Inertia is the enemy of cybersecurity | The Hill

Human beings are creatures of habit, and digital systems have “humans in the loop” who inherently want to do things the way they always have. It’s a rate-limiting step for digital transformation, and a massive and under-appreciated barrier to improving cybersecurity. 

It’s the simple human preference for doing tomorrow what you did yesterday that leads users to reuse passwords, delay installing patches, and stick with old software because they’re comfortable with it. Cyber-attackers know this behavioral inertia is often the weakest link, so they exploit it. Phishing attacks work because an email seems to come from a familiar friend or business, and fake web pages that host malware fool people because users recognize the look and feel and just click through or enter data without thinking.

It’s not just individual behavioral inertia that makes it easy for bad actors. Organizational inertia is equally a problem, and it’s often the largest organizations that are most stuck in their ways.

A recent report from Omdia and CCIA, a tech industry trade group, illustrates powerfully how procurement processes inside U.S. government agencies are falling prey to this trap. The report looks specifically at the government market for one of the more mundane and yet most important and widely used software packages — office productivity software. The market is stunningly concentrated, with Microsoft’s office suite at around 85 percent, and the rest split out between Google (12 percent) and a few mostly legacy providers.

Whether or not this is an issue for competition policy is a different question, and I believe no company should be faulted for overwhelming success, as long as markets are functioning fairly and they win based on product quality. Innovation potential is another consideration, and there are legitimate arguments on both sides about whether market concentration is good or bad for innovation over time.

But from the perspective of someone who worries about cybersecurity, putting 85 percent of your eggs in a single basket is just a bad idea. What if all the eggs break at once? Software inevitably has bugs, some of which are exploitable vulnerabilities, and when everyone runs the same software a single exploitable flaw reaches every deployment at the same time. There is no such thing as a single cybersecurity gold standard. Even if there were a system that reached that pinnacle today, it wouldn’t be able to stay there tomorrow, unless it could anticipate and adapt at a faster rate than its well-resourced and unconstrained adversaries.

The U.S. government is a high-value target, and relying on one vendor for 85 percent of its communications and collaboration software shines a bright light on that fact. It highlights a large attack surface and makes it too easy for criminals and state actors looking for major vulnerabilities.

Consider what it looks like to those bad actors.

Would you rather go after a very large and uniform target, with a monoculture where everyone is working on the same platform and doing the same thing? Or a somewhat more irregular and diverse landscape where not everything looks the same, and you have to understand local variations in the attack surface, which are likely also to be changing in different directions and at different rates? It’s not only good actors who like and benefit from scale. It’s bad actors, too, and in an offense-dominant environment, certain kinds of scale are better for bad actors than good ones. 

It’s easy to understand how we landed in this place, and it isn’t necessarily anyone’s fault. Procurement officers have standing relationships …….

Source: https://thehill.com/opinion/cybersecurity/580383-inertia-is-the-enemy-of-cybersecurity
