OK, so I said earlier this week that I normally get asked about security by someone who is threatened by the onwards march of digitalisation. Sure, security is important, and the issue is that for every step of innovation we create a step of risk. We don’t know the risks until they are exposed and then, with the benefit of hindsight, we can lock them down. However, whilst they are exposed and unknown, they are an issue.
Today, we know that usernames and passwords are massive risks and create exposure. Then we carry on using them regardless, because our systems and procedures cannot adapt fast enough to lock them down or, equally, we don’t have an effective replacement. There is an obvious, effective replacement for username and password today, which is IP address, GPS location, fingerprint phone biometric, voice recognition and more, all driven by the mobile phone.
The concern I actually have is that if all major hacks are driven by social engineering – which most hackers would tell you they are – then why are we not doing far more to advise staff and customers about this? Equally, what would we do if a state-sponsored attack really tried to compromise national security and bring down the financial system? Impossible? Not really, as I learned at a recent conference.
A guy was presenting about national security and simply put up this equation:
Equifax + OPM + ISIS = -(USA)
Now not everyone will be familiar with all these things, so a quick explanation.
First, I’m sure all of you are aware of the Equifax hack – if not, what rock have you been sleeping under? – where 145 million Americans lost what had been their most secure number: their Social Security Number (SSN). This, along with their name and address and date of birth, is the magic key to open most services, including bank accounts. It is also the magic key to access most of those accounts online. This compromise is one of the single most important hacks of this decade, and is leading to calls to reform the security systems of the USA at last.
Then add the second acronym here: OPM, the Office of Personnel Management. This is the US office that manages the civil service of the federal government, and all government employee records for the USA. The OPM was hacked in April 2015, when birth dates, home addresses, Social Security numbers and other personal information were compromised for 4.2 million current and former federal government employees.
A second breach took place in June 2015 involving an astounding 21.5 million individuals. Social Security numbers were stolen from background investigation records, including 5.6 million records that contained fingerprints.
Now imagine that these two breaches were state-sponsored by ISIS or North Korea and, Houston, we have a problem. In fact, the speaker who put this equation on screen reckoned that if a sinister nation wanted to bring down America, all it had to do was obtain this sort of information and use it to change the passwords of most American government officials and consumers, and the USA would come to a halt. 75% of American commercial and government activity would just stop, with immediate effect.
Yep, that’s pretty scary but of course, it could never happen. Kim Jong-un isn’t that clever, is he?