Thursday, October 18, 2018

Mandatory Adoption of LastPass, or NOT?

Though 1Password and LastPass are handy tools for students, faculty, and staff to keep track of their passwords for various websites, mandating their use by all employees and students would expose Harvard Kennedy School's core assets to significant cybersecurity risk.

Let me begin by saying that these are great tools if you have a hard time remembering your passwords for different websites, particularly if you use a unique password for each site. Keeping every password in an online or offline document is tedious and time-consuming, and we all know it is a very risky practice. These tools instead ask whether they may remember your password the first time you type it when logging in to a website. If you opt in, the next time you log in to the same website both the username and the password are filled in automatically; all you need to do is click "log in" and you are set. You can name and categorize websites on the tools' settings page and, of course, delete any stored website password whenever you want. They are, frankly, time-saving and make the whole log-in process hassle-free.

Mandating that all employees and students use these tools, however, is a different story entirely. The potential exposure to cybersecurity risk, and the resulting threat to the safety of HKS's assets, outweigh the benefit and convenience to individual users.

Mandatory adoption would centralize the school's access credentials on these vendors' platforms and servers, which provides a great deal of "convenience" to an adversary: the credentials of the whole community sit behind one target. And many motivations could drive an adversary to attack these platforms. An adversary driven by access or convenience and by money, for example, might want to reach students' and faculty members' bank accounts. As a public policy school with tremendous influence on domestic and international policy and politics, HKS also holds many intellectual assets that can shape policy and diplomacy; losing control of them through a breach of these tools would be unacceptable for the school and for the wider public policy community.

We should also bear in mind that HKS is an extremely diverse community, with people from all over the world, from distinctive backgrounds and from many walks of life. An adversary's motivations, whether money (comparatively easy to predict) or religion (harder to convince ourselves of at first), are therefore hard for us to rank. The adversary might even emerge from within the school and simply want to alter some academic records (a smaller impact on the school's operation as a whole). My point is that an adversary may attack for motives that seem "reasonable and legitimate" to us and for motives we would consider ridiculous, and whether the motive seems ridiculous is irrelevant. The risk exists once these tools are adopted, and it can be enormous.

Given the analysis and position above, I recommend against mandating 1Password or LastPass for all employees and students at Harvard Kennedy School.

[Note: this post is an assignment submitted for the course DPI-662 Digital Government (Fall 2018) at Harvard Kennedy School.]
