It’s All About Trust

Yaacov Apelbaum-Trust me

Mata Hari and her bridesmaids (Robert Hanssen and Aldrich Ames)

Over the years, I’ve had this recurring conversation/argument with cyber and intelligence practitioners regarding the trust lifecycle. The crux of it revolves around how you go about effectively assigning, monitoring and adjusting individual trust levels. Most of us, when questioned about trust, will tell you that it’s made up of behavioral elements like:

Indeed, these are all distinct and recognizable traits, but how can we use them to design complex security solutions? After all, how do you code a function that checks if a user has a hidden agenda?

In order for these social concepts to be of any use, we need to understand the nature of trust; we must go beyond the simple question of good and evil. Under the microscope, trust exhibits the following four characteristics:

  1. It’s transferable—We assign a higher degree of trust to individuals who come recommended by people we already trust.
  2. It’s inheritable—We tend to trust a relative of a trusted friend.
  3. It’s socially derived—We tend to trust individuals who share our cultural, social, or political heritage and network.
  4. It’s cumulative—We tend to increase our trust levels in individuals who have previously proved themselves trustworthy.

These evaluation principles (which are essentially deterministic Turing tests) work very well in social relationships but frequently fail in complex security environments. The source of the problem is that most of us instinctively classify the world into “friend,” “foe,” or “unclassified TBD” categories. We also like to believe that once categorized, the subject in question will indefinitely conform to our classifications and expectations. This tendency is hardwired into our evolutionary decision-making process and, to a large degree, also forms the basis for many irrational behaviors like racism and antisemitism.

After conducting numerous security sweeps, penetration tests, and postmortems on breaches, I have come to conclude that most individuals—given the right opportunity and motive—could spontaneously flip the color of their hat.

The concept of credential-based security (that is, non-expiring clearance) is reminiscent of cheese, especially the cheap Swiss variety, the one with too many holes. Now, don’t get me wrong, I have the same tolerance for curious mice as the next guy, but the textbooks are full of big rats that were—paradoxically—supposed to guard the cheesy comestibles, not eat or sell them! Recall that Aldrich Ames, Robert Hanssen and Kim Philby, just to name a few, each had the highest top-secret clearance and all the right personal and social attributes. Philby actually wrote the chapter dedicated to Counter Espionage Methods in the SOE spy training manual used at Camp X.

So ultimately, it’s not the rogue, external, bloodthirsty anarchists or money-hungry crackers one needs to worry about. Rather, it’s the trusted senior employees responsible for the daily maintenance, administration, and security of the corporate resources. This could run the gamut from as high as the CISO who spies on the CEO’s email all the way down to the DBA who is running SELECT statements on the HR compensation database.

The lesson that I have learned from all of this is that most people, regardless of how trustworthy they seem, cannot be completely trusted at all times.

And you can trust me on this one.
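The four characteristics above, together with the objection to non-expiring clearance, as a toy scoring model (an added example, not the author’s code): social trust flows through endorsers, relatives and shared networks, behavioural trust accumulates from audited in-role actions but decays and is revoked by a recent out-of-role one, while a one-time clearance never changes. The weights, half-life, threshold and the “mentor”/“insider” scenario are constructed assumptions.

```python
from dataclasses import dataclass, field

HALF_LIFE_DAYS = 180.0      # assumption: how fast old evidence stops counting
REVOKE_WINDOW_DAYS = 30     # assumption: an out-of-role action this recent zeroes trust
THRESHOLD = 0.6             # assumption: minimum trust needed to keep access

@dataclass
class Subject:
    name: str
    cleared: bool = False                          # one-time clearance granted at hire
    groups: set = field(default_factory=set)       # socially derived: shared networks
    endorsers: list = field(default_factory=list)  # transferable: who vouches for them
    relatives: list = field(default_factory=list)  # inheritable: kin of trusted parties
    events: list = field(default_factory=list)     # cumulative: (day, in_role) audit entries

def static_clearance(s):
    """Credential-based model from the post: once granted, trust never expires."""
    return 1.0 if s.cleared else 0.0

def social_trust(s, registry, our_groups, depth=0):
    """Rules 1-3: endorsements and kinship pass trust along (weakened per hop,
    cut off after two hops); each network shared with the evaluator adds a little."""
    if depth > 2:
        return 0.0
    score = 0.25 * len(s.groups & our_groups)
    score += sum(0.6 * social_trust(registry[e], registry, our_groups, depth + 1) for e in s.endorsers)
    score += sum(0.3 * social_trust(registry[r], registry, our_groups, depth + 1) for r in s.relatives)
    return min(score, 1.0)

def behavioural_trust(s, today):
    """Rule 4 (cumulative), but decaying: each audited action counts less as it ages;
    an out-of-role action (the DBA reading HR compensation) costs ten times what an
    in-role action earns, and a recent one revokes trust outright."""
    score = 0.0
    for day, in_role in s.events:
        age = today - day
        if not in_role and age <= REVOKE_WINDOW_DAYS:
            return -1.0
        score += (0.05 if in_role else -0.5) * 0.5 ** (age / HALF_LIFE_DAYS)
    return score

def live_trust(s, registry, our_groups, today):
    total = social_trust(s, registry, our_groups) + behavioural_trust(s, today)
    return max(0.0, min(1.0, total))

def demo():
    """Constructed scenario: a vetted, well-endorsed admin who flips after a year."""
    ours = {"counterintel", "ops"}
    mentor = Subject("mentor", cleared=True, groups={"counterintel"})
    insider = Subject("insider", cleared=True, groups={"ops"}, endorsers=["mentor"],
                      events=[(d, True) for d in range(0, 400, 20)])   # 20 good actions
    registry = {"mentor": mentor, "insider": insider}
    before = live_trust(insider, registry, ours, today=390)
    insider.events.append((395, False))   # constructed out-of-role query on day 395
    after = live_trust(insider, registry, ours, today=400)
    return {"static": static_clearance(insider), "before_flip": before, "after_flip": after}
```

The static clearance stays at 1.0 throughout, while the live score passes the threshold on the strength of a year of audited behaviour and drops to zero the moment the out-of-role action appears in the audit trail.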

Trust
Oh, trust, thou fickle, fleeting muse,
A double-edged sword we cannot refuse.
We build you on traits—honesty, care,
Promises kept, intentions laid bare.

Yet in the shadows, a treacherous game,
Mata Hari dances, igniting her flame.
With bridesmaids Hanssen and Ames by her side,
The trust we bestowed, so often denied.

The CISO spies, the DBA queries,
The cracks in the armor are all too eerie.
Credentialed guardians, cheese-holed and frail,
Are the very reasons our defenses fail.

For trust, though transferable, fails the test,
When a friend of a friend betrays the rest.
Inheritable ties, so easily snared,
By networks and politics cunningly bared.

It’s cumulative, yes, but never immune,
To the hat-flipping motives that change with the moon.
A trusted hand can flip on a dime,
And loyalty fades in the face of crime.

“Friend or foe,” our brains decide,
Yet shades of gray so often hide,
The hidden agenda, the secret ploy,
The hearts corrupted by power or joy.

The Swiss-cheese model, so porous, so weak,
Is breached by insiders, the havoc they wreak.
Ames with his whispers, Hanssen’s dark trade,
Philby’s betrayals in shadows displayed.

So guard your resources, question each claim,
For trust misplaced can lead to blame.
Beware the bridesmaids and dancers, all three,
Who twirl through the gaps of your security.

The lesson is simple, the truth is plain:
No trust is eternal, nor wholly sane.
Question the trusted, verify all,
For even the mighty are destined to fall.

And if you doubt this rhyme’s intent,
You can trust me on this—110 percent.


Credit: Sadie H. vocals, Jill F. keyboard, Sheva A. strings.

5 thoughts on “It’s All About Trust”

  1. The struggle here is to transmute the abstract (trust) into the concrete (security algorithms). Trust, like love or justice, requires the fuzziest of logic, often absolutely upending the most elaborate protocols on the simplest of pretexts (think airliners as WMD or Y. Rabin’s orthodox assassin). Complex rules-based systems are inevitably of only limited accuracy and reliability because whatever one individual or group devises, another individual or group can ultimately overcome, given sufficient time, resources and MOTIVATION. As I see it, motivation is the key factor which can be understood. Seeing the context of the potential bad act is the first hint about what color hat the cowboy is wearing.

  2. Great comment, I agree entirely. Human trust, at least in the social context, is based on millions of years of evolutionary development which manifests itself in the form of subtle physical nuances including body language, facial expressions, perspiration, changes in complexion, subtle eye movements, etc. Most of us are largely adept at recognizing and interpreting these nuances. The challenge is taking that instinct and incorporating it into a deterministic algorithm that is capable of successfully evaluating an individual’s trust level over an extended period of time and adjusting where necessary.
