Last month, the Department for Homeland Security and the FBI released their joint analysis report
with technical details on how the hackers affected the email breaches. All the attacks used spear-phishing, where the hackers sent a legitimate looking email with hyperlinks or attachments that when clicked launched malware that opened a backdoor into the victim’s computer or directed the victim to a fake web page that solicited login and password credentials.
I began writing
in the media about the dangers of spear-phishing two years ago, in the immediate aftermath of the infamous Sony Pictures breach. My goal was to shift attention away from the salacious inside-Hollywood gossip in the emails released by the hackers and encourage people to instead focus on how the hackers had accomplished this. I also hoped to draw more attention to what it meant for the future of the Internet, in the hope that policymakers and organizations would wake up to this threat.
Then came news of the massive OPM breach
, the Excellus BlueCross BlueShield data breach
, infrastructure hacks by Iranians
, and a steady, continuing stream of ransomware attacks — all using spear-phishing. Each attack seemed to inspire more, upping the ante. And with the DNC hack, spear-phishing has now struck a blow at the very foundation of our democratic process: our system of fair elections.
But worse is likely to come.
The reality is that spear-phishing attacks are easy to craft and many users, even after being trained in spotting spear-phishing, continue to fall victim. A case in point was a simulated spear-phishing attack my research team recently conducted over three days in a large financial company whose chief technical officer opted to participate in our study. That simulated attack netted close to a 55% success rate (in which someone actually clicked on the “malicious” hyperlink in the email) within a few hours of the attack. Reminders sent on the next two days kept netting more victims, with the overall attack realizing close to an 80% victimization rate.
This was despite the fact that the employees targeted were trained in spotting such attacks and almost all reported high confidence in their ability to detect a phish. Such findings are common in cybersecurity research, and particularly sobering because, as we witnessed during the elections, a single victim can cause a massive compromise.
However, suggesting that people stop using email for anything important — as the President-elect did
— is not a solution. Not when the very engine of all communication today is email. It is the reason the Internet became popular. Instead of discouraging the use of email, the Trump administration should instead work on helping to save the Internet by encouraging people to take steps to limit the threat of spear-phishing.
A good start would be encouraging more be done to plug the single biggest weakness in email: its system of authentication using logins and password. Email and most online services use this simple mechanism to assess who should be provided access to an account. But these credentials are also easily stolen and reused, which is why they are the primary target of most hackers.
A technical solution for this already exists in two-factor authentication, or 2FA. This is when an additional numeric code is sent to a separate device possessed by the user that has to be entered along with the user login and password. Because login credentials by themselves are of little value without this additional pin, 2FA makes it much harder for hackers to compromise an account. When properly enabled and used, 2FA works like automobile seat belts; it cannot guarantee complete safety, but it sure can significantly minimize risk.
The overall adoption of 2FA, however, remains low
because many organizations still don’t provide support for it, partly because there is no requirement to do so. Among the organizations that do, it is often left to users — many of whom are oblivious to 2FA — to enable it.
Here is where and how President Trump can help. Just like federal law requires automobiles to be fitted with seat belts, Trump could push for legislation that makes it mandatory for all online services that acquire user credentials to support 2FA. Furthermore, legislation could be enacted that makes it such that organizations that enable it by default receive liability protections from any breaches that occur due to a credential theft. This would incentivize organizations to adopt the technology and share the responsibility for its use with consumers.
Finally, user education is necessary. While many users are unaware of 2FA, others use it on a few services, often only when they initially log on to a system. 2FA has limited efficacy if a hacker accesses an authenticated computer with already open, active sessions. And it has even less value if only some users adopt it, while others don’t, providing an alternative conduit for the hacker. At the user level, the other biggest complaint remains the few seconds 2FA use adds to the start of an online session. But, as we have now realized, these few seconds could dictate the future of an organization — or influence the outcome of an election. All netizens must, therefore, be educated on the proper use of 2FA, and this requires federal grants for research and training.
Rather than building real walls to protect against imaginary threats, President Trump should work to build a virtual wall to protect our Internet. Support for 2FA is a necessary building block to make that a reality.