President Trump's 100th day in office, which came on Saturday, is a good time to revisit the conversation begun when he signaled he would sign an executive order (EO) outlining cyber defense priorities and remedies. The draft EO bandied about was solid in its observation and scope, but even with all the media attention, it has yet to be released. However, I'll leave it to others to determine whether the passing of Trump's 90-day deadline for the EO is material enough to question the administration's seriousness.
Outside the beltway, in New York, innovation in cybersecurity moves at the speed of private sector demand. It isn't pinned to political wins, the 24-hour news cycle, or to mere expectations. Here real cyber threats are met with the world's top proposed solutions by the best startups and enterprises. Living in a literal grid under the constant threat of cyberattack has created a sense of urgency not seen since the dot com era. Innovators do work, deadlines are met, and there's great success across the board.
Fortunately, security leaders have reached some level of consensus on much of what's expected in the coming EO. Talking about cybersecurity at the executive level is a net positive, except when strong encryption is roundly dismissed. End-to-end encryption is the fundamental element that makes cyber defense possible and it's remarkable to see that legislators think "the jury is still out" on this issue. Undoubtedly, newsmakers should revisit the way encryption is discussed. There needs to be a sense of ongoing urgency around adoption of strong encryption from the private sector to the general public.
Government discussion around strong encryption almost always leads to backdoors. Backdoors are double-edged swords that already have, and almost certainly will, backfire catastrophically once a third-party gains access to them. They create a false sense of control that melts away nature's game face. It's often been said that reliance on false security is worse than no security. If users feel secure they'll behave as if they are protected, rather than being vigilant in the absence of any security. We've seen just how bad this concept can backfire when it was revealed that the Juniper backdoor could have left government communications open for years.
The encryption dialogue raises a good point. In general, we should commit to distinguishing between security that's "good enough" and security that’s great, and always default to the latter. Several truths that we see in the startup arena have failed to penetrate the legacy enterprise, legacy IT, and government spheres. From Yahoo! to the OPM breach, we get hit with an almost comedic number of "told you so" moments in the cyber game.
The username-password login scheme is a prime example of "good enough" security that fails time and time again. Two-thirds of data breaches are credentials-based and for some reason, we think repeated reliance on passwords doesn't meet the definition of crazy. Even two-factor authentication and password managers have been proven ineffective against low-grade hackers and script kiddies. Now with the SMS soft token being deprecated by the Department of Commerce's National Institute of Standards and Technology, we’re seeing a paradigm shift in authentication.
In an effort to move away from the single point of failure, Fortune 500 enterprises are deploying biometric security for password-less authentication. We're seeing accelerated adoption of open standards such as FIDO authentication promulgated by the Fast IDentity Online (FIDO) Alliance, a consortium of our best and brightest. FIDO-based solutions marry two existing technologies, public key cryptography and biometrics, in an effort to replace passwords with next-gen authentication. Enterprises are learning from the mistakes of the OPM breach and are now ensuring that biometrics are never held by the service provider or the security vendor. Instead, the end user maintains control of their biometric data on a mobile device or laptop through a concept known as biometric tokenization. We're seeing Windows 10, Samsung devices, and the iPhone all leverage some type of decentralized authentication to achieve this goal of next-gen security. It's time to ask, “What could go right?”
That brings us to the government, which, as the private sector, should adopt the same policies to phase out passwords. Government agencies may always have an appetite for storing biometric data, but adopting the decentralized approach to authentication will tighten security, reduce friction and costs.
The stakes are high for all mentioned in Trump's draft cybersecurity EO because inside and outside the beltway, our world is growing more connected. Stakes are also higher than ever because an astounding 90 percent of all available data has been produced in the last two years. Tomorrow's partial losses will make yesterday's total losses seem tiny. If we're using the 100-day mark to talk and work on cybersecurity, let's support the tools that work—and abandon ones with the most obvious, fatal flaws.
George Avetisov is the CEO of HYPR, an innovator in the industry of biometric authentication.
The views expressed by contributors are their own and are not the views of The Hill.