Humans are the Foundation of Democracy
Democracy is the Holy Grail and the freedom of each citizen determines its health. If one was to view the voting system and our freedom of speech from an unbiased perspective, we would agree they are two pillars of our society; operational mechanisms. These core elements of society require a solid foundation to consciously update themselves and assure democracy stands the test of time.
This foundation for these freedoms is provided by the government, laws and policies. The pillars underpin both equal protection and adequate forecasting to apply resources that protect citizens from disease, disaster, attack and tyranny. In the worst times, this approach to governing has provided the common person with a modicum of trust in the system. However, cyber exploitation threatens democracy as we know it. The threat from cyber exploits and the government’s inability to affect cultural change threatens the very foundation on which the nation stands.
In the current programming, the holistic approaches to cyber resilience and effective protections do not exist. It is a fact that on numerous occasions the U.S. Government has failed to protect its institutions from cybercriminals. The noteworthy thing about the election hacking, for example, is that not only computer systems were exploited, but also the feelings of potential voters. “Those pesky people.” Think about how powerful that is; that you can manipulate people and their feelings. This means, our cyber adversaries successfully moved digital manipulation into a manifestation of human agents who promoted distrust in the very systems that makes them “free.”
The U.S. Government is struggling as we move towards the 2020 elections because “WE,” the most important factor in planning, has been left out of resilience planning. As such, there is a human condition which is unaccounted for in the government’s cyber risk assessment. For example, kind people will perform acts of kindness regardless of the threat and risks associated with their act. Real resilience would account for these people. The U.S. Government is not alone, we see this same failure across both businesses and organizations.
The Fault of Being Human
It has been repeatedly reported that security failures for all businesses are typically tied to human fault or failure. Sometimes the issues relate to lazy analysis and at other times a failure to use best practice. Dr. Calvin Nobles, a human factors expert, reminds us human factors remain unexplored and underappreciated in information security. He believes a strong workforce and understanding of how those people may respond in specific situations is a requirement. Dr. Nobles is correct in his assessment. Most successful cyberattacks, data breaches, and ransomware attacks are a result of human-enabled errors. This is evidence that greater efforts to educate and analyze human response is a prudent approach to reducing the cyber assault.
The cyber “threat” is not real for most Americans. Statistics tell an interesting story of how a lack of cyber threat awareness makes Americans comfortable relinquishing the rights to personal information. In a late 2018 Center for Data Innovation study, 58% of U.S. residents surveyed said they did not mind third parties collecting sensitive information about them. In this study respondents were asked about “tradeoffs” to gain new convenience. The majority were willing to give data like location, biometrics, and daily activities if it improved potential services to them.
Not Hard to See
This signals a potential key indicator as to why most people are reluctant in taking actions that protect their identifying information. And, if they don’t protect their own data, how likely is it they will take extra steps to protect corporate or government data?
So, if we throw a malware filled thumb drive over the fence of a business it may sit on the ground for a while. However, eventually a kind person will stumble upon it and pick it up. That person may have taken a cyber awareness course that specifically warns against putting unknown drives into the computer. However, they will place the drive in their computer anyway.
Studies have shown that people insert the drive into the computer even when they have been trained no to do it because they want to return it to the rightful owner. It is in our nature to try and help others. This is sometimes done to our own detriment. Kind people are as great a threat to true cybersecurity as the hacker with malicious intent. Why? Because these kind people typically have trusted access to systems and their good nature can be social engineered.
There are several potential reasons for people choosing convenience over security. The most obvious is education about consequences. Those who do realize the extent of potential outcomes aren’t moved to act. Their lucid approach to a subject, in this case, cybersecurity, may lower their guard. The thought of using good cyber hygiene as a risk reducing approach may seem like a waste of time to them.
An effective cyber awareness program by the government and local businesses, in partnership, could help change these statistics and general cybersecurity apathy. However, even legitimate businesses benefit from the collection of personal data and the government receives a part of the profit in the form of taxes. So, there is a real societal conflict. The “quid-pro-quo” business – government agreement ensures true awareness and a strong regulatory push will not occur anytime soon. By exciting citizens to be weary of personal data collection, a successful campaign might just cause a privacy revolution. This act of self-sufficiency response may stifle many profitable business practices. However, it might save our Democracy.