Weaponizing Autism for the cyber security workforce.

At key points in human history, there have been turning points, defining moments that indelibly changed the course of life for every single person in the world after. From Alan Turing shortening the duration of World War II by years, and thereby saving countless lives, with his contributions to cryptography and computing, to Nikola Tesla developing alternating current to power some of our greatest inventions; there have always been the marvelous contributions of gifted individuals, work that changed paradigms. Society, generally speaking, works methodically to make marginal improvements to things and processes. What geniuses like Turing and Tesla did, is step outside the widely accepted field of knowledge at the time, to innovate completely new ways of doing these same things. A significant number of these savants, if we look at records of their interactions with others, their sheer ingenuity, and some key personality traits, would today be diagnosed with Autism Spectrum Disorder.

More than 3.5 million Americans live with autism spectrum disorder, that is 1 out of every 68 people1 . In 2017 the National Cyber Crime Unite / Prevent team from the National Crime Agency published an Intelligence Assessment entitled ‘Pathways into Cyber Crime’ in which they disclose ‘Autism Spectrum Disorder (ASD) appears to be more prevalent amongst cyber criminals than the general populace.”2 . Then in 2011, another study was conducted, this time at multiple hacker conferences over a 4-year time period. The findings of this study showed that about two-thirds of the hackers had an Autism-Spectrum Quotient (AQ) score that placed them in the intermediate area of the autism spectrum .

In the Spring of 2018, we conducted a small exploratory survey (N=290) of computer security professionals who had been officially diagnosed with Autism Spectrum Disorder about the impact the disorder has had on their career. Here is a sample of some of the results:

Sensory and social challenges are the top reported challenges that individuals with autism face in the workplace. This supports other research and self-reports that individuals with autism value the ability to work from home or within an environment with reduced distractions.

The data reports that individuals with ADS occasionally or sometimes feel their autism impacts their ability to perform their job. Further research into this area could provide information in specific ways and areas individuals are affected.

We found the large number of “unsure” responses to be worthy of further investigation. As ASD may not be directly cited as a reason for dismissing someone from a job, further understand of this could indicate specific behaviors that could contribute to be dismissed from a workplace.

Social interactions with peers can be a major challenge for individuals diagnosed with ASD. These findings indicate that individuals with autism do feel bullied, experienced rude or dismissive remarks or find social engagements to be highly detrimental to their workplace experience. Further research in this area could enhance compassion, empathy, understanding, and tolerance for the behaviors individuals with ASD exhibit.

The three major things we take from this study are:

  1. The broad depth of differences in adults on the spectrum

2. The vast majority of professionals on the Autism Spectrum say that Autism has interfered with them doing their jobs successfully

3. Most have experienced bullying in the workplace.

These three major findings show a need for workplaces to remain flexible, and work to design teams and processes to help ease the potential conflict and increase efficiencies. All of this data also makes it fairly clear why people with ASD are drawn to both Cyber Crime and Cyber Security. These professions have been the best about thinking outside of the box, but still fall short the more these employees climb within the organization. Research has shown that typical work and office structures are harder for people on the spectrum to both work within and understand. While it may be easier for a manager to play it safe, they would be missing out on the dramatic insights that personnel with ASD can bring to their organization and work products.

The Cyber Security profession has seen a huge shift over the last 10–15 years. Most noticeably, Cyber Security is no longer a place for personnel that cannot cut it as System Administrators. Today, most companies and organizations realize they cannot survive without talented people in this area and have put a renewed emphasis on getting the right people empowered in the right jobs. Much like the mindset of how we fill these roles, we need to again shift the mentality of who we look for and how we manage these teams. Cyber Security presents an asymmetric challenge. An extremely talented individual can often be better than a team with moderate talent. Looking at people for the holistic skills they have versus how they fit the job we are hiring for is a crucial step to including an extremely valuable resource, analysts with Autism Spectrum Disorder (ASD). Looking at the statistics above it is clear that people on the spectrum do not feel that they are an integrated part of the workforce. From the additional comments section at the end of the survey, only a few feels that they have lost a job due to being on the spectrum. The other data collected points to many of these highly intelligent workers leaving jobs because of the lack of feeling a part of the team. This research and he experiences of this team bear out the truth that that to truly succeed and fully utilize the type of skills and intelligence ASD employees can bring the work culture must change. While the ideal situation is to change the culture from the lowest level up, there is very little doubt that managers must change their perceptions of people on the spectrum and establish strategies and policies that allow the workforce to utilize this unique skill set.

Traditionally managers work to bend personnel to existing hiring, staffing, and corporate models as opposed to building models around the personnel that we need. While this is nothing new, there is a critical need to hire people that think like and can see the trends of the attackers. As stated in numerous studies and articles, people on the Autism Spectrum are consistently drawn to the Cyber Crime path, and rarely towards the organized offensive or defensive cyber security roles that exist within the corporate IT industry. This discouraging trend can generally be attributed to the lack of flexibility in work hours, lack of control of the person’s work environment, lack of understanding by both peers and managers, and finally the lack of fulfilling outcomes from a significant majority of their work. To workers on the Autism Spectrum, they can see past the typical noise that hides attacks and have a unique ability to target the hidden indicators and signals of an attack. This generally can be seen in two very frequent features of ASD: the inability to accept minor nuances or deviations from established patterns, and evaluating each phenomenon as a unique instance that must be looked at in its entirety.

Cyber Security managers must do a better job of finding talent, including those with the rare talents that come with ASD, and instilling in their teams the appropriate communication skills, attitudes, and expectations for neurotypical team members and team members on the spectrum to complement each other instead of working as stove piped islands. This approach would go a long way to improving the overall ability to defend at a time that defending anything in the Cyber realm is near impossible. As the markets begin to shift to Artificial Intelligence (AI) for intrusion detection and prevention, it is sad that we have overlooked people with ASD, which in my experience have shown the ability to find things the AI and Machine Learning (ML) systems still struggle with and miss. Managers and supervisors in this space must build a culture to embrace and encourage the out of the box thinking the ASD people bring and work towards cultivating an understanding among the staff of how to work closely with these gifted peers. While it is difficult for people to grasp, the current culture of isolating ASD employees from others will continue to work against the needed end-state of a cohesive team of problem solvers.

As managers of some of the most dynamic and important functions within IT we must do more to move past keeping up with the attackers. The unique skill sets that ASD employees can bring to the team are invaluable in the everlasting battle between the attackers and defenders, and should be something we are all looking to incorporate into critical teams. This means working outside of the cultural and social norms that managers find comfortable. Working to modify interview tactics, existing flexibility, and environmental options for all candidates is the first of many steps to attracting, hiring, and retaining talented people across the board, but more especially those with ASD.

On top of an overall shift in workforce mentality, there are a couple of hot-fixes managers can implement immediately to help create a more inclusive environment: 1) Work closely with ASD employees to ensure they clearly understand who they should and shouldn’t engage directly with in the office. Power differentials and office politics are something that management must actively delineate with those on the spectrum. This goes a long way toward helping relieve the potential of bullying and negative interactions Second, managers also must identify the strengths of the employee and work to not just structure the teams around these resources but also be open-minded in addressing workplace issues that usually attend ASD. A good example of this is working to find a way to remind the ASD employee in a kind but proactive way of upcoming deadlines and acknowledging when work has or hasn’t been received. A good manager must always be watching ASD employees to look for which tasks seem menial and draw little to no interest. When this occurs, the employee will generally stop working on them without notice, which obviously is a cause for potential conflict.

While this is more work on the manager, there is no doubt that the skills ASD employees can bring far outweigh the cost in managerial overhead. s history has shown, someone with Autism can be a game changer for a company, a country, or even the world.

10 reasons why Asperger people are better at cybersecurity

  1. Most hackers are atypical. A research document from Scotland Yard last year indicates the majority of hackers in England are Aspergers. Some of them are identified; others don’t disclose it.
  2. Aspergers are extremely detailed oriented, which leads to a “no stone unturned” approach to cybersecurity.
  3. Aspergers are cognitively different, so they are naturally “out of the box” and find innovative solutions to problems without the usual cognitive “Blind spot” of non-autistic people.
  4. Aspergers are extremely focused and can have a high level of concentration. They are capable of hyperfocusing and never let go when they are looking for something.
  5. They have a high capacity for analysis. You can find brilliant Asperger people working as Security Operations Center (SOC) analysts, for example.
  6. They have a demonstrated superior capacity to identify patterns. The Israeli army has created an elite squad (“unit 9900”) composed solely of Autistics to deduct with pattern recognition troop movements on satellite images.
  7. It’s been scientifically proven that Aspergers are methodological and make more rational decisions (less cognitive biases).
  8. Many Aspergers are “optimal problem solvers” — they focus on finding the best solutions, not one of the best.
  9. Autistics have what is called Specific Interests: They will read and memorize huge amounts of information in an obsessive way and, therefore, excel in their field of expertise.
  10. People on the spectrum search for intellectual stimulation, complex challenges, and many have the “investigator profile,” which is highly valuable for forensics and pen testing.

http://www.autism-society.org/what-is/facts-and-statistics/ 2 http://www.nationalcrimeagency.gov.uk/publications/791-pathways-into-cyber-crime/file 3 https://www.cnet.com/news/aspergers-study-asks-are-hackers-cognitively-different/

“I am always ready to learn although I do not always like being taught.” — Winston Churchill