The Reason All Your Favorite Companies Are Being Hacked? Dumb Employees

The major recent corporate hackings all have something in common: human error. The good news is that there's an easy fix.


When The New York Times announced in January that it had been the target of four months of cyberattacks, the media giant joined a small but growing chorus of big industry names to come forward as hacking victims. Twitter, Facebook, and Apple have all recently admitted to cybersecurity breaches, and both the Washington Post and Wall Street Journal followed The New York Times with hacking announcements of their own. These admissions are a significant break from the standard post-hacking practice of keeping quiet about vulnerabilities to avoid shareholder panic.

But the taboo against going public seems to be lifting. This is important, because the persistence, scale, and breadth of the attacks mean that plenty of companies have already been compromised. The common weak link? Humans.

The New York Times suspects that hackers gained access to its computers through “spear-phishing,” a technique in which a malicious link or attachment is emailed to a specific user. Jeremy Wendt, a researcher at Sandia National Laboratories who focuses on identifying attackers in cyberspace, says spear-phishing “is scary because as long as you have people using computers, they might be fooled into opening something they shouldn’t.” Another Sandia Labs researcher is working to reduce human-caused vulnerabilities by investigating how hackers choose targets for spear-phishing attacks.

But there is a kind of password that a hacker can’t access through a compromised computer. With quantum cryptography, the science of using light rather than bits and bytes to send secure messages between machines, computers communicate coded information to each other in the form of unique patterns of photons. Those patterns are basically unhackable passwords, because photons are weird: If you observe them, they change (as the double-slit experiment has famously demonstrated), thus making it impossible for an outsider to break in and take over a connection.

This is especially important for vulnerable but data-rich parts of national infrastructure, like our power grid. Because the power grid depends on a constant and automatic adjusting of feedback, its computers need a way to communicate with each other securely. Quantum cryptography makes that possible. Los Alamos National Laboratory recently tested a quantum device for just this purpose, and other recent demonstrations show that quantum cryptography can be used for both broadband and fiber optic cables.

While quantum cryptography can’t protect against human error, it does offer a way to secure systems that rely more on machine, rather than human, communication.

There are some high-level initiatives to fix the human side of the equation, like the new cyberdefense program proposed by the Obama administration. And then there are some very simple, low-level initiatives, like reminding employees to stop opening all those sketchy email attachments.

 
