Cybersecurity is an ever larger field, with a close relationship with new concepts such as disinformation or psychological hacking. We’ve spoken about all of this with Cristina López Tarrida, engineer and specialist in social engineering and psychohacking. She has been a researcher at the University of Seville, and is currently a consultant and trainer in cybersecurity and intelligence. What’s more, in 2018, she was included on IDG’s ranking of the top 25 cybersecurity influencers in Spain.
We often hear about the effects of disinformation. What relationship is there between cybersecurity and disinformation? How does this disinformation affect companies’ security?
Cristina López: Disinformation is a transversal phenomenon, which affects all areas including, of course, cybersecurity and company security. After all, it has a very close relationship with deceit, like when it is used to scam people with fake bitcoin investment schemes, which use famous faces as bait to trap victims.
On the other hand, one of the uses of disinformation is in smear campaigns. Until not that long ago, traditional media set the political and social agenda to a certain extent, highlighting the subjects it thought newsworthy. These days, that agenda is set at the click of a mouse or by whatever goes viral. It doesn’t seem logical to disparage the power of so-called citizen journalism or the capacity of social networks to create currents of opinion. The consequence of this is that, right now, almost anyone can damage a brand’s corporate image or prestige, and they can do this with very little money and have a great impact if they manage to go viral. Disinformation is, along with cyberattacks, the new battlefront for companies.
In 2020 the USA is going to hold presidential elections. What role do you think disinformation will play in the process? What can we as citizens do to tackle it?
C.L: Disinformation is a real challenge for democratic systems. Mainly because freedom of expression is the greatest democratic virtue, while at the same time, its greatest weakness. Especially because there is a very fine line between ensuring the veracity of content and censorship. What’s more, it poses another question: who should act as the guardian of truth? State actors? Big tech? What guarantees do we have that they won’t act simply for their own good? In the fight to tip the balance in favor of one’s own interests, disinformation clearly plays a determining role. Fake news is still just a powerful form of disinformation that can get through to the general population. Why give up using it?
As citizens, we need to understand that we have a part to play in all this. In this world, where there never seems to be enough time to do anything, we need to make the effort not to accept all the information we receive without questioning it. We must be critical and practice a healthy skepticism, step back from the information to properly assess it. We have to accept that the way our minds work presents several vulnerabilities that can be exploited by anyone that knows how: our biases, our emotional thoughts, our reconstructive memory, our conservative mind… All of these elements are ingredients in the recipe of manipulation.
You’re an expert in psychohacking. How would you define this concept? How could we link it to cybersecurity technology?
C.L: When I began to specialize in social engineering, I realized that, on most forums, it was exclusively linked to cybersecurity, which pulled focus from the huge potential that social engineering has in other areas. This is where I saw the need to create a new concept: psychological hacking, or psychohacking. I define it as the practice that encompasses the principles of psychology, especially social psychology, sociology and anthropology, which disinformation and influence campaigns are based on, with the singularity that it also includes the nuances and the challenges created by new paradigms and social behaviors stemming from the use of new technologies and the social network boom.
Bearing in mind the fact that social engineering attacks in cybersecurity are actually actions that aim to influence victims’ behavior so that they reveal information, perform some action, or make a decision that helps the attacker, psychohacking is vital for understanding those mechanisms. Social engineering is one of the preferred attack vectors for cybercriminals: because it is cheap, both in terms of knowledge and economically speaking, and because it is easy to use.
Does psychohacking play a role in cyberwar? Are people an asset in these wars between states, or are they limited to using existing technology and exploiting vulnerabilities?
C.L: Without a doubt. Psychohacking not only plays a role in cyberwar, but also in conventional wars and undeclared wars. Many of the conflicts we see nowadays are waged in individuals’ minds. Information has always been an essential part of national security strategies and great powers’ international policy. However, new technologies have made it much easier to access people’s minds and directly influence their perceptions and desires. They can even cause people to adopt attitudes, behaviors or decisions that favor whoever is trying to influence them.
The scope, impact and immediacy of operations of this kind in the digital age exponentially multiply all of the effects of this kind of action. The cognitive realm, along with cyberspace, is the new operational domain, given that it intersects the domains of land, air, sea and space. Battles are already being waged that transcend these traditional domains, and which can have equal or worse consequences than conventional warfare. With one difference: there is no need for any casualties.
Employees are still the weakest link in the cybersecurity chain. What measures do companies need to take to change this?
C.L: I’m a staunch defender of rewriting this phrase: human beings are the fundamental link in the chain. Being weaker or stronger is a consequence, not a cause. This is why I believe that we need to emphasize how important the human factor is in the cybersecurity chain, and not how vulnerable it can be. This way we avoid the false sensation that it is not possible to revert this situation.
The first measure is likely to be making companies understand that, even if they invest a lot of time, effort and money in implementing the latest security, antivirus and firewall systems, if just one employee is careless or irresponsible, or falls victim to a scam, all of that investment will have been for nothing. Cybersecurity is not simply a technical question, and to forget that is to underestimate an important part of the solutions landscape.
The most important measure is employee awareness and training. We must provide them with the necessary tools to recognize a phishing, ransomware or whaling attack. But we also have to teach them how to recognize what emotions these attacks appeal to, what cognitive biases they exploit, what vulnerabilities in the way we reason and decide they take advantage of. Cybersecurity has a psychological and a sociological component, and we mustn’t forget this. Sun Tzu said so two thousand years ago: “Know the enemy and know yourself; in a hundred battles you will never be in peril.”
Last year IDG included you on its list of the 25 most influential Spanish cybersecurity professionals. On the list there were only four women. How do you think the presence of women is evolving in the sector?
C.L: Like any change that is going to be lasting: slowly. But the fact that the evolution is slow doesn’t mean it’s not happening. I’m very optimistic about this; I think women have enough potential and character to conquer anything we want to. I therefore think it’s just a matter of time before there are more women in the sector, and the current proportions reverse. Cybersecurity has no gender, and it’s not a question of men and women, but of people. In cybersecurity, as in all areas of life, it’s about people.