COVID-19 and Cybersecurity

What you need to know today and how we can create resilient cybersecurity for tomorrow

COVID-19 has brought new revelations about the dearth of cybersecurity within many video conferencing tools. This isn’t news to cybersecurity professionals, who have been concerned about these vulnerabilities for years.

I am a cryptographer by training. My graduate work at Johns Hopkins was incorporated into the encryption protocols in apps like WhatsApp and Signal. I work on the Google security team and collaborate on cybersecurity across Silicon Valley. I’m very familiar with the fact that deprioritizing privacy is tempting for resource-constrained product managers and inviting for hackers.

Cybersecurity is on all our minds now that we must work from home for the foreseeable future. Previously confidential conversations will all be happening over the internet - an exciting opportunity for intelligence agencies and hackers alike if we are not careful.

But how can we know which products to trust? Looking back, why do we continue to rely on products that essentially ignore the privacy needs of users until a crisis hits? Zoom may be on the receiving end of public pressure during COVID-19, but the cycle of neglecting privacy in favor of other features is an old story.

This blog post:

  1. Breaks down the subcomponents of cybersecurity and usability, and uses this framework to rank the most popular messaging tools out there
  2. Uses this data to recommend platforms for personal and business use (Hint: use WhatsApp and Skype)
  3. Sets out actionable steps that those who must use Zoom can take to reduce risk
  4. Reviews how we ended up here (again), identifying perennial disincentives to invest in cybersecurity that have produced a scenario where the market leaders are providing substandard security to users

A Data-Based Comparison of Video Chat Apps

Cybersecurity is referred to as a single input, but we all know it is made up of many features. I break down the most important features and use them to rank popular apps:

Security

Privacy

User Experience

Video Chat Comparison

Recommendations

It should be apparent now that there isn’t one clear winner when we look at the many features that together make a product secure and usable. The data still points to some front runners when we think about which products to rely on. 

For Personal Use

All three offer excellent security, respectful privacy policies, a broad user base, and even work well when the internet is slow. Why settle for a worse experience and worse privacy if you don’t need screen sharing or calendar integration?

For Business Use

These three offer respectful privacy policies, high numbers of simultaneous video participants, and screen sharing. 

If you can’t help but use Zoom

Zoom’s shockingly poor security has been well documented. A recent surge in use has surfaced long-standing vulnerabilities, not least the potential for “zoombombing.”

But what can you do to take care of your own privacy and security if someone adds you to a call? 

Can we use the same apps for work and play?

Probably not. Enterprise environments often need features that are incompatible with the needs of at-home users. For example:

Learning from the COVID-19 Cybersecurity Crisis

The Privacy vs. Features Paradox

It is no accident that the products with the most features offer the least privacy. Engineering resources are finite, and time spent building security is time lost developing features that promote user adoption and business growth.

Security vs. Features

This is a pernicious incentive structure where features get rolled out quickly to promote business growth, while the hidden costs of underinvesting in safety put users at risk without their knowledge. Users don’t understand or prioritize security, which disincentivizes companies from prioritizing online safety. It is only when disaster strikes that companies make the privacy investments we deserved from the start.

Market Failure for User Safety

Users deserve a minimum standard of digital safety from all products in the marketplace, even fledgling startups without the resources to hire privacy engineers. COVID-19 has highlighted this gap.

In a world of work from home, it is clear that users deserve some form of third-party verification that goes beyond asking lay users to individually assess the highly technical safety components of evolving products. Let’s not forget that regulatory bodies vet and certify other safety-critical components of our lives, from health technology to electricity, before these technologies go to market.

Why does our online life lack these protections?

A Cyber Underwriters Laboratory that vouches for the digital safety of products could have independently certified the security of popular products and made up for some of the missing incentives that have landed us in this mess in the first place.