This summer has seen a series of IT security breaches in the government.
On July 18, hacker collective Anonymous leaked a list of congressional staffers’ emails and passwords on an online message board, revealing more than 2,100 logins. Although a memo later revealed those emails belonged to past Hill employees, current users of the compromised email contact systems were urged to change their credentials.
As recently as last week, three White House employees on the president’s social media outreach team had their personal emails hacked. The hackers sent malicious emails with fraudulent links from these compromised accounts, and more than 12 people were targeted in this attack.
And to add to the headaches: There have been weekly headlines about China spying on U.S. intelligence and in June, former Booz Allen Hamilton contractor Edward Snowden revealed secrets about widespread U.S. surveillance programs.
So, what gives: Are passwords with symbols, uppercase letters and seven-digit minimum standards a thing of the past?
It seems so. This evolution stems from the convergence of several factors, said Charles Romine, director of the Information Technology Laboratory of the National Institute of Standards and Technology. For example, there has been a substantial increase in the number of actors seeking to compromise U.S. cybersecurity, and these adversaries also have more computing power than ever available to them.
To keep up, passwords need to evolve to become more complex, Romine said.
“Government has been moving toward longer and longer passwords, with more distributions of different characters,” he said. “By introducing passwords with higher levels of complexity, it is some assurance that a brute force attack will take a bit longer.”
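To put numbers behind Romine’s point about length and character variety, here is an added example (not from the article, NIST or any agency) that computes the search space, entropy and average exhaustive-guess time for a few password policies; the guess rate is an illustrative assumption, not a measured figure.

```python
import math

# Character classes referenced by typical complexity rules (printable ASCII counts).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Illustrative policies to compare: (minimum length, required character classes).
ALL_CLASSES = ("lower", "upper", "digit", "symbol")
POLICIES = {
    "7 chars, all classes": (7, ALL_CLASSES),
    "12 chars, lowercase only": (12, ("lower",)),
    "16 chars, all classes": (16, ALL_CLASSES),
}

# Assumed, constructed guess rate; real rates depend on the hash function and hardware.
ASSUMED_GUESSES_PER_SECOND = 10**10


def alphabet_size(classes):
    """Number of distinct characters a password drawn from these classes may use."""
    return sum(CHARSET_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Total candidates an exhaustive (brute-force) search must consider."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Keyspace expressed in bits, the usual way to compare policies."""
    return length * math.log2(alphabet_size(classes))


def expected_guess_seconds(length, classes, guesses_per_second):
    """Average time to hit a uniformly random password: half the keyspace."""
    return keyspace(length, classes) / 2 / guesses_per_second


def compare_policies(guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Map each policy name to (entropy in bits, expected seconds to guess)."""
    return {
        name: (entropy_bits(n, cls), expected_guess_seconds(n, cls, guesses_per_second))
        for name, (n, cls) in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (bits, secs) in compare_policies().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{secs / 86400:,.1f} days on average")
```

The output shows that a 12-character lowercase-only password has a larger search space than a 7-character password drawn from all four classes, which is why the guidance trends toward length first.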
However, the human mind is only capable of so much. Most federal employees have up to 10 systems they log into, which can mean keeping track of multiple complex passwords. Worse, if someone reuses the same password for every system login, a single compromise exposes all of them, making the user even more vulnerable to attack.
“There’s a human limitation you simply cannot overcome; it exceeds workers’ cognitive abilities,” Romine said.
Some federal agencies have already started to think beyond traditional passwords to further secure their information. Paving the way, the Defense Department began using common access cards in 2001 for physical access to buildings. CACs are very small, highly secure microcomputer chips embedded in a card. By 2006, CACs were used to access any computer in any DOD facility, which helped reduce the number of compromised accounts and computer intrusions by 46 percent.
Currently, all federal employees have a personal identity verification card that grants them physical access to buildings.
Neville Pattinson, who manages government programs and affairs at Gemalto, said the next move in password security will be on mobile devices.
“There’s a strong case to protect all mobile devices, and the bigger question of how to do it,” he said. “One method is tucking it away on the SIM cards of phones. That will protect government employees’ emails on their own phones and mobile devices.”
Substantial support has been thrown behind biometric password security, which has seen a significant upswing in the past five years. However, according to Pattinson, biometric technology isn’t always reliable, and it’s very expensive to implement. Everyone can recall examples of biometric passwords in action or sci-fi movies, and also how easily a villain compromises them by forcing someone to scan a finger or eye to open a door or access a device. Pattinson said biometrics can be just as vulnerable as traditional passwords, and other technologies such as CAC can provide secure authentication.
“The issue of password security is perfectly solvable if people are ready,” he said. “But people are more about ease of use than security of use.”
NIST research has also shown high user dissatisfaction with complex passwords. Romine suggests there will soon be logins using a combination of factors, possibly a biometric feature paired with a traditional password.
At NIST, biometric research has been going on for decades. Romine said the lab has made considerable progress in helping the community advance biometric technology. As an example, he cited contactless fingerprint-recognizing technology: Instead of pressing your finger down on glass or a screen, you can simply wave your hand in front of the recognizer. Iris and facial recognition have also evolved considerably.
Until that technology is available to agencies, the administration is doing what it can to keep up with the rapidly evolving threats. In February, President Barack Obama signed a cybersecurity executive order that aims to strengthen U.S. cyber defenses by increasing information sharing and developing security standards. The ball is now in Congress’ court.
“Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks,” Obama said in his State of the Union address.