Recently, I asked Harvard PhD and ProtonMail co-founder and CEO Andy Yen his thoughts on how to prevent government cybersecurity attacks. A physicist and economist by training, Andy was part of the ATLAS experiment at CERN, where his research focused on searches for supersymmetric particles. He is translating his experience in large-scale computing to build the infrastructure that is used to run ProtonMail. With two colleagues, Wei Sun and Jason Stockman, he co-founded ProtonMail, an encrypted email startup based in Geneva, Switzerland, that seeks to make secure email accessible. The group aims to advance internet security and protect online privacy rights by making it possible for everyone to incorporate encryption into their everyday communication. Check out Andy’s TED talk on email privacy. See his thoughts below:
Why do you believe governments are susceptible to cyber-attacks?
Yen: Depending on the size of the governmental institution and the amount of sensitive data it holds, the risk of a cyber-attack occurring varies. The biggest challenges governments face are usually network infrastructure security, malware infections, and, as we've witnessed the past week, software patching. Some, like the federal agencies, have larger budgets and trained security personnel. However, this is not always spread across the institution, and vulnerabilities may still exist. Quite often budgets for software updates are not present, which is common practice in state agencies around the globe. This extends further to sensitive institutions like hospitals, prisons, schools, national archives and more.
Unfortunately, the WannaCry event revealed a grim truth in regard to how intelligence agencies can jeopardize the world by taking advantage of software vulnerabilities, instead of collaborating with manufacturers to keep digital products secure. The ransomware attack relied on a Windows exploit called EternalBlue, which was originally written by the NSA. Ironically, WannaCry has also attacked U.S. government systems.
In your experience, what are the most common cyber-attack methods used by hackers?
Yen: The easiest to implement and at the same time most widespread form of cyber-attack is phishing. It doesn't require complicated technical skills, and it has a very decent success rate. Depending on the end goal, it could develop into ransomware or malware for data theft. Its effectiveness comes from its bottom-up strategy, always going after the individual user, luring them into the trap with various levels of personalized gimmicks. To put it into perspective, studies estimate that about 50% of spear-phishing (a very personalized social engineering tactic) targets become victims because they click. As we've seen in the DNC case before the U.S. elections, even trained personnel can be tricked when the attacks are sophisticated.
Beyond the DDoS cyber-attacks, which brought down the Amazon platform and affected anyone who had a dependency, and the NHS attacks in the U.K., what are the cybersecurity trends to note? Where do you see potential vulnerabilities for governments now and in the future?
Yen: It's difficult to determine how cyber-attacks will develop and morph over time. We will see more creative phishing techniques and more previously undetected software vulnerabilities surfacing. Social engineering techniques have been spreading beyond email to social media and mobile; however, in the case of official entities, email will still be the number one vector for cyber-attack delivery. Email has been the focal point of many of the damaging compromises recently, so encrypted email solutions, like ProtonMail, will do a lot to secure organizations. Going forward, I believe we will see more and more enterprises adopting strong encryption.
Given the nature of the attacks and having to turn on the kill switch to stop the most recent attack, what can global governments do to prevent, curb, or stop cybersecurity hacks?
Yen: There are many things governments could and should do to increase their protection against cyber-attacks. Preventing data breaches by using secure and encrypted ways of communicating and storing information, keeping software up to date, training personnel on cybersecurity best practices, keeping secure backups, and investing in better equipment are common sense. In times of intense digitalization, budgets should shift to high-performing security teams, systems and infrastructures. Because of technological advancement, cyber weapons are becoming increasingly easier to create or purchase on the dark market, and state institutions don't currently seem able to keep up with it. Allocating more budget and investment in this area is necessary. Overall, though, the best way to protect data is to encrypt it, and that's the direction governments need to go in.
With the recent international cyber-attacks on the NHS in the U.K., any thoughts on how governments can thwart cybersecurity hacks in the future? Do you have any suggested ways to increase protections?
Yen: There is an adage in the cybersecurity space stating that data breaches are a matter of when, not if. What ProtonMail is doing, and we cannot stress the importance more, is encrypting data. The most efficient way of preventing data theft is to have nothing to steal. End-to-end encryption achieves this because the servers only store encrypted data, so breaking into a server doesn't lead to a massive data leak.
Finally, governments need to stop pushing for the idea of an encryption back door. If we have learned anything from the recent WannaCry ransomware, it is that there is no such thing as a back door that only lets the good guys in. If there is a back door or vulnerability, it is only a matter of time before criminals find and exploit it. So the best way is to not have a back door in the first place, and to responsibly disclose all vulnerabilities the instant they are found.
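The following is an added example, written for this page rather than taken from ProtonMail (whose actual protocol is not shown here), to make Yen's "nothing to steal" point concrete. Two clients agree a key over X25519 and seal a message with AES-256-GCM; the server-side store holds only the ciphertext, nonce and the sender's ephemeral public key. A simulated breach searches that store for the message text and finds nothing, while only the holder of the recipient's private key can decrypt. The type and function names are hypothetical, the SHA-256 key derivation is a simplification (a real system would use HKDF), and the sample message is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// StoredMessage is all the (hypothetical) mail server keeps per message. None of
// it is useful without the recipient's private key, which never leaves the client.
type StoredMessage struct {
	SenderPub  []byte // sender's ephemeral X25519 public key
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// Recipient is a mail client holding a long-term X25519 key pair.
type Recipient struct{ priv *ecdh.PrivateKey }

func NewRecipient() (*Recipient, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Recipient{priv: priv}, nil
}

// PublicKey is the only key material the recipient ever uploads to the server.
func (r *Recipient) PublicKey() []byte { return r.priv.PublicKey().Bytes() }

// deriveKey maps the X25519 shared secret to an AES-256 key. Simplification:
// production code would use HKDF with context info instead of a plain hash.
func deriveKey(shared, senderPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(senderPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the sender's client: ephemeral X25519 agreement with the
// recipient's public key, then AES-256-GCM with the ephemeral key as associated data.
func Encrypt(recipientPub, plaintext []byte) (StoredMessage, error) {
	curve := ecdh.X25519()
	rp, err := curve.NewPublicKey(recipientPub)
	if err != nil {
		return StoredMessage{}, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return StoredMessage{}, err
	}
	shared, err := eph.ECDH(rp)
	if err != nil {
		return StoredMessage{}, err
	}
	senderPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, senderPub, recipientPub))
	if err != nil {
		return StoredMessage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredMessage{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, senderPub)
	return StoredMessage{SenderPub: senderPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt runs on the recipient's client with the private key the server never saw.
// A wrong key or a tampered ciphertext fails the GCM tag check and returns an error.
func (r *Recipient) Decrypt(m StoredMessage) ([]byte, error) {
	sp, err := ecdh.X25519().NewPublicKey(m.SenderPub)
	if err != nil {
		return nil, err
	}
	shared, err := r.priv.ECDH(sp)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, m.SenderPub, r.PublicKey()))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, m.Nonce, m.Ciphertext, m.SenderPub)
	if err != nil {
		return nil, fmt.Errorf("decryption failed (wrong key or tampered message): %w", err)
	}
	return pt, nil
}

// LeaksPlaintext models the breach: an attacker who copies the server's store
// searches every stored field for the message text. True only if it is in the clear.
func LeaksPlaintext(store []StoredMessage, plaintext []byte) bool {
	for _, m := range store {
		for _, field := range [][]byte{m.SenderPub, m.Nonce, m.Ciphertext} {
			if bytes.Contains(field, plaintext) {
				return true
			}
		}
	}
	return false
}

func main() {
	alice, _ := NewRecipient()
	msg := []byte("Q3 procurement figures attached") // constructed sample message
	stored, _ := Encrypt(alice.PublicKey(), msg)
	fmt.Println("breached server reveals plaintext:", LeaksPlaintext([]StoredMessage{stored}, msg))
	pt, err := alice.Decrypt(stored)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", pt, err)
	mallory, _ := NewRecipient()
	_, err = mallory.Decrypt(stored)
	fmt.Println("other key decrypts:", err == nil)
}
```

The design choice worth noting is the split of trust: the server is a dumb store of `StoredMessage` values and is never given anything that can turn them back into text, so a full copy of its database is the "nothing to steal" Yen describes. The GCM tag also means that a breached server cannot silently alter stored mail without the recipient noticing on decryption.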
To this end, we met at the Consul General's residence in San Francisco. Switzerland would like to become the cybersecurity hub of the world. How are you and your company helping to advance that agenda?
Yen: Switzerland has always been forward thinking and active in protecting privacy and security. Having a strong private banking sector means that privacy has always been at the forefront of Switzerland’s economy. However, the global economy is rapidly going digital, and in fact, data is the currency of the future and much more valuable than gold. Thus, data security is a fast growing economic sector, which, given sufficient support and critical mass, could eventually eclipse the banking sector in terms of economic significance in Switzerland. By supporting companies like ProtonMail, Switzerland is actively promoting and supporting a growing tech ecosystem, which will be essential for establishing Switzerland as a global digital security hub.