The next president must kill off the password to protect national security.
Our government and democracy are facing an existential cybersecurity assault. Nation-state actors have recently breached the National Security Agency (NSA), the Democratic National Committee (DNC) and the Office of Personnel Management (OPM). Our secrets, including the names and personal information of everyone who holds a security clearance, have been stolen, and the selective leaking of hacked emails by nation states, in effect the weaponization of Wikileaks, could dramatically influence our elections.
The next administration needs to confront this cybersecurity threat head on and with the utmost urgency, but where to start? It turns out it all starts with something every one of us has a lot of: passwords. Believe it or not, killing the password is a matter of national security.
Yes, national security. Because that’s what cybersecurity is these days, as events of the past few months have made abundantly clear. First came the Russian hack of the Democratic National Committee, a year-long infiltration that exposed all sorts of embarrassing information from the DNC. Then came the theft — and posting online — of personal contact information for hundreds of Democratic lawmakers and aides, which opened them up to a flood of “obscene and sick” calls and text messages.
More recently, and most alarmingly, came the Shadow Brokers affair, in which a group of that name (widely suspected of Russian ties) obtained and published some of the NSA's best hacking tools. However the tools left the agency, that incident alone sends the message that cybersecurity must be at the top of the national security agenda in the next White House administration.
The presidential candidates seem to be aware of the stakes. For example, Hillary Clinton recently said that “[Cybersecurity] is one of the most important challenges the next president is going to face, because the advances, the offensive advances by nation states that we know are very technically sophisticated—namely Russia, China, next level Iran, next level North Korea—are going to just accelerate.”
My advice to the next president: The most effective first step you can take to strengthen national cybersecurity is to kill the password.
Why the password? Because weak passwords and compromised credentials are the number-one attack vector in the vast majority of breaches. According to the 2016 Verizon Data Breach Investigations Report, 63 percent of confirmed data breaches leveraged weak, default or stolen passwords. The attack on the Democratic National Committee, which began with credentials harvested by spear-phishing, fits the same pattern.
Further, research firm Forrester estimates that 80 percent of security breaches involve privileged credentials, the accounts that typically belong to the IT staff who administer an organization's systems, databases and networks. These people hold the proverbial keys to the kingdom, and intruders know that compromising their accounts provides far deeper and broader access to critical data. Stolen privileged credentials were the attack vector used in the OPM breach, where the intruders logged in with credentials taken from a background-investigation contractor.
But whoever gets hacked, passwords are usually the problem. As the Verizon report pointed out, “[Organizations] are leaving well-known vulnerabilities open and letting employees use easy-to-guess passwords — and often even the default [passwords] that devices come with.” The truth is that even the best password is only a single factor: it can be phished, captured by malware on the user's machine or replayed from another site's breach, so on its own it is little more than an inconvenience for a determined attacker.
That’s why I say it’s time for the next president to take executive action to hasten the death of the password. Like what? Well, just as President Obama used executive guidance to direct schools that receive federal funds to accommodate transgender students' access to bathrooms, the next president can mandate the elimination of password-only authentication for organizations that get federal funding, requiring instead smart cards or another form of multi-factor authentication (MFA).
I would advise the next president to begin by extending Homeland Security Presidential Directive 12. HSPD-12 established a mandatory, government-wide standard for secure and reliable identification of federal employees and contractors, aimed at reducing identity fraud and protecting personal privacy; it is the directive behind the PIV smart card (FIPS 201) that federal workers now use to log in to their systems. HSPD-12 currently applies only to federal employees and contractors but, as a first step, it should be extended to apply to all entities that receive large amounts of government funding or contracts.
Similarly, the Securities and Exchange Commission (SEC) has issued guidance calling on public companies to disclose material cybersecurity risks and incidents. Further regulation could require public companies to disclose whether confidential financial information is protected by passwords alone or whether additional forms of authentication are required to access that data. That would let investors decide whether they want to keep investing in companies with poor password hygiene.
The president could also take a page out of the payment card industry (PCI) playbook. The PCI Security Standards Council maintains the PCI Data Security Standard (PCI DSS), a set of requirements designed to ensure that every company handling credit card data maintains a secure environment. The recently released PCI DSS 3.2 extends the multi-factor authentication requirement to all non-console administrative access to the cardholder data environment, not just remote access from outside the network.
Agencies and industries everywhere are realizing that passwords alone are not enough. The next administration should reinforce this trend by launching a series of public service announcements for our citizens that focus on the problem of passwords. This is exactly what the government did back in the 1980s, when it spearheaded an extremely effective anti-smoking campaign led by Surgeon General C. Everett Koop. The reality is that passwords are putting our national security health at risk.
As recent hacks by state actors have made clear, cyberattack ranks high among the threats faced by our next president. Far more likely than a nuclear attack are more and more aggressive cyberattacks by nations like North Korea, Russia, Iran and China. Cyber really is the new front. That’s why the next administration must do everything it can to kill the password and implement next-level security technologies like multi-factor authentication. It is not an exaggeration to say that the future of our nation depends on it.