The Petraeus Affair: Human Nature Beats IT Security Every Time

The unfolding scandal with former CIA Director Gen. David Petraeus (ret.) and the crazy cast of characters who seem to have bumbled their way from positions of power and opportunities for greatness is at once a tale of human weakness - and also a reminder of why there will always be a need for IT security improvements. Because at the end of the day, even the smartest, most accomplished human beings can be as dumb as a box of rocks.

Man vs. Machine: Dumb & Dumberer?

Something I tell my students at the start of every semester is a line borrowed from novelist Diane Carey, which goes something like "you know why they don't put legs on a computer, right? Because they will walk off a cliff if you tell them to." The idea is to make them feel less intimidated about the software with which they're about to work and point out the very real notion that computers are ultimately stupid. They will do only what you tell them to, and you have to explain it in hyper-literal terms.

But as literal and limited as computers are, there are times you have to wonder about the humans who created them and work with them every day.

The ongoing revelations surrounding Gen. Petraeus, Paula Broadwell, Jill Kelley, Gen. John R. Allen and the rest of the cast of high-profile characters show an unfortunate situation that will undoubtedly cause harm to many families and careers. But from an IT security standpoint, they also show just how careless anyone can be when it comes to technology practices and policies.

That may seem nitpicky in the face of everything else that could have potentially gone wrong in this scenario - political extortion, loss of state secrets and even assets' lives - but the fact that communications of this nature were being conducted over any electronic network, let alone a public cloud service like Gmail, only proves my point: No matter how much you try to drill security into your co-workers and families, human nature can always countermand common sense, and security measures will be rendered worthless.

The Art of Conversational Hacking

Convicted hacker Kevin Mitnick has made an art form out of social engineering because of this very principle. No matter how many rules are in place, people don't believe they are dumb enough to fall for something that could cause a security breach. And if they're doing something they shouldn't, they never think they are going to get caught.

Having an extramarital affair is a rather extreme example of IT misuse, but it's not uncommon. More mundane examples would include opening a weird email attachment even after skimming over the latest security directive from the IT Department, or leaving the company laptop sitting at the coffeehouse table for just two seconds while you run up to the counter for more vanilla in your coffee.

Innocuous situations like these can often be just that - innocuous. But they can just as easily turn into an opportunity for someone to access your data and devices. Nothing is invulnerable; everything can be hacked given time and resources. But many people seem intent on making things easier for the bad guys.

Watch Yourself

This is not me encouraging you to be even more diligent if you're sleeping around. There's a better solution for that, like, oh, not sleeping around. But this Petraeus situation is yet another example of human boneheadedness in the national news that cannot be ignored. These are pretty smart people, by all indications, yet here they are getting caught doing dumb things.

And if they could be so careless when they were actually trying to hide something from the public eye, think about how easily mistakes get made when all someone is doing is carrying on with their daily business.

Real diligence is being more careful with the way you communicate, exchange and hold information. We all want to trust those around us, but there are times when you should question why someone is asking you for something out of the ordinary, sending you an uncharacteristic email or looking so intently at other patrons' computers in the coffeehouse.

Will this lesson take hold? Perhaps, in isolated cases. But given the number of affairs discovered on social networks and the number of reported data breaches we hear about almost every day, security experts will never be out of a job.

 

Image by Darren Livingston, courtesy of the CIA.