Preventing Hacking Is Not an Easy Problem

Particularly in light of the fact that one flaming hot take about the DNC hack is that it’s John Podesta’s fault for not knowing that his IT staff was giving him bad information, this comment by Abigail Nussbaum is worth highlighting:

I work at a tech company employing slightly less than a thousand employees, most of whom are reasonably tech-savvy, in their thirties or fourties, and work fixed hours in a fixed location while managing their lives on their personal devices. Your suggestions would be tough-to-impossible to implement in that environment, much less in one where there are tens, if not thousands of employees, with huge turnover, long and irregular hours, lots of travel, high pressure, and where almost all employees will be, at best, skilled but ignorant end-users, and at worst, tech-illiterate. Take getting rid of email, for example. When the people who answer to you can be in six different cities over the course of a week and have to communicate large amounts of information across different time zones, how exactly do you suggest they do that except using email? For too long, the InfoSec community’s answer to users’ needs has been “suffer”, but even that isn’t enough in this situation.

Or take switching operating systems. Switch to what? Do we think that tens of thousands of mostly non-techie users are going to switch to Linux, a system that is famously opaque and unfriendly to new users? Or do we think they’ll do what users always do when IT forces them to go out of their comfort zone and there’s work to be done – find workarounds that actually decrease the overall level of security in the organization?

Which brings us to the whole issue of IT in political organizations, and I agree that there’s work to be done there. The DNC and organizations like it need to hire a CTO who will formulate best practices for security, and be in charge of setting up on the ground infrastructure and hiring local people to support it (though that’s assuming there isn’t already someone like that, which I would find surprising). But that ignores the fact that most IT tends to treat users, not hackers, as the enemy, has little or no sense of how to design a system so that users will want to use it correctly, and frequently mistakes making a system unusuable for making it secure (which, again, leads only to insecure workarounds). Not to mention that “we need to hire the best” is not actually a viable strategy, especially when you need so many people to do the work under not-great conditions, and especially in tech, where there are a lot of people who will tell you that they’re geniuses at something when really they’re only adequate at it (and which the person doing the hiring has no way of distinguishing). As a solution to problems of organizational security, “get a genius IT guy” is not a viable alternative to “come up with systemic solutions that even an OK IT guy can implement well”.

The fact is, as far as end-user solutions are concerned, the InfoSec community has been sitting on its hands for twenty years – literally the biggest things they’ve come up with in all that time is two-factor identification. And because until a few years ago, hacking was mainly a retail business – this person’s accounts drained, that person’s nudes leaked – they were able to get away with that, along with a hefty dose of victim-blaming. But now that hacking is being used a major geopolitical weapon, that approach simply won’t cut it anymore, and the community needs to come up with actual tools that will still leave the internet usable for everyone, no matter their age or level of tech-savviness. That’s not an easy problem, and it may be insurmountable, but continuing to approach it as if the solution is “get better users” is not going to work.

…I’ll do a separate post on it later, but on a related point Zeynep Tufekci’s piece on the Macron hack is really good.