Human-Domain Security Evolution
Lessons from HDS origins paint a balanced future
Modern cybersecurity is rarely described in the context of history; this piece explores human-impact countermeasures through evolutionary tales — the good, the bad and the ugly.
Introduction. Modern concepts are often re-imagined ideas from the past. As often stated, “if you want new ideas read old books.” How can a brief exploration of the legacy of Human-Domain Security (HDS) help guide our formation of new concepts? History has an interesting way of evolving our understanding of concepts and behaviours that retrospectively seem misaligned. Where did HDS come from and what were the core drivers for its evolution? Where did HDS go wrong? These questions challenge our understanding by placing current security concepts in the context of the arc of human history. Many sound practices come to us by way of evolution rather than revolution. Alternatively, revolution has provided us with game-changing ideas.
Defining Human-domain Security (HDS). Current concepts around insider threat, insider risk, insider trust, insider fraud, critical people protection, personnel security and counterintelligence (broadly captured through the notional concept of Human-Domain Security) have evolved from more than two millennia of documented models, practice, and theory. The terms insider threat and insider risk often carry negative connotations around intention, despite the definitions clearly including both intentional and unintentional insiders. [1] Counterintelligence often conveys a sense of military or state security. Other recognised terms for similar constructs or capabilities may be positive. HDS seeks to disarm those connotations and extend its value to more sensitive parts of the world through a more positive application.
“HDS pillars mutually support one another, enabling a human-centric approach across people, process and technology”
HDS is a developmental term that cuts across the many ontologies to give a single, palatable term of reference, conceptually changing why counter-insider programs exist. Retooling our frame towards HDS presents a meaningful pretext that seeks to 1) control human-based vulnerability along the continuum of information technology domains [2], helping to protect people from our own acts, and 2) protect people from sophisticated external human-based threat actors (i.e., hostile reverse social engineering) through a cyber-enabled, all-hazards security lens. HDS is a mitigating frame of mind that confronts risk, threat, vulnerability and impact.
HDS is made up of six core pillars, each steering solutions back to an organisation’s most prized assets — people. The HDS pillars are 1) human-centric, 2) threat-focused, 3) business-oriented, 4) privacy-engineered, 5) dynamic trust, and 6) data-driven. In summary, HDS depends on an irrefutable set of data (6) held in privacy-engineered (4) infrastructure and storage. Since zero trust starts with people, HDS seeks to evaluate access, need-to-know, and behaviour more dynamically (5) to limit negative impact on business operations and resilience (3). HDS evaluates an organisation from the outside in and in the context of its most dangerous and most likely threat vectors (2). The HDS pillars mutually support one another, enabling a human-centric approach across people, process and technology (1).
While the user domain presents the most straightforward application of HDS [3], the aperture must not exclude the other IT domains. The methods and applications for securing humans are derived from long-established and evolutionary principles spanning some 2500 years of documented models, practice, and theory.
Ancient Principles. Sun Tzu wrote The Art of War around 500 BCE. [4] Sun’s work paved the way for military strategists from Maoist China through the European imperial conquests, and forms a key element of modern American defense doctrine. [5] While George Washington himself may not have read The Art of War, he unwittingly applied many of Sun’s principles to help repel British military might. [6]
Important in the context of HDS, Chapter 13 of Sun’s chronicle advises on “the use of spies.” Here, Sun distinguishes the five types of spy, outlining their utility and function in a strategic sense. While Sun lists local, reverse, dead, and living spies as broad categories of spy, most germane to this context is the 2 ½ millennia-old concept of the insider spy. [4] In truth, all five of Sun’s spy types are relevant, but in the broadest sense the insider spy matters most because the focus of HDS is to help make organisations more resilient to precisely this source of information exfiltration.
The insider spy is translated as one “…hired from among enemy officials,” distinct from reverse spies, who are hired from among “enemy spies.” Re-articulated, insider spies are the people internal to an organisational camp who can report critical or vital information out to an adversary. [4] The techniques and technology available to insiders have only become more sophisticated.
The technology of the insider spy is what brings the work of Sun to cybersecurity. Whether through steganography or code saboteurs, insider spies can use both ends of the technology spectrum and everything in between to harm an organisation. Technology is core to countering this hazard but not absolute — people and process play an equally important role. Human security, in Sun’s words, requires human intervention.
The military is not the only organisation to routinely cite and leverage Sun’s chronicle — it is widely used among business leaders across the globe. The Art of War chapter on the “Use of Spies” may be overlooked by business leaders, its value to leadership concepts murky at best. Those who read Sun’s chronicle should at least count chapter 13 among its very sage guidance. It might even lie behind the origins of the first known corporate security program, at Ford Motor Company.
Industrial Age Principles. Ford Motor Company is considered [i] the first documented company to introduce a corporate security programme. [7] While the Pinkerton corps predates Ford’s corporate security programme, at the time Ford’s programme was formed Pinkerton operated more like a third-party private investigative and protective service. [8] The concept of corporate security was largely based on a fear of saboteurs in the post-World War I (WWI) era critical industries, mainly mining and manufacturing. The Ford Service Department (FSD) was a brutal establishment that placed its fears above any well-founded principles of how and why human security mattered. The FSD was largely focused on perceived threats from labour unions, communist infiltrators, and saboteurs. Ford’s famous culture was reinforced by the FSD from behind a veil of secrecy. The FSD heavily surveilled its workforce, attempted to coerce employees, and enacted heavy-handed, preemptive tactics against potential threats. [7]
It is said that truth dies in the dark. There are few documented insights into the brutal FSD approach. Ford’s wilderness of unknowns mirrored the Soviet KGB’s “wilderness of mirrors” approach, in which few knew who was an FSD operative, including other FSD operatives. Its wrecking-ball approach employed Gestapo-style tactics in its prosecution of perceived insiders with communist or union ties, often with little or no evidence. Coercion was the principal concept; hostile foreign adversaries (a legitimate concern) the principal purpose. With no proof needed, the FSD became a tool for internal control. The FSD burning platform is a caution for modern HDS. It also begs the question: how would modern technology have been used in the era of the Ford Service Department? Would the FSD have used Artificial Intelligence (AI) to help predict which of the workforce required preventative coercion?
i. It turns out that the FSD was an artifact of a 1917 U.S. Department of War (the Defense Department’s predecessor) sponsored critical infrastructure protective service, titled the Plant Protection Service. [10]
Conflict Principles. In the early phases of World War II, the British and later the Americans needed Human-Domain Security to defend against the Nazi-German Axis activities threatening the alliance. The Special Operations Executive (SOE), currently a capability within the purview of MI-6, took steps to establish what we now refer to as identity and access management (IAM), compartmentalising information, duties, and missions to guard against hostile espionage. [9] MI-5 followed suit and introduced additional safeguards protecting sensitive operations that employed double agents (reverse spies, in Sun’s jargon).
The U.S. Office of Strategic Services (OSS) mission was largely reapportioned into what would become the present-day CIA. The OSS Commander modeled his organisational structure on the SOE’s structure and mission. SOE and OSS units were largely established to conduct unconventional warfare and to build human networks of (in Sun’s terms) local and living spies that provided critical insights from abroad to the Allies. In particular, they had a clear mission to discover insider spies, to run reverse spies, and to leverage dead spies when needed. In current jargon, this was an effective application of least-privilege IAM concepts across three premier counterintelligence units that still maintained sharing and cooperative mechanisms.
In 1943, the OSS established a special counter-espionage section (X-2) whose main purpose was to identify, detect, remediate and even turn suspected hostile spies against their masters. X-2 worked with MI-5 and MI-6 to identify insiders across the alliance, applying foundational elements of operational security (OPSEC), multi-intelligence indicators found in signals intelligence (SIGINT), and double-agent operations. Later, the OSS would take these lessons and develop a concept of signature management as a means to limit exposure to the adversary. [10] This is a rare practice in modern society, but how might its use make an insider easier to identify through technical means?
The Allies were not the only actors in this arena in WWII. They had to compete with the Soviet Cheka and Nazi domestic control principles. The Cheka introduced its toxic concepts during the Bolshevik Revolution and was formally established under Soviet doctrine in 1917, predating even the Ford formation. Through OSS, SOE and MI-5 principles the Allies were ultimately able to thwart dark tides globally.
Even today the struggle over how spies and counterspies operate remains, between the Allies and the Western world order on one side and the veil of secret police and brutality on the other. In 2004, Vladimir Putin stated that “there are no ‘former’ Chekists,” in a nod and grin to his role in the KGB. [11] The human challenge for governments has only increased in complexity, and with the advent of always-on technology it’s only getting worse.
“malicious insiders engage in more than just cyber activities”
Modern Principles. In 2011, the U.S. established the National Insider Threat Task Force (NITTF) with the signing of Executive Order (E.O.) 13587. The task was split between the heads of intelligence and law, to be carried out by the FBI and the National Counterintelligence and Security Center (NCSC). [1] More recently, under the DHS, the Cybersecurity & Infrastructure Security Agency (CISA) has provided additional resources and principles to define and proactively drive down the impact of insiders. [12] The counterintelligence, cybersecurity and legal executives neatly bound the problem and the solution. The challenge is to co-mingle the perspectives and insights that help break away from mere awareness campaigns and posters.
MITRE, a U.S. federally funded research institute, established the Insider Threat Framework in 2020, citing other well-established frameworks. [13] Across these three focused areas (NITTF, CISA and MITRE) there are ample principles to help an organisation secure its human assets, but the solution is not a silver bullet — the principles are only a casing at best. Even MITRE distinguishes between Advanced Persistent Threats (APTs) and insider threat, stating that “malicious insiders engage in more than just cyber activities, and any credible, effective insider threat framework must account for the cyber, physical, organizational, and human components of insider threat.” [13]
This powerful statement clarifies the importance of doing things that are hard. Human-domain Security will continue to rely on fragmented solutions until we start using the tools provided to determine which principles to keep and which to leave behind. For example, the MITRE approach to building insider threat indicators is clear and logical. It matches the other well-established principles discussed within this text. Even the Human-Focused Insider Threat Types build upon Sun’s chronicle. [13] HDS will remain an all-hazards discipline that both benefits from and provides benefits to cybersecurity.
Summary. This brief report covered a period of 2500 years in a handful of paragraphs. It should be clear that this scale does not adequately cover each area; many lines of investigation are not captured or remain unexplored altogether. Still, this report has unlocked some clear lanes to avoid and some bypasses.
Sun Tzu provides a foundation from which to build, not just for the insider spy but for each of the spies, to strengthen our intelligence, to understand our vulnerabilities, and to know what our adversaries are after. We have learned that corporate security has not always applied its power prudently in protecting its people, and that heavy-handed tactics are no longer acceptable. We have seen the era of conflict apply both good and bad HDS principles, advancing our ability to leverage people, process, and technology to better protect critical assets, including people. Finally, we observe the attention and scale of tools and concepts from across the NCSC, FBI, CISA and MITRE that start to pinpoint how we can effectively detect hostile and undesirable human activity and behaviour through a security lens.
Concepts that history has given us range from types of spies to early IAM concepts. This legacy has developed precursors to zero trust, least privilege and threat intelligence. We have observed the establishment of tradecraft to protect and detect hostile actors, and even some early concepts of compartmentalised sharing of sensitive and exquisite information. The legacy of HDS does not yet include or benefit from AI, but it soon will.
The arc of human countermeasures refining theory into practice will occur in this generation. The legacy of HDS shows how far we have come in just the last century. It will take investment and accepting a bit less rigor than we would like. It will also take prudence to ensure we restrain what we think we can do to what we should do. The hesitation of the smartest experts in the world comes not from whether HDS can be solved — it’s about ensuring the tool for good does not become a weapon for bad.
References:
[1] ODNI, “NATIONAL INSIDER THREAT TASK FORCE MISSION FACT SHEET.” Available: https://www.odni.gov/files/NCSC/documents/products/National_Insider_Threat_Task_Force_Fact_Sheet.pdf
[2] Kim, Fundamentals of Information Systems Security, 3rd ed. Jones & Bartlett Learning, 2016. https://www.oreilly.com/library/view/fundamentals-of-information/9781284220742/xhtml/9781284220735_CH03_03.xhtml.
[3] H. Hoops, “The Extent of User Domain Risk,” Medium, Jun. 08, 2022. https://hatterashoops.medium.com/the-extent-of-user-domain-risk-da1f5a002516.
[4] T. Cleary, trans., The Art of War. Boston, MA: Shambhala Publications, 1991. https://web.mit.edu/~dcltdw/AOW/
[5] “The Art of War,” Wikipedia. Jul. 11, 2023. [Online]. Available: https://en.wikipedia.org/w/index.php?title=The_Art_of_War&oldid=1164811464
[6] J. L. Bell, “Washington’s Five Books,” Journal of the American Revolution, Dec. 18, 2013. https://allthingsliberty.com/2013/12/washingtons-five-books/.
[7] K. Walby and R. K. Lippert, “Ford first? Corporate security and the US Department of War’s Plant Protection Service’s interior organization unit 1917–1918,” Labor History, vol. 56, no. 2, pp. 117–135, Mar. 2015, doi: 10.1080/0023656X.2015.1029811. https://www.tandfonline.com/doi/abs/10.1080/0023656X.2015.1029811.
[8] “Our Story | Pinkerton.” https://pinkerton.com/our-story/history (2023).
[9] “The History Press | Espionage and the SOE.” https://www.thehistorypress.co.uk/world-war-ii/espionage-and-the-soe/.
[10] National Counterintelligence Center, “Counterintelligence in the Office of Strategic Services,” CI Reader, vol. 2, ch. 3. https://irp.fas.org/ops/ci/docs/ci2/2ch3_a.htm.
[11] J. Schindler, “The 9 Russian Words That Explain KremlinGate,” Observer, Mar. 28, 2017. https://observer.com/2017/03/kremlingate-russia-spy-game-disinformation/.
[12] “Insider Threat Mitigation Guide | CISA,” Jun. 08, 2023. https://www.cisa.gov/resources-tools/resources/insider-threat-mitigation-guide.
[13] MITRE, “Insider Threat Research & Solutions.” 2022. [Online]. Available: https://insiderthreat.mitre.org/