Security measures – Cybersecurity tenets and election voting machines

Cybersecurity trends shift each year as different attacks take hold and technologies adapt to meet the demands of an evolving, connected world. Picture: www.cisecurity.org

My professional background is in network infrastructure, cybersecurity and renewable energy.

From this experience, I offer five counterintuitive cybersecurity tenets or principles. First, cybersecurity based on secrecy is inherently fragile.

The more secrets a system has, the less secure it is.

A door lock that has a secret but unchangeable locking mechanism is less secure than a commercially purchased door lock with an easily changeable key.

In cryptography, this is known as Kerckhoffs’ principle: Put all your secrecy into the key and none into the cryptographic algorithm. The key is unique and easily changeable; the algorithm is system-wide and much more likely to become public.

In fact, algorithms are deliberately published so that they get analysed broadly.

Militaries and governments spend an enormous amount of money trying to maintain secret research labs, missions and projects and even they do not always get security right.

Once secrets become public, there is no way to go back.

Second, omitting technical details from published research is a poor security measure.

We tried this in cybersecurity with regard to vulnerabilities, announcing general information, but not publishing specifics.

The problem is that once the general information is announced, it is much easier to replicate the results and generate the exploits.

Third, technical difficulty as a security measure has only short-term value.

I’m referring to the recommended password length and character rules, multi-factor authentication and even biometric access.

Technology only gets better — sometimes exponentially; it never gets worse.

To believe that some research cannot be replicated by amateurs because it requires equipment only available to state-of-the-art research centers is naïve and short-sighted at best.

Fourth, securing data in computer networks is risky at best.

If you read newspapers, you know the current state of the art in cybersecurity: Everything gets hacked.

Cybercriminals steal money from banks. Cyber spies steal data from military or government computers.

Although people talk about COVID-19 bio research in terms of cybersecurity, that is largely a red herring; even if no papers existed, the research data would still be on a network-connected computer somewhere.

Not all computers are hacked and not all data gets stolen, but the risks are there.

Manage the risk, I repeat – manage the risk!

There are two basic types of threats in cyberspace.

There are the opportunists: for example, criminals who want to break into a company’s system and steal a thousand credit card numbers.

Against these attackers, relative security is what matters.

Because the criminals do not care whom they attack, you are safe if you are more secure than other networks.

The other type of threat is a targeted attack.

These are attackers who, for whatever reason, want to attack a particular network. The buzzword in cybersecurity for this is “advanced persistent threat” (APT).

This term usually refers to nation-state-sponsored hacker groups with large resources that play the long game.

It is almost impossible to secure a network against a sufficiently skilled and tenacious APT adversary.

All we can do is make the attacker’s job harder and minimise exposure of critical information.

At the risk of sounding like an annoying mother – back up all critical data regularly, and check that the backed-up data can actually be restored, too.

Don’t assume anything.

Lastly, national security policies and laws that restrict publication or knowledge sharing will not work in an international community, especially in the Internet age, with everything now online and constantly being updated.

Cybersecurity and privacy will always remain a delicate balancing act, and government policies should reflect flexibility and at least set the acceptable boundaries for all citizens. It all boils down to this: prioritise and manage the risk.

Unsurprisingly insecure

The accuracy of a voting machine is dependent on the software that runs it.

If that software is corrupted or hacked, it can misreport the votes.

There is a common assumption that we can check the legitimacy of the software that is installed by checking a “hash code” and comparing it to the hash code of the authorised software.

In practice the scheme is supposed to work like this: software provided by the voting-machine vendor examines all the installed software in the voting machine to make sure it’s the right stuff.

There are some flaws in this concept: it’s hard to find “all the installed software in the voting machine,” because modern computers have many layers underneath what you examine.

But mainly, if a hacker can corrupt the vote-tallying software, perhaps they can corrupt the hash-generating function as well, so that whenever you ask the checker “does the voting machine have the right software installed,” it will say, “Yes, boss”.

For that reason, election security experts never put much reliance on this hash-code idea; instead they insist that you can’t fully trust what software is installed! Sound familiar to all you conspiracy theorists?
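To make the two points concrete (Kerckhoffs’ principle from the opening section, and the “Yes, boss” problem with on-device hash checks just described), here is an added Python example that is not part of the original column and does not model any real voting-machine product. It builds a SHA-256 manifest of a constructed set of “installed software” files, tags the reference manifest with an HMAC whose key is assumed to live only on the election authority’s offline audit device (the hash and MAC algorithms are public; the only secret is the key, which can be rotated), and then contrasts a machine’s self-reported check with an independent check that hashes the storage contents itself. The file names, contents and key are all made up for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed stand-ins for a voting machine's installed software
# (file name -> contents). Not real firmware or vendor files.
AUTHORISED_SOFTWARE: Dict[str, bytes] = {
    "tally.bin": b"count each vote exactly as marked on the ballot\n",
    "ui.bin": b"render the ballot on the touchscreen\n",
    "selfcheck.bin": b"compare installed files against the manifest\n",
}

# Assumed key, held only on the election authority's offline audit device.
# Kerckhoffs' principle in practice: SHA-256 and HMAC are public algorithms;
# the only secret is this key, and it can be rotated if it is ever exposed.
AUDIT_KEY = b"placeholder-audit-key-rotate-if-exposed"


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """The 'hash code' of the text: one SHA-256 digest per installed file."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(files.items())}


def tag_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical manifest so a tampered reference is detectable."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_tag_valid(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(tag_manifest(manifest, key), tag)


class Machine:
    """An honest machine: its self-check really hashes its own files."""

    def __init__(self, files: Dict[str, bytes]) -> None:
        self.files = dict(files)

    def self_check(self, reference: Dict[str, str]) -> bool:
        return build_manifest(self.files) == reference


class CompromisedMachine(Machine):
    """The failure mode the column describes: the tally code has been altered
    and the self-check routine along with it, so the machine always answers
    'Yes, boss' regardless of what is actually installed."""

    def __init__(self, files: Dict[str, bytes]) -> None:
        super().__init__(files)
        self.files["tally.bin"] = b"altered tallying code\n"

    def self_check(self, reference: Dict[str, str]) -> bool:
        return True  # the answer comes from the very software being checked


def independent_verify(storage: Dict[str, bytes], reference: Dict[str, str],
                       tag: str, key: bytes) -> Dict[str, bool]:
    """What an auditor should do instead: read the storage with separate,
    trusted tooling, hash it off the machine, and compare against a reference
    manifest whose own tag has first been checked. Returns a per-file verdict;
    an unexpected extra file is reported as a failure under its own name."""
    if not manifest_tag_valid(reference, tag, key):
        raise ValueError("reference manifest tag invalid: do not trust it")
    observed = build_manifest(storage)
    verdict = {name: observed.get(name) == digest for name, digest in reference.items()}
    for name in observed:
        if name not in reference:
            verdict[name] = False
    return verdict


if __name__ == "__main__":
    reference = build_manifest(AUTHORISED_SOFTWARE)
    tag = tag_manifest(reference, AUDIT_KEY)
    for machine in (Machine(AUTHORISED_SOFTWARE), CompromisedMachine(AUTHORISED_SOFTWARE)):
        print(type(machine).__name__)
        print("  self-check says OK :", machine.self_check(reference))
        print("  independent check  :", independent_verify(machine.files, reference, tag, AUDIT_KEY))
```

Run it and both machines answer “OK” to their own self-check, while the independent comparison flags `tally.bin` on the compromised one. Note the limit of even the independent check: it only reaches the layers the audit tooling can read (the column’s point about layers underneath what you examine), which is why the reference answer remains an audit of the paper ballots rather than of the software.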

So you must achieve election integrity by doing recounts or risk-limiting audits of the paper ballots.

But you might have thought that the hash-code could at least help protect against accidental, non-malicious errors in configuration.

You would be wrong. Testing naturally tends to focus on “does the system work right when used as intended?”

Using the system in unintended ways (which is what hackers would do) is not something anyone will notice unless they are specifically looking for it!

Hence the recommendation to conduct regular cyber vulnerability analyses of your networks as a baseline audit, and to build on that with your cyber risk maturity matrix.

If you thought it couldn’t get worse, here’s a little-known fact about many voting machines used globally, including the ones used in several states in the recent 2020 US Presidential elections – acceptance testing of voting systems is done by the vendor, not by the customer!

Acceptance testing is the process by which a customer checks a delivered product to make sure it satisfies requirements. To have the vendor do acceptance testing pretty much defeats the purpose. Are we surprised?

You know: fool me once, shame on you; fool me twice, shame on me. Every time that we imagine that a voting-machine manufacturer might have sound security practices, it turns out that they’ve taken shortcuts and they’ve made mistakes.

In this, voting-machine manufacturers are no different from any other makers of software.

There’s lots of insecure software out there made by software developers who cut corners and don’t pay attention to security, and why should we think that voting machines are any different?

So if we want to trust our elections, I suggest that we should vote on hand-marked paper ballots, counted by optical scanners, and recountable by hand.

Those optical scanners are pretty accurate when they haven’t been hacked and it’s impractical to count all the ballots without them.

But we should always check up on the machines by doing random audits of the paper ballots.

And those audits should be “strong” enough — that is, use good statistical methods and check enough of the ballots — to catch the mistakes that the machines might make or if they are hacked.

Effective double-checking — the technical term is Risk-Limiting Audit. As some security expert (and former conman) once said: “There’s no such thing as a fool-proof system. That concept fails to take into account the creativity of fools.”
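As an added illustration of the risk-limiting audit described above (this is not code from the column or from any election authority), the following Python implements the two-candidate form of the BRAVO ballot-polling audit of Lindeman, Stark and Yates: ballots are drawn at random from the paper and read by hand, and a sequential likelihood-ratio test decides whether the sample supports the reported outcome at a chosen risk limit, or whether the audit must escalate to a full hand count. It assumes a two-candidate contest with no invalid ballots, and the sample strings at the bottom are constructed for the demonstration, not drawn from any real election.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass
class AuditResult:
    confirmed: bool         # True: the sample supports the reported outcome at the risk limit
    ballots_examined: int   # how many sampled ballots were read before the decision
    test_statistic: float   # final value of the sequential likelihood ratio
    note: str


def bravo_two_candidate(sample: Iterable[str], reported_winner_share: float,
                        risk_limit: float = 0.05) -> AuditResult:
    """Simplified BRAVO ballot-polling audit for a two-candidate contest.

    `sample` is the sequence of hand-read ballots in the random order drawn:
    'W' = vote for the reported winner, 'L' = vote for the reported loser.
    Null hypothesis: the reported winner really has at most half the votes.
    Each 'W' multiplies the likelihood ratio by s/0.5 and each 'L' by
    (1-s)/0.5, where s is the reported winner share. The audit stops and
    confirms the outcome once the ratio reaches 1/risk_limit; if the sample
    runs out first, the outcome is not confirmed and a full hand count follows.
    """
    if not 0.5 < reported_winner_share <= 1.0:
        raise ValueError("reported margin gives nothing to audit: do a full hand count")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be strictly between 0 and 1")

    threshold = 1.0 / risk_limit
    win_factor = reported_winner_share / 0.5          # > 1: evidence for the reported outcome
    lose_factor = (1.0 - reported_winner_share) / 0.5  # < 1: evidence against it

    ratio = 1.0
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "W":
            ratio *= win_factor
        elif ballot == "L":
            ratio *= lose_factor
        else:
            raise ValueError(f"unexpected ballot mark {ballot!r}")
        if ratio >= threshold:
            return AuditResult(True, examined, ratio,
                               "reported outcome confirmed at the risk limit")
    return AuditResult(False, examined, ratio,
                       "sample exhausted without confirmation: escalate to a full hand count")


if __name__ == "__main__":
    # Constructed samples; a real audit draws ballots at random from the paper.
    reported = 0.60  # the machines report the winner with 60% of the votes
    print(bravo_two_candidate("W" * 30, reported))    # confirms after 17 ballots
    print(bravo_two_candidate("WWL" * 30, reported))  # roughly 2:1 sample, confirms after 59
    print(bravo_two_candidate("WL" * 30, reported))   # sample looks like a tie: never confirms
    print(bravo_two_candidate("LLW" * 30, reported))  # paper contradicts the machines: never confirms
```

The design point is the one the column makes: the machines’ reported margin only sets how much evidence is needed, and the evidence itself comes from the paper. A comfortable reported margin with a sample that agrees ends the audit after a few dozen ballots; a sample that disagrees (whether through a bug or through tampering) never reaches the threshold, and the paper gets counted in full.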

Here’s wishing you all a blessed weekend, stay safe and well in both digital and physical worlds.

  • Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com