Locking Harvard’s Gates with LastPass
Behind Harvard’s gates lie a bounty of information, ripe for adversaries’ picking. In order to protect its community from countless cybersecurity crises, HKS should invest in making LastPass mandatory for all affiliates. While a universal password manager would go a long way to secure HKS virtual campus, it should represent only one piece of a broader cybersecurity strategy, including training and vendor auditing.
Isn’t Harvard secure enough?
In 2015, a data breach in Harvard’s central administrative systems granted attackers access to passwords to a host of Harvard systems. As recently as early 2020, hackers accessed the servers of a Harvard software vendor, taking demographic data of some Harvard affiliates and threatening to take the system for a ransom. These cybersecurity breaches are inexcusable for an institution of Harvard’s resources and stature, and demonstrate a need for additional security measures.
Why would adversaries bother to hack us nerds?
What might seem like a simple dataset for an economics project, or a niche departmental Twitter account with a couple hundred followers, could be weaponized for foul purposes. Some of the most likely adversarial motivations to access HKS affiliates’ data include:
- Self-promotion/politics/world view: HKS attracts a large global audience with its dozens of affiliated websites and social media accounts. Adversaries could co-opt one of these platforms to spread false information, political ads, or self-promoting messages, and public audiences would probably interpret them as credible. This has already happened: in 2015, a pro-Palestinian Anonymous group took over the Institute of Politics’ website and posted political messages.
- Money: Harvard’s endowment is the largest in the world, and is spread amongst a vast array of bank accounts (academic departments, student clubs, etc.). Accessing just one of these accounts could mean access to a massive credit line.
- Access: HKS hosts countless research projects, many of which handle sensitive information with personal data. Obtaining any piece of sensitive information could enable wrongful activities, such as fraud at banks, pharmacies, or even voting booths.
These are just a selection of motivations that play to the unique features of HKS. More traditional motivations for stealing passwords, such as identity theft, are just as likely and should not be overlooked.
How would LastPass stop motivated adversaries?
LastPass (and other password managers) stores user passwords and other sensitive information in a secure, encrypted “Vault.” Users need only remember one master password to access all of their online accounts. This system facilitates the use of stronger passwords, ensures every log-in credential is different, and reduces the need to store passwords in less safe locations (like a diary). The software blocks typical hacking channels with its robust security measures, including:
- Multi-factor authentication, to increase the number of secrets and devices an attacker would need in order to log in
- Iterated hashing of the master password, to slow down brute-force password guessing
- End-to-end encryption, to limit exposure of vault contents as they travel over the network
- A zero-knowledge design, so that the vendor’s own staff, including colluding insiders, cannot read user data
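To make the master-password hashing and zero-knowledge points above concrete, here is an added example that is not LastPass’s code: a simplified model in which one master password yields a vault key that never leaves the client and a separate login verifier that is all the server stores. The HMAC-based stream cipher is a stand-in, assumed here only so the example runs with the standard library; a real manager uses AES-256.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not LastPass code: a simplified model of a zero-knowledge vault.
ITERATIONS = 600_000  # PBKDF2 work factor: every password guess costs this many hashes


def derive_keys(master_password: str, email: str, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (vault_key, login_hash). The email is the salt, so the same password
    reproduces the same keys on every device without the server's help."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)
    # One more one-way round turns the vault key into a login verifier; the server
    # cannot work backwards from login_hash to vault_key, so it never holds the key.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash


def _keystream(vault_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.digest(vault_key, nonce + i.to_bytes(4, "big"), "sha256") for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only the vault_key holder can read it."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.digest(vault_key, b"tag" + nonce + body, "sha256")
    return nonce + body + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(vault_key, b"tag" + nonce + body, "sha256")):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(vault_key, nonce, len(body))))


class VaultServer:
    """What the provider holds per user: a login verifier and opaque ciphertext, nothing else."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        self.users[email.lower()] = (login_hash, blob)

    def fetch(self, email: str, login_hash: bytes) -> Optional[bytes]:
        """Hand back the encrypted vault only to a client that presents the right verifier."""
        stored_hash, blob = self.users[email.lower()]
        return blob if hmac.compare_digest(stored_hash, login_hash) else None
```

A breach of `VaultServer` yields only verifiers and ciphertext, so the attacker is left guessing master passwords at the cost of `ITERATIONS` hashes per guess; a phished master password, by contrast, bypasses all of this, which is why the training discussed later matters.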
All in all, a mandatory LastPass system significantly decreases the chances that adversaries “walk in” to an HKS system by stealing login information.
Is that all LastPass can do?
LastPass offers user experience benefits. Time and frustration can be saved by having the plug-in autofill passwords, credit card numbers, and other personal information.
Using LastPass could also heighten overall awareness of cybersecurity issues. Users who interface with LastPass daily are more likely to consider their general digital privacy more carefully, thus presenting knock-on security benefits.
What if LastPass is hacked?
Password management systems raise an intuitive question: what if the system itself gets hacked? Centralizing data involves a tradeoff: greater control over security, but higher stakes in the event of a breach. Fortunately, the aforementioned security measures make a direct security breach highly unlikely.
Given these measures, the most likely way an HKS affiliate’s passwords would be accessed is through more traditional theft of the master password — through phishing, malware, or even stealing a notebook the password is written in. While less technologically advanced, these threats cannot be written off. HKS needs to upgrade its cybersecurity training to mitigate such risks. The current system requires affiliates to watch a short training video every year, but one touchpoint is simply too few to ensure real learning and compliance. My previous company made cybersecurity training fun — they gamified the identification of phishing emails, and postered the office with quotes like, “Would Tom Brady leave his playbook on the T?” Low-cost initiatives like these could add as much to securing Harvard as LastPass itself can. HKS should also continue auditing vendors’ security standards, to ensure adjacent organizations aren’t used as backdoors into Harvard’s systems.
Isn’t LastPass expensive?
Arguably the largest barrier to this initiative is the cost. Setting up an enforcement system will require significant resources: for example, HKS would need to procure software that would block CrimsonKey or Knet login if users do not comply. Furthermore, LastPass prices its enterprise services on a per-user basis. This raises the opportunity cost of making the program mandatory for all users (rather than selected segments). While the financial considerations are significant, the potential costs of a large data breach could be far greater. Since HKS’s system is only as strong as its weakest link, making the investment to secure the passwords of its full user base is well worth it. To this end, HKS should encourage all schools within Harvard to adopt a similar policy. Because Harvard’s systems are so interlinked, vulnerabilities at other schools are vulnerabilities of HKS as well.
HKS should take advantage of its platform and resources to offer affiliates a practical lesson in cybersecurity. This would entail making LastPass mandatory, auditing vendors’ cybersecurity measures, encouraging other schools to adopt password managers, and building out accompanying cybersecurity training programs. Harvard’s mission is to “educate the citizens and citizen-leaders for our society.” In this age of increasing digitization, the inclusion of data privacy in a modern education is non-negotiable.