March 19, 2021 · 8m read
Email is too important to protect like a TSA checkpoint
A version of this post appeared in SC Magazine.
Picture this: You’re holding a plastic tub filled with your laptop and smartphone accessories when you realize there’s a full bottle of water in your backpack disappearing into the X-ray machine. You’ve just accidentally become a security risk, according to Transportation Security Administration (TSA) regulations.
Airport security is designed (in theory) to detect threats to air travel before a malicious person or item makes it to the plane. As anyone who’s ever been frisked because of their shampoo bottle can tell you, the system can be frustrating and surreal. For security luminary Bruce Schneier, TSA checkpoints were the classic example of “security theater” when he coined the term. Such “impenetrable” perimeters are a classic tool for defenders throughout human history, but when it comes to airports, many argue that we’re misallocating our resources—and that we over-rely on these checkpoints to prevent the next 9/11. We all know that despite these protective gateways, dangerous people and items pass through uncontested every day.
Email is incredibly important to billions of internet users, and its abysmal security plagues each of us because we have always protected it just like a TSA checkpoint. Billions of dollars are spent every year on aging security software that funnels, blocks, and mangles email messages through brittle checkpoints in an imaginary perimeter. Newer attacks (including the 2016 election hacks as well as the recent, catastrophic SolarWinds and Hafnium campaigns) successfully targeted email data and accounts at thousands of organizations simultaneously and, without much difficulty, bypassed even the “cutting edge” of the entire email security industry; in the SolarWinds and Hafnium cases the attackers never sent an inbound message for a gateway to inspect at all, but went after the identity systems and Exchange servers behind it. Outside the fearsome headlines, ordinary people regularly have their lives hijacked through scams, account takeover, and the leaked contents of their email archives. Email (as both an identity and an archive) is foundational to the internet, yet as a technology it remains one of the Four Horsemen of the cybersecurity apocalypse. If you read the news, it is clear the situation is not heading in the right direction.
How did we get here? How can we do better? If we want to answer these questions, we need to zoom out.
Outside-in security: classic, simple, and seductive
The “guide incoming traffic into a single checkpoint and strip search it” approach used by both the TSA and email security software is an example of “outside-in security.” So are castles, moats, drawbridges, trench warfare, and most of the other classic images in our popular conception of “defense.” In this paradigm, the defender exploits (or engineers) favorable terrain (like mountains, walls, checkpoints, or SMTP servers) to make costly obstacles for distant attackers trying to get themselves (or their phishing messages) inside. By directing all traffic through choke points, defenders can concentrate all of their resources, attention, and intelligence at the fewest number of decisive locations. A famously effective example is Thermopylae, where a small Greek force led by 300 Spartans used a narrow pass to hold off a vastly larger Persian army for days. While conceptually seductive, the effectiveness of the strategy revolves around having good answers to key questions like “where is the attacker coming from?”, “what does the attacker look like?”, and “how well do I know (and control) the terrain?”
When it comes to protecting email and data, the hard truth is that the terrain now favors the attacker. The ground has shifted: in our personal and professional lives email is now our largest collection of sensitive information and the de facto identity layer of the internet, the address with which we sign into (and reset the passwords of) our other accounts. Many attackers have become sophisticated enough at crafting malicious messages that they routinely bypass “state-of-the-art” email delivery gateways and evade automated detection. Everyone from the would-be leader of a country (or her campaign chairman) to a school-age kid can be compromised, with devastating results for them (and potentially for anyone who has ever emailed them something sensitive).
Would you skip installing a sprinkler system in a crowded building just because the doorman was trained to look for lighters and matchbooks? Welcome to the sad world of email security.
Inside-out security: introspection, depth, and agility
How would our defensive strategy change if we assumed the attacker was already inside or that no walls could possibly keep them out? The result, “inside-out security”, is security for a world where chokepoints are impossible, insufficient, or impractical. Without dominating territory, inside-out defenders seek to understand the attacker’s goals and, if possible, neutralize their capabilities. Instead of TSA checkpoints, think of reinforced cockpit doors and strategically placed air marshals. Instead of castle walls, think of the clockwise staircases within, designed to disadvantage the right-handed swordsmen climbing them during an attack. Think of the Mongols and other steppe peoples, born to open plains without the geography for Thermopylae, compensating with deadly mobility and versatility. Inside-out security underpins the usefulness of sprinkler systems but also tripwires, shibboleths, and combat patrols. As a generalization of “defense in depth”, the key questions in this paradigm are “what does the attacker want?” and “what can the attacker do?”
In information security, “inside-out” security is almost always an afterthought. Computer networks are built and maintained by humans, which tends to give defenders an undeserved sense of control over the territory we are supposed to protect. This naturally biases us towards outside-in approaches to securing them: who doesn’t love a good firewall? The reality is that the contours of our map are not just the digital links between servers but the ever-evolving relationships between users, their data, and the applications that power our world. Given this, we should not be surprised that traditional choke points like blocking, filtering, and mangling incoming email are not effective. In a recent example, a high-profile employee was signed into their personal email on their work laptop and detonated malware sent to it. The personal mailbox sat entirely outside the company’s gateway, so from that foothold the attacker went on to compromise the employee’s work email and bypassed the company’s entire email security perimeter without ever sending a message through it.
We need to invest more in inside-out security and extend “zero trust” to protect mailboxes.
Some of the best ideas in information security in recent years are conceptually inside-out. Pervasive multi-factor authentication (popularized by companies like Duo, Okta, and Yubico) is designed with the inside-out assumption that an attacker already has your password. Security awareness training and phishing triage systems (like the “if you see suspicious luggage” announcements at airports) assume that malicious emails will always slip past the guards to unsuspecting people scrolling through their inbox. “Zero trust” network security was conceived for a world in which the internal network is no more trustworthy than the internet, and that term has become a mantra for the massive architectural changes organizations undertook during the pandemic.
We need to go further with email. Email as a technology is so old—and its traditional “spam blocker” chokepoint is so seductive—that we’re misallocating scarce resources. Worse, we’re ignoring real opportunities to apply what we’ve learned elsewhere and approach the problem with new strategies beyond email firewalls. The best opportunity we have comes downstream from the reality that most people and organizations have recently migrated to cloud-hosted email from the twin titans of Microsoft and Google.
The importance for security of the society-wide shift to cloud-hosted email can’t be overstated, but it isn’t obvious: email is now a development platform. Email is 40 years old, but under the surface new Google and Microsoft developer APIs enable “inside-out” security techniques that simply weren’t possible even five years ago: an app authorized on the tenant can read messages after they have been delivered, pull a confirmed lure out of every mailbox it reached, and audit the inbox rules and OAuth grants an attacker leaves behind once they are in. The massive scale and integration speed of these platforms is also unprecedented. For the first time ever, apps can protect billions of work and personal accounts with the press of a button in less than fifteen minutes. Sometimes big technological shifts have positive unintended consequences.
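To make the inside-out idea concrete, here is an added example (written for this edit, not code from the original post or from any vendor) of the simplest post-delivery technique those APIs allow: a user reports one phishing message, and a sweep finds the other copies of the same campaign that the gateway already let into colleagues’ inboxes so they can be retracted. The mailbox contents are a constructed sample, the `Message` type stands in for whatever the Gmail or Microsoft Graph mail APIs return, and the trusted-host list is an assumed value for a fictional organization. The sweep keys on the sender address, or on a matching subject plus a link to the same untrusted host, and deliberately ignores the organization’s own domains so that a coincidental subject does not pull genuine HR mail out of inboxes.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the organization legitimately links to. A campaign sweep must never
# key on these or it will retract benign mail. Assumed value for this example.
TRUSTED_HOSTS = {"example-corp.com", "www.example-corp.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
# Leading "Re:", "Fw:", "Fwd:" chains that users add when they forward a lure.
PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


@dataclass(frozen=True)
class Message:
    """Minimal view of a delivered message. A real sweep would build these
    from the Gmail or Microsoft Graph mail APIs (assumed, not shown here)."""
    mailbox: str
    msg_id: str
    sender: str
    subject: str
    body: str


def url_hosts(text: str) -> set[str]:
    """Lower-cased hostnames of every http(s) URL in text, minus trusted ones."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host.lower() not in TRUSTED_HOSTS:
            hosts.add(host.lower())
    return hosts


def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes, then collapse whitespace and case."""
    return " ".join(PREFIX_RE.sub("", subject.strip()).lower().split())


def related_messages(reported: Message, corpus: list[Message]) -> list[tuple[str, str]]:
    """Return (mailbox, msg_id) pairs that belong to the same campaign as the
    reported message: either the same sender address, or the same normalized
    subject combined with a link to the same untrusted host. The reported
    message itself is excluded; the result is sorted for deterministic output."""
    sender = reported.sender.lower()
    subject = normalize_subject(reported.subject)
    hosts = url_hosts(reported.body)
    hits = []
    for m in corpus:
        if (m.mailbox, m.msg_id) == (reported.mailbox, reported.msg_id):
            continue
        same_sender = m.sender.lower() == sender
        same_subject = normalize_subject(m.subject) == subject
        shares_host = bool(url_hosts(m.body) & hosts)
        if same_sender or (same_subject and shares_host):
            hits.append((m.mailbox, m.msg_id))
    return sorted(hits)


# Constructed sample mailboxes, not real traffic. The lure uses the look-alike
# domain "examp1e-corp.com" (digit one for the letter l) that a gateway let in.
REPORTED = Message("alice", "a1", "payroll@examp1e-corp.com",
                   "Action required: updated payroll form",
                   "Please sign in at https://examp1e-corp.com/payroll/login to confirm.")

CORPUS = [
    REPORTED,
    # Same lure, different sender, forwarded subject: caught via subject + host.
    Message("bob", "b1", "hr-notices@mail-examp1e.net",
            "Fwd: Action required: updated payroll form",
            "See https://examp1e-corp.com/payroll/login?u=bob before Friday."),
    # Same sender, different pretext: caught via the sender address.
    Message("carol", "c1", "payroll@examp1e-corp.com",
            "Re: your question", "Calling you shortly about the form."),
    # Genuine HR mail with the same subject but the real domain: left alone.
    Message("dave", "d1", "payroll@example-corp.com",
            "Action required: updated payroll form",
            "The new form is at https://example-corp.com/payroll/form."),
    # Unrelated newsletter: left alone.
    Message("erin", "e1", "news@example.org", "Weekly digest",
            "Top stories: https://news.example.org/2021/03/19"),
]


def sweep() -> list[tuple[str, str]]:
    """Run the sweep over the constructed data. A deployment would hand each
    hit to the mail API's delete or move-to-quarantine call (assumed)."""
    return related_messages(REPORTED, CORPUS)


if __name__ == "__main__":
    for mailbox, msg_id in sweep():
        print(f"retract {msg_id} from {mailbox}")
```

Running it lists Bob’s and Carol’s copies for retraction and leaves Dave’s genuine payroll notice and Erin’s newsletter untouched. The sender match is coarse on purpose: a sender address the attacker controls is cheap to rotate, so the subject-plus-host rule is what catches the second wave, and the trusted-host exclusion is what keeps the sweep from becoming its own denial of service against legitimate mail.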
It takes at least as much creativity to make a technology safe as it does to invent it. Lucky for us, creative humans have been defending themselves throughout history and we can learn from them. Technologies like email are too important to protect them (and ourselves) with digital walls we’ve long outgrown. These hacks will continue to plague us until we remember the more fundamental question of “what does the attacker want?” and work to apply it on whatever platforms we can. Protecting our online accounts has never been more urgent: chaos and theft at this scale imperil the privacy and material well-being of ordinary people and reduce our competitiveness as an open society. We need to innovate, and we need to act.
Now, please empty your water bottle and remove your shoes. You’re holding up the line.