NSA Releases Cybersecurity Report

Earlier this month, the National Security Agency (NSA) released their latest Cybersecurity Report.  The report focuses on how to respond to national-level threats, including multiple ransomware attacks on U.S. critical infrastructure, such as the Solar Winds attack. Such “systems control” attacks can wreak nationwide havoc if attackers are able to take control of critical facilities such as power plants and air-traffic control. For the first time, this report shows that Cybersecurity has become a top priority for the US Government as an aspect of National Security. But ransomware attacks are only one part of the problem.

The NSA report validates the fact that static passwords – the classic form of user authentication – is the “weakest link” for ransomware attacks. In the past few years, the single highest cause for ransom attacks is the breach of user credentials. In the Colonial Pipeline attack from last year, hackers breached Colonial’s servers by stealing a simple static password. The same thing happened with the recent data theft on Planned Parenthood. In fact, a data breach report  released by Verizon recently found that credentials are the most sought-after form of data, which is not surprising since a single compromised user credential can be enough to infiltrate an organization and gain control of its network.

It has now become crystal clear where the problem lies –access to these credentials!

Ironically, this is one area where the industry or private enterprise is lagging behind.  Most cybersecurity strategies in the private sector are reactive, rather than proactive or defensive. The traditional approach has been to set up as many layers of security as possible and hope that it is enough to stop an attacker or, at least, slow them down long enough to catch them before they cause too much damage. In other words, “make it harder for the hacker to get user credentials.”  Yet, since the inception of the internet, the underlying foundation of static and reusable credentials has not changed.  Companies are using “band-aid” fixes to plug a gaping hole in a forty-year-old dam, instead of simply getting rid of the dam and building a new one.

And the costs because of these band-aid fixes are increasing every year. According to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), over 450 ransomware attacks were reported in the first half of Y2021 with over $590 billion paid by victims, compared to $419 million in Y2020. This was an increase of 282% in a single year!

With the rising volume and cost of breaches, it is clear that band-aids will not hold back the water any longer and this reactive approach is simply not sufficient. Attackers are consistently able to exploit user identities to reach deep within the network and execute their strike at the time and place of their choosing.  Industry trying to prevent hackers from stealing user credentials is a losing battle.  We should simply be moving away from maintaining static credentials in the first place, so if a user is hacked, their credential will not be valid any longer – in other words, render credentials useless to hackers.

Which leads to a paradox—how can we make sure that user authentication doesn’t work for hackers while still letting users into their accounts?

One solution lies in “dynamic” credentials – credentials that change at every instance of a user logging in.   Dynamic credentials, can be implemented in several ways, but the key aspects of the “dynamism” is that they must be entirely unpredictable, easily available to the user, and not have the capability of being stored in any server. One solution is to base the dynamic credentials on factors that constantly change, such as stock price, weather temperature in a city, air-quality index (AQI) in a certain city, etc.  Other methods, such as complex, unpredictable, computer-generated passwords are being tried by some websites as a solution; however, this lacks the ease of accessibility and remembering to users.  Whatever the answer may be to prevent user authentication credential thefts in future, one thing is certain: the use of static and reusable passwords must be ended in order to solve this problem.

Janani Mohan

Note: The author welcomes feedback on this article.