Why Do We Shoot Ourselves in the Foot in Cybersecurity?

In cybersecurity, we always live with a fog of threat surrounding us. Each day we learn of a new vulnerability or perhaps a successful attack. And some of these, for example, the recent SolarWinds attack, have a deep and lasting impact that can shake the foundation of our cybersecurity posture to the core. 

Too often we get consumed and sidetracked by false narratives around risk. After more than a decade in cybersecurity, there is one thing I know: not all threats are created equal, but unfortunately, they are often treated that way.

A few weeks ago there was an announcement of a potential vulnerability in one of the core protections that many of us promote for all users: security keys or tokens. These small pieces of hardware offered by two of our partners, Google and Yubico, are critical for primary account protection. So critical that Defending Digital Campaigns (DDC) strongly recommends security keys as the first thing every campaign should implement as soon as it launches. In the 2020 election cycle, DDC gave away more than 10,000 keys to campaigns.

So when I read the headline in The Hacker News, “New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys,” it quickly got my attention and sent a shiver down my spine.

Upon reading the article, I saw an egregious example of what I call cybersecurity theater. It’s the way the cybersecurity community spins information to create drama around a potential threat. Unfortunately, it’s a common practice in the cybersecurity space.

To my mind, this kind of theater does more harm than good, and in this case it verges on malpractice. These are strong words, I know, so let’s take a closer look.

The headline is misleading. If you base your reaction on the headline alone, and for many people that is all they will read, your takeaway might be that security keys are not effective. The risk is that some people will not adopt security keys because they read somewhere that the keys can be hacked. Hopefully, this won’t be the case, since what the researchers actually found is that keys are an effective security precaution: they create real obstacles to intrusion when they are in use.

Reading more deeply into the article (seven paragraphs down, assuming you have made it this far), you finally come to this:

“The key-recovery attack, while doubtless severe, needs to meet a number of prerequisites in order to be successful. An actor will have first to steal the target's login and password of an account secured by the physical key, then stealthily gain access to Titan Security Key in question, not to mention acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.”

And finally in the second to last paragraph:

“Although the security of a hardware security key isn't diminished by the above attack due to the limitations involved, a potential exploitation in the wild is not inconceivable.”

It’s not inconceivable that someone would come into my driveway one night, pop the hood on my car, disassemble my engine, remove a bearing from the driveshaft, put it all back together again, and depart before dawn. As we all know, anything is possible.

It took a long time for the idea that cybersecurity is about risk management to become a paradigm. The fact is that, through a risk management lens, 99.9% of computer users are not exposed to exploitation by the vulnerability the researchers describe in this article. Don’t forget that the headline called this a “New Attack” when in reality the article describes a theoretical possibility, not a known event. Yes, a determined nation-state might make a go of it, although they would have to have boots on the ground around the target.

I fully support the role of cybersecurity researchers who probe networks, hardware, and software for soft spots, as well as the media that help spread important news in the field. Their role is critical. But I think we need to hold ourselves, and the way we present issues to the public, to a higher standard. The researchers could have gotten just as much credit for framing their findings in a positive way.

It is difficult enough to get most people to follow basic cybersecurity advice. Why would we shoot ourselves in the foot and make it even harder for the public to adopt one of the most significant actions they could take to be safer and more secure online?

Author: Michael Kaiser is the President and CEO of Defending Digital Campaigns. You can follow him on Twitter at @MKaiserDDC.