Cybersecurity and public theatre
This article is prompted by reports based on a press release put out by the PR agency for Nord VPN, a cybersecurity company. Shock horror: among the top 10 most common passwords are “admin”, “123456” and several variants of “password”. The password “admin” is very often part of the initial setup used by lots of networking equipment manufacturers. It is not surprising that many of their customers don’t see any reason to change the default. Indeed, changing a default password can lead to a whole world of pain if you forget the replacement, while an insecure password is only a minor element in dealing with network security.
I am not going to defend people who rely on hopelessly insecure passwords such as the other two above, but most of the advice given by supposed security experts is nonsense. It ignores the human elements of cybersecurity. Of course, it is nearly impossible to crack a long password including random characters – e.g. ^9UC1e#3E%U3 – but that really is not the issue. Brute-force password cracking (in the mode of movie thrillers) can easily be stopped by not allowing sequences of failed access attempts.
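As an illustration of the point above, here is an added example (not code from the article) of a per-account throttle that refuses further attempts after a run of failures; the USERS store, the account names and the attempt/lockout values are constructed for the demonstration.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample credential store for the example. A real system
# stores a salted password hash, never the plaintext.
USERS = {"alice": "correct horse battery staple"}


class LoginThrottle:
    """Counts failed logins per account; after max_failures the account
    is locked for lockout_seconds and the password is not even checked."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so tests can control time
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:           # window expired: clear the state
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, password):
        """Returns 'locked', 'ok' or 'fail' for one login attempt."""
        if self.is_locked(account):
            return "locked"
        expected = USERS.get(account, "")
        # Constant-time comparison; unknown accounts fall through to 'fail'
        # so the response does not reveal whether the account exists.
        if account in USERS and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "fail"


def demo():
    """Three wrong guesses lock the account; a fourth is refused unchecked;
    after the window passes, the correct password is accepted again."""
    now = [1000.0]
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=lambda: now[0])
    results = [throttle.attempt("alice", "guess%d" % i) for i in range(4)]
    now[0] += 61                            # advance past the lockout window
    results.append(throttle.attempt("alice", "correct horse battery staple"))
    return results
```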
Indeed, passwords of the type given are a complete menace, because they cannot be memorised and must be stored. This simply moves the vulnerability to the storage arrangement. Further, every expert wants users to adopt a different password for each application. That again means that storage is unavoidable. In my case, my (hopefully secure) password storage contains over 550 passwords. Some of them are out-of-date or refer to defunct services but there are at least 400 active passwords.
I could store those locally, in which case I need to store the password database on at least a dozen separate devices which gives rise to the inevitable risk when one of those devices is lost or stolen. Alternatively, I can rely on cloud-based storage, which is a gamble on both the competence of the cloud operator and having access to a reasonable internet connection when I need it.
The truth is that what might have been good advice when the number of apps, services, etc. requiring access security was small is no longer either realistic or sensible. So, perhaps we should rely upon biometric security. This is only marginally better. How often does the fingerprint reader on your phone or laptop work as it is supposed to? In my case, probably less than 20% of attempts succeed – and even worse on some devices – so one must fall back on passwords or PINs (even less secure). My experience with face or voice recognition is barely better.
There is a more fundamental problem. How do the likes of Nord VPN know what are the most common passwords? Well, they rely on people who analyse lists of stolen passwords. But if your password has been stolen, it doesn’t matter how secure it is: someone somewhere has access to it and to your account(s). The true threat to cybersecurity comes from people who give away their access credentials willingly as well as from those who allow such credentials to be stored carelessly and harvested easily.
Most cybersecurity is shadow play – a pretence that offers minimal protection, but which is adopted because real security costs too much and involves too much inconvenience.
Think of anti-money laundering (AML) regulations as a related example. Almost by definition they cannot work without blocking vast numbers of transactions at enormous cost to banks and their customers. Any process of selection among money launderers will mean that the ones which thrive are those who are good at playing the rules. It is the ineffective and, occasionally, unlucky operators that get caught. So, AML regulators are in the whack-a-mole business that is doomed to failure on a large scale.
Their job, as with cybersecurity, is shadow play, but the costs of the pretence are enormous. Look at Trustpilot reviews of online banks. Many praise their ease of operation, but 10%-20% of reviews are from furious customers whose access to their account has been blocked or whose money has been frozen. It is almost certain that in 95% of such cases the bank’s software has generated a false positive for money laundering transactions or something similar. Such false positives are then exacerbated by the slow response of the bank in clearing what were entirely innocent transactions.
I have seen that in practice: the international payment processor now known as Wise will “lose” (in reality, freeze) even modest transfers into an account that aren’t linked to another payment. The whole situation is made worse because they will deny that the transfer has been frozen on the grounds that they are not allowed to warn potential money launderers. Please … are customers, including potential money launderers, supposed to be that stupid? Banks and regulators should start from the assumption that money launderers have strong incentives to be savvier than the average regulator or bank staffer.
The current pattern of behaviour merely increases cynicism about the motives and competence of both banks and regulators. For anyone determined, getting round the regulations is easy by probing enough to learn how the systems work.
Large numbers of false positives and appalling customer service are not bugs, they are features of the business model followed by online banks, especially those dealing with many international transfers. The banks are caught between threats of dire penalties from financial regulators for facilitating money laundering and the expectations of customers who, in today’s mobile world, want easy and cheap money transfers, especially within Europe.
So, what the online banks do is pure shadow play: they freeze lots of transfers as a charade for regulators, knowing that this will infuriate some customers who either leave or learn how to play their systems. At the same time, they cannot afford to deal with false positives quickly, because that would incur heavy staff costs and force them to charge more heavily for their services.
The same logic applies across the board to most cybersecurity. Ensuring high levels of protection for networks and IT services is hard and costly. The weakest point is people, especially those who are ill-motivated and under pressure. They write passwords on Post-It notes and stick them on their screen or leave them on a desk. All a would-be intruder has to do is to take a photo of the written prompt or password.
Even if that is stopped, staff and outsiders will unwittingly give access to networks in many ways. And, of course, careless and/or dumb developers will allow their unencrypted databases to be accessible over the internet. The point is that the ways of compromising cybersecurity are almost infinite, which teenage hackers and unfriendly agents know full well.
Most cybersecurity is a matter of making life harder for would-be intruders than other networks do, thus persuading them to try somewhere else. It is a relative, not an absolute, game which depends not only on how good your cybersecurity is, but on your value as a potential target. If you are the NSA or military intelligence, then your value to the right unfriendly agent is almost infinite. Consequently, the costs of implementing extreme levels of cybersecurity will be almost equally high – until, of course, you give all the information away for free by failing to check for disaffected employees and consultants.
This brings us back to people. Not only must you ensure that staff follow strict and very inconvenient protocols, but you must check the vulnerability of staff at frequent intervals. In the past, it was sexual preferences that made people vulnerable, today it is gambling debts and family members. To maintain high levels of cybersecurity may be inconsistent with liberal values as reflected in both employment laws and codes of good practice.
But getting staff to comply with strict and inconvenient cybersecurity protocols is only the beginning of the story. Customers are even more of a problem. The reason that both companies and public organisations want to roll out services that raise issues of cybersecurity is that they want to save money. However, customers won’t cooperate if these services are inconvenient and slow, which would be the consequence of adopting strict cybersecurity provisions. And there is the substantial portion of the population who would effectively be excluded by such provisions. These are not just the disabled and old but also many youngsters who won’t tolerate anything more than 1-click access.
Cybersecurity thresholds for most services must be lowered to a level that 95% to 99% of the population can accept. That is very limited and, thus, extremely vulnerable to being compromised in one of many ways. Without doing that, the organisations finish up having to support traditional and online methods of access and service, which sabotages the vision of using online services to reduce costs.
Consequently, the question arises of how the costs of breaches in cybersecurity should be borne. Referring to the case of AML, the online banks try to pretend that this is out of their control and, thus, pass it on to their customers. That may work for a while, but quite quickly there may be separate regulatory and consumer pressure to improve how false positives are dealt with. Even a combination of transparency and service targets to deal with cases in 2 or 3 days would resolve most dissatisfaction, though at the cost of an increase in operating costs for banks. Still, the alternative is what is already visible in several European countries, which is a loss of trust in, and business for, prominent online banks.
In the case of cybersecurity, banks have already been pushed into acting as insurers and prevention agents for the kinds of cybersecurity breaches that lead to fraud on individuals and households. The intentions are good – you shouldn’t facilitate crooks who persuade vulnerable customers to transfer large sums of money to fraudulent accounts – but the implications are frightening for any payment processor. If an agent is responsible for remedying the consequences of their customers being defrauded, where do we stop?
The issue of moral hazard (changes in behaviour caused by insurance) becomes very important. Then, there is the difficulty of dealing with people who have patently been stupid or maybe even complicit in what happened. Such problems can be mitigated but serious action would involve (a) much more intrusive cybersecurity, (b) putting many transactions into escrow and carrying out careful checks before money is released from escrow, and (c) vastly increasing public spending on following up and punishing such fraud.
Currently, almost everyone shies away from the costs and inconvenience of treating such security breaches seriously. This takes us back to cybersecurity theatre, a half-hearted pretence that fails to protect either banks or companies, but which allows them to put off the measures and costs that would be implied by taking cybersecurity seriously. We all want the speed and convenience of instant bank transfers or the services provided by apps, while choosing to ignore the inherent vulnerabilities – or large deliberate gaps – left for unfriendly agents or criminal organisations.
In theory, the economist in me argues that forcing banks and other companies to bear the costs of some cybersecurity breaches will prod them into implementing less vulnerable processes. But remember that the real weakness is people. So, the only incentive is to get the people who are most likely to facilitate cybersecurity breaches to opt out, e.g. through lengthy and bureaucratic application procedures. Such a response is usually regarded as discriminatory and imposes large social costs to, in effect, just move cybersecurity risks around.
And, finally, think about the visions of governments and tech companies to have a universal login ID such as the Gov-UK One and associated access arrangements. How bad will the disaster be when, as will inevitably happen, its cybersecurity is compromised on a large scale? Uniform cybersecurity arrangements are even worse than multiple versions of cybersecurity theatre.
None of the above means that it is a good strategy to use very weak passwords. That is easily used as a signal that you are particularly vulnerable to a whole variety of exploits intended to compromise your security and, thus, steal money, data and other things. Using strong passwords is a signal of caution and probable difficulty in compromising your cybersecurity. It doesn’t mean that you would, in fact, have much immunity to external attack. Still, it may reduce the probability of such attacks, because you have signalled that there are easier targets elsewhere.
In the shadow world of cybersecurity, the point is not merely your level of protection but whether, for hostile actors, the likely effort can be justified by the potential rewards. Hackers and criminals are just as capable of learning lessons from economics as academics are.
Setting such considerations aside, what I have highlighted is that cybersecurity is largely a pretence. Most of the arguments retailed to the public today reflect a world that disappeared with the widespread growth of networks and the internet. We have seen the enemy, and it is us! I do not pretend to offer an answer. I believe that most, perhaps all, of those who do are posturing and relying on cybersecurity theatre rather than offering practical protection. The pressures for greater convenience and lower costs are incompatible with high levels of cybersecurity.

This nails it. The 550+ password problem is real and most infosec pros dunno how to address it without creating perverse incentives. I've worked with teams who tried implementing strict rotation policies and ended up with Excel files of passwords floating around. The moral hazard point about AML regs is especially sharp because it mirrors what happens when you make prevention theater the primary metric instead of actual outcome reduction. Banks optimize for appearing compliant rather than reducing fraud risk.
Thank you Gordon, for adding to both my education and concern. It has caused me to recall an observation decades ago by my parents' carpenter: "locks are only for honest people".
I admit that, knowing very little about online security, save for decent passwords, I have lived in the hope that someone knows what they are doing - perhaps unwise - but as is so common. I feel there is little else that I can do.