It's the Behavior, Stupid

As part of Bill Clinton's 1992 run for the office of President of the United States, one of his advisors gave him a pithy piece of advice that became so famous it has its own Wikipedia page:

It's the economy, stupid.

The recent scandal over highly classified material being accidentally leaked to a journalist (pick a news source you like and this scandal was covered: CNN, AP, Fox, whatever you like) is a prime example of how risky behavior is...(drum roll please!) risky.

To sum up the situation as neutrally as I can:

  1. A high US government official decided to go outside of secure channels to have a group chat
  2. That same official accidentally included a journalist in the chat (confusion over contact name?)
  3. Another official posted secrets to that group
  4. The journalist revealed that this had happened
  5. Many government officials denied that the material was sensitive
  6. To prove a point, the journalist published the material, which was indeed sensitive
  7. Many government officials denied that the material was sensitive (again)

From a Cyber Security perspective, the problem was 100% in step 1 above. It was a risky thing to do. Once you take step 1, you are implicitly assuming so many risks that it is utterly unsurprising that something bad happened. This is the nature of risk, after all: taking risks means raising the possibility that something goes wrong. Yes, sometimes (often?) you get away with it. Getting away with risky behavior does not mitigate the risk; in fact, repeating the risky behavior increases the odds that something will go wrong. The rest of the steps are less important, even step 2: once you establish a pattern of risky behavior you are in trouble, and focusing on the specific issue that arose from the general issue is rarely as useful as addressing the general problem. In other words, if using an insecure phone is the general problem, fix that. Worrying about the myriad possible bad outcomes is ineffective. If one of them had lost their phone, or had it hacked, or had their phone used by their spouse or kid, what difference would that make? Fix the root problem. Avoid risky behavior and you avoid the specific bad event automatically.

Is the Signal app, if used properly, secure? Well, yes: for most of us, who are not high government officials, the Signal app is one of our best options. However, these people, who are high government officials, have better options. But as we like to say at Pythia Cyber:

Security is inconvenient and people tend toward the convenient.

Even worse, the Signal app is pretty secure, but it is limited by its environment (in this case, unsecured personal smart phones). Want to read more? See this article.

Evaluating the Signal app as a communications method is beside the point: these guys had better options, but those options were inconvenient. These high government officials are not committed to secure communication. That is the point. Once people stop trying, disaster awaits.

This news item illustrates a number of points we try to make to our clients:

  1. Bad behavior defeats even good technology, hence our focus on behavior and technology
  2. Compliance is good, but commitment is better, because security is inconvenient
  3. Security needs to be a habit because security needs to be intact over time
  4. In Cyber Security, familiarity breeds contempt, eroding compliance

Taking risks is a necessary part of life, but taking unnecessary risks is foolhardy and taking risks out of laziness is unacceptable in a professional context. Cyber Security is Risk Management and Risk Management is largely about behavior.
