Editor’s Note: Arun Vishwanath is an associate professor in the department of communication at the State University of New York at Buffalo. The views expressed are his own.
Arun Vishwanath: Estonia offers good example of how to boost cyber security
He says a new system of authenticating users online could make a big difference in fighting hackers
We can and we must. After all, this is our personal information they are monetizing.
After all, this is where most of us spend much of our time these days. And it’s also where all manner of criminals – from “hacktivists” to state-sponsored espionage units – lurk. Cyber attacks have already breached many major corporations, infrastructure facilities and military installations. And by now, every one of us has probably been targeted in some way, some of us repeatedly.
All this is costing governments and individuals enormous amounts every year. One study estimated the cost to the global economy from cybercrime at more than $400 billion each year, a figure that is only likely to rise as more and more transactions are conducted online. But there is a way to stop many of these attacks, one that requires shoring up a fundamental weakness of the Internet that hackers exploit: the mechanism used by computer systems for authenticating users.
In the real world, authenticating someone is easily done by checking something the person already has – a credit card, a driver’s license, a passport – to serve as irrefutable proof of their identity.
Online transactions, however, rely on a system of credentialing, usually someone entering a login and password combination that only they are supposed to know. There is nothing the user can show that can serve as definitive proof of identity, meaning if anyone else uses these credentials, there is virtually no way of distinguishing them from the legitimate person.
As a result, the vast majority of cyber attacks are attempts to steal credentials, either directly from people or indirectly from the servers of organizations storing this information. What we need instead is an online mechanism for authenticating users that is founded on some real-world identifiers that would essentially create a virtual wall against hackers. This is precisely what Estonia, today one of the most technologically progressive nations in the world, successfully did.
When Estonia gained independence from the Soviet Union, many Estonians didn’t even have a phone line, let alone a mobile phone. However, the newly formed government leapfrogged the usual development steps through a series of technologically progressive initiatives that brought its entire business, communication and governance systems online.
To prevent stolen credentials from undermining these, the government implemented a “Public Key Infrastructure” (PKI): essentially a nationwide electronic ID card carrying a cryptographic key that securely identifies its holder to servers online. Swiping the card in addition to entering login credentials works like a real-world authentication system, where individuals present their credentials along with something only they can possess.
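As an added illustration of the mechanism just described (constructed example, not Estonia’s software or any real system): a hypothetical relying-party server that accepts a login only when the password is correct and a fresh, single-use challenge has been signed by the private key held on the user’s card, so a stolen password alone gets an impostor nothing. The `Server` and `Card` types are invented for the example, and Ed25519 stands in for whatever key algorithm a real card uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server is a hypothetical relying party (constructed example, not Estonia's software) that
// requires a password (something you know) plus a signature from the user's card (something you have).
type Server struct {
	passHash [32]byte
	pubKey   ed25519.PublicKey
	nonces   map[string]bool // outstanding challenges, each usable once
}

func NewServer(password string, pub ed25519.PublicKey) *Server {
	return &Server{sha256.Sum256([]byte(password)), pub, map[string]bool{}}
}

// Challenge issues a fresh random nonce that the card must sign.
func (s *Server) Challenge() []byte {
	n := make([]byte, 32)
	rand.Read(n)
	s.nonces[string(n)] = true
	return n
}

// Login succeeds only if the nonce is outstanding, the password matches and the signature
// verifies under the registered key. The nonce is consumed either way, so a replay fails.
func (s *Server) Login(password string, nonce, sig []byte) bool {
	if !s.nonces[string(nonce)] {
		return false
	}
	delete(s.nonces, string(nonce))
	passOK := sha256.Sum256([]byte(password)) == s.passHash // real servers: slow hash, constant-time compare
	return ed25519.Verify(s.pubKey, nonce, sig) && passOK
}

// Card holds the private key and only ever returns signatures, never the key itself.
type Card struct{ priv ed25519.PrivateKey }
func (c Card) Sign(nonce []byte) []byte { return ed25519.Sign(c.priv, nonce) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv, card := NewServer("correct horse", pub), Card{priv}
	n := srv.Challenge()
	fmt.Println("password + card:", srv.Login("correct horse", n, card.Sign(n)))
	fmt.Println("stolen password only:", srv.Login("correct horse", srv.Challenge(), nil))
}
```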
Thanks to this, Estonia’s 1.3 million citizens can do everything from filing taxes to filling prescriptions, signing contracts and even voting online – confident that no one is impersonating them. This has led to significant savings, such as tax returns being processed in less than two days, and has also spurred tremendous innovation, with companies such as Skype and TransferWise among the numerous tech start-ups founded there each year.
While other European nations have followed Estonia’s lead, attempts in the United States, some dating back to the mid-1990s, remain stymied by our nation’s size and a pervasive distrust in government-led centralization. But there might be a solution, one that utilizes a unique identifier but does not involve the government: our cellphones.
Virtually every one of us has a mobile phone, and not only are our phone numbers tied to our credit history – and by extension, our identity – but many mobile services also support SIM cards that can store encrypted data. Furthermore, many of today’s handsets require biometrics like fingerprints for access, making it impossible to use them without authorization.
Thus a PKI could be linked to a specific cellphone number we choose, in the way the popular app WhatsApp does. This system could be developed by mobile service providers like Verizon or AT&T, who cover most of the nation’s users, or by handset makers like Apple and Samsung, whose mobile payment solutions could further benefit from such authentication.
Of course, although the development of a PKI would create a significant hurdle for hackers, it still won’t protect users who are careless about their devices. Nor can it protect users who click on malware-laden spearphishing emails that open back doors into computers, completely circumventing the hacker’s need for user credentials. The reality is that all Internet users – the weakest links in cyber security – will need to lay the final brick in the virtual wall.
For a start, that means learning how to spot and report suspicious phishing emails. Whenever possible, we should also enable security protections such as two-factor authentication – an analogue to PKI, where users are sent a PIN to a phone or device they choose, to be entered during login. And more generally, we can develop better “cyber hygiene”. This means adopting cyber-safe behaviors such as using online password vaults to create and store complex passwords, using separate email accounts for important logins, and using a secure browser rather than an email client to log into these accounts.
Regardless of who ultimately wins the presidency, protecting cyberspace must be a priority. And it will require a wall not of bricks and barbed wire, but a virtual one that we all help build, using our ingenuity, leveraging technology, and developing better habits in cyber space.