Human beings are creatures of habit, and digital systems have “humans in the loop” who inherently want to do things the way they always have. It’s a rate-limiting step for digital transformation, and a massive and under-appreciated barrier to improving cybersecurity.
It’s the simple human preference for doing tomorrow what you did yesterday that leads users to repeat passwords, delay installing patches, and stick with old software because they’re comfortable with it. Cyber-attackers know this behavioral inertia is often the weakest link, so they exploit it. Phishing attacks work because an email seems to come from a familiar friend or business, and fake web pages that host malware fool people because users recognize the look and feel and just click through or enter data without thinking.
It’s not just individual behavioral inertia that makes it easy for bad actors. Organizational inertia is equally a problem, and it’s often the largest organizations that are most stuck in their ways.
A recent report from Omdia and CCIA, a tech industry trade group, illustrates powerfully how procurement processes inside U.S. government agencies are falling prey to this trap. The report looks specifically at the government market for one of the more mundane and yet most important and widely used software packages — office productivity software. The market is stunningly concentrated, with Microsoft’s office suite at around 85 percent, and the rest split out between Google (12 percent) and a few mostly legacy providers.
Whether or not this is an issue for competition policy is a different question, and I believe no company should be faulted for overwhelming success, as long as markets are functioning fairly and they win based on product quality. Innovation potential is another consideration, and there are legitimate arguments on both sides about whether market concentration is good or bad for innovation over time.
But from the perspective of someone who worries about cybersecurity, putting 85 percent of your eggs in a single basket is just a bad idea. What if all the eggs break at once? Software inevitably has bugs and vulnerabilities that make it susceptible to “cracking.” There is no such thing as a single cybersecurity gold standard — and even if there were a system that reached that pinnacle today, it wouldn’t be able to stay there tomorrow, unless it could anticipate and adapt at a faster rate than its well-resourced and unconstrained adversaries.
The U.S. government is a high-value target, and relying on one vendor for 85 percent of its communications and collaboration software shines a bright light on that fact. It highlights a large attack surface and makes it too easy for criminals and state actors looking for major vulnerabilities.
Consider what it looks like to those bad actors.
Would you rather go after a very large and uniform target, with a monoculture where everyone is working on the same platform and doing the same thing? Or a somewhat more irregular and diverse landscape where not everything looks the same, and you have to understand local variations in the attack surface, which are likely also to be changing in different directions and at different rates? It’s not only good actors who like and benefit from scale. It’s bad actors, too, and in an offense-dominant environment, certain kinds of scale are better for bad actors than good ones.
It’s easy to understand how we landed in this place, and it isn’t necessarily anyone’s fault. Procurement officers have standing relationships and know how to process the same decisions that they made last year through the system this year. Chief technology officers and support desk personnel become comfortable with the trouble tickets and questions they are used to receiving. And end users have it easy — they don’t need to adjust their habits or get familiar with a user interface that might look different for a couple of days and require a visit or two to the help menu. It’s the path of least resistance. But all of this is terrible for cybersecurity, because what makes all these parts of the system comfortable is exactly what makes it easy for attackers.
We need to make things a little less comfortable to break up the downsides of inertia.
Simple tricks like changing the color or the font of a security warning gets users to pay attention, rather than just click mindlessly through a dialogue box. Installing a new piece of software is a “teachable moment,” where users have to become conscious of the configuration decisions they make. And, in this case, experimenting with different office suites means extra work for the CTO and her team, but it’s a crucial opportunity to evaluate and address vulnerabilities.
It may sound strange to argue for introducing a little more friction into digital systems. But what we’re talking about here is a small up-front investment of time and energy, that can save significant resources down the road by making it harder for cyber-attackers to win big.
Monoculture is the enemy of resiliency.
We may not be able to reduce the size of the attack surface much, but we can certainly make it less uniform, more dynamic, and thus harder for attackers to dominate.
Steve Weber works at the intersection of technology markets, intellectual property regimes, and international politics, he has published numerous books, including “The End of Arrogance: America in the Global Competition of Ideas and The Success of Open Source,” and serves as the faculty director for the Berkeley Center for Long Term Cybersecurity. He works with and receives research funding from a number of technology firms, including Google and Microsoft.