7.4 billion monkeys with enlarged craniums and a trillion devices….


If you’ve been following artificial intelligence and the coming revolution like I have, you’ve probably picked up on a few common themes:

  1. Universal Basic Income
  2. People are freed of work
  3. People’s lives are less meaningful without work

I’m on board with one and two, but point three is really sticking in my craw.

But let me back up. If you’re not following the general conversation on AI, here’s basically what’s going on. The development of machines eliminated some human jobs (routine manual labor); the development of computers eliminated other human jobs (routine cognitive labor). Up to now, the non-routine workload, cognitive and to an extent manual, has been the safe haven of humanity: machines weren’t able to make the mental shortcuts required for these tasks. Well, that day is basically here.


A few months ago, with the development of “deep learning”, an AI named AlphaGo was able to beat one of the world’s top Go players (a strategy game, essentially chess on PCP). Only months before, the thinking was that this level of AI was a decade out. Not so much. Let me put this in perspective: the game of Go has more possible positions than there are atoms in the universe, and by more I mean by a large factor. Traditional computing couldn’t go through all the permutations in a reasonable amount of time to take down a champion. This AI basically played the game and developed concepts, allowing it to reach a rank no human has achieved.

Basically the consensus now is that the days of machines outperforming humans in all tasks, that is routine manual, routine cognitive, non-routine manual, and non-routine cognitive, are effectively here. The commercialization and deployment of this technology will only be as slow or as fast as the economy mandates, but it’s already taking out call centers (millions of jobs globally), being added to your messaging services, changing how you buy things, etc.


A nightmarish depiction of the author via Deep Dream

Even the arts are not free from AI. Just last year you probably saw a few Google Deep Dream art pieces on your friends’ feeds; well, AI is moving into music and writing as well. Given the massive repository of data for AI to digest and learn from, everything is really a matter of time, and not much time at that.

If you’re saying, “So what?” or “sounds good!” we’re on the same page. A world in which machines do the labor while people rest on their laurels sounds like a place that might know no war, know no famine, and is free to pursue higher aspirations, whatever those might be.

The train of thought continues – if there’s no work, then we end up with a universal basic income for all. I think this, coupled with the idea of no “jobs”, is what really bothers a bunch of folks, particularly here in America where some consider hours spent at work to be a status symbol.

If you haven’t seen it, here’s a sample from a recent article in the Guardian discussing Yuval Noah Harari’s thoughts on the matter:

“What might be far more difficult is to provide people with meaning, a reason to get up in the morning,” Harari says. For those who don’t cheer at the prospect of a post-work world, satisfaction will be a commodity to pay for: our moods and happiness controlled by drugs; our excitement and emotional attachments found not in the world outside, but in immersive VR.

I would counter that the Western concept of a life well lived, that is going to work 60+ hours a week and dying of a heart attack immediately after retirement, is not actually in line with our innate biological drives or mechanisms, and at their core I imagine most folks would agree.


I’m not sure who gets out of bed for this.

In America at least, if you’re not working in coal mines or tied to a desk, you’re usually perceived as a free-rider, a ne’er-do-well, a parasite. I recall one day in college calculus when a professor at random said to me, “idle hands, Mr. Whalen, are the devil’s workshop.” Strangely I had never heard the phrase before, but this seems to encapsulate the American attitude towards work: if you’re not actively engaged in a task, and by that we mean unpleasant effort, then you are evil. In other words, a life of pain is good, a life free of pain is bad.

I won’t bother delving into the roots of this cultural phenomenon, but it’s fair to say this mental framework is in exact opposition to the biological drives of all animals: avoid stressors, conserve energy. Yes, all animals are driven to eat and reproduce, but not to the extent that they create a calorie debt; biologically we are no different.


Praying mantis in its natural state.

In the cultural context I’m defining work as a non-self-fulfilling task which one engages in to obtain either the means to purchase or directly obtain food, shelter, or other goods and services. In this respect an artist who enjoys their work is not engaged in the cultural context of work, even though they may obtain payment for it. I’m not belittling the value of the artist’s work, simply stating that culturally speaking in the West, this is usually not considered “work” in the classical sense.

So does everyone sit in their apartment, play video games and smoke pot? Maybe, but what exactly is the problem with that? Those individuals are making risk-benefit decisions about how they want to live their lives, which frankly, if they had won the lotto in a pre-UBI world, would not receive as much disdain. Perhaps it is the leveling of the field which bothers many of us so much, that it becomes harder to demonstrate being one up on our neighbors? Perhaps it’s jealousy, of being unable to allow oneself to relax the way one would like to.

When I left active duty in the military I had 75 days of leave saved up. Rather than “buy back” some of that time, I took the full 75 days off from work. I was not able to play video games the whole time; technically I could have, but I just couldn’t sit around that much. And that’s not because I was an army guy, I didn’t really fit the stereotype (and few of us do). My body and brain needed me to get out and see the sun, to do something, to interact with the world. This is where I think a UBI would take us: to a new concept of work.

With UBI, work could become a choice – a task we engage in for the enjoyment of the task or the fruit of the task. Farmers could farm, for the joy of it. Gamers could game, for the joy of it. Writers could write. Hikers could hike. Politicians could… stay at home?

And everyone would have the freedom to change their new work as they pleased. That’s what UBI gives us, a chance to be human beings in the way our ancestors dreamed of: free to decide when to work, how to work, what work to do, and when not to work. Our ancestors didn’t dream of tethering our bodies to plows, desks, or war machines. That’s just how we got here.


This is not the master plan.


We’ve Identified the Enemy and it’s Us!

WHY YOUR ORGANIZATION COULD FALL VICTIM TO UNINTENTIONAL INSIDER THREAT AND FIVE WAYS TO LOWER YOUR RISK

The overwhelming majority of insider threat events are not the result of a malicious employee’s actions; rather, they are caused by the unintentional insider: someone falls for a spear phishing email, data spillage occurs, documents are destroyed improperly, a data storage device is lost or stolen, or people are the victims of social engineering and elicitation.

Research shows that while well-known events like the Ashley Madison compromise, which involved an insider, get a lot of attention, organizations may be too focused on the spectacular threat vectors. A 2013 study on unintentional insider threat by the CERT Division of the Software Engineering Institute (SEI) showed that 17% of cases were unintentional hacks, while 49% were unintentional disclosure. The SEI highlights that employees should be cognizant of the non-spectacular risks, which are far more common than the over-exaggerated spectacular risks. In other words, it may more often be the case that organizations are the victims of 10,000 paper cuts rather than a single atomic event.

While a lot of time and energy has gone into examining the root elements of the malicious insider, the unintentional vector has received less focus. Available research on the topic points to the perception of risk, biases, the influence of environment, and everyday stressors, though we shouldn’t discount simple ignorance. So, how can organizations address the very real risk of unintentional insider threat?  Start by getting inside the mind of the average employee as you roll out your strategies.

Looks Legit…

Insider threat and cybersecurity training during onboarding, or even annually, may not be enough. The constantly evolving threat landscape requires ongoing training. For example, phishing emails used to be fairly obvious: spelling errors, an obviously incorrect sender email address, etc. Now spear phishers commonly forge the visible sender address so that it appears to come from a legitimate colleague, or send from a legitimate user’s account that they took control of in an earlier attack, in which case the message really does come from where it claims to.

There may be little that employees can do other than verify unusual requests for information or action through a separate channel, for instance by calling the sender at a number they already have rather than one supplied in the email, but that highlights another challenge to security.
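The forged-sender problem above has a mechanical side as well as a human one. Mail servers record who actually handed them the message (Return-Path, Authentication-Results), and those headers often disagree with the From line a spear phisher forged. The following check is an added example, not part of the original post or of any tool the post mentions; the two messages it inspects are constructed samples, not real captures, and the example.com / example.net domains are placeholders. It flags the classic mismatches: an envelope sender or Reply-To in a different domain from the From address, and SPF or DKIM results other than pass.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message: the From: line impersonates an
# internal executive, but the relay that sent it and the SPF result disagree.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Jane Doe (CFO)" <jane.doe@example.com>
To: clerk@example.com
Subject: Urgent wire transfer
Reply-To: jane.doe.cfo@gmail-mail.example.net

Please process the attached wire today, I am in a meeting and cannot be reached by phone.
"""

# Constructed sample of a message that really came from the claimed domain.
SAMPLE_LEGIT = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Jane Doe" <jane.doe@example.com>
To: clerk@example.com
Subject: Q3 numbers

Attached as discussed.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.

    Only the first verdict per method is kept; a receiving MTA normally
    writes one such header per hop that evaluated the message.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results


def sender_indicators(raw):
    """Return a list of human-readable reasons the sender looks forged.

    An empty list means no header-level inconsistency was found; it does
    not prove the message is safe (a compromised real account passes all
    of these checks).
    """
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    flags = []

    # Envelope sender (where bounces go) in a different domain than From.
    if return_path and _domain(return_path) != from_dom:
        flags.append("return-path domain differs from From")
    # Replies silently redirected to an address the attacker controls.
    if reply_to and _domain(reply_to) != from_dom:
        flags.append("reply-to domain differs from From")
    # Display name that itself contains an address in another domain,
    # e.g. "Jane Doe <jane@corp.example>" <attacker@elsewhere.example>.
    if "@" in display and _domain(display.split()[-1].strip("<>")) != from_dom:
        flags.append("display name carries a different address")
    # Failed or absent sender authentication.
    auth = auth_results(msg)
    for method in ("spf", "dkim"):
        if method in auth and auth[method] != "pass":
            flags.append(f"{method}={auth[method]}")
    return flags


if __name__ == "__main__":
    print(sender_indicators(SAMPLE_PHISH))  # four indicators
    print(sender_indicators(SAMPLE_LEGIT))  # []
```

Treat the output as indicators, not a verdict: mailing lists and bulk-mail services legitimately rewrite Return-Path, so a domain mismatch alone is noise in many organizations, while a message sent from a colleague’s compromised mailbox passes every check here. That is exactly why the post falls back on out-of-band verification for anything unusual.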

Hoping for the Best!

Many of us don’t want to contact our superior about seemingly simple requests at the risk of looking insubordinate or challenging their authority. This deference to authority is exactly what attackers are preying on. Of course, this could be addressed by management or even incorporated into organizational policy, such as requiring voice confirmation for certain types of requests, but it must be part of a larger cultural shift to have any lasting effect.

Ignorance is Bliss.

People in general have a deferential attitude towards what happens on their workstations: if there is no error screen or warning, then things must be ok, right? Most people who are not intimately familiar with the mechanics of computing and the internet trust their machine or an administrator to tell them when something is wrong. The message to employees and the public in general usually says something to the effect of having anti-virus software and not providing a social security number to anyone asking for it in an email.

I Know What I’m Supposed to Do, But….

Consider the on-the-ground workplace culture. In this case I am referring to culture as a system of beliefs, practices, orientations, acceptable norms, and demonized and praised attributes that organically emerge, not the practices as written. Individuals may be trained to respond in a certain way when risk presents itself, but they face a cost-benefit analysis in terms of cultural compliance. When there is no obstacle between the individual and cultural practices, or when individual and cultural norms are aligned, there is no pressure on the individual to act in a contrary manner (e.g. to not follow security protocol). When the individual’s behavior is not in line with, or is contrary to, cultural norms, then the individual must make a cost-benefit decision, the result of which could depend on any number of factors.

Consider the recent Department of Justice “hack” in which 20,000 FBI employee names were released. According to media reports, the hacker said he or she was able to access systems by telling a help desk attendant that he or she was a new employee and lacked a token code (the second factor in two-factor authentication), and the attendant provided one.

It seems unbelievable at first, but consider it from the attendant’s point of view. The caller seemed to know what they were talking about in terms of access. The caller may be in a position of authority and could pose risk to the attendant’s job by not performing. The attendant’s primary duty is to resolve issues, not to analyze issues.

Going back to the authority statement: while most of us have been trained to know when to deny a privilege escalation, it’s another thing to get a request from a person who seems to be in charge, who might be able to affect our day-to-day stress level. So what do you do? What does a low-level system administrator in today’s economy do?

But Mom Said it’s OK.

A dysfunctional work culture, or a work culture incongruent with documented policies and procedures, tends to be the result of some incentivized behavior, either through perceived or actual punishment or reward. This isn’t too far a stretch from mixed messaging in parenting psychology: inconsistent rule application and messaging, and unbalanced, sometimes opposing, responses to behaviors, result in confusion for the child and impair their ability to function accordingly.

Why Should I Care?

As I pointed out in my blog post “Why Insider Threat Detection Fails”, humans are poor performers when it comes to detecting rule violations of anything other than social contract or personal safety rules. While we function in a super-connected world of relationships, the human mind still functions in a hunter-gatherer world, designed to monitor maybe 50 relationships. Simply put, the human mind is really concerned with its own survival, and by extension its progeny; abstract threats to the corporation, such as supply chain risk, are not natural to the human mind and do not present as an immediate threat to self.

As such, if training and communications about cybersecurity are only presented as a series of “if-then” concepts without tying those to the individual’s health and well being, they will fall on deaf ears. That message – that the health of the company is the health of the individual – needs to be articulated, repeated, demonstrated, and believable. Rote memorization of “if-then” rules will yield some measure of protection, but it does nothing to build a culture or to take real residence in the mind of the employee.

Your employees are your first responders, your first line of defense, and the most critical asset. There are certainly a variety of factors which might cause them to become the next unintentional insider threat, but nothing is worse than apathy.

5 Ways to Combat Insider Risk

  • Climate surveys by a third party industrial psychologist can clarify what the culture really is.
  • Messaging to the workforce – if in doubt, question. Build a culture of rewarding security posture and questioning suspect vectors.
  • Tie organizational risk to real life employee risk in training. Don’t just say it’s bad for the company to lose money from IP theft via insider threat. Tie it all to the employee’s bottom line.
  • Be consistent – what’s on paper needs to match what managers exude.
  • Encourage questions. It might save you a lot of money. Employees who think they might be facing a security issue, insider or cyber, should feel reporting/questioning is a duty rather than a burden. Make this a value and you could very well save a lot of pain in the end.

*Originally written for tscadvantage.com, reposted with permission.

Deus ex something something…

The past few months, I keep finding myself in this conversation about “cyber” and insider threat. Generally speaking, it seems quite a few people think insider threat is a “cyber” issue, and I can’t disagree more.

I think there are three reasons people equate insider threat with cyber:

  1. In the media a “cyber” event is often ascribed to an “insider”. This is about as much as people hear about insider threats, so the words are assumed to be interchangeable.
  2. At least in the U.S., there’s a tendency to focus on spectacle – by this I mean the never before seen technology or tactics, and the spectacular employment of them, while simultaneously ignoring the less spectacular or historical tactic or technology.
  3. From a mitigation standpoint, organizations are rightfully focused on protecting critical assets, which these days tend to be information on a network; in this vein network security is the “cyber” element – protecting assets from an insider, an outsider who finds an opening in the network, or an outsider who becomes an “insider” by obtaining existing insider credentials for access.

In that view, people are understandably confused. On the second point there’s a valid psychological underpinning to the bias toward the “unknown” and newly perceived threat. In the last point, a mitigation avenue for a particular critical asset begins to color views of insider threat.

So why isn’t insider threat a “cyber” thing?

An insider event is precipitated by a trusted person with access.

A “cyber” event could be precipitated by an outsider or an insider.

If an insider, then the individual already has access to the victim organization (employee, supplier, contractor, etc.), and they leverage that access to sabotage computer resources (physical or not), leak data, steal data, or otherwise attack the confidentiality, integrity, or availability of said organization’s data.

If an outsider, then they are not a trusted member of the victim organization, rather they pose as one.

The outsider may manipulate a person within the organization, wittingly or unwittingly, say through social engineering, to enable the outsider’s access into the victim network, but the outsider is only presenting as someone with legitimate access. In this case we might call the manipulated person in the organization an insider, either unintentional or intentional depending on their malicious intent or lack thereof, and the external hacker the outsider.

That all said, the cyber insider event does not make up the majority of insider events – it might be as low as 22% in fact. Cyber insider events are the spectacular – they do a lot of harm in a seemingly short period, but they are not necessarily the most devastating.

Consider the following:

Edward Snowden managed to take a whole bunch of data from the US government, using his placement and access. Then he “sneaker-netted” that information overseas. Sure, he got the information from a virtual data source, but it wasn’t a “cyber” event.

Say what you will, insider threat is older than computers. It is as old as espionage and plain old vengeance, and that’s pretty old.

Cyber isn’t insider, much like a hammer isn’t the only way to open a lock.


Quick Post – Insiders and Religion

Just about 24 hours after my last post our second child was born, hence the lack of updates.

Real quick, I saw this study this morning which indicates children raised in religious households are less altruistic and tolerant. The article at Forbes goes into the evolutionary basis for morality versus the human development of religion, something Tooby and Cosmides have written quite a bit about (evolution and morality, that is). As the article states, religion was an effective way to develop cohesive groups, to define the inside group versus the outsiders. The point being that this is often at odds with our present-day world, and the focus of much conflict.

I’m wondering, if this is the case, are insiders more likely to have religious (or comparable organizational belief systems) convictions. Do secular societies have a lower rate of insider events? What are your thoughts?

Information supply chain


I was listening to a CERT talk on supply chain issues recently. At some point the commentators said something to the effect that supply chain issues are getting attention because businesses must interact with vendors and suppliers. I imagine the commentator was addressing the increased complexity of products, the increased complexity of these business relationships, and the ever shrinking world we live in (which is also increasingly complex) and the perception these risks are on the rise as a result of these elements.

As someone who looks at supply chain issues on a regular basis, I don’t see a light at the end of the tunnel. Information exchange is probably one of the earliest forms of supply chain dynamics/threats. The animal nature to exploit advantages to maximize survivability and reproduction (success) is not limited to interactions in the physical realm, but includes access to information otherwise limited to others. Eventually, the barriers involved in compartmentalization of information break down; the systems once put in place to restrict information flow to maintain survival advantages (within a family, tribe, company, or nation) become the victim of entropy or the death of a thousand leaks. The information becomes commonplace and the value of that information decreases.

From an evolutionary standpoint, it’s probably safe to say the benefits of social exchange outweigh the risks. Social exchange has an element of Locard’s principle: something of each party is left behind. Each party, to the extent they are capable, becomes aware of the other’s strengths and weaknesses, many of which will not even be primary to the issue being discussed. On the other hand, much of this information could be ascertained through observation absent social interaction. Social exchange affords the chance to misrepresent oneself while still reaping the reward from the exchange. Either way, information is transmitted, and may be ‘lost’ to another entity, which is not entirely beneficial. With this in mind, each of us goes into the social contract, or really any interaction, with a degree of acceptable risk.

The increasing interconnectivity of the modern world seems to be negatively correlated with the window of time in which individuals can effectively exploit emerging relationships. Information cannot be effectively managed simply because there is too much of it to process. Although some might claim efforts to analyze “big data” allow for such, the effectiveness is limited by inputs, for some of which there are simply no collection mechanisms. The human mind simply has not evolved beyond its hunter-gatherer roots; our minds are essentially tied to a world in which you might only meet tens of persons in a lifetime. Automated crunching of big data is a boon to interpreting an increasingly complex world with a limited ability to process information, but we are generally kept in a reactive state.

So what is industry to do in the face of the lightning speed of supply chain issues? No longer is it just an issue of where materials or sub-components come from, rather it is the source code development, the development of universal standards, the academic thought train, the emerging political realities, all interwoven and changing.

Obviously industry must continue to monitor and react to the relationships which affect their overall survivability, as do all animals, but getting beyond a purely reactive stance means more than that now. NIST and CERT both address the defensive mechanisms all industries should establish, but beyond that we are faced with a supernova of information which needs to be processed to completely get in front of supply chain risk. That’s where we all need to focus: on determining what level of risk is acceptable, and what level is manageable. Once those domains are established, looking one level beyond the traditional supply chain vectors becomes more digestible. We can and still should watch where the widgets come from, but now perhaps we also pay attention to the human climate those widgets come from.