Kitten cat. Getty Images/iStock/Voren1The news today often contains reports about cybersecurity breaches that steal our data or threaten our national security. The nation spends billions of dollars on cybersecurity measures, and yet we seem unable to get ahead of this problem. Why are our computers so hard to protect?
Recent experience with a house cat provided insights into the nature of this problem. I am allergic to cats. My daughter came home, cat in hand, for an extended stay, and I had to find a way of confining Pounce to a limited area. However, as many cat parents would have known (though I did not) - this was doomed to be a losing battle.
Everything that I tried to confine Pounce worked for a little while but eventually failed as he found a way past my newest security barrier - just as hackers eventually find their way through the cybersecurity barriers erected to stop them.
I have the advantage of unlimited material resources compared to those available to the cat - I am presumably smarter than a cat, I have greater manual dexterity, and I'm a higher mammal who knows how to use tools. So why did I lose this battle so decisively?
Here are some of the cybersecurity lessons that became clear from my ordeal.
- To succeed against a determined attacker (Pounce was very determined), I have to be willing to go all in sooner rather than later. Even then, my victory may not be entirely decisive. But what certainly won't work is to deploy security measures that will minimally do the job because I am too lazy to do the full monty at the beginning.
- Pounce has the advantage of unlimited time, and he tries until he succeeds. It may take a few days, but eventually he does. Moreover, Pounce only needs to succeed once to get out. Every one of my confinement measures needs to work to keep him confined.
- Greater material resources and more intelligence do not necessarily overcome the huge advantage of Pounce's ability to make an unlimited number of attempts to circumvent my barriers. If he fails on any given attempt, he incurs no penalty.
- My defensive measures succeeded completely until they didn't. That is, it looked like I was winning the battle to confine Pounce right up until the moment I saw Pounce outside the confinement area. And this happened repeatedly. So, I was often lulled into a false sense of security.
- Being able to take Pounce's perspective would have helped me immensely in crafting defenses. But viewing the world from eyes at a 6-inch height from the floor would have been very difficult for me, and so I didn't do it. He thus saw ways of circumventing or destroying my defensive measures that I did not see.
- Manipulating people can be more powerful than any technical defenses - what in the cybersecurity world is called social engineering. When Pounce mews and looks into my daughter's eyes, my daughter just opens the door to the confinement area and he walks out. He was often successful in turning her loyalties. In cybersecurity lingo, my daughter was a "trusted insider" who went rogue.
In the end, I "won" the battle when my daughter moved out, taking Pounce with her. There, too, is an important cybersecurity lesson: Without a computer to be compromised, cyberattacks are not feasible, so don't use computers when they are not necessary. My toothbrush and refrigerator work just fine without high-tech communications capabilities, thank you, and I would really prefer not to incur any more cybersecurity risks.
Herbert Lin, the Hank J. Holland Fellow for cyber policy and security at Stanford University, is the author of "Cyber Threats and Nuclear Weapons."
The Los Angeles Times