The Most Pressing Cybersecurity Issue

At least some mea­sure of blame for why there is cur­rent­ly a pro­to-fas­cist on his way to the White House is that the emails of the Demo­c­ra­t­ic Nation­al Com­mit­tee (and sev­er­al key advi­sors to Hillary Clin­ton) were hacked by a group linked to the Russ­ian gov­ern­ment. These hacks took the form of spearphish­ing, which is when a com­put­er intrud­er fakes an email from some­one you know, and uses your trust to insert mali­cious code onto your com­put­er.

For most peo­ple spearphish­ing takes the form of a scam­mer steal­ing cred­it card infor­ma­tion, per­son­al­ly iden­ti­fi­able infor­ma­tion like your social secu­ri­ty num­ber that could be used to fab­ri­cate an iden­ti­ty, or the pass­words to your accounts. But in the case of this elec­tion, it has also been used to mas­sive­ly invade the pri­va­cy of the polit­i­cal par­ties (we know the Rus­sians also hacked into Repub­li­cans, but they only leaked on Democ­rats because they want­ed to swing the elec­tion: they were suc­cess­ful, by the way). And now, there is sub­stan­tial evi­dence that this same tech­nique — by the same Russ­ian hack­ing group — has been deployed against think tanks.

While the motives this time might seem more benign (they are most like­ly seek­ing insid­er infor­ma­tion about Trump’s appointees and for­eign pol­i­cy agen­da), the fact that promi­nent insti­tu­tions remain vul­ner­a­ble to these attacks should be a cause of grave con­cern.

To start with, spearphish­ing relies on our trust of known peo­ple: a fam­i­ly mem­ber, a close col­league, an old friend. While we might be hes­i­tant to open the email from a for­eign sound­ing name with poor Eng­lish in the sub­ject, we are more like­ly to open an email that seems to come from our boss with famil­iar phras­ing on it. Hack­ers can eas­i­ly piece togeth­er these mark­ers by exam­in­ing your online pres­ence, which is avail­able for sale at a num­ber of extreme­ly high-den­si­ty data clear­ing­hous­es.

Abus­ing that trust is one thing, but defend­ing against that abuse is some­thing else, and this is where it gets hard. How can you safe­guard against a fake email that appears gen­uine? Most secu­ri­ty experts write off these kinds of attacks as “social engi­neer­ing,” that is, delib­er­ate­ly manip­u­lat­ing peo­ple into reveal­ing secu­ri­ty vul­ner­a­bil­i­ties. And that is how many com­put­er secu­ri­ty com­pa­nies treat it as well. But plac­ing the blame for this entire­ly on the user is not just coun­ter­pro­duc­tive, it is giv­ing up the fight before it’s even begun.

The com­mon answer when this is brought up is to train or edu­cate email users. This is, at best, a sisyphean task: not only are most email users not trained in how to use email safe­ly, it relies on the user hav­ing a per­fect record of nev­er lazi­ly click­ing on an email. And like all secu­ri­ty regimes that rely on defense per­fec­tion, all it takes is one fail­ure and the entire edi­fice crum­bles.

In the­o­ry, there are oth­er ways that email users can be safe­guard­ed against spearphish­ing. Iden­ti­ty ver­i­fi­ca­tion online is still in its infan­cy, but there are many promis­ing sys­tems that could go a long way toward pre­vent­ing a spoofed email from expos­ing a per­son or an orga­ni­za­tion to theft.

One pos­si­bil­i­ty is inte­grat­ing a form of blockchain tech­nol­o­gy into emails, since a blockchain is a decen­tral­ized net­work of high­ly encrypt­ed nodes that are secure from most forms of tam­per­ing. Now, blockchains are not seam­less, and are not per­fect, so there might not be a tru­ly secured way of safe­guard­ing against phish­ing this way; even so, it is one method worth explor­ing.

Anoth­er pos­si­bil­i­ty is inte­grat­ing an RSA token-like device into a ver­i­fi­ca­tion cycle for emails. RSA tokens are a high­ly secure form of two-fac­tor authen­ti­ca­tion, but like with two-fac­tor authen­ti­ca­tion real­ly only work right now as a way to ver­i­fy login. Using a two-fac­tor sys­tem to ver­i­fy emails would be much hard­er to imple­ment — not impos­si­ble, mind you, but hard.

Hard­ness is the biggest chal­lenge right now. It is entire­ly pos­si­ble to cre­ate a secure, end-to-end encrypt­ed, unhack­able email sys­tem. But it would be very hard to use, and only the most para­noid and most high­ly tech­ni­cal would ever put in the effort to use such a thing. Things like PGP keys are part of the Free/Open Source Soft­ware move­men­t’s guide to secur­ing emails, but like every­thing else FOSS makes it is hard to imple­ment and daunt­ing to peo­ple who lack tech­ni­cal skills.

Right now, the biggest bar­ri­er to build­ing emails that are secure from spearphish­ing isn’t the tech­ni­cal knowl­edge to do so, but rather how to imple­ment that solu­tion in a way that is trans­par­ent to users and is most­ly invis­i­ble. And because usabil­i­ty seems to be at the bot­tom of every FOSS mak­er’s pri­or­i­ty list, it is some­thing that will prob­a­bly have to fall on the tra­di­tion­al com­mer­cial firms to cre­ate — which means it will be expen­sive (again, adding to the dif­fi­cul­ty of being secure at all).

Now, cost or dif­fi­cul­ty should not be bar­ri­ers to the two nation­al par­ties. They can afford it, and one hopes that, now, they will choose to afford it. But spearphish­ing does, nev­er­the­less, rep­re­sent one of the tru­ly hard chal­lenges in cyber­se­cu­ri­ty right now. And because defend­ing against phish­ing is still so dif­fi­cult, and sim­ply ignor­ing secu­ri­ty is so much eas­i­er, it will con­tin­ue to play an out­sized role in future pri­va­cy attacks like we saw this year.

And that means the attacks on our insti­tu­tions are going to con­tin­ue for the fore­see­able future. Fun, right?

Joshua Foust used to be a foreign policy maven. Now he helps organizations communicate strategically and build audiences.