America Must Shore Up Its Psychological Cyber Weaknesses
The successful cyberattack against major American interests, announced in December 2020, has sent a strong signal about American vulnerability. The attack is alleged to be by Russia, and it will take some time to analyze the extent of the damage. However, one thing is already clear. Owing to psychological weaknesses, the U.S. is cyber-vulnerable at the highest levels; and unless there is a concerted effort to face up to the psychological issues, things are likely to get worse down the line.
When it comes to psychology, cyberattacks are similar to professional pickpocketing when it comes to victims. I learned a lot about pickpocketing from entertainer Apollo Robbins, the performer who astonishes audiences by picking their pockets in plain sight.
Robbins operates as a solo pickpocket, although many professional pickpockets work in coordinated groups. Whether done one or many, the act of successfully picking pockets involves performing an orchestrated set of tasks. The tasks comprise identifying a target and pocket to be picked, maneuvering the target into position and holding him or her in place, distracting the target’s attention, blocking the target’s view of his or her pocket while it is being picked, and then whisking away the stolen items as quickly as possible.
In essence, the cyber assailants picked America’s pockets. U.S. interests in both the public sector and the private sector have long been targets for foreign adversaries. We know something about which pocket served as the entry point for the pick. The pocket involved back door entry points in the cybersecurity supply chain, originating in Orion software widely distributed by the firm SolarWinds SWI , which had been infected by the cyber assailant with embedded code. What will take some time to understand fully, according to current media reports, is how U.S. interests were maneuvered into position, distracted, had their vision blocked, and lost valuable assets.
Psychology is a major issue in cyberattacks. The scope and magnitude of the attack, and its success, came as a huge surprise to the country. Surprises are the hallmark of overconfidence, and overconfidence is a major psychological bias. The success of the attack was also a huge disappointment for the U.S., and disappointment is a hallmark of unrealistic optimism, another psychological bias.
MORE FOR YOU
Perhaps the most important psychological issue with the recent cyberattack is distraction. Targets who are distracted focus attention on something other than the threat. What were the major cyber distractions at play during the time period of the attack? Combatting election interference from foreign countries rates high on the list, as does President Trump’s continuous assault on U.S. intelligence agencies.
One of the most best known studies in psychology documenting the twin issues of distraction and attention is the “invisible gorilla” experiment conducted by cognitive psychologists Daniel Simons and Christopher Chabris. In that experiment, subjects became so distracted by a counting task that they failed to notice that a person in a gorilla suit walked in front of them, gesticulating energetically.
Apollo Robbins has mastered the skill of how to apply distraction to pick the pockets of his audience. By chance more than design, I had the pleasure of being present at an Apollo Robbins event, and to see him in action up close. Robbins was the after dinner speaker at a gala event. During dinner, he waited on tables, an activity he used as an opportunity to study his audience, looking for targets and looking for items to extract from pockets. Over the course of the evening, he guided his targets’ attention away from their pockets as he extracted their cell phones, wallets, keys, watches, and jewelry.
What has stayed with me since watching Apollo Robbins do his magic is the fact that many of his victims knew he was planning to pick their pockets, and yet seemed powerless to stop him from doing so. They did not have the skill to resist having their attention diverted away from protecting the openings to their pockets. And so it was with America, which had its attention diverted away from the openings to its digital pockets.
In recent years, the U.S. has experienced cybersecurity failures of immense importance. A key example is the loss by the CIA of its most powerful hacking tools, which were acquired by adversaries and turned on America. How did it happen? The short answer is lax protection of those digital assets, owing to major overconfidence.
Apollo Robbins is a master of removing valuable items from people’s pockets. He is also a master at inserting items into people’s pockets, items that do not belong there. The concern from the recent cyberattack is that adversaries of the U.S. both took valuable assets and inserted code into its systems, code that does not belong there.
The U.S. military believes that future major wars will be fought in cyberspace. If so, the recent cyberattack on the U.S. does not bode well for this country, which had been relying on systems of sensors built into global cyber networks.
For readers looking for another military analogy to understand the significance of the recent cyberattack, think about how the French failed to prevent the Germans from invading their country during World War II. The French strategy was to build the Maginot line, a system of physical barriers along the French-German border that would slow any German advance. However, the Germans did not invade France by penetrating the Maginot line. They entered France through the back door, through Belgium, while the French were focusing their attention on their border with Germany. In the recent cyberattack on the U.S., SolarWinds played the role of Belgium.
America needs programs to address the presence of psychological bias in the way it manages its most sensitive digital assets. The risks of not doing so are enormous.