Data Threats: Hackers, Government Agencies, and Defending Data Online

JULIA TAYLOR KENNEDY: You're listening to Impact from the Carnegie Council.

I'm Julia Taylor Kennedy and this podcast is the second of three installments we're doing on data, privacy, business, and society. This time we're focusing on unauthorized uses of data.

JEREMY GILLULA: My name is Jeremy Gillula and I'm a staff technologist here at the Electronic Frontier Foundation.

JULIA TAYLOR KENNEDY: I found that Gillula is ready with an explanation to pretty much anything. In fact, that's kind of his job:

JEREMY GILLULA: Explaining technology to the attorneys when they've got a question. And sometimes, explaining attorneys to the technology when there are other technologists out there who don't understand how the law works.

JULIA TAYLOR KENNEDY: So you're a translator.

JEREMY GILLULA: That's definitely a decent part of the job.

JULIA TAYLOR KENNEDY: He also creates software for the Electronic Frontier Foundation.

JEREMY GILLULA: It's an Internet privacy and civil liberties group, although even that is a somewhat narrow explanation. When people have no idea what that means, I tell them it's like the ACLU (American Civil Liberties Union) of the Internet.

JULIA TAYLOR KENNEDY: Gillula spent most of our conversation explaining how things work online—and why it's so easy to spy on the web. Let's start with email on sites like Google and Yahoo.

JEREMY GILLULA: If you think about when you were connecting to a website, it can either be a secure connection, a little https with a little lock icon, or it could be insecure.

JULIA TAYLOR KENNEDY: Today, when you log onto Gmail, you see that lock icon. That means it's a secure connection—that it's encrypted.

JEREMY GILLULA: That means that someone just listening on the wire, all they're going to get is a bunch of encrypted gobbledygook. They'll be able to tell what website you visited and when, but not what was on the page. Fortunately, a lot of sites now use encryption and secure connections by default.

JULIA TAYLOR KENNEDY: The protection is limited, though.

JEREMY GILLULA: When you actually sent out that email, the email itself was not necessarily encrypted. If you're sending it to someone, say, I don't know, on some fly-by-night ISP—

JULIA TAYLOR KENNEDY: That's an Internet service provider, or the company that provides Internet to the person receiving your e-mail. There could also be one or more Internet service providers between you and your email's recipient.

JEREMY GILLULA: Once it leaves Yahoo's servers the email is unencrypted, and again, anyone who's tapped into the Internet would be able to read it.

JULIA TAYLOR KENNEDY: Your email isn't encrypted, and the Internet service provider isn't secure, so a hacker could get in more easily and read your correspondence. If you do go to the trouble of truly encrypting your email itself with an external software, the person receiving the email also has to have decryption software. It's pretty clunky. But given the way email was developed decades ago, it's understandable.

JEREMY GILLULA: In the beginning nobody was thinking about this sort of thing and it was, "Oh, man, wouldn't it be cool if I could send an email to my colleague across the country at the other university?"

JULIA TAYLOR KENNEDY: So who wants to read your email, besides your colleague across the country?

GEORGE KURTZ: If there's information to be gleaned, someone wants it.

This is George Kurtz, president, CEO, and co-founder of CrowdStrike.

JULIA TAYLOR KENNEDY: CrowdStrike is an information security firm that works for Fortune 1000 companies, governments, even think tanks who are worried about malware. Kurtz's motto might as well be "know thy enemy."

GEORGE KURTZ: In the physical world, you're not focused on somebody shooting at you, asking what caliber bullet it is. You want to get out of the way, and you want to know who's shooting at you, and protect yourself.

In the electronic world, I saw this problem, which was adversary activity—folks trying to detect malware when really they needed to look at adversary activity, as well as malware.

JULIA TAYLOR KENNEDY: He's trying to figure out who sends that malware in the first place.

GEORGE KURTZ: Today, we track near 80 groups around the globe. We break it down by theater. For example, China would be a theater, Russia, the Middle East, and then, we have a specific crypto name for each one of those groups.

JULIA TAYLOR KENNEDY: Get ready for some serious cyber-geek names.

GEORGE KURTZ: In China, it would be a Panda. Several of the group names would be D-Panda, Aurora Panda, Hurricane Panda. These are all individual groups that we track, and we even track the campaigns that they're actually running.

JULIA TAYLOR KENNEDY: This tracking helps CrowdStrike tell its customers when and how they're being targeted.

GEORGE KURTZ: They certainly want to know if it's a targeted attack, which really dictates the response, or whether it's a commodity piece of malware that somebody just happened to be in the wrong place at the wrong time, and that's been very beneficial to help prioritize what the response is.

JULIA TAYLOR KENNEDY: As Kurtz sees it, his job is to combat the most serious threats in cybersecurity: hackers and geopolitical enemies.

GEORGE KURTZ: I personally think the average person who isn't doing anything wrong has a greater risk in having their data stolen from a data breach or being phished and having their account passwords compromised.

JULIA TAYLOR KENNEDY: But is the greatest threat to invasions of security online coming from the criminals, or from the cops?

BRUCE SCHNEIER: Well, the illegal risk is something that doesn't happen very much.

I'm Bruce Schneier, and I'm not sure what title you want. Me, I go by, normally. I'm a fellow at the Berkman Center for Internet and Society at Harvard Law School. I'm with the New America Foundation. I'm a board member at Electronic Frontier Foundation. I have a company called Co3 Systems. I write. I speak. I do lots of things.

JULIA TAYLOR KENNEDY: Bruce Schneier is known as a preeminent expert on cybersecurity, and he's published widely on many thorny issues that face the industry. He thinks we're too worried about hackers and not worried enough about the government.

BRUCE SCHNEIER: This use of data for manipulation, for control—depending on the country—to arrest people, and convict them, and sometimes kill them, is a much greater danger than hackers stealing data, which is just used for financial fraud, and not very much of it, at that.

JULIA TAYLOR KENNEDY: Whereas the government's access is kind of unlimited.

BRUCE SCHNEIER: Government surveillance is surprisingly robust. It uses a variety of different methods, and technologies, and authorities. The NSA (National Security Administration), for example, taps the Internet backbone, and collects all the data that Google is sending between its data centers.

JULIA TAYLOR KENNEDY: So that Internet service provider protection we were talking about earlier? It doesn't apply to the government. And the government isn't just collecting our data through this "Internet backbone." There are other ways it has of seeking information online.

BRUCE SCHNEIER: There are hundreds, thousands of vulnerabilities in your software right now. They are discovered at some rate.

JULIA TAYLOR KENNEDY: Think of these vulnerabilities as holes in software. The software updates that we all download each month often patch up those holes. But if an agency like the NSA spots a vulnerability in a piece of software, it may not notify the software company. Instead, the NSA may keep that hole open to watch the online activity, say, of government officials from other countries.

BRUCE SCHNEIER: These vulnerabilities are used by criminals to hack into computers. They're used by governments hacking into computers. They're actually occasionally even used by corporations to hack into computers.

JULIA TAYLOR KENNEDY: The government and George Kurtz of CrowdStrike would say that vulnerabilities can provide great opportunities to watch, and identify, adversaries. But Schneier says that's risky behavior and it means the government values its own information-gathering more than security online.

BRUCE SCHNEIER: In general, we're all safer when our infrastructure is safer. Infrastructure is used by good guys and bad guys. Bank robbers travel on the roads, just like we all do. In general, our government should err on making our infrastructure safer for everybody, even though it often helps the bad guys, because there are more good guys than bad guys.

JULIA TAYLOR KENNEDY: The government can watch your every move and keep vulnerabilities alive. Hackers can steal data from your inbox or from a company that has collected your information.

The picture is pretty bleak. But as public awareness picks up about the lack of security online, things are starting to change. Let's start with glimmers of government reform.

BRUCE SCHNEIER: There's a law in California. If you have California customers, you have to report your data breaches. Pretty much, everyone has California customers, so that turns out to end up being, kind of, a nationwide law.

JULIA TAYLOR KENNEDY: When companies report on data breaches, more and more media outlets are sharing which companies have been hacked, leading to public outrage. This places more reputational risk on the companies themselves, who may expect certain consumers to defect for fear of a security breach. Companies are responding by hiring firms like CrowdStrike, and in other ways.

Remember Jeremy Gillula, and his description of encryption? How email isn't always encrypted? Well, that could change.

JEREMEY GILLULA: Now the idea is that the email will be encrypted from the start so that not even Google or Yahoo will know what's in it. You'll write the email, the email itself will be encrypted. Then once it gets transitioned out of Google's server or data center or Yahoo's data center and goes out, as it travels along the Internet backbone it'll still be encrypted.

JULIA TAYLOR KENNEDY: No more NSA eavesdropping through the Internet backbone.

JEREMY GILLULA: Even the ISP that receives it won't be able to tell what it says. Only the person you're sending it to will be able to decrypt it.

JULIA TAYLOR KENNEDY: That's a huge change.

JEREMY GILLULA: Oh absolutely. It'll definitely be huge. The biggest part of it is that even if the NSA or other law enforcement agencies—FBI or whatever—goes to Google and says, "Okay, hand over all of that user's email," depending on how Google and Yahoo implement this, it may be the case that even they cannot read that email. Instead of getting a warrant without your knowledge, law enforcement will have to come to you to get your email.

I think that's a good thing, because you should know if the government is demanding your information.

JULIA TAYLOR KENNEDY: Of course, Yahoo and Google have announced they're working on developing this encryption. The details, and the timeline, remain fuzzy.

As you've heard already, both hackers and governments threaten security online. There are debates about the proper role of government. But all of the experts I interviewed agree it's not enough to heap the responsibility of cybersecurity onto the government or onto corporations. We have to take responsibility as individuals as well

JEREMY GILLULA: I would think that in a couple of years, you'd tell someone, "Oh, I got hacked." "Well, it's your fault."

JULIA TAYLOR KENNEDY: So how do we fend off those hackers?

LORRIE CRANOR: It's a difficult thing to do because you don't need just one good password. You need 10 of them, or maybe dozens of them, depending on how many accounts you have, and that's where it gets tricky.

My name is Lorrie Cranor, and I'm a professor of computer science and of engineering and public policy at Carnegie Mellon University.

JULIA TAYLOR KENNEDY: Cranor studies usable privacy and security. She tries to understand what barriers exist to secure behavior online.

LORRIE CRANOR: Nobody buys a computer to do security. They buy their computer so that they can do work on it, or play games, or communicate. So in some ways I don't really blame people for not wanting to spend time thinking about security

I think companies really need to figure out how to change their software to minimize what it is that we're asking end-users to do in order to protect security.

JULIA TAYLOR KENNEDY: In the meantime, Cranor has researched what passwords people use.

LORRIE CRANOR: People tend to use passwords that are going to be really easy for them to remember, so things like their name and the names of their spouse, their children, their friends, are extremely popular.

JULIA TAYLOR KENNEDY: Of course, those are also the least secure. Along with other popular password trends—

LORRIE CRANOR: People also like strings of numbers—one, two, three, four, five, six—or patterns on the keyboards—Q, W, E, R,T, Y are the letters all next to each other on a keyboard.

JULIA TAYLOR KENNEDY: One of the worst offenses? Pet names.

LORRIE CRANOR: Just to be clear, your pet's name is not a good idea for what to put in your password. It turns out actually people are actually not that creative in how they name their pets. There's a lot of really common pet names that everybody keeps using, and those names are all on the list of things that the attackers guess.

JULIA TAYLOR KENNEDY: You want a unique password—one that's easy for you to remember, but something that would be hard for someone else to guess; something no one else would think of.

LORRIE CRANOR: It should probably be at least 12 characters long and it should be a mixture of lowercase letters as well as some digits, and symbols, or uppercase letters. You shouldn't just put all your digits and symbols at the beginning or the end. You want them spread out in the middle of your password

JULIA TAYLOR KENNEDY: Once you have this ultra-complicated password, you have to remember it.

LORRIE CRANOR: Some people have good memories and just practice and learn them. Other people resort to writing them down. I think we've been told for years that that's terrible, you should never write your password down, but that's not entirely true. If you can write your password down and store it somewhere safe—not on a Post-it note on your desk—then writing it down may not be a bad idea, and in fact it's better than just using the same password everywhere.

JULIA TAYLOR KENNEDY: What a relief. Of course, there are also some reliable password-storage software products—just be sure to research them and make sure they are secure.

Beyond passwords themselves, Cranor predicts in the aftermath of the attack on actress Jennifer Lawrence's and other celebrities' iCloud accounts, more companies will use a stronger security method called two-factor authentication.

LORRIE CRANOR: Two-factor authentication refers to any system where you have two different ways of protecting your information, and in order to get into the account you have to use both of them. So typically, one factor is a password. The second factor can be many different things. There are some services that will actually give you a physical object, usually a keychain that you can use as a physical access control mechanism, kind of like a key.

There are others that will set up a system where you provide your cell phone number, and in order to authenticate, you not only have to type in your password, but they will text a secret code to your cell phone, and you have to type in that code that you received on your cell phone. So there's different ways that it works.

JULIA TAYLOR KENNEDY: This is a much more secure option.

LORRIE CRANOR: If you set up a two-factor authentication then it's not enough to guess your password. So if you have a cell phone system and an attacker gets your password, types it in, the company will then text your cell phone. Unless the attacker has also stolen your cell phone, the attacker won't see that secret number and won't be able to get into your account. That's why it provides you that extra level of protection.

JULIA TAYLOR KENNEDY: But Cranor says two-factor authentication isn't exactly user friendly.

LORRIE CRANOR: I would like to see that companies devote some more effort to making two-factor authentication easy and to deploy it more widely. I'd also like them to do things that will happen automatically to protect you.

For example, when you're using a web browser to connect to websites, your traffic to websites should just be encrypted automatically. You shouldn't have to think about, "Oh, is there a lock icon?" or any of that kind of stuff. They should just take care of making sure that all of your information is encrypted so that an attacker who is eavesdropping on the connection isn't able to grab all your data. That's something that increasingly companies are starting to do, but it's not done all the time.

JULIA TAYLOR KENNEDY: If companies don't start making more usable privacy tools online, Cranor thinks they'll lose revenue.

LORRIE CRANOR: I don't think people will be willing to continue doing all of their commerce online, and doing all of their interactions with schools, and government, and whatever online if it's not made secure. So I think that kind of has to happen. How it's going to happen, I don't entirely know. But I think we're going to move in that direction.

JULIA TAYLOR KENNEDY: Security expert Bruce Schneier worries many people may start censoring their behavior online out of fear of government spies or hackers. He says it all leads to a lack of trust.

BRUCE SCHNEIER: When we learn that our data is being sold to marketers, or collected by the NSA, we are more likely to self-censor, we're less likely to use the systems, maybe we're less likely to buy something online, because we're afraid of criminals. This will really poison the Internet, and poison society's relationship with it.

JULIA TAYLOR KENNEDY: But regaining society's trust is complicated:

BRUCE SCHNEIER:—Because it's been lost through a variety of mechanisms. Now, to be fair, a lot of people still trust the 'net. Either they're not aware, or they don't care, and they're just using it anyway. But the more we can trust the Internet for everything, the more it becomes used for everything.

Just like when you turn the tap on, you trust that the water won't poison you. You don't even think about it. That's the level of trust you need on the Internet.

JULIA TAYLOR KENNEDY: How to get it back? Schneier's not sure.

BRUCE SCHNEIER: I'm going to make stuff up that will sound crazy. I can talk about things that are extreme. If we just disbanded the NSA, that would increase the trust. If we passed a law saying that data cannot be resold to third parties, that would increase the trust.

You could think of all these extreme things, and then there are a million little things from here to there. But anything that can be done to be sure that the Internet behaves in the way people expect it to behave will increase the amount of trust on the Internet.

JULIA TAYLOR KENNEDY: Thanks for listening to Impact from the Carnegie Council. Join us next time for a look at some of the ways big data is being used to improve our lives.

A special thanks to our production team, Mel Sebastiani, Terence Hurley, Deborah Carroll, and Amber Kiwan. I'm Julia Taylor Kennedy.