Russian President Vladimir Putin speaks at the International Cybersecurity Conference in Moscow in July 2018. Kremlin photo

Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University with a concentration in Curriculum, Teaching, Learning, and Leadership. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.

There is a topic that bothers me when it comes to discussing cybersecurity and people needing a use case, or example, to make a point. There is a tendency to use “China” or “the Chinese” or “the Russians” as examples of malicious computer actors. Cybersecurity is a global problem and no organization or person in any country is immune to identity theft, intellectual property theft, or experiencing a data or computer breach.

I am perturbed when I hear organizations that provide cybersecurity services often use “China” or “the Chinese” as examples of malicious actors. It only ingrains in people that people of Chinese or Asian descent can’t be trusted, or be trusted when they are seen using a computer or accessing public services. Just like biases and racist beliefs that become part of our everyday vernacular, people may not realize they are offending or objectifying an entire race of people, someone’s spouse or best friend.

The Snowden leaks show the NSA, a U.S.-based government agency, tapped into the data links of Google and Yahoo, which are U.S.-based companies. U.S. administrations, past and present, have all discussed banning purchases of some Chinese-based hardware technology. There are certainly case studies that demonstrate back doors have been injected into hardware technology destined for the U.S., though we have direct evidence from the Snowden leaks of the U.S. doing the same. The Snowden leaks show how U.S.-based organizations are just as capable as any other country’s government organization of being malicious actors. Espionage, identity theft, and intellectual property theft are not new; the internet only allows a different method of performing these activities with lower costs, lower risks, and with some anonymity.

My concern with these ethnocentric views held by managed security providers (MSPs) is whether they can be objective in monitoring computer systems for other organizations, or whether cybersecurity professionals can be objective in monitoring their own organizations. Their biases could lead them to be so focused on looking for traffic from specific countries that they miss cyberattacks from other countries or their organization’s competitor.

I recall an MSP that monitors the network for an organization and the point of contact routinely mentioned China in discussions on cyberattacks. One day while reviewing some logs for the organization they monitor, I observed “SUCCESSFUL” logins that originated from a country other than China. The MSP did not generate an alert to the organization. How did the MSP miss it?

One reason is that the MSP puts heavy emphasis on countries that the U.S. has embargoes on. It didn’t take but a few seconds of visually reviewing the logs to see that anomaly, though the MSP has multiple analysts and a lot of computers analyzing the data to detect anomalies. The login turned out to be legit because the employee was in the country where the login occurred. I would consider that an anomaly since the person who authenticated was from the U.S. and doesn’t usually access email from that country of origin.
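The gap described above, as an added example that is not part of the original column: a country-watchlist rule next to a per-user baseline rule, run over constructed login events. The event format, the placeholder country codes XA and XB, and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample auth events: (user, country code, result). Not real log data.
EVENTS = [
    ("alice", "US", "SUCCESSFUL"),
    ("alice", "US", "SUCCESSFUL"),
    ("bob",   "US", "SUCCESSFUL"),
    ("bob",   "CA", "SUCCESSFUL"),
    ("bob",   "CA", "SUCCESSFUL"),
    ("alice", "XA", "FAILED"),      # watchlisted origin, failed attempt
    ("alice", "XB", "SUCCESSFUL"),  # new country for alice, not on the watchlist
    ("bob",   "CA", "SUCCESSFUL"),
]
WATCHLIST = {"XA"}   # hypothetical country-focused rule
BASELINE_EVENTS = 5  # the first N events are treated as known-good history


def watchlist_alerts(events, watchlist):
    """Country-focused rule: alert only on events from listed countries."""
    return [e for e in events if e[1] in watchlist]


def build_baseline(events):
    """Map each user to the countries they have successfully logged in from."""
    seen = defaultdict(set)
    for user, country, result in events:
        if result == "SUCCESSFUL":
            seen[user].add(country)
    return seen


def baseline_alerts(events, baseline):
    """Origin-agnostic rule: alert on a successful login from a country new to that user."""
    alerts = []
    for user, country, result in events:
        if result == "SUCCESSFUL" and country not in baseline[user]:
            alerts.append((user, country, result))
            baseline[user].add(country)  # alert once, then learn the location
    return alerts


def compare(events=EVENTS):
    """Return (watchlist alerts, baseline alerts) for the events after the history window."""
    history, live = events[:BASELINE_EVENTS], events[BASELINE_EVENTS:]
    return watchlist_alerts(live, WATCHLIST), baseline_alerts(live, build_baseline(history))


if __name__ == "__main__":
    by_watchlist, by_baseline = compare()
    print("watchlist rule:   ", by_watchlist)
    print("per-user baseline:", by_baseline)
```

The watchlist rule reports only the failed attempt from the listed country, while the baseline rule reports the successful login from a location the user has never used, whatever that location is.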

Biases can hinder our ability to detect some cyberthreats. Because there are no frameworks to determine the likelihood of any given organization being victimized by a cyberattack, we rely on intuition, which is influenced by our biases. To be effective cybersecurity professionals and provide a holistic view of our network security, assess risk, and monitor for signs of a cyberattack, we need to suppress our biases. We need to be present and observe what the events being generated by our computers are indicating, regardless of the origins of the event. Cyberattacks can come from anywhere, be initiated by anyone, and not originate in only one or a few countries. If you are working for an organization that offers public internet services, you have to expect internet visitors from anywhere. As cybersecurity professionals, we should be mindful of biases, and when discussing cyberattacks, we should speak generally and suppress ethnocentric viewpoints.
