The Best Offense Is A Diverse Defense
Why diversity is cybersecurity’s best weapon
The moral case for diversity is obvious. Put simply, it is the ethical thing to do. But the business case for promoting workplace diversity is actually just as compelling, particularly when it concerns cybersecurity. Unfortunately, cybersecurity at present is not a very diverse field. And the latest figures show that it’s actually becoming less, rather than more, diverse. That must change if U.S. organizations hope to prevent, or at least mitigate, the endless stream of cyberattacks that are already underway.
Cybersecurity is a relatively new field. But with computers being ubiquitous and the Internet of Things ensuring that computers will only become more pervasive, cybersecurity has captured the attention and imagination of both heroes and villains. Unlike traditional force-protection and “hard” security measures, cybersecurity knows no borders, clocks or societal constraints. Attacks come from anywhere, anytime and from within any border. As a result, the types of attacks vary greatly based on many factors.
Those tasked with cyber defense tend to focus on more easily quantifiable qualifications like knowledge of hardware and technology. But to provide effective cyber defense, it would also be wise to take into consideration more qualitative elements like gender, language, culture, age, economic background, and the host of other traits that define humanity.
“Because there is no silver bullet in cybersecurity, no quick fix, we have to solve problems holistically,” explained Summer Fowler, then-deputy director of the Cybersecurity Solutions Directorate, a part of Carnegie Mellon University’s CERT program. “We need to deal with people, process and technology. That means we need people from diverse backgrounds who understand and relate to an array of people. And I’m not just talking about gender and ethnicity. We really need right-brain thinkers, left-brain thinkers, people who can come at these problems from very different angles.”
Fowler is not alone in her belief. The Department of Homeland Security released a similar report in December 2015 titled “The Need for Women and Minorities in Cybersecurity”:
As the cybersecurity industry continues to grow, it will be critical for organizations to diversify their workforce. Diversity encourages a culture where divergent opinions can be brought together to develop innovative solutions to solve some of the toughest problems our nation faces today. Although women today comprise more than half of the U.S. professional workforce, they only play a small role in information technology (IT)…. The lack of women in IT and cybersecurity represents a failure to capitalize on the benefits of diverse perspectives: in a world dependent on innovation, diversity can bring the best and brightest problem-solvers to the table; and at a time when technology drives economic growth, it can yield a larger and more competitive workforce. Similar to the scarcity of women in IT and cybersecurity, minorities are also underrepresented in this field. IT and cybersecurity continue to have a need for professionals with technical skills, which can be taught inside and outside the classroom.
The numbers back up these statements. In a 2013 panel on diversity in cybersecurity, the National Institute of Standards and Technology reported that only 25 percent of the IT workforce were women, and 8 to 13 percent worked specifically in cybersecurity. The statistics on Hispanics and African-Americans were worse: Only 5 percent of the cybersecurity workforce was Hispanic, and 7 percent African-American. Even with such statistics, the American representation of women, Hispanics and African-Americans in cybersecurity still exceeded that of Europe and Asia.
For many, though, the numbers present only an abstract picture. However, specific examples abound on how a diverse workforce can make a real difference in cybersecurity, such as the cyber theft of $81 million in early 2016.
The Federal Reserve Bank of New York (Fed) repeatedly received seemingly legitimate requests from the Bank of Bangladesh to wire $1 billion in differing amounts. According to the Fed, the money transfer requests had been “fully authenticated” through the international financial messaging system known as SWIFT.
Four of the requests had succeeded in transferring approximately $81 million that would later disappear and reappear in accounts in the Philippines. Why did the Fed honor only four of the numerous requests? The answer is actually a lack of diversity.
The fifth request for a $20 million transfer to a Sri Lankan account alerted the Fed. Pinged by the large number of requests, a cybersecurity official noticed the misspelled word “foundation” in “Shalika Fandation.” A lack of diversity among the Filipino hackers empowered the Fed official to uncover the larger plot, saving more than $900 million.
Without question, the stakes are high. According to a report by Hewlett Packard and U.S.-based Ponemon Institute of Cyber Crime, hacking costs the average American firm $15.4 million per year. According to “Cybercrime and the Internet of Threats,” a whitepaper by Juniper Research, nearly 60 percent of expected global data breaches will occur in North America. It also posits that, with the rapid “digitization of consumers’ lives and enterprise records,” the cost of data breaches will top $2.1 trillion by 2019.
Because of the intimate and cultural nature of cybercrime, the only effective defense is a thorough understanding of threats combined with innovative responses. That can be better achieved by creating a diverse workforce that can correctly interpret, understand and respond to such threats. When it comes to cybersecurity, the best offense is a diverse defense.