Digital Security: You Are the Weakest Link
Singapore’s decision to cut Internet access from 100,000 public servants accepts the reality: the greatest vulnerability in any network is the people who use it.
“The only truly secure system,” Professor Gene Spafford observed of computers in 1989, “is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards — and even then I have my doubts.”
Quarter of a century later, the spread of technology into every aspect of our lives makes security all the more important. At the same time, that ubiquity also means that we need to be able to access our data and interact with others seamlessly. The lead-lined room might keep our data secure, but also makes it harder to share the draft of a report, book movie tickets online, or play Words with Friends (as we now know even President Obama does).
This tension between security and convenience has long bedevilled IT departments. Efforts at complete control have been abandoned in many organisations, which now follow a “bring your own device” or BYOD policy. Blurring personal and professional lines can increase productivity if workers are more comfortable using their own devices, as well as ensuring that they are still connected to the office in the evening and on weekends.
But with convenience comes risk. Accessing corporate data from multiple devices increases the possibility of a breach if a user’s device is infected with malware, or the loss of data if a device is misplaced. Because the user typically owns the device, organisations have less control over the software that can be installed and what happens if an employee is fired or simply takes a smartphone on holiday.
Not everyone is willing to privilege convenience over security in this way. Singapore’s government recently took a step in the opposite direction with its decision to cut access to the Internet on official computers, affecting more than 100,000 public servants. The move was criticised in some quarters as being a luddite’s response to technology and even, bizarrely, as somehow driven by opposition to free speech. (Officials will still have Internet access on personal and agency-provided devices, while teachers will be exempted completely.)
Underlying this bold — some would argue, excessive — measure is a simple truth: the main vulnerability that cybersecurity experts cannot patch is the gullibility of users.
Hacking as Social Science Rather than Computer Science
There is no question that cybercrime and cyberterrorism are real threats.
Juniper Research estimates that the global cost of cybercrime will exceed US$2 trillion by 2019. Governments around the world have been targeted by hackers for financial and other reasons. Singapore’s Cyber Security Agency revealed that 16 attacks made it past government firewalls in the past year alone.
Law professors are not immune. Earlier this year, a juris doctor student at Singapore Management University was jailed for two months after using a USB keylogger to steal passwords from a classroom computer and then delete exam papers.
Some attacks involve sophisticated software or physical intrusions into a network, but most rely on an oblivious accomplice within the organisation opening a file or clicking on a link.
Many of us have been approached by Nigerian bankers trying to smuggle cash out of the country. We periodically receive plaintive emails from a distant friend who claims to have lost all of her credit cards while travelling. Or we get an official-looking note telling us that we must confirm our account details by clicking on this official-looking link.
Playing on our greed, our sympathy, or our gullibility does not require a degree in computer science. These are the skills of the grafter, the con-artist who has been parting fools and their money since there was money to be taken. Unsurprisingly, a good number of people are regularly fooled — or don’t even think before opening an attachment or a website. Estimates of the number of users who will fall prey to such “phishing” attacks vary, but the lowest tends to be about 10 percent. (One IT security professional proudly describes how six months of training brought the number in his organisation down to 5 percent.)
It might be seen as fatalistic to conclude that even Singapore’s highly-trained and well-paid officials cannot be trusted not to take the phisher’s bait. But in the past two months, even the CEO of Twitter and Facebook’s own Mark Zuckerberg were both hacked. (Zuckerberg’s password was, reportedly, “dadada”.)
So if one accepts that public servants are also human, the decision to make it much harder to compromise certain computers begins to make sense. Time will tell whether the trade-off in efficiency is worth it.
Let Me In!
So what can the rest of us do? Cutting ourselves off from the Internet is one option, but unlikely to be a realistic one.
The bottom line is not to click on links or open attachments from suspicious emails — and that every email is suspicious. Even if something looks genuine, such as a message from your bank or telco provider, go to the original website (and type it in yourself). Never provide account details — even over the phone, unless you called them.
Another key to remaining reasonably secure online is having decent passwords. Hackers don’t need to bother phishing if your password can simply be guessed within a couple of tries.
When millions of accounts were compromised at Adobe and LinkedIn, the most popular password on each was found to be “123456”. Other common choices were “password”, the cunningly disguised “passw0rd”, and so on. Further down, fully 33,000 users chose the passive aggressive “letmein”.
Many organizations now require employees to change their passwords regularly. The thinking seems to be that if you choose a secure enough password — upper and lower case, numbers, special symbols like #, and so on — it will take a dedicated hacker several months to try every possible combination. By the time he or she works out your login, hah! You have a new one.
The reality, of course, is that most of us are not quite so interesting to hackers. The far greater danger is that, by needing to have a new password every few months, we are either going to forget it or choose something simple. Say, password1, then password2, and so on. We are also more likely to write it down — another vulnerability. As a result, earlier this year, Britain’s signals intelligence agency, GCHQ, advised against regular password expiry.
This does, however, mean that your passwords should be good. An easy method of coming up with a decent password is to think of a phrase rather than a word. For example, you might take a quote from Shakespeare: “To be, or not to be — that is the question.” Take only the first letters and it becomes “Tbontbtitq”. Change the second “to” to a numeral and replace “question” with punctuation and you get “Tbon2btit?”. A web-based password analyser estimates that it would take a computer 10 years to crack that. (Note: please don’t actually use “Tbon2btit?”, as it has just been published on a website with the word “password” and is now vulnerable.)
Note also that you should not use the same password on different websites. This presents an additional challenge to remembering them, unless you come up with a mnemonic for variations based on the website’s name. Another solution is a password-saving website, which works for many users — but means putting all your eggs in a basket that is especially attractive to hackers (as LastPass discovered when it was hacked last year).
Back to the Cave?
As technology takes over more of our lives, the tension between security and convenience will become more pressing. With the rise of Smart Nation, driverless cars, and next-generation fitness-trackers, more organisations will possess more data on us than ever before — and we will be entrusting our safety to the integrity of those systems.
In such a world, requiring government employees to switch between devices might not be so bad a trade-off if it protects government data. As for the rest of us, it is possible to keep our data secure. Just turn your computer off, and leave it and your smartphone in the lead-lined room. Then go and queue up for movie tickets — or try a proper game of Scrabble against a flesh-and-blood friend.
The writer is Dean of the National University of Singapore Faculty of Law.
A version of this article was published in the Straits Times on 19 July 2016.