A common adage in the world of cybersecurity is that the human is always “the weakest link”: that no matter what new technologies we come up with, we will never be able to “fix” humans, who will always be prone to mistakes that can compromise otherwise secure systems.
Unfortunately, whoever uses this stock phrase is often thinking the end user—that is, the victim of the hack—is “the weakest link.”
Women who are stalked by abusive partners with cheap Android spyware apps are blamed and told to get an iPhone. Human rights defenders who get pwned by a $1 million iPhone jailbreak are blamed for clicking on phishing links. If you’re among the 50 million or more Facebook users whose profiles were hacked, well, that’s what you get for using Facebook!
As the internet, our devices, and our digital identities become more complex, we have less control over them as users. And the less control we have, the more the phrase “the human is the weakest link” sounds like victim blaming.
Take SIM hijacking for example, the increasingly common scam where criminals impersonate victims and steal their phone numbers. There is not much—if anything—a person can do to stop this from happening. This exploits the cellphone providers themselves, who, by the way, want even more control over your data.
Another adage in cybersecurity is that if you’re targeted by a powerful adversary—when infosec pros use this phrase they’re thinking the NSA or Russia’s Fancy Bear—there’s nothing you can do. But as it turns out, there’s not much you can do even if your adversary is a 15-year-old who wants to spy on you through your Mac webcam. As incredible as that sounds, this is a real story. 28-year-old Phillip Durachinsky is accused of spying on hundreds of strangers for 14 years. His Mac malware went completely undetected for all those years.
We’re increasingly giving big and small corporations full control over our data, our security, and privacy. Thousands of companies, for example, entrust all their most precious information—not only emails but also internal documents and communications—to Google, Microsoft, or Slack. Many of these companies take security incredibly seriously, and have plans in place in case those other companies get pwned, but many others do not care or don’t have the resources to care. Even those companies that do have good security teams still outsource some of their security to others—just like the rest of us.
That’s how incidents like the SIM swapping of thousands of T-Mobile customers, the hack of a million people who use Google Documents, and the data breach that hit more than 50 million Facebook users, can be seen as relatively “small.”
So much for us, the users, being “the weakest link.”
The weakest link is often no longer the human, at least not the human at the end of the tech food chain. In other words, it’s the infrastructure that increasingly controls our data without giving us a chance to do anything about it.
In this brave new digital world, what can you really do to protect yourself? And where are technologies failing us?
This is the theme of this year’s Motherboard hacking week, “The Weakest Link,” which we’ll be rolling out later this fall.
Do you have a story that shows how untrustworthy our digital infrastructure is? Or that underlines how so-called minorities are unfairly forgotten by the cybersecurity industry?
If you have any stories related to these ideas, please pitch me directly at firstname.lastname@example.org, or at email@example.com.
Please send your pitches with a proposed headline, a three-to-four-sentence description, word count, and deadline, as we suggest you do in our guide to pitch to Motherboard.