By Government CIO Outlook | Thursday, May 19, 2022
It is difficult to identify a major cyberattack in the past five years in which identity, typically a hacked password, did not serve as the attack vector.
FREMONT, CA: A recent analysis by the Anti-Phishing Working Group (APWG) revealed that 2016 was the worst year ever for phishing scams, with the number of attacks growing by 65 percent over 2015. The DNC hack, the penetration of government email accounts in Norway, and the current attempt by state-sponsored hackers to acquire the passwords of famous U.S. journalists all involved phishing. Phishing is on the rise for a straightforward reason: it is a relatively inexpensive and effective form of attack that places the onus of security on the user. And considering that many users repeat passwords, hacked credentials can be exploited to overcome typical network security measures and gain access to other systems.
In response to the rising frequency of authentication-based assaults, governments throughout the globe are exploring policies aimed at promoting the adoption of multi-factor authentication (MFA) solutions that can prevent password-based attacks and better safeguard sensitive data and systems. The United States, United Kingdom, European Union, Hong Kong, Taiwan, Estonia, and Australia are among the nations that have prioritized this issue over the past five years.
Numerous MFA technologies compete for attention, but not all of them are created equal. Some contain security flaws that make them prone to phishing: one-time passwords (OTPs), for example, are more secure than single-factor authentication but are still shared secrets that can be hacked. Some solutions are unnecessarily complicated to use or are constructed in a way that raises new privacy problems.
As policymakers seek to address these authentication challenges, they must adopt solutions that move away from the shared secret paradigm while remaining user-friendly for both consumers and employees. According to a new white paper produced by The Chertoff Group, governments may best protect essential assets in cyberspace by adhering to some critical criteria for authentication policy.
● Have a plan that addresses authentication explicitly. Even though a good approach to authentication is only one component of a proper strategy for cyber risk management, any cyber project that lacks an emphasis on robust authentication is tragically insufficient.
● Recognize the security constraints associated with shared secrets. Policymakers should recognize the limitations of first-generation MFA technologies such as one-time passwords (OTPs) that rely on shared secrets, and seek to incentivize the adoption of more secure alternatives, such as the FIDO authentication standards, that use public-key cryptography with keys that are permanently stored on the user's device and never leave it.
● Ensure authentication solutions support mobile. Any policy that does not optimize the use of MFA in the mobile environment will fail to sufficiently safeguard transactions completed in that environment as mobile transaction usage increases.
● Avoid prescribing a specific technology or solution; instead, concentrate on standards and outcomes. Authentication is going through a period of technological advancement, and new, improved methods will continue to develop. For this reason, governments should adopt an authentication strategy based on principles that do not restrict the adoption of emerging technology.
● Encourage widespread usage by selecting simple authentication solutions. Users are frustrated by poor usability, which limits widespread adoption. Next-generation MFA technologies significantly reduce this "user friction" and provide even larger security improvements. Policymakers should seek out incentives to promote the use of next-generation MFA that prioritizes both security and user experience.