The theft of 80 million customer records from health insurance company Anthem earlier this month would be more shocking if it were not part of a larger trend. In 2013, the Department of Defense and some US states were receiving 10–20 million cyberattacks per day. By 2014, there was a 27% increase in successful attacks, culminating with the infamous hack of Sony Pictures.
Much of the media focus is on the losses rather than the process by which such breaches take place. Consequently, instead of talking about how we could stop the next attack, people and policymakers are discussing punitive actions. But not enough attention is given to the actions of individual end users in these cyber attacks.
We are the unintentional insiders
Many of these hacking attacks employ simple phishing schemes, such as an e-card on Valentine’s Day or a notice from the IRS about your tax refund. They look innocuous but when clicked, they open virtual back doors into our organizations.
It is you and I who click on these links and become the “unintentional insiders” giving the hackers access and helping spread the infection. Such attacks are hard to detect using existing anti-virus programs that, like vaccines, are good at protecting systems from known external threats — not threats from within.
Clearly, this virtual battle cannot be won using software alone. In the same way personal hygiene stymies the spread of infectious disease, fixing this cyber quandary will require all of us to develop better cyberhygiene. We need to begin by considering the cyberbehaviors that lead to breaches.
My research on phishing points to three. Firstly, most of us pay limited attention to email content, focusing instead on quick clues that help expedite judgment. A picture of an inexpensive heart-shaped valentine gift gets attention, oftentimes at the cost of looking at the sender’s email address.
This is compounded by the ritualized media habits that our always-on, always-accessible smartphones and tablets enable. Many of us check email throughout the day whenever an opportunity or notification arises, even when we know it is dangerous to do so, such as while driving. Such habitual usage significantly increases the likelihood of someone opening an email as a matter of routine.
And finally, many of us just aren’t knowledgeable about online risks. We tend to hold what I call “cyber risk beliefs” about the security of an operating system, the safety of a program, or the vulnerability of an online action, most of which are flawed.
Cleaning up our cyberhygiene act
Developing cyberhygiene requires all of us — netizens, educators, local government, and federal policymakers — to actively engage in creating it.
To begin, we must focus on educating everyone about the risks of online actions. Most children don’t learn about cybersafety until they reach high school; many not until college. More troublingly, some learn through risky trials or the reports of someone else’s errors.
In an age where online data remain on servers perpetually, the consequences of a privacy breach could haunt a victim forever. Expanding federal programs such as the National Initiative for Cybersecurity Education, which presently aims to inspire students to pursue cybersecurity careers, could help achieve universal cybersecurity education.
Second, we must train people to become better at detecting online fraud. At the very least, all of us must be made aware of online security protocols, safe browsing practices, secure password creation and storage, and procedures for sequestering or reporting suspicious activity. Flawed cyber-risk beliefs must be replaced with objective knowledge through training.
Although some training programs address these issues, most target businesses that can pay for training. Left out are households and other vulnerable groups, an omission that, given the recent “bring your own device to work” (BYOD) trend, increases the chances that a compromised personal device brings a virus into the workplace. Initiatives such as the Federal Cybersecurity Training Events that presently offer free workshops to IT professionals are steps in this direction, but the emphasis must move beyond training specialists to training the average netizen.
Finally, we must centralize the reporting of cyber breaches. The President’s proposed Personal Data Notification and Protection Act would make it mandatory for companies to report data breaches within 30 days. But it still doesn’t address who within the vast network of enforcement agencies is responsible for resolution. Having a single clearing house that centralizes and tracks breaches, just like the Centers for Disease Control and Prevention tracks disease outbreaks across the nation, would make remediation and resource allocation easier.
Across the Atlantic, the City of London Police created a system called Action Fraud, which serves as a single site for reporting all types of cyberattacks, along with a specialized team called FALCON to quickly respond to and even address impending cyberattacks. Our city and state police forces could do likewise by channeling some resources away from fighting offline crime. After all, real-world crime is at a historically low rate while cybercrimes have grown exponentially.
(A version of this post appeared in The Conversation on Feb 26, 2015)
Hackers gain access to computers and networks by exploiting the weaknesses in our cyber behaviors. Many attacks use simple phishing schemes – the hacker sends an email that appears to come from a trusted source, encouraging the recipient to click a seemingly innocuous hyperlink or attachment. Clicking will launch malware and open backdoors that can be used for nefarious actions: accessing a company’s network or serving as a virtual zombie for launching attacks on other computers and servers.
No one is safe from such attacks. Not companies at the forefront of technology such as Apple and Yahoo whose security flaws were recently exploited. Not even sophisticated national networks are home free; for instance, Israel’s was compromised using a phishing attack where an email purportedly from Shin Bet, Israel’s internal security service, with a phony PDF attachment, gave hackers remote access to its defense network.
To figure out why we fall for hackers’ tricks, I use them myself to see which kinds of attacks are successful and with whom. In my research, I simulate real attacks by sending different types of suspicious emails, friend-requests on social media, and links to spoofed websites to research subjects. Then I use a variety of direct, cognitive and psychological measures as well as unobtrusive behavioral measures to understand why individuals fall victim to such attacks.
What is apparent over the many simulations is how seemingly simple attacks, crafted with minimal sophistication, achieve a staggering victimization rate. As a case in point, merely incorporating the university’s logo and some brand markers into a phishing email resulted in close to 70% of the research subjects falling prey to the attack. Ultimately, the goal of my research is to figure out how best to teach the public to ward off these kinds of cyberattacks when they come up in their everyday lives.
Clicking without thinking
Many of us fall for such deception because we misunderstand the risks of online actions. I call these our cyber-risk beliefs; and more often than not, I’ve found people’s risk beliefs are inaccurate. For instance, individuals mistakenly equate their inability to manipulate a PDF document with its inherent security, and quickly open such attachments. Similar flawed beliefs lead individuals to cavalierly open webpages and attachments on their mobile devices or on certain operating systems.
Compounding such beliefs are people’s email and social media habits. Habits are the brain’s way of automating repeatedly enacted, predictable behaviors. Over time, frequently checking email, social media feeds and messages becomes a routine. People grow unaware of when – and at times why – they perform these actions. Consequently, when in the groove, people click links or open attachments without much forethought. In fact, I’ve found certain Facebook habits – such as repeatedly checking newsfeeds, frequently posting status updates, along with maintaining a large Facebook friend network – to be the biggest predictor of whether someone would accept a friend-request from a stranger and whether they would reveal personal information to that stranger.
Such habitual reactions are further catalyzed by the smartphones and tablets that most of us use. These devices foster quick and reactive responses to messages through widgets, apps and push notifications. Not only do smartphone screen sizes and compressed app layouts reduce the amount of detailed information visible, but many of us also use such devices while on the go, when our distraction further compromises our ability to detect deceptive emails.
These automated cyber routines and reactive responses are, in my opinion, the reasons why the current approach of training people to be vigilant about suspicious emails remains largely ineffective. Changing people’s media habits is the key to reducing the success of cyberattacks — and therein also lies an opportunity for all of us to help.
Harnessing habits to fight cybercrime
Emerging research suggests that the best way to correct a habit is to replace it with another, what writer Charles Duhigg calls a Keystone Habit. This is a simple positive action that could replace an existing pattern. For instance, people who wish to lose weight are instructed to exercise, reduce sugar intake, read food labels and count calories. Doing these many challenging things consistently is daunting, and often people are too intimidated to even begin. Many people find greater success when they instead focus on one key attainable action, such as walking half a mile each day. Repeatedly accomplishing this simple goal feels good, builds confidence and encourages more cognitive assessments — processes that quickly snowball into massive change.
We could apply the same principle to improve cybersecurity by making it a keystone habit to report suspicious emails. After all, many people receive such emails. Some inadvertently fall for them, while many who are suspicious don’t. Clearly, if more of us were reporting our suspicions, many more breaches could be discovered and neutralized before they spread. We could transform the urge to click on something suspicious into a new habit: reporting the dubious email.
We need a centralized, national clearing house — perhaps an email address or phone number similar to the 911 emergency system — where anyone suspicious of a cyberthreat can quickly and effortlessly report it. This information could be collated regionally and tracked centrally, in the same way the Department of Health tracks public health and disease outbreaks.
Of course, we also need to make reporting suspicious cyber breaches gratifying, so people feel vested and receive something in return. Rather than simply collect emails, as is presently done by the many different institutions combating cyber threats, submissions could be vetted by a centralized cybersecurity team, who in addition to redressing the threat, would publicize how a person’s reporting helped thwart an attack. Reporting a cyber intrusion could become easy, fun, something we can all do. And more importantly, the mere act of habitually reporting our suspicions could in time lead to more cybersecurity consciousness among all of us.
(A version of this post appeared in World Economic Forum on Jan 29, 2015)
Major crimes usually shake us into action. A London fire that killed five women ultimately led to the creation of 999, a precursor to our own 911 emergency system. The rape and murder of Kitty Genovese, meanwhile, inspired the creation of the neighborhood crime watch system. Yet while the Sony Pictures Entertainment email breach is a different sort of crime, it is a crime nonetheless, and one that was perpetrated in a neighborhood where almost all of us are resident these days — the Internet.
So where is the anger? The letters to congressmen? Part of the reason is that the reporting has focused on celebrity feuds rather than the fact that what happened to Sony could happen to any of us — emails of a personal nature allegedly being held ransom or released as payback. In fact, if you add up the number of victims of the most notable known breaches this year, it’s clear that a troublingly high percentage of us will have had some sort of information hacked. The other reason is that few of us feel like we’re paying a price for cyberbreaches — companies that are hacked typically eat the costs, at times without even informing customers.
But lost in the reporting is another fact: We are, in a very real sense, responsible for such attacks. Not simply because we are the audience for the hacker’s seedy releases, but because we are the inadvertent moles that provide the hackers access to large computer networks.
Hackers often enter networks through simple phishing attacks, which these days are actually simpler but more insidious than the infamous Nigerian phishing scams.
Now, instead of trying to persuade you to part with your money in exchange for a nonexistent financial windfall, emails from trusted sources ask you to check out a photograph, click on a hyperlink to an interesting story or enter your login on an official-looking webpage. Complying with any of these requests provides varying degrees of access to your devices and accounts, and it is these simple ruses that have been responsible for launching malware and “backdoors” that have ultimately compromised major networks.
The apparent simplicity of these attacks conceals a sophisticated understanding of people’s online behavior that is surprising even to the many academics who have spent years studying human behavior.
The reality is that many of us fall for these scams because of our email habits. Simple actions such as frequently checking email or Facebook status updates have become part of the daily rituals of Internet use. The human brain over time automates such routines, which leads to people clicking on hyperlinks, opening attachments and providing credentials without really paying attention to what they are doing.
Smartphones and tablets have only exacerbated this. After all, smartphones, which the majority of us now use to access the Internet, are designed for media consumption, not deception detection. Their apps are programmed to optimize for smaller screen sizes and restricted data caps, often by reducing the prominence of elements such as a website’s URL or a sender’s email address that could highlight the deception. Throw into the mix the fact that many of us are accessing these devices while talking, texting or even driving, and it’s hardly surprising that we don’t notice something nefarious.
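The two cues this paragraph says mobile layouts push out of view are the sender’s real address (hidden behind a display name) and a link’s real destination (hidden behind its visible text). As an added illustration, not code from the original post, the following Python checker parses a constructed message and reports each place where the visible cue disagrees with the underlying value. The addresses, hostnames and message text are made up for the example; nothing here is drawn from a real incident.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name looks like an address at one domain,
# while the actual sender is at another, and the first link's visible text
# names a host that differs from where the href actually points.
RAW_MESSAGE = b"""From: "hr@university.example" <notify@mailer-example.net>
To: staff@university.example
Subject: Action required: payroll update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details before Friday.</p>
<p><a href="http://login.university-example.net/reset">https://login.university.example/reset</a></p>
<p><a href="https://www.university.example/help">Help desk</a></p>
</body></html>
"""

# Constructed benign message for comparison: display name is a plain name and
# the only link has ordinary text, so nothing should be flagged.
CLEAN_MESSAGE = b"""From: "University HR" <hr@university.example>
To: staff@university.example
Subject: Benefits enrollment opens Monday
Content-Type: text/html; charset="utf-8"

<html><body><p>Questions? <a href="https://www.university.example/help">Help desk</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text while inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase host of a URL-looking string, or None if it has no scheme and host."""
    parsed = urlparse(value.strip())
    return parsed.hostname.lower() if parsed.hostname else None


def sender_cue(from_header):
    """Flag a display name that itself looks like an address but names a different domain."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if "@" in name:
        name_domain = name.rsplit("@", 1)[-1].strip().lower()
        if name_domain != addr_domain:
            return f"display name claims {name!r} but the address is {addr!r}"
    return None


def link_cues(html_body):
    """Flag links whose visible text is itself a URL pointing at a different host than the href."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown, actual = _host(text), _host(href)
        # Plain words like "Help desk" have no host and are not judged here.
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but href goes to {actual}")
    return findings


def analyze(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    cue = sender_cue(str(msg["From"]))
    if cue:
        findings.append(cue)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(link_cues(body.get_content()))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", RAW_MESSAGE), ("benign", CLEAN_MESSAGE)):
        print(label, analyze(raw) or ["no mismatched cues"])
```

The checker deliberately limits itself to the two cues the text names; it is a training aid that makes the hidden values visible, not a spam filter. A plain-word link such as “Help desk” is not judged because there is no visible host to compare, which mirrors the paragraph’s point: the deception is only detectable when the reader can see both the shown and the actual value.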
Making things worse, even some people who suspect a deception open such emails anyway because of flawed assumptions about the security of their devices and operating systems. Others might report the intrusion to their employer, but the reporting either comes too late or is lost in organizational silos.
This is not surprising — there are so many different arms of federal and state governments, along with organizations such as the Anti-Phishing Working Group, that collect complaints and disseminate information on cyberattacks that it is hard to keep track of where to send details of a complaint, much less go through the process of finding a contact address.
Besides, there is no incentive for reporting a suspicious email unless someone has actually become a victim of an attack, in which case, it is generally already too late.
So, what can be done?
A simpler fix would be to develop a single nationwide gateway — an email address or a phone number similar to the 911 system — where anyone suspicious of a cyberthreat can quickly report it. In addition, it would be a welcome development to see the proliferation of organizations akin to neighborhood watch groups — cyberwatch groups, if you will — where people can routinely report suspected attacks and receive immediate feedback.
From Aurora to Regin and the Nigerian scam, most cyberintrusions are named after the codes written into them or the hacker’s fake persona, which cedes power to the very people who perpetrate these crimes. Instead, wouldn’t it be better to highlight the names of the people who help detect an attack?
This would be just one way that we could encourage people to feel they are more invested in protecting our cyberinfrastructure.
Ultimately, the Internet is an online extension of our own neighborhoods. It’s time for us to take their protection just as seriously.
(A version of this post appeared in CNN on December 17, 2014)