Over twenty years ago, a friend of mine told me he was going to work for an anti-phishing company to help stop online social engineering, and phishing in particular. I told him that it was a dead-end job because it seemed likely that multiple vendors were creating solutions that were likely to make social engineering and phishing a thing of the past soon. I am glad he ignored my “great” advice because he went on to earn millions of dollars and has retired early. So much for my prognostication abilities.

Since the beginning of networked computers, social engineering and phishing have been involved in the vast majority of successful attacks. Current metrics put them responsible for 70% to 90% of all attacks (Social Engineering Is the Number One Cybersecurity Problem by Far). Different vendors give different percentages to social engineering’s responsibility, but they all agree it is the number one problem in cybersecurity, and has been for decades (followed by unpatched software and firmware).
In that same time, I have seen a ton of people and organizations say they will soon end phishing because of some great new technology or focus. I remember one Fortune 10 CSO telling me that phishing would end “by next year” because of his work with a favorite vendor. It did not work. We have seen the most massive cyber companies we know try to tackle the problem (I am talking about Google and Microsoft) and even their focus and incredible resources have not stopped social engineering and phishing. So it’s not a resource or money problem.
Phishing has gotten better in some respects and worse in others. No matter how you measure it, it is still pretty bad and no coming future technology (that I know of) seems likely to diminish it quickly anytime soon. And if we somehow got perfect at preventing email phishing, we still have all of the other channels where social engineering and phishing can be accomplished (e.g., websites, social media, SMS, voice calls, chat products, etc.) that are even harder to tackle. We are surrounded by things trying to socially engineer and phish us.
And it is not just traditional online threats. We also have a problem with physical attacks that use digital technology to accomplish their objectives, like swatting attacks and bomb threats. There are hundreds of these occurring around the world every day. And as long as technological defenses are not perfect, all people and organizations need to do great security awareness training. Everyone needs to be taught how to recognize social engineering, and how to mitigate and appropriately report it.
When will social engineering and phishing finally be defeated?
I have thought about this question for decades. I know the answer.
Online criminals commit crimes because they cannot be identified, arrested, and prosecuted. As long as that is true, we will not get rid of cybercrime. Not that the average person wants to commit a crime, but most of us do not commit significant crimes when tempted, say robbing a bank, at least partially, because we do not want to go to prison and have a prison record. I would like to say that we are all ethical, good people who would never commit a crime, but the thought of prosecution helps keep most of us honest and law-abiding over our lives. We don’t commit crimes in real life because we can be identified, arrested, and prosecuted.
This is not true online. The average cybercriminal can commit significant crimes over and over and over without threat of arrest. Imagine how our real-world society would be if anyone could rob a bank and never be caught. It would be chaos. We would not have banking, or at least not pervasively like we do today. Well, we have a bank-robbing problem in the digital world that is hampering our ability to be more productive and successful.
The answer?
Pervasive, assured identity.
What I mean is that anyone who cares about making sure the person or company they are dealing with is actually that person or company should be able to confirm this single fact before communicating with them. In my future world, I would never communicate with anyone not willing to truthfully identify themselves. I would have my servers and services reject every anonymous email and network connection. I think a lot of people would be that way. For example, over my career, I’ve gotten a lot of hate mail from people who disagree with what I write. I wouldn’t mind getting it from people who don’t mind identifying themselves, but most of it comes from anonymous people with randomly named accounts and that anonymity seems to make them meaner than if I met them in real life.
The Internet is mostly pervasive anonymity right now. Anyone can be anonymous or claim to be anyone far too easily. We need to replace the Internet’s pervasive anonymity with pervasive, verified identity. Now, there is a huge segment of the Internet that wants complete anonymity (or pseudo-anonymity, where at least one mutually trusted source knows the person’s real identity, but not everyone). I get it. There are plenty of scenarios, like addiction counseling, cryptocurrency transactions, protesting, politics, escaping violence, etc., where the parties involved desire anonymity. If you want anonymity you should be able to have it.
But we need an Internet system that guarantees verified identities if we want to confirm who we are connecting to. In that world, we may not be able to arrest someone because they live in a different country and don’t fall under our legal system, but we could block their email, phone call, or text message if they were not willing to identify their true selves. Right now, we are in the Wild, Wild West form of the Internet where anyone can claim to be anyone from anywhere. That’s how cybercrime thrives.
I would like to see the Internet become a civilized, mostly trusted, society with better default manners. Any solution that gives us a better identity is a way to “fix” the Internet. It is not an easy thing to solve. Again, we have all sorts of parties that enjoy anonymity and do not want to make the whole Internet ONLY verified identities. These parties range from privacy advocates and victims to law enforcement. Governments and law enforcement cannot as readily spy on their targets if they are truthfully identified every time.
How do you give verified identities to those who want it (like me) and anonymity to those who want it, and every scenario in between?
My solution, in summary, is to allow anyone on a per-connection basis to decide what minimum level of identity assurance they would like to require in order to begin communications with that person or connection. In many cases, a person would choose a verified, trusted identity. In others, they might want complete anonymity or pseudo-anonymity. My solution allows anyone to choose what level of identity they want for each connection. And if they do not want any change from how things operate today, they can just keep doing what they are doing today without any changes. It is just that they cannot connect with other people and companies who might require a trusted, verified identity.
I do not want to go into the technical details of how my solution accomplishes this, but you can read more about it here: Wanna Fix the Internet?
My solution can be done by developing a few new protocols using existing technologies, with people, organizations, device manufacturers, software, and cloud vendors opting to participate however they like. Central to this idea of being able to require particular identity levels on a per-connection basis is an operating system, like Qubes OS (https://www.qubes-os.org/), that allows all of this to happen on one seamless desktop. The user is just clicking on an icon or link, and the OS and Internet handle the rest of the behind-the-scenes technical part.
If you do not like my solution, that is alright. I am open to any solution that will solve the problem. I do think any solution will include verified, trusted identities. It’s the only way to defeat most cybercrime. The only solution I do not want to accept is one where we just keep the current status quo, doing what we have always been doing, because it is a world full of unlimited social engineering and phishing.
How Likely Is My Solution To Be Selected to “Fix” The Internet?
Well, I have been promoting my specific “Fix the Internet” solution for at least a decade and a half. It has been shared with top-level universities (e.g., Harvard, Princeton, etc.), industry luminaries (e.g., Bruce Schneier, Loren Kohnfelder, etc.), and Internet authorities (e.g., CISA, etc.) and has not gone anywhere. But I have not seen any possible good solution to fixing social engineering and phishing go anywhere. None of the good solutions go anywhere. So, I think the likelihood of my solution or any other good solution going anywhere anytime soon is very remote to impossible.
What would make a good solution be quickly adopted? Perhaps an Internet “tipping point” event. A 9/11-level event, but on the Internet, might make things happen. What would that look like? I do not know…a disruption of a significant portion of the Internet for a day or days. Maybe some massive online financial threat. The stock market going down? Email not working? DNS down? Airlines and EMS systems down? I do not know.
But I have been thinking that some massive tipping point event was going to happen to the Internet for 20 years and it has not. So, perhaps we are destined to just keep muddling along in this very broken version of the Internet and life where social engineers and scammers just keep on surviving, thriving, and making our lives a living hell…or at least a little less productive than it would otherwise be if we did not all have to be on a constant lookout for scams.
In summary, the Internet is very broken and has been since the beginning. Scammers, social engineers, swatters, and phishers abound. Nothing in the near future is going to significantly diminish the amount of cybercrime we have today. In fact, AI and deepfakes are just going to make it worse. So, until then, make sure you, your family, your friends, and your organizations are getting great security awareness training, because they are all going to need it. But we have solutions that can make the Internet a significantly safer place to compute. We’re just not implementing them.

13 Spice ups

Change anyone to a select group and you’re describing Wall Street.

Now that the snark is out of the way, I miss the early days of Usenet back in the late 80’s / early 90’s. I had my phone number in my signature and never worried about it being abused.

2 Spice ups

Before they added NAT I thought IPv6 was going to be the ultimate solution. Every device would have a unique address which could be easily traced back to its country & city of origin.

They asked NAT be added for “extra security” but it ultimately makes the protocol less secure (by granting anonymity to bad actors). A shame.

3 Spice ups

Agreed. My future solution includes better utilization of IPv6.

You know government agencies and military cyber units couldn’t use IPv6 if it was going to be that transparent. :confused:

3 Spice ups

We joke, right? But, yeah, that is one of the big reasons why Internet and telephone security does not get significantly better.

1 Spice up

Roger, thanks for a post that is both timely and timeless. You have nicely illustrated why America’s founders posited NO “right to privacy”, but a right to be left alone (for example, in the Constitution’s 3rd, 4th and 5th Amendments). They were far better philosophers than we have become, and understood that the foundation for trust is transparency. The truth will protect us if, and only if, we protect the truth.

2 Spice ups

Verification usually only goes so far, before you hit trust.

To be assured of someone’s identity you need to trust people somewhere along the line (doctors, gov. officials, etc…) and that is usually where such systems of verification break down.

If you have a global system like this, somewhere people will abuse it.

You’ll probably end up with agencies with multiple ‘ghost’ accounts pointing to empty companies.

Reminds me of the shell corporations and the like.

Even if you tag people’s DNA (unlikely I would have thought, given expense and controversy) it could be altered in records… etc… etc…

Sorry to be negative, I do think it will reduce casual attempts to phish, but it won’t solve it all.

4 Spice ups

I agree. My system has a DNS-like service that’s kept up to date on what identities have been permanently or temporarily compromised. Any device or person can check on the status of any device, network, or identity with a single query packet and receive a single packet answer.

I also don’t need or want perfection. I just want Internet cybercrime to be significantly harder to perform. I’ll take that.

1 Spice up

That’s great until you have a need for anonymity. Look at the culture wars: in Texas, private citizens are allowed by law to harass and sue anyone who wants reproductive health care. In Iran, protesting the regime is a death sentence. If you demand identity you eliminate a bunch of journalism, political protest, social activism, and personal choices. All your proposal does is put MORE personal information in the hands of those who may or may not be able to keep it secure.

6 Spice ups

My solution has anonymity built-in, two ways. First, you can just stay on the existing system and have all the same anonymity you enjoy today. Or you can pick anonymity as your identity choice on a per-connection basis. You don’t have to give up your anonymity if you don’t want to.

This is how you kill an already dying Internet. Moving away from privacy online is a step backwards and frankly a shameful suggestion. Next you’ll want to ban VPNs outside of government use.

It’s not dying by any stretch of the imagination.

But if my solution says you and every other anonymity person can stay the way you are today or even choose anonymity on a per connection basis how does that supposedly kill the Internet? I’m dying to find out.

VPNs aren’t really that great, in general, and don’t provide much of the protection users think. I’m not a huge fan of most VPNs.

But if you want a VPN and privacy that really works, as best as it can on today’s Internet, then read my post from two weeks ago:

If you follow the steps you’ll have the best privacy you can get with today’s common tools and techniques, without buying additional hardware and joining random WiFis for a living. Was it shameful for me to tell people how to gain more privacy??

Agreed, and what will probably NOT be accomplished is the elimination of cybercrimes, but what likely WILL be accomplished is complete state surveillance capabilities over everyone, whether or not they are regarded as engaging in criminal activity. Remember the Patriot Act? We have parents who attended school board meetings who are now on the terrorist watchlist. Over 1200 people have been arrested who were simply THERE at the Capitol building on Jan 6th, who engaged in NO VIOLENCE AT ALL! Meanwhile we have the faces and the names of people who burned entire city blocks to the ground and no arrests or prosecutions are forthcoming.

No, my friend, absolute transparency will never be applied to all equally. This is a precursor to a police state, and police states NEVER EVER accomplish the thing for which they were formed. This is a bad, bad, very bad idea.

First, I don’t think this would kill the internet.

But it seems like it could go the way of SSL certs. Most non-techies now equate the HTTPS and/or lock icon as “safe,” instead of what it really is, encrypted traffic. Not every website really needs an SSL. And not every website without an SSL is malicious. But now every HTTP address is automatically suspect.

I think the same thing would happen with the proposed verified identities–they would be equated with “safe”, instead of just verified. And, with wide enough adoption, it would make any un-verified/anonymous identities immediately suspect. Which makes it harder for the types of people who legitimately need/want anonymity. Which would have a much greater impact than the simple HTTPS/HTTP difference.