We’re all well-familiar with the age-old claim that it is permissible to leave class if the professor is 15 minutes late. But, as we ditch the 8:30 schlep to Gross Hall for online class, we must prepare for a new scenario: What happens if the class video link is a road to nowhere?
Last Monday, this premise became a reality. Zoom, the video conferencing tool and Duke platform-of-choice, crashed. Businesses, schools, and individuals found themselves in a crazed scramble to gain access to scheduled meetings. Luckily, Zoom had most systems back up and running in four hours.
In the meantime, however, we had our first taste of a digital armageddon—and it was unnerving. As the lifeline of our day-to-day communications during a global pandemic, our video conferencing software is as integral to our economy and national security as electricity and broadband connectivity—both of which are protected as critical infrastructure. It’s time for Zoom (and others) to join the ranks of America’s critical infrastructure.
When quarantine hit, our world scrambled to move day-to-day gatherings, classes, and meetings to the remote world. As college students moved belongings home in a rush, universities scrambled to move the on-campus experience—complete with classes, extracurriculars, and social events—to an online platform. For many, including Duke, “Zoom University” became the platform of choice for the rest of the spring semester.
Zoom’s stock price soared and the company began to make headlines—but not just because the British Parliament started using it for meetings. Reports emerged in March that Zoom was sending data to Facebook. Cryptographers identified that not all Zoom features were end-to-end encrypted as marketed. While the company says they have never built a mechanism to decrypt live meetings, they don’t seem to rule it out either.
Over the months, we’ve learned to keep links private, to enable the waiting room, and most importantly, to include passwords for each of our meetings. But just a month ago, there were fatal flaws in Zoom’s authentication process. One security researcher found that it was possible to test all the six-digit passwords for any password-protected meeting in just 25 minutes, which was later fixed by Zoom.
When Zoom was developed as a platform, it was built for enterprise customers, like Duke, with their own IT support teams to customize and secure functionality. It was not built for everyday users to enjoy at-home wine tastings, or as an emergency production tool for established late-night talk shows. Most of all, it was certainly not built to support 300 million daily participants, many of whom are spending entire schooldays and workdays plopped in front of a screen.
In fact, in a message to Zoom users, founder and CEO Eric Yuan wrote that Zoom wasn’t designed “with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”
“Can we hop on a Zoom tomorrow? I’m Zooming with my study group. Let’s Zoom with Grandma and Grandpa this weekend!” Nobody had anticipated Zoom, one of many video conferencing tools, to become its own verb. For better or for worse, Zoom is now a part of our discourse, a piece of quarantine lingo that will remain embedded in our schools, workplaces and homes. And while the ubiquity of the platform is impressive, it also may make Zoom the Achilles’ heel of America’s economy.
Zoom isn’t the only platform that does videoconferencing. Members of Congress use WebEX for hearings, some corporations have shifted to Microsoft Teams, and perhaps a few individuals are still hanging on to the pipedream that is Skype. But Zoom has thrived on a network effect that none of these platforms have been able to capture. It’s so damn easy to start a Zoom call. Start the meeting, copy the link, and drop it into whatever group chat, email thread, or family reunion invite. That’s pretty much it.
Even if you’re on Teams within your company, chances are you’ve been using Zoom for external client meetings or webinars. Public meetings may be conducted on WebEX, but our officials might still communicate with constituents over Zoom. And little by little, Zoom—with no login needed and forty free minutes—has emerged as the sole provider connecting all of us in one way or another.
The onus should not be on the millions of people using popular platforms like Zoom to ensure our calls still happen or that the invite links still work. Pamphlets with best user practices will not protect users from large-scale cyber attacks, especially when those recommendations do not include measures for mobile or Internet of Things devices. Organizations such as the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) should not expect all parents to understand how to use patch management software while helping their six year olds read “Fun with Dick & Jane” in virtual class.
A recent Brookings post acknowledged that the videoconferencing sector, unlike financial or mobile phone services, is dominated by only a select few companies, notably Zoom. While we all may be encouraged to regularly change our passwords, no singular efforts will save us when the systems crash one day and there is no backup plan in place. The ramifications will be far worse than just some college students not showing up for class.
Video conferencing platforms should receive the support of a public-private partnership to build a more robust encryption system, bolster cybersecurity, and prevent significant downtime. While these tools are privately-owned, they form a critical component of day-to-day governance and commerce, and support from CISA could lead to an increased focus on cybersecurity for Zoom. The continued collaboration and information sharing between public and private sector entities in our communications infrastructure is critical to keeping our businesses, our schools, and our institutions running.
Also, we’d ditch class if the Zoom link is not working in 15 minutes. But, hey, we didn’t tell you that.
Jessica Edelson and Niharika Vattikonda would like to take a moment of silence for Skype. RIP—you blew a seventeen year lead, maybe it’s for the best. Their column, “on tech,” runs on alternate Thursdays.
Get The Chronicle straight to your inbox
Signup for our weekly newsletter. Cancel at any time.