Ying Han
Carnegie Mellon University
Sep 28, 2011
Many of us may have envisioned that future human warfare will be conducted predominantly in cyberspace. Cyber warfare (CBW) may still be an abstract concept to the general population, but as information security professionals we know that the battle has already begun. CBW includes not only international espionage but also domestic intrusion into organizations' information network systems, such as corporate and banking networks and government databases. Countries are spying on each other, and individual hackers are exploiting the vulnerabilities of information systems. The most frightening part of CBW is that it takes only one hacker to create extensive, irreversible damage. Given the risk we face, continuously revamping security systems and creating new techniques is not enough to confront invaders who are themselves upgrading, transforming, and becoming more advanced. A more proactive effort that approaches the challenge from other angles is needed.
The ancient Chinese military treatise "The Art of War" suggests a basic principle that applies to any kind of warfare: if you know your enemy as you know yourself, you will prevail in every battle. The underlying rationale of the principle is that one can only gain absolute control over subjects or objects that one profoundly understands. To keep hackers on a tight leash, cyber security professionals need to study who and what they are up against. This principle may sound exaggerated, yet its significance has been borne out by the wars won in Chinese history.
For this principle to work, a precondition has to be met: we need to be experts on every aspect of ourselves, such as our goals for securing systems, our information management technology, our competence in securing information networks, our ability to respond immediately to incidents, and our potential to improve and develop methodologies in the field. This is what many information security professionals are focusing on.
However, by satisfying this precondition alone we have only a 1/3 probability of winning the war, as Sun Tzu, the author of "The Art of War," would say. To gain the other 1/3 chance of winning, we need to study every aspect of the intruder's aspirations. For example: who in the population is capable of being an intruder? What is the geographical distribution of this sub-population? Among them, who has the personality and motive to commit an intrusion? Are there any observable abnormal behaviors in their daily work? Where in the system would they be likely to start acting out? What kind of technique would they be likely to use?
Through scientific studies, both experimental and non-experimental, we can reach an objective understanding of intruders. For instance, between 2002 and 2007 the insider threat study team at CERT collaborated with the U.S. Secret Service. Together they collected data on 250 incident cases that caused varying levels of damage to the information systems of the affected organizations [1]. The data showed clear general trends in the characteristics of the attackers. Seventy-seven percent of the attackers were former or current full-time employees [2]. Eighty-six percent of the intruders held technical positions, including 36% system administrators, 21% programmers, 14% engineers, and 14% IT specialists [3]. Although 96% of the 250 attackers were male, there was not enough evidence to support the hypothesis that hacking behavior is associated with gender: the sampling method and the gender ratio of the IT workforce are two confounding variables. The subjects varied demographically in age, race, gender, and marital status.
Researchers also found that the main motive for their actions was revenge [4]. In 92% of the cases, the attackers were triggered by an unpleasant work-related event [5]. After experiencing cognitive dissonance from the negative events, the subjects were likely to develop a motivational drive to reduce their discomfort by whatever means were accessible to them. Thus, using their specialty in technology and their credentials to intrude into the network system is a way to retaliate against their employers. In addition, revenge is justified not only by religious beliefs but also by concerns about societal law enforcement, such as the death penalty. For details of this finding, please refer to the original article.
After the simple analysis above, we now have a better idea of who is more likely to commit a violation of 18 USC §1030 and why they decide to do it. This sub-population needs to be studied explicitly to obtain the second 1/3 of the winning probability.
For questions, you may contact me at yinghan@andrew.cmu.edu or leave a comment at www.theartofcyberwar.blogspot.com.
1. Insider Threat Study, CERT at Carnegie Mellon University, May 2008, https://www.cert.org/insider_threat/study.html
2. Keeney M., et al., "Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors," U.S. Secret Service and CERT Coordination Center/SEI, May 2005
3. Keeney M., et al., "Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors," U.S. Secret Service and CERT Coordination Center/SEI, May 2005
4. Keeney M., et al., "Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors," U.S. Secret Service and CERT Coordination Center/SEI, May 2005
5. Keeney M., et al., "Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors," U.S. Secret Service and CERT Coordination Center/SEI, May 2005