Human Behavior: The Missing Element of the Biden Cybersecurity Executive Order

On May 12^th, in the aftermath of the SolarWinds cyber-attack, President Biden signed an Executive Order (EO) to strengthen the United States’ cybersecurity infrastructure and practices. The order covered a broad list of topics, including new policies, processes, and technologies to strengthen the security of Federal and private assets. However, conspicuously absent was discussion of how to improve the first line of defense: the people who operate digital systems. According to the Verizon Data Breach Investigation Report, humans have been the most popular attack vectors for hackers over the past year. In fact, 85% of breaches involved a human element. Yet, this element of cybersecurity went largely unaddressed in the order.

The EO from the President’s desk includes sweeping technical and process-oriented changes designed to strengthen America’s cybersecurity system. From accelerated migration to secure cloud services to network segmentation and network data and log analysis, the priorities outlined in the Executive Order would likely improve America’s ability to predict, prevent, protect, and respond to cyber threats. But it is a potentially dire mistake that the most significant vector for attack – users’ own un-secure behavior – is not paid more attention. Neither user training and awareness programs nor research into behavioral security are mentioned in the Executive Order. In fact, in a search of the EO, the word “people” appears just once, and “training” is only used three times, primarily in the context of establishing a training program for updated technologies and ensuring it is made available to all federal employees. As the order expands the federal government’s digital risk perimeter – i.e. the size of the government’s digital footprint – the first guardians are not the AI tools nor the threat detection services, but the users who decide how to address what these tools discover.

Humans are under constant manipulation online, where they are subjected to self-learning algorithms, behavioral triggers, and curated content that influence their decision making. Cyber criminals utilize these existing vectors of psychological manipulation to attack users, gain their trust and eventually penetrate secure networks to execute attacks. An indicator of how successful this approach has been is the 11% increase in successful phishing attacks between 2020 and 2021. In total, the tactic accounts for 36% of data breaches, according to the Verizon Data Breach Investigation Report, 2021. Furthermore, the increasing digital load on users has been known to prevent them from executing their work properly (Bada & Nurse, 2020). However, the biggest concern for cyber professionals is how users behave in the digital environment.

Users often have trouble believing that they could actually suffer from a cyber-attack and are consequently less rational in their approach toward online decision making (Bada & Nurse, 2020). This irrational behavior opens them up to a host of social engineering attacks that are usually step one in more complex cyberattacks. Additionally, as more and more user data becomes available online, hackers can build better estimations of their targets’ behaviors and responses. This data can be weaponized by AI algorithms for even more dangerous and targeted spear phishing campaigns.

Given the evolving realities of cybercrime, the Executive Order’s lack of focus on behavioral training and research will reduce the impact of the solutions it does propose. More tools and processes do not necessarily add protection. In fact, the problem of un-secure user behavior may be compounded with all the additional tools, processes, and policies with which users must contend. Cyber security is as much or more a human problem as it is a technology or process problem, and weaknesses in one arm of this trio undermines the effectiveness of the other two. The EO focuses on training programs to educate users on improved technologies and processes, and that is definitely a good thing. However, without affecting behavioral changes, the order cannot fully yield the desired impacts. There must be a concentrated effort to study user behaviors for potential areas of exploitation and to design methods that change them for the better. Without which, it is not beyond the realm of imagination that another “solarwinds123” password could collapse a critical federal system again in the near future.