Time to destroy the hacker’s ballistic missile

Welcome to Enemy at the Gates!

This inaugural post and those that follow will use real-world and hypothetical cybercrime, cyber-espionage, and cyber-terrorism examples to comprehensively explore this question:

What is the true real-world identity of the living, breathing human being standing at the intranet or internet gate and is that living, breathing human being an enemy or a friend?

The goals are to offer the reader different ways of thinking about how vulnerabilities are exploited by criminal, nation-state, and terrorist hackers and, more importantly, suggest paths forward to effective solutions.

Through many years of studying the cyber identity problem, I’ve noticed that cybersecurity discussions often focus on identity verification technologies and techniques in a context disconnected from the living, breathing human being standing behind passwords, multi-factor authentication procedures, and even biometric measures.  

Most serious cyber breaches start with an anonymous living, breathing bad actor sending a malware-laden email to a target company employee. Just this month, the cybersecurity company Symantec announced that a second group of hackers targeted banks that use the SWIFT global financial transfer system. The report suggests the attackers used phishing emails containing malicious file attachments to deliver malware payloads into their target banks’ computer networks. To illustrate the seriousness of this incident, the first group of SWIFT hackers successfully stole $81 million from the Bangladesh Central Bank.

The criminal hackers involved in the more recent attack may have used simple email phishing where they had only general knowledge of the banks’ operations or spearphishing where they may have used social engineering techniques to gather specific information about bank employees to design a very convincing email. Certainly the focus of investigators is finding an answer to this question: “Which of the world’s 7.5 billion living, breathing human beings really clicked ‘send’?”   

Email is the cyber equivalent of a ballistic missile carrying a nuclear warhead and is a devastatingly effective hacker tool. Consider that the human being sending the email can be anyone operating from any location with no authentication mechanism available to the email server receiving the phishing or spearphishing email. The email technology in widespread use does not, as part of the protocol, demand that senders identify themselves in any context much less one in the real-world.

But none of this is new. The vulnerabilities baked into conventional email technology are well known. The amazing thing is that newer, more secure messaging systems haven’t yet killed it off.

Setting aside the question of why email is still around, we can conclude that hackers will always have the advantage as long as 40+ year-old conventional email technology remains in widespread use. The only effective solution is to adopt a top-to-bottom replacement for conventional email messaging. Critically, any such replacement must comprehensively address the anonymity problem.

It will be a very long and difficult process but the way forward is a focused, coordinated effort involving government standards agencies, legislatures, private companies, and cyber insurance providers. Government standards agencies such as the National Institute of Standards and Technology (NIST) should strongly promote security-focused guidelines for email replacement technologies; legislatures can use tax credits to encourage faster adoption of new messaging systems; insurance companies can use cyber policy rates to further boost the economic benefits of change.

Large businesses may hold the key to quicker adoption of new messaging technologies by using their size and economic influence to incentivize supply chains to adopt secure messaging technologies for business-to-business communication. Such action on the part of coalitions of large businesses can accelerate the successful retirement of SMTP email messaging throughout the broader economy since employees will become familiar with messaging alternatives and begin to use them when not at work.

[ RELATED: How to craft a security awareness program that works ]

Pushback from those who say this task is too difficult, expensive, or disruptive must be challenged with the unarguable fact that current email technology cannot be made secure and hackers are a very determined species.

Until email replacements are widely adopted and before focusing exclusively on the relative merits of anti-malware systems and other technologies designed to deal with attacks after the phishing email attachment is opened, security professionals should always ask ‘Who are the living, breathing human beings sending emails to my company’s employees? Are they friends or enemies at the gate?