The Presidential Commission on Cybersecurity Overlooked the Biggest Attack Vector
The U.S. Presidential Commission on Enhancing National Cybersecurity recently delivered a 90-page report to the President, the result of 10 months of work by 12 distinguished commissioners. It contains six major imperatives, 16 more specific recommendations, and 53 action items, “with many meriting action within the first 100 days of the new Administration.”
There’s just one problem: the Commission completely overlooked email, the primary vector through which most cyberattacks happen.
In fact, if you search through the report, you won’t find the word email (or e-mail) mentioned at all — not one single time. That seems like a serious oversight.
The oversight is surprising because email servers and their security (or lack of security) have been a major topic of discussion in the American political and news landscape for the past year.
But the omission is also a problem because email is, in fact, the route through which a huge number of attacks happen. As Verizon’s recent Data Breach Investigations Report noted, hackers often start their attacks with phishing, “which leads to other events that are not going to make your day.”
Yet the Presidential Commission located the primary problem elsewhere: “Identity, especially the use of passwords, has been the primary vector for cyber breaches — and the trend is not improving despite our increased knowledge and awareness of this risk.”
To say that identity theft (via stolen usernames and passwords) is the primary vector for attacks is to miss an important step: How attackers actually get those passwords. As Verizon correctly notes, it is generally through phishing emails aimed at either delivering malicious attachments, getting you to click on a link that leads to a malicious site, or simply convincing you to reply to the email with private information. In all three cases, the phisher’s game is to pretend to be someone you know and/or trust (a friend, a trusted company, or your boss) in order to get you to lower your guard and do something that will give them access.
Verizon’s report is hardly the only source to identify email as a major vector. Email was involved in every major cyberattack in 2014, and according to Cloudmark, spear phishing played a role in 38% of all attacks in 2016, including all of the largest. Phishing is also how the hacks on the Democratic National Committee likely began, according to the cybersecurity firm that analyzed that breach.
Since the data show that phishing is such an important vector, it’s a mystery why the Presidential report doesn’t mention it.
Fortunately, the risk of phishing can be greatly reduced using open email authentication standards that exist today. DMARC, SPF, and DKIM have been around for years and are widely supported by the majority of consumer email providers (Gmail, AOL, Microsoft, and Yahoo, to name a few). Corporations and government organizations that set up email authentication can reduce their own risk of being phished, and can all but eliminate the chances of phishers pretending to be from those organizations.
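Whether a domain actually gets the spoofing protection described above depends on what its published SPF and DMARC records say, since a DMARC policy of p=none only monitors. The following audit is an added example, not code from this article or from any of the standards' authors; the function names are hypothetical, the TXT records are constructed samples, and it assumes the records have already been fetched from DNS.

```python
# Added example: audit already-fetched SPF and DMARC TXT records (no DNS lookups here).

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict (tag names lowercased)."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(domain_txt):
    """domain_txt: TXT strings published at the domain itself."""
    spf = [r.lower().split() for r in domain_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["spf: no record"]
    if len(spf) > 1:
        return ["spf: multiple records (permerror, RFC 7208)"]
    terms = spf[0][1:]
    if "all" in terms or "+all" in terms:
        return ["spf: +all authorizes every sender"]
    if not any(t.lstrip("-~?") == "all" or t.startswith("redirect=") for t in terms):
        return ["spf: no 'all' term, unlisted senders evaluate to neutral"]
    return []

def audit_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings published at _dmarc.<domain>."""
    recs = [t for t in map(parse_tags, dmarc_txt) if t.get("v") == "DMARC1"]
    if len(recs) != 1:
        return ["dmarc: no usable record (found %d)" % len(recs)]
    tags, out = recs[0], []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        out.append("dmarc: p=%s does not block spoofed mail" % (policy or "missing"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        out.append("dmarc: sp=none leaves subdomains unprotected")
    if tags.get("pct", "100") != "100":
        out.append("dmarc: pct=%s applies policy to only part of failing mail" % tags["pct"])
    if "rua" not in tags:
        out.append("dmarc: no rua, aggregate reports are not requested")
    return out

def audit(domain_txt, dmarc_txt):
    return audit_spf(domain_txt) + audit_dmarc(dmarc_txt)

# Constructed sample records (documentation domains and address ranges).
ENFORCED = (["v=spf1 include:_spf.example.net -all"],
            ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"])
MONITOR_ONLY = (["v=spf1 ip4:192.0.2.0/24 ~all"], ["v=DMARC1; p=none"])
OPEN = (["site-verification=constructed", "v=spf1 +all"], [])
if __name__ == "__main__":
    for name, rec in (("enforced", ENFORCED), ("monitor-only", MONITOR_ONLY), ("open", OPEN)):
        print(name, audit(*rec) or "ok")
```

An empty findings list means the domain publishes a single SPF record that does not authorize all senders and an enforcing DMARC policy with reporting; DKIM is not checked here because its keys live under per-sender selectors.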
If you want to stop cyberattacks, you need to go to their point of entry: phishing emails. And the most effective way to slash the effectiveness of phishing is with email authentication. (Read our white paper on email authentication for more details.) That’s why we believe email authentication belongs on the top of the commission’s list of recommendations.