This past August, the Toronto Star reported that in the four months prior, the Canadian federal government had incurred 101 privacy breaches – an average of almost one a day. The same summer, the National Research Council was forced to isolate its IT systems due to an attack from a “highly sophisticated Chinese state-sponsored actor.”
News like this, while troubling, is unfortunately not surprising. In the modern digital age, the threat of the next cyberattack is constantly looming, and the numbers are startling. There are 10 million daily hack attempts against the Pentagon alone, according to media sources. And a Ponemon Institute report estimates that recovering from a breach costs U.S. companies $3.5 million each on average.
The conclusion is clear. If governments want to avoid vulnerabilities that can lead to espionage, sabotage and terrorism, they need to protect their digital assets and resources. Canada is no exception. In fact, the Star also reported that federal public servants have been urging Ottawa to adopt a more coherent plan to address large-scale cyberattacks like the Heartbleed bug.
But the question is not whether the government of Canada should do something to combat online crime. It’s: what should they do?
My answer won’t shock anyone. After 25 years in the IT industry, managing security teams at leading tech and telecommunications companies such as Bell, I recently transitioned to a field that I believe embodies the future of cybersecurity: two-factor authentication (2FA) for access to online assets. And 2FA, of course, is my proposed response. However, it’s not so simple.
The government already knows that password-only protection is not enough. Its departments and agencies have already implemented 2FA. The problem is the methods of 2FA deployment currently in use – hard tokens and public key infrastructure (PKI) certificates – are legacy methods. They no longer hold up in terms of security, scalability and cost.
That’s why Ottawa must embrace not only the future of cybersecurity but also of 2FA: a phone/desktop-as-token solution. I’ll explain more about what that means later.
For those who don’t know, 2FA is an authentication mechanism that requires users attempting to access corporate resources (e.g., Virtual Private Networks, known as VPNs) to present two independent factors: something they know (a traditional password) and something they have (a randomized code or token).
There are various types of 2FA solutions. Some involve sending one-time passwords (OTPs) or randomized codes through out-of-band SMS channels, which I would like to stress are not necessarily secure. With hard tokens, such as RSA’s SecurID, OTPs are displayed on key fobs.
But supplying a physical token to thousands (if not more) of people is inconvenient and expensive. Tokens are easily lost, resulting in the need to keep extra inventory in stock. Plus, if intercepted, OTPs can be copied onto other devices. RSA itself was the victim of a security breach in 2011, which showed that attackers would have the means to generate certain valid token values.
PKI certificates, which can be thought of as virtual ID cards, are also used extensively by the government. When first implemented, they provided the security and the cryptography necessary to protect networks and online applications. However, due to costs, ongoing administration and difficulties with end-user adoption and acceptance, they have turned out to be a prohibitive solution.
Instead, the government should adopt a mobile-as-token alternative (some of which are available for desktops as well) in order to achieve the highest level of two-factor protection at the lowest possible cost.
The best of these 2FA systems are cloud-based (in either public or private clouds). They leverage existing virtualization and mobile investments to send access requests to users’ smartphones, laptops or desktops via push notifications (not SMS or OTPs), essentially turning the device into a strong second-factor token or credential. This is especially advantageous in a BYOD (bring your own device) context.
There are a host of other advantages that would come into play in a government setting. I’ll just mention a few of them here:
Scalable: Federal departments and agencies are large and far-reaching, meaning 2FA must be provisioned in mass quantities to thousands or millions of users. Without hardware (such as hard tokens) to supply, and by using the smartphones, tablets and desktops already at employees’ disposal, the government would save time and money. Since these devices are second nature to users, adoption would improve and, in turn, so would security, while training is eliminated and administrators’ time is freed for more important tasks.
Secure: While OTPs can be transferred to other devices and cracked, the best phone-as-token solutions create a 1:1 correlation between the service and the device, essentially fingerprinting it. This means a digital asset cannot be accessed unless the user has the specific device at hand.
Global: Public service employees often travel and work remotely. Through its use of wireless push notifications rather than SMS, this form of 2FA protection is borderless.
Contextual: Unlike other methods of 2FA, this approach provides real-time contextual information that would complement government fraud detection systems. For example, an illegitimate access request might pop up specifying that it is coming from Russia, which would be beneficial for locating the source of the threat.
Cost-effective: Requiring no additional infrastructure eliminates overhead expenses. With no expiry fees, license renewals or extra inventory, this method reduces the cost of issuing, managing, replacing and administering two-factor authentication systems, and of supporting users, by up to 75 percent compared to hard tokens and PKI certificates.
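To make the push-approval model and the device-binding property described above concrete, here is an added illustrative example; it is not LoginTC’s code or design, and the symmetric device key it uses stands in for a private key that would stay on the enrolled device (with only a public key on the server) in a real deployment. Every approval is tied to a specific request id, user and context, so an approval intercepted for one request is useless for another, unlike a bare OTP, which is a bearer value.

```python
import hashlib
import hmac
import secrets

# Constructed push-approval second factor (illustrative, not any vendor's implementation).
# The device key stands in for a private key that never leaves the enrolled device.

class PushAuthServer:
    def __init__(self):
        self.device_keys = {}  # user -> key of the enrolled device
        self.pending = {}      # request id -> {"user", "context", "expires"}

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key  # delivered to the device once, at enrollment

    def start_login(self, user, context, now, ttl=60):
        # The request id and the context string are what get pushed to the device,
        # so the user sees where the request comes from before approving it.
        rid = secrets.token_hex(16)
        self.pending[rid] = {"user": user, "context": context, "expires": now + ttl}
        return rid

    def complete_login(self, rid, decision, mac, now):
        # pop() makes each request one-time: a replayed approval finds nothing pending.
        req = self.pending.pop(rid, None)
        if req is None:
            return False
        if now > req["expires"]:
            return False  # approval arrived after the prompt expired
        expected = approval_mac(self.device_keys[req["user"]], rid,
                                req["user"], req["context"], decision)
        return hmac.compare_digest(mac, expected) and decision == "approve"

def approval_mac(device_key, rid, user, context, decision):
    # The device authenticates the whole request (id, user, context, decision), so the
    # result cannot be reused for a different request, user or context.
    msg = "|".join([rid, user, context, decision]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()

def demo():
    server = PushAuthServer()
    key = server.enroll("alice")
    ctx = "VPN login from 203.0.113.5 (geo: RU)"  # constructed context shown on the device
    rid = server.start_login("alice", ctx, now=1000)
    mac = approval_mac(key, rid, "alice", ctx, "approve")
    first = server.complete_login(rid, "approve", mac, now=1010)
    replay = server.complete_login(rid, "approve", mac, now=1011)
    return first, replay  # (True, False)
```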
It is understandable why Ottawa would opt to rely on traditional, and therefore trusted, legacy methods of 2FA rather than take a risk on cutting-edge solutions. But, in that case, we must ask ourselves: What is the real risk? Does the risk lie in embracing new top-of-the-line technologies for government and public protection, or does it lie in sticking to predictable methods of 2FA that, in a rapidly shifting digital landscape, fall utterly short?
The future of 2FA isn’t far off. In fact, it’s here right now, and it’s totally secure. It’s high time the government upgraded to a system that meets the needs of the modern day.
Cyphercor’s two-factor authentication solution LoginTC is pre-approved for federal procurement through a PWGSC Software Licensing Supply Arrangement. Cyphercor has also pre-qualified to participate in the Build in Canada Innovation Program (www.logintc.com).