At least some measure of blame for why there is currently a proto-fascist on his way to the White House is that the emails of the Democratic National Committee (and several key advisors to Hillary Clinton) were hacked by a group linked to the Russian government. These hacks took the form of spearphishing, which is when a computer intruder fakes an email from someone you know, and uses your trust to insert malicious code onto your computer.
For most people spearphishing takes the form of a scammer stealing credit card information, personally identifiable information like your social security number that could be used to fabricate an identity, or the passwords to your accounts. But in the case of this election, it has also been used to massively invade the privacy of the political parties (we know the Russians also hacked into Republicans, but they only leaked on Democrats because they wanted to swing the election: they were successful, by the way). And now, there is substantial evidence that this same technique — by the same Russian hacking group — has been deployed against think tanks.
While the motives this time might seem more benign (they are most likely seeking insider information about Trump’s appointees and foreign policy agenda), the fact that prominent institutions remain vulnerable to these attacks should be a cause of grave concern.
To start with, spearphishing relies on our trust of known people: a family member, a close colleague, an old friend. While we might be hesitant to open the email from a foreign sounding name with poor English in the subject, we are more likely to open an email that seems to come from our boss with familiar phrasing on it. Hackers can easily piece together these markers by examining your online presence, which is available for sale at a number of extremely high-density data clearinghouses.
Abusing that trust is one thing, but defending against that abuse is something else, and this is where it gets hard. How can you safeguard against a fake email that appears genuine? Most security experts write off these kinds of attacks as “social engineering,” that is, deliberately manipulating people into revealing security vulnerabilities. And that is how many computer security companies treat it as well. But placing the blame for this entirely on the user is not just counterproductive, it is giving up the fight before it’s even begun.
The common answer when this is brought up is to train or educate email users. This is, at best, a sisyphean task: not only are most email users not trained in how to use email safely, it relies on the user having a perfect record of never lazily clicking on an email. And like all security regimes that rely on defense perfection, all it takes is one failure and the entire edifice crumbles.
In theory, there are other ways that email users can be safeguarded against spearphishing. Identity verification online is still in its infancy, but there are many promising systems that could go a long way toward preventing a spoofed email from exposing a person or an organization to theft.
One possibility is integrating a form of blockchain technology into emails, since a blockchain is a decentralized network of highly encrypted nodes that are secure from most forms of tampering. Now, blockchains are not seamless, and are not perfect, so there might not be a truly secured way of safeguarding against phishing this way; even so, it is one method worth exploring.
Another possibility is integrating an RSA token-like device into a verification cycle for emails. RSA tokens are a highly secure form of two-factor authentication, but like with two-factor authentication really only work right now as a way to verify login. Using a two-factor system to verify emails would be much harder to implement — not impossible, mind you, but hard.
Hardness is the biggest challenge right now. It is entirely possible to create a secure, end-to-end encrypted, unhackable email system. But it would be very hard to use, and only the most paranoid and most highly technical would ever put in the effort to use such a thing. Things like PGP keys are part of the Free/Open Source Software movement’s guide to securing emails, but like everything else FOSS makes it is hard to implement and daunting to people who lack technical skills.
Right now, the biggest barrier to building emails that are secure from spearphishing isn’t the technical knowledge to do so, but rather how to implement that solution in a way that is transparent to users and is mostly invisible. And because usability seems to be at the bottom of every FOSS maker’s priority list, it is something that will probably have to fall on the traditional commercial firms to create — which means it will be expensive (again, adding to the difficulty of being secure at all).
Now, cost or difficulty should not be barriers to the two national parties. They can afford it, and one hopes that, now, they will choose to afford it. But spearphishing does, nevertheless, represent one of the truly hard challenges in cybersecurity right now. And because defending against phishing is still so difficult, and simply ignoring security is so much easier, it will continue to play an outsized role in future privacy attacks like we saw this year.
And that means the attacks on our institutions are going to continue for the foreseeable future. Fun, right?