2021-11-07



Humans are creatures of habit, and digital systems are ultimately operated by people who want to keep doing things the way they always have. That habit is the rate-determining step of digital transformation and a large, undervalued barrier to improving cybersecurity.

The simple human preference for doing tomorrow what we did yesterday leads users to reuse passwords, delay installing patches, and keep using the older software they have grown accustomed to. Cyber attackers know that this behavior is often the weakest link, and they exploit it. Phishing works because emails appear to come from familiar friends and businesses, and fake web pages hosting malware fool people into entering data because the look and feel is recognizable and they do not stop to think about it.

It is not only the inertia of individual behavior that helps malicious actors. Organizational inertia is a problem as well, and often the largest organizations are the most locked in.

A recent report from Omdia and the CCIA, a technology industry association, makes a strong case that the procurement process within US government agencies has fallen into this trap. The report pays particular attention to the government market for office productivity software, one of the more mundane yet most important and widely used categories of software. That market is remarkably concentrated: Microsoft’s office suites hold around 85%, with the remainder going to Google (12%) and a few mostly legacy providers.

Whether this is a competition policy issue is a separate question; as long as the market functions fairly and companies win on product quality, I believe overwhelmingly successful companies should not be held to account for that success. Innovation potential is another consideration, and there is legitimate debate on both sides about whether market concentration is good or bad for innovation over time.

But from the perspective of anyone concerned about cybersecurity, putting 85% of your eggs in one basket is a bad idea. What happens if all the eggs break at once? Software inevitably has bugs and vulnerabilities that leave it open to compromise. There is no single gold standard for cybersecurity. Even a system that is the best available today will not stay that way tomorrow unless its defenders can anticipate and adapt faster than an adversary who is not short of resources and not bound by the same constraints.

The US government is a high-value target, and its reliance on a single vendor for 85% of its communications and collaboration software makes it an easier one. It hands criminals and state actors looking for a major vulnerability a large, uniform attack surface.

Think about how this looks to those adversaries.

Would you rather go after a very large, uniform target in a monoculture where everyone is doing the same thing on the same platform? Or an irregular, diverse landscape where not everything looks the same, where you have to understand local variation in the attack surface, and where that surface can change in different directions and at different speeds? It is not only good actors who like scale and benefit from it. Bad actors do too, and in an attack-dominated environment, certain kinds of scale favor bad actors over good ones.

It is easy to understand how we landed here, and it is not necessarily anyone’s fault. Procurement staff have long-standing vendor relationships and know how to push last year’s decisions through this year’s process. Chief technology officers and help desk staff are used to the trouble tickets and questions they are used to receiving. End users, understandably, prefer not to adjust their habits or get used to a user interface that looks different for a few days and sends them to the help menu once or twice. It is the path of least resistance. But all of this is terrible for cybersecurity: what makes every part of the system comfortable also makes the attacker’s job easier.

Things need to be a little uncomfortable to counter the downsides of inertia.

Simple tricks such as changing the color and font of security alerts make users pay attention to the dialog box instead of clicking through it without thinking. Installing new software is a teachable moment when users have to be conscious of their own configuration decisions. And experimenting with different office suites, which means extra work for the CTO and his team, is an important opportunity to assess and address vulnerabilities.

It may sound strange to argue for introducing a little more friction into digital systems. But what we are talking about here is a small upfront investment of time and energy that can save a great deal of resources later by making it harder for cyber attackers to win big.

Monoculture is an enemy of resilience.

Even if the attack surface cannot be made much smaller, it can be made less uniform and more dynamic, and therefore harder for an attacker to get a grip on.

Steve Weber works at the crossroads of technology markets, intellectual property systems, and international politics, and has published numerous books, including “The End of Arrogance: America in the Global Competition of Ideas” and “The Success of Open Source.” He is faculty director of the Berkeley Center for Long-Term Cybersecurity. He receives research funding from a number of technology companies, including Google and Microsoft.

