Former Director of the Operations Directorate, NSA/CSS
Network vulnerabilities come in many forms and as a result, there is a growing industry to discover those vulnerabilities and develop solutions to mitigate them. But there is one vulnerability that we are not addressing sufficiently - one that all networks have in common and affects how networks are designed, developed, implemented and used. That vulnerability is us.
Human behavior is at the heart of the entire life cycle of networks. We must find a way to comprehensively mitigate this vulnerability and although we can’t devise a perfect solution since people are imperfect beings with different interests, when it comes to capabilities and behaviors, we can, and must, do better.
Let’s start at the beginning. The time is right for a national cybersecurity education campaign, not just in elementary schools, but also in high schools, colleges, tech schools and workplaces, not only to grow cybersecurity literacy and awareness, but also to grow our nation’s cybersecurity capability and depth at all levels of society.
Basic cybersecurity awareness is rapidly becoming a necessary life skill for everyone who uses network-connected devices which, let’s face it, is all of us. Aside from building awareness, a concentrated education campaign will also help accelerate the growth of cybersecurity skills and capacity.
Hardening, managing and monitoring networks is absolutely critical, and government, industry and academia are investing millions of dollars, if not more, to do just that. It’s essential investment and risk management for any network owner. Much of this is out of the hands or even the view of network users, which is a good thing. Leave the complicated “technical stuff” to the pros and make the network user experience as friendly and simple as possible. But cybersecurity capabilities being user friendly does not mean they are not susceptible to flawed human behavior that could render moot the technical solutions.
Organizations are investing in cybersecurity awareness training for employees. Many are also putting in place accountability measures if an employee is found to not be following appropriate cybersecurity procedures. But despite this, how many times have we heard that a particular cyberattack could have been avoided if someone had resisted the urge to click on that phishing link?
Given the increasing interconnectedness of our world, we need our entire population to understand cybersecurity risk and awareness. It needs to be foundational to how we operate on a daily basis, not that “technical stuff” that is left to the “technical folks,” but something that is fully integrated into operational, risk management and investment decision making. It needs to be “baked into” the thought processes of every individual at every level of an organization.
Unfortunately, this mindset is not widespread across our nation and will not occur overnight. This is why we need to take the long-term view. Investment in today’s elementary school students is investment in tomorrow’s CEOs, government and academia leaders who will be making decisions affecting our way of life.
Cybersecurity is not a government, industry or academia problem, but a whole-of-society problem. While significant progress has been made over the last several years, we must do more. Let’s get serious about addressing the enduring cybersecurity vulnerability posed by humans so we can be better postured throughout our society and protect our way of life. Let’s understand our biggest cyber vulnerability and address it.
Mr. Darby is a CIG Expert and nearly 39-year veteran of the U.S. Intelligence Community, primarily in the National Security Agency (NSA)/Central Security Service (CSS), culminating in serving over four years as the NSA/CSS Director of Operations (DO). Prior to assuming the DO position, which oversees all of NSA’s collection, code-breaking, analysis and production of signals intelligence (SIGINT), he led some of NSA’s most difficult missions. He managed a budget in the billions, drove development and use of advanced technologies, and in multiple positions led thousands of globally distributed civilian and military personnel providing intelligence support.