Hacking Trump Might Not Be So Easy
President-elect Donald Trump has attracted ridicule for his solution to computer hacking: Write stuff down and send it by courier. Actually, given what we've seen in 2016, that might not be such a bad idea.
Some of the biggest security breaches in history came to light in the past year. Hackers compromised 68 million accounts at Dropbox, 100 million at LinkedIn, 400 million at AdultFriendFinder, 427 million at Myspace, and more than a billion at Yahoo. And then there were the hacks of the Democratic National Committee and the email server of Hillary Clinton’s campaign chairman.
People tend to size up assailants by the amount of damage they do: The bigger the data breach, the bigger the attacker. Targets embarrassed by hacks encourage this perception. Yahoo attributed its intrusion to a state-sponsored actor. U.S. intelligence officials insist that “only Russia's senior-most officials could have authorized” a hack significant enough to influence the outcome of the presidential election.
This logic made sense a century ago, when only powerful nation-states commanded enough resources to launch big military attacks. But technology has leveled the playing field. The DNC hackers employed cheap phishing emails and commodity malware. As President Barack Obama noted, “this was not some elaborate, complicated espionage scheme.”
Hacking takes advantage of vulnerabilities or loopholes. Breaches tend to reflect the target's fragility more than the hacker’s strength. Suggesting that only formidable opponents are capable of big attacks is dangerous, because it distracts attention from the flaws of the underlying system.
Consider the 2014 breach at Sony Pictures, which exposed terabytes of sensitive data including a lot of embarrassing emails. The overwhelming focus on North Korea as the purported attacker obscured the fact that thousands of company passwords were stored in an unencrypted file directory labeled “Password.” And at Yahoo, concerns about Russian government involvement helped draw eyes away from reports that Yahoo's own abetting of U.S. government surveillance may have made its customers' emails more vulnerable.
Yes, it’s unfortunate that bad people are out there getting into private email servers. But acting like a victim is unproductive. If a low-grade email breach can really lead to the installation of a Siberian puppet regime, this playbook has now been observed by China, North Korea, Iran, and everyone else on the planet. The tools and instructions are available on the internet for the next election. The correct response is to close the exploit and prevent future attacks.
Even with new technology, old defense strategies can be useful. If the DNC hack was a “cyber Pearl Harbor,” then perhaps we can gain some insight from that experience. One important lesson: Don't park the entire Pacific fleet in one place. After World War II, President Truman applied this to a possible atomic-bomb attack, establishing the National Industrial Dispersion Policy to spread industrial sites out of city centers.
These days, companies and organizations tend to park all their data in the same place. Back when information was stored on paper, breaches were limited to what a person could get out of a locked filing cabinet. Now that digital files are free to replicate, a single email account can contain the equivalent of dozens of filing cabinets secured at a single point of entry. Encryption helps, but a better strategy is to avoid concentrating data in digitally accessible form in the first place.
Which brings us to Trump's couriers. It's not a solution for everyone, but it’s not a bad idea for the president. It’s pretty safe to assume that foreign intelligence services read the electronic communications of all our government leaders. Those aren’t my words; that’s according to former NSA Director Michael Hayden.
As long as digital information exists on computers, hackers will try to steal it. A courier can be intercepted, but one messenger is unlikely to release a decade’s worth of emails, much less allow access to the contents of other people’s inboxes as well. Sometimes the rejection of technology is prudent. If only Trump applied that to Twitter, too.
Security researchers at ESET have documented the source code for the malware found on DNC servers. The malware could very well have been written by a foreign government, but it also exists in the wild, meaning it can be reused by anyone.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Elaine Ou at firstname.lastname@example.org
To contact the editor responsible for this story:
Mark Whitehouse at email@example.com