploited by a nation-state that will use them to get what it wants without regard for the long-term consequences to the employees.

Nation-states’ recruitment practices should inform businesses on how best to protect themselves. Individuals already under the control of an intelligence service need to be identified before they’re hired into a company. A strong employee screening program can offer some assurance that those “threats” rarely get inside a business, and if such people do get hired, they need to be found and addressed before they can erode the company’s value. But just because employees haven’t been recruited by an intelligence service prior to beginning employment doesn’t mean they won’t ever be. Once any employee has access to an important asset, that employee’s value as a recruitment target increases dramatically. Businesses need a persistent program to protect their employees from exploitation by nation-states and their intelligence services. This program can serve a dual purpose: provide employees with the information and tools to protect themselves (and the assets they handle), and help them recognize nation-state activity and guide their response. These programs would serve a more deliberate purpose than broadly mandated insider threat programs.

Government insider threat programs are usually designed to defend against the broadest array of threats possible, from active shooters to employees controlled by foreign spies. Trying to counter such a diverse set of threats is virtually impossible and often requires outsized resources. Even so, consultants often suggest businesses take a similar approach. But doing so does not account for staffing constraints and the very specific—and often different—risks and vulnerabilities each business faces. In short, government-like insider threat programs are often not the appropriate way for the private sector to manage the information security risk.

Although insider threat programs use the word “preventive,” they are often anything but. They are generally reactive and depend on catching employees after they’ve done something wrong. The program’s very name implies that employees are threats. Once a business starts treating its employees as such, it risks damaging trust—the key ingredient of the employer-employee relationship.

Many insider threat programs use data transfer as a precipitating event to identify employees of concern. For example, emailing data to a private email address or uploading it to a private server or file storage service can trigger the security protocols of an insider threat program. Under those practices, insider threat programs rarely do anything except identify problems such as data loss after they have already occurred.
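The kind of transfer-triggered rule the paragraph describes, as an added example that is not part of the article: two hypothetical detections (mail to a personal webmail domain with an attachment; a large upload to a consumer file-sharing host) run over constructed email-gateway and web-proxy records. The log format, domain lists and byte threshold are all assumptions. What the code makes concrete is the timing problem the text raises: every alert carries the timestamp of the transfer that produced it, so the program learns of the loss only once the data is already outside the company.

```python
"""Transfer-triggered insider-threat detection over constructed log lines.

Hypothetical example, not from the article or any product. It shows why a
rule keyed on the transfer itself is reactive: the earliest event such a rule
can see is the one in which the data leaves.
"""
import re
from datetime import datetime

# Constructed sample logs (not real data). Assumed formats:
#   MAIL <iso-time> from=<addr> to=<addr> attachment_bytes=<n>
#   HTTP <iso-time> user=<name> method=<verb> host=<host> bytes_out=<n>
SAMPLE_LOGS = """\
MAIL 2021-05-10T09:14:02 from=jdoe@corp.example to=procurement@corp.example attachment_bytes=120000
MAIL 2021-05-10T18:41:37 from=jdoe@corp.example to=jdoe1985@gmail.com attachment_bytes=48300000
HTTP 2021-05-10T18:52:10 user=jdoe method=GET host=www.corp.example bytes_out=512
HTTP 2021-05-10T19:03:55 user=jdoe method=PUT host=content.dropboxapi.com bytes_out=61200000
HTTP 2021-05-11T08:20:41 user=asmith method=POST host=drive.google.com bytes_out=2048
"""

# Assumed lists of "private" destinations; a real program would maintain these.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
FILE_SHARING_HOSTS = {"content.dropboxapi.com", "drive.google.com", "mega.nz", "wetransfer.com"}
UPLOAD_BYTES_THRESHOLD = 1_000_000  # assumed: ignore small form posts and API chatter

MAIL_RE = re.compile(r"^MAIL (\S+) from=(\S+) to=(\S+) attachment_bytes=(\d+)$")
HTTP_RE = re.compile(r"^HTTP (\S+) user=(\S+) method=(\S+) host=(\S+) bytes_out=(\d+)$")


def detect_transfers(log_text):
    """Return alerts for outbound transfers to private destinations.

    Each alert is (detected_at, rule, user, destination, bytes). detected_at is
    the transfer's own timestamp: the rule has nothing to fire on before then.
    """
    alerts = []
    for line in log_text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts, sender, recipient, size = m.groups()
            domain = recipient.rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_MAIL_DOMAINS and int(size) > 0:
                user = sender.split("@", 1)[0]  # normalise to the account name
                alerts.append((datetime.fromisoformat(ts), "mail_to_personal", user, recipient, int(size)))
            continue
        m = HTTP_RE.match(line)
        if m:
            ts, user, method, host, size = m.groups()
            if method in {"PUT", "POST"} and host.lower() in FILE_SHARING_HOSTS and int(size) >= UPLOAD_BYTES_THRESHOLD:
                alerts.append((datetime.fromisoformat(ts), "upload_to_file_sharing", user, host, int(size)))
    return alerts


def bytes_already_gone(alerts):
    """Per user, the volume that had left the company by the time the alerts fired."""
    totals = {}
    for _, _, user, _, size in alerts:
        totals[user] = totals.get(user, 0) + size
    return totals


if __name__ == "__main__":
    found = detect_transfers(SAMPLE_LOGS)
    for detected_at, rule, user, dest, size in found:
        print(f"{detected_at.isoformat()} {rule:<24} user={user} dest={dest} bytes={size}")
    print("already outside the company at alert time:", bytes_already_gone(found))
```

Note that the 2,048-byte POST to drive.google.com is deliberately below the threshold: the rule trades false positives on routine web traffic for the risk of missing a small but valuable document, and either way it can only ever describe a transfer that has already happened.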

This pattern is typical for government programs, which are often more concerned with catching individuals violating the law and bringing them to justice than with preventing the loss in the first place. A business may feel good that it has identified an employee who has stolen from it and that justice will be served, but the information—the valuable asset—has likely already been transferred to another company or nation-state, and the business will suffer as a result.

The third misconception about information security is that most cyber intrusions are purely technical in nature, and so companies need to worry only about the technical risk an intrusion group presents, rather than understanding it as part of a larger operation. The reality is very different. The vast majority of intrusions are not purely technical—they’re hybrid operations—meaning humans are manipulated to assist with providing technical access. This manipulation can take the form of social engineering, whereby employees may unwittingly provide their credentials or introduce an exploit so that an outsider can gain access. It may also take the form of full-on recruitment, whereby employees wittingly help an outsider gain access to a business’s network through various means.

If an intelligence service of a sophisticated nation-state is running the intrusion operation, it could work like this: The service recruits a low-level employee with access and instructs the employee to set a ridiculously obvious password or click a malicious link in an email. This type of operation provides a degree of anonymity to the intelligence service and protection for its recruit (there is a believable explanation, since employees make similar “mistakes” all the time). It also ensures that the intelligence service gets access, rather than having to wait and hope for an employee to make a real mistake and click on a malware-infected link in an email.

According to a 2020 IBM report conducted by the Ponemon Institute, insiders (often employees) account for 60 percent of all cyberattacks. In addition, the attacks they are facilitating, wittingly or unwittingly, are more costly than those caused by purely external attackers. These individuals, as a result of their employment, know where the most sensitive and valuable data is stored and have the access necessary to easily provide it.

Even more concerning, Verizon found in a recent study that 94 percent of all malware was delivered via email. Of that email-delivered malware, according to the cybersecurity company Proofpoint, 99 percent required some level of human interaction to be successful—a person needed to click on a link, open a file or fulfill some other action. Despite the numerous news stories about the increasingly sophisticated intrusions taking place or the new and frightening vulnerabilities identified recently, the success of almost all cyberattacks that rely on malware depends on a human in the targeted company.

The use of particular types of malware, including viruses, worms, trojan horses, spyware, adware and ransomware, is also increasing dramatically. Reported incidents of ransomware alone increased 715 percent last year. Despite all of this and the human factor that allows these attacks to occur, many in the information security industry are still advocating for more technical solutions.

It is critical for businesses to understand that their information vulnerabilities are not purely technical. Viewing the risk of intrusion as only a technical issue is focusing on the tools used rather than the bigger picture.

Cybersecurity companies focus on understanding the TTPs (tactics, techniques and procedures) of intrusion sets. In other words, they merely look at the “how” of an intrusion rather than the “why.” While necessary, focusing on the how is not comprehensive enough, as its efficacy is dependent on seeing all the different ways cyber actors are trying to access a network. It’s rare that any security firm can gain a complete picture of such technical operations. If someone is trying to steal something from you, protecting only some of the “doors” on your network might slow them down, but it certainly won’t stop them. Additionally, as noted above, focusing solely on the cyber piece of an attack means businesses may be ignoring the other methods that nation-states or others may use to gain access, namely recruitment of employees and physical intrusions.

Furthermore, focusing on the how doesn’t tell you what they were after. Forensically piecing together a cyber actor’s actions in your network, and what they have taken, is a painstaking process and ultimately has limited utility. You may see some or even most of the actor’s activities—data reviewed or exfiltrated—but the eventual beneficiaries of that information and their intentions are opaque.

Many cybersecurity companies have attempted to reduce the risks, vulnerabilities and solutions to only their technical manifestation. This is definitely easier from a product delivery and business development standpoint, but it doesn’t do enough to help businesses understand and address the underlying cause. 

The root cause of these issues is the many groups of humans who want to steal businesses’ most valuable assets. They may be conducting hybrid cyber operations, human recruitment operations, physical intrusions or more likely some combination of the three to get access to your business. Depending on your industry and the specifics of your organization, you may have sensitive intellectual property, specialized research, vital employees, lucrative customer data, cherished partners or critical suppliers that are of interest to a nation-state or a private company.

Understanding your business’s valuable assets and the role employees play in relation to those assets is essential to designing information security efforts. Otherwise, the limited security resources of each business may be allocated inappropriately. Your business could end up protecting the wrong things or protecting the right things in the wrong way.