Cybersecurity Assignment: HKS Should Make LastPass Mandatory

Harvard Kennedy School should make LastPass, or at least password managers, mandatory for community members.

Cybersecurity is and will continue to be a threat facing HKS as an institution and as a community. Every organization is a digital organization today, and each therefore needs adequate protection for its data. Users feel more secure knowing that their data, which at HKS could be anything from financial statements to sensitive political documents, is protected, and they need to trust that their data is secure in order to trust the organization that houses it. Consequently, HKS needs to maintain a high standard of cybersecurity practice.

Attacks can come from any kind of adversary, and each threat needs to be matched with an adequate response. This is where cybersecurity gets challenging: HKS's wider community spans a broad cross-section of people, from those in sensitive military and government positions with access to privileged information to employees and students with nothing more sensitive online than their financial data. A single mandate across that range may look like a blunt instrument, but those who handle important data are likely to have the training and resources to protect themselves already, and a mandate costs them little. Those who have not had such training are unlikely to protect themselves on their own.

This is where password managers are useful. People are people, and will naturally choose the most convenient option when securing their devices and accounts. In Keeper Security's analysis of 10 million passwords leaked in 2016, nearly half came from a list of just 25 passwords such as "qwerty" and "password", and "123456" alone accounted for nearly 17 percent of the total. A password manager removes the need to remember complicated passwords, and a control that is easy to use is one that actually gets used. Usability will usually win out over onerous security; a password manager turns that tendency into an advantage by generating and storing a long, random and unique password for every site, so that a password stolen from one breached site cannot simply be replayed against another, and nobody has to memorize any of them. The one secret the user must still choose and remember is the master password that unlocks the vault, and that one has to be strong and used nowhere else.
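The following Python script is an added illustration, not code from the essay or from LastPass, of the two properties the paragraph above relies on: a generated password is drawn uniformly from a large alphabet (so its strength can actually be computed), and every site gets its own password (so one breach does not cascade). The short list of common passwords and the sample vault are constructed for the demonstration, and the guess rate of 10 billion per second is an assumed figure for an offline attack on a fast hash, not a measurement.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed, illustrative sample of frequently leaked passwords; the real
# lists (such as Keeper Security's top 25) are longer.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "123456789"}

# Character set a typical manager draws from: the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a password the way a manager does: every character drawn
    uniformly from the alphabet using the OS cryptographic RNG (secrets),
    never the non-cryptographic random module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_common(password: str) -> bool:
    """True if the password is on the leaked-password list; an attacker tries
    these first, so such a password falls in the first few guesses."""
    return password in COMMON_PASSWORDS


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Only valid for generated passwords; a human-chosen password is not uniform,
    so this would merely be an upper bound for it."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try the whole keyspace at the given guess rate
    (assumed figure, see lead-in)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def reused_passwords(vault: dict) -> list:
    """Return groups of sites that share one password. Reuse is what turns a
    single breached site into a credential-stuffing attack on every other."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed vault: two reused human-chosen passwords, one common one,
    # and one manager-generated password.
    vault = {
        "bank.example": "Summer2016!",
        "hks.example": "Summer2016!",
        "news.example": "qwerty",
        "cloud.example": generate_password(),
    }
    for site, pw in vault.items():
        print(site, "common" if is_common(pw) else "not on common list")
    bits = entropy_bits(20, len(ALPHABET))
    print(f"20-char generated password: {bits:.1f} bits, "
          f"{years_to_exhaust(bits):.2e} years to exhaust")
    pin_bits = entropy_bits(6, 10)
    print(f"6-digit PIN: {pin_bits:.1f} bits, "
          f"{years_to_exhaust(pin_bits):.2e} years to exhaust")
    print("reused across:", reused_passwords(vault))
```

Note that the entropy figure is deliberately only computed for generated passwords: "Summer2016!" would score about 72 bits by the same formula, which says nothing about how quickly a dictionary-and-rules attack actually finds it. That gap between nominal and real strength is exactly why letting the manager choose the password matters.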

However, a password manager alone is not a sufficient defence. Modern information security should not be conceived of as a single gateway to pass through; it has to be built in at every level of the value chain. HKS should therefore pair LastPass, or any manager it adopts, with two-factor authentication and with regular password updates (most usefully whenever a compromise is suspected, since forced rotation on a fixed schedule tends to produce predictable variations of the old password rather than better ones). A password manager also does not by itself stop other common attacks, in particular phishing, which no amount of password strength defeats; the one partial help a manager gives here is that it only auto-fills a credential on the exact domain it was saved for, so a look-alike site gets nothing. Real protection will require everyone involved to understand how to keep data secure. In an environment like HKS, where students are only present for a few years, a password manager is a simple and achievable first step.

Password managers can themselves be attacked, and LastPass is no exception. The company has had several incidents: flaws in the LastPass browser extension that allowed a malicious web page to extract stored passwords were disclosed this March; a researcher reported a "complete remote compromise" to the company in July 2016; and an intrusion in 2015 exposed account email addresses, password reminders and authentication hashes, though not the encrypted vaults themselves. These are only the incidents we can verify. The service admitted to a possible breach in 2011, and there may have been others that went unreported or were carried out by attackers skilled enough to remain undetected. Other companies have reported serious breaches even with two-factor authentication in place, because a second factor is only as strong as the channel it travels over, and SMS codes can be intercepted or redirected to an attacker's phone.

Nor can we assume that break-ins will stop once a manager is in place; LastPass will not prevent every further attack. But the fact that it will not fix everything is no reason not to use it. We drive cars and use the roads while acknowledging that there will be accidents and break-ins. Cybersecurity is no different: any defence is only as strong as the attacker is dedicated, and a motivated, skilled attacker with enough time will eventually get through, whether a state-sponsored team or a bored teenager attacking for fun. Just as we still buckle our seatbelts and check our brakes before using the roads, good security hygiene at every level of the network still matters.

We know there will be accidents and break-ins down the line, and instituting a password manager is better than simply trusting that nothing will happen. Placing trust in a security company whose reputation depends on maintaining that security is better than the fatalistic claim that nothing can be done. HKS owes it to its community to make sure their data is safe, and password managers are a good first step towards getting there.