Avoiding Collateral Damage: Protecting people, not just systems

28 May 2013   Armageddon in Cyberspace: Avoiding Collateral Damage: Protecting People, not just systems   Professor M. Angela Sasse     I am a Professor of Human-Centred Technology at University College London, and if you talk about the history of the Internet, something that most of you may not know is that UCL has been on the Internet since 1975. It was the sixteenth site on the Internet, the first outside Europe, and so, I come from a Department where we are very keen and very interested in protecting the heritage of what we have built. Now, I have not been there quite since 1975, but I joined in the early-1990s and, to some extent, I really can empathise with what Ben was saying because I still remember very well, when I joined in 1990, basically working on the kind of technologies, voice-over-package-switch networks, so we were already doing Skype, with video and things in the early-‘90s, and you know, this is now something that is pretty much at everyone’s fingertips, and it is very much becoming very much part of our lives and our fabrics, and we can not really separate what we are trying to get done on a day-to-day basis from these technologies anymore.    So, I think there is one curious aspect that is connected to this evening’s topic, where I actually see very little progress at all, and that worries me, and I think this is something that has to change.   Just to do a little test, could you put your hand up if you have no problem whatsoever with passwords and security measures that you need to use your technology?   Okay, I get like one, two, three, four, five. Any of you who have got their hand up at the moment, is it because you do not use any technology that requires passwords…?   Right. So we can say the vast majority of you struggle with this. Now, I have been working on this since the mid-‘90s, and I was working on that wonderful Internet technology. We collaborated with British Telecom, as it was at the time, and so they knew me as somebody who works and looks at the people side of it and tries to figure out if something is difficult to use – you know, why people struggle to understand how to use something correctly. They called me up and they said, “Could you look at this problem that we have got?” and I said, “What is the problem?” and they said, “Well, the problem is these stupid users ca not remember their passwords, and we would like you to do a study to work out why that is.”  So, I did the study, and the answer was very simple: because you are asking them to do something that is not humanly possible to do. You know, the employees that I was looking at, at the time, had between sixteen and 64 different passwords, six-digit pins, they had to change them every 30 days, and of course, you cannot use the name of your girlfriend or your dog or whatever – it has to be something that nobody could possibly attribute any meaning to.     If you go and speak to a psychologist, they will tell you that human memory is not constructed that way, that we can only remember things we use very regularly, and that we can deal with meaningful things much better than non-meaningful things, and that if you have lots of similar items in your head, they are competing with each other and you are just going to have an awful time.   That was what was happening to the employees in the company, at the time, and what you could observe as a consequence of this was that, of course, nobody was following the rules and they felt completely justified in doing so because they were being asked to do something that is impossible, right? If somebody asks you to comply with a set of rules that it is impossible to comply with, you do not do it – you create workarounds. So, the simplest one is you just write the passwords down on a post-it, and stick them on the screen…     And in fact, you know, you can still observe this one quite widely, and today, I mean, this has continued. It is continued now to the point where I have seen two examples where, at the AGM of major companies, the brochure basically had to be hastily withdrawn and pulped because they had asked a photographer to come in to take pictures of happy employees at work and they ended up printing pictures of whiteboards with the main server passwords written on them.   So, this is still going on. Everybody is still doing these workarounds which create what we in computer security call vulnerabilities that are of course a gift to anyone who is looking for ways of attacking it.   I think what also is true, part of the complexity problem that Ben alluded to is that most users do not actually understand exactly what the threats are that they are facing. They say, “I am not famous, I do not have millions of dollars – why would anyone bother to attack me?” and the answer is they are not necessarily interested in you, they are interested in hijacking your machine or they are interested in trying to attack the bank that you are a customer of or the company that you work for, and your machine will do as nicely as an entry point as anyone’s, so you do not need to be famous.   What was actually happening in the company at the time, there was this military vocabulary  that kept coming back at us in this space all the time, right? When Ann and I wrote this paper about it, we called it “Users are not the Enemy” because what was happening in this company at the time was that there was a state of war. The Security Department said “You have to do x,” the users said, “Not possible, so, you know, we will basically break the rules,” and then the Security Department would threaten more and more sanctions and more punishment for not following the rules, but as a result of this, the people working there, if you asked them what security was about, they would say, “It is just a pain in the neck – it is something they make us do to stop us from getting our work done.” Nobody actually there thought that security was valuable, that it was something that everybody should do and get on–board with, and what really worries me is that I think that really has not changed very much in the past fifteen years.    What I have learned over the last fifteen years, looking at this, is that this happens all the time and everywhere. At the end of the day, security is not what motivates us. You know, we do not get out of the bed in the morning thinking like “I want to be really secure today and what will make me happy at the end of the day is if I have felt really secure.” So, we are trying to get other things done, and if security is difficult, guess what, people will do these kind of workarounds, and my concern is that I think the technologists are not getting it. They still are not getting it and if you look at the cartoons they make, we have generated all these like encryptions, firewalls, anti-virus software, etc. etc. and in this corner, we have Dave, right and Dave very clearly is like a slob, fat, and stupid.   The technology industry is still portraying people as stupid because they are not complying with all the security measures they are being told, but I think that if anybody is being stupid here, it is those technologists and that industry because they have to realise that the kind of things you have to ask people to do for security is something that has to be manageable. So, you cannot create a huge amount of workload and complex systems and rules that people cannot understand, if you want them to follow it. To me, as far as I am concerned, yes, the Internet is very much entwined in our lives. It is a utility, and what I would want to see from computer security is something that is manageable, that is like water, I do not have to constantly do my own tests on the water that comes out of my tap, right? And the electricity I get supplied, as long as I do not tamper with it, is safe to use – I would have to do something really stupid, like stick a fork in the socket, you know, for it to endanger me! And that is what I think the internet should be.     Instead of telling millions of users, who frankly do not have a snowball’s chance in hell of distinguishing between a genuine anti-virus checker and a piece of malware, instead of telling them to download and install the virus checkers, I would like the Internet service providers to do this for us, or the mobile company. They should provide us with something that is safe at the point of use. They have economies of scale. They can get it at a much better price than we can. They have the expertise to check whether it really is an anti-virus checker or a piece of malware.   Finally, I also think we need processes that are less complicated. If people are encountering a problem, they need to know where to go – you know, where do I report this? I mean, we have, only after lots of struggle, gotten to the point that we have an eCrime Unit where people can report these kind of things. So, I think we need much simpler, clear rules that people can follow, and if something goes wrong, where they can go. In an age where the Government would like to save lots of money by everyone transacting with them online, you need to also accommodate all the people who have not grown up with the Internet in their pocket.   I think the final point is, also, we have a very poor understanding at the moment who is actually in charge here, and who is in charge of what, and we need to make much clearer who is the authority and who will tell us when there is a problem and when we should maybe stop doing certain things. Who would you believe, you know? One of the easiest things you can do if you are in a conflict is to erode the confidence of the population in a country and start them to tell that things are going really badly and that your government is not in control anymore.   I think this is coming to one of my final points, what is being overlooked. At the moment, we do not know whom to trust. You can look at a website and you think is this really Marks & Spencer’s or John Lewis or is this somebody who is trying to just steal my credit card details and pretending? It is really hard for the ordinary user to figure this out, but we need to be able to trust. One of the things we can learn from economics is that successful societies, economically successful societies, are the ones where there is trust, where we do not have heavy-handed security measures at every stop, that they are starting to cost us lots of money and that stifle things such as goodwill and creativity.   Who said “Trust is good, control is better”? Can anyone remember that?   It was Lenin actually who said that.     A lot of control also costs a lot of money. So, we need to have something that is trustworthy and where we can get on, where phishing and social engineering attacks are less likely to succeed.  Partly, this is due to deregulation. You know, when we only dealt with one entity, such as British Telecom for our telecommunications, and a water company for that was much easier than when you have got fifteen competitors in each space. Each of them have got their own ID coming to your door and claiming to be from one of those. You know, that complexity is what I think we have not learned to manage.   So, our current technology and processes are not currently sufficiently robust against impersonation and I think that has to change.   I just wanted to point out that, very ironically, one of the founding fathers of what we today call computer security, a guy called Kerckhoffs. He built the first system for encrypting transmissions between two, and he wrote six principles for having a properly secured system, and what I think is very ironic, if we see that how current IT security people are struggling to give us something that is manageable and useful, is that three out of his six principles were “You must make it work for the people that are involved, so it must be easy to communicate and remember the keys…”  You know, just put “passwords” instead. “The system must be portable and not require more than one person,” and, finally, regarding the circumstances in which such a system is applied, “It must be easy to use and neither require stress of mind nor the knowledge of a long series of rules.” I think that is what we need to get back to if we want to protect the Internet, cyberspace, effectively, with all the limitations that the human, the wet-ware as we often say, brings to it.     © Professor M. Angela Sasse 2013