Online security is completely broken, and we are engineering the world to make that – possibly unfixable – problem even worse, day by day.
We have a tendency to compare the online world to the offline one, so when we think of security we liken passwords to a door key.
We can over-extend that analogy: imagine you used the same key for your car, office, bank safe deposit box and house, and you have a rough approximation of the risk of re-using passwords. We can think of backdoor routes into sites – through unpatched security holes and similar – as more like climbing through a window.
But these hokey analogies only start to show some of the risk. In the case of the recent breach of Facebook’s security, which affected at least 30 million users, the vulnerability allowed the hackers – almost certainly a nation state – to impersonate logged-on users, roughly akin to disguising themselves as you to trick their way past building security. They never got the key, but they got in and had a look around.
The exploit to get into those Facebook accounts was a convoluted one, and reminds us of the complexity of modern online architecture – millions of lines of code, interlinked libraries, open-source components, and interaction between different sites. It’s akin to a building having a million windows, and someone has to constantly check whether they’re all locked.
If that sounds like an impossible job, then you’d be right: almost every major web service has suffered a major breach at some point, and not just those in the private sector. This weekend alone, around 30,000 US Department of Defense staff found their card and travel details had been accessed via an attack on a contractor.
And famously, even the agencies in charge of online security and their nation’s most closely-guarded secrets cannot avoid hacks: not only did the USA’s National Security Agency (NSA) and the UK’s GCHQ face losing their secrets via Edward Snowden’s disclosures, the NSA also lost control of some of its own hacking tools – which were then used in an attack which hit the NHS’s IT systems.
These are just the hacks that we know about: competent hackers – whether working for profit or for their government – don’t broadcast when they’ve got into a system. They just quietly sit back and hoover up the data they can freely access.
On top of these undiscovered leaks, there are ones that have been found but that we haven’t been told about: Google was exposed earlier this month as having decided not to disclose a security hole which could have hit 500,000 users. It is unclear whether the company will face any repercussions for that decision.
To summarise: our biggest and most technologically sophisticated companies are regularly failing to protect the data they collect. So are our governments and even our intelligence agencies.
While they remain unable to do that, they are all collecting more data on more people than ever before, creating irresistible hoards of personal data, much of which is impossible to alter once collected: information accessed during the Facebook attack included details such as sexual orientation, search history, and other personal information.
So: ever bigger honeypots of data, that we can’t protect, with no obvious change in sight. That’s as bad as it gets, right? Wrong. Companies like Facebook, Google and Twitter now offer what’s called “open auth” – the ability to use your logged-in session with one of those sites to log in to others.
On the surface, that’s sensible: instead of millions of sites having to build secure login systems, fewer do – and you need to log in less often, and type passwords much less.
But it also makes the already insurmountable security risks even more systemic: getting into Facebook can now mean getting into dozens of other connected sites – and we’re moving more in that direction too.
Almost every serious security professional will tell you that online data security is fundamentally broken – and that we should move towards minimising the damage when serious attackers get into systems (and making it much easier to detect such intrusions) rather than pursuing the “fortress” model of illusory security.
Instead, we get security theatre – reminders about our own passwords and data, even as serious attackers take thousands or millions of these at a time.
We have created a huge systemic risk to our own privacy, finances and security – perhaps even to our economic system – and we barely understand it, or care about it. The experts know the security of the internet is broken. They’re just waiting for the public to care.