
I think "power distance" (a cultural thing - both national culture and corporate culture) might play a role here. In some cultures, you do whatever the big boss asks you to do, regardless of procedure.

(Media reporting suggests this can also be true at some US hardware tech companies).



Having worked with Chinese people, let me tell you this is 100% accurate. It may (and probably will) happen in western countries as well, but the culture makes China, South Korea, Taiwan and Japan extremely vulnerable to this. No one I worked with was willing to refute, question or even raise any doubts if someone they perceive not at their level or, even better, below, was in the call.


Other countries are known for a culture of nothing ever happening without a piece of paper carrying an official-looking stamp. Those are laughably insecure, but the culture could easily be ported to public key signature. "Boss voice is only boss voice when it comes with a digitally signed transcript" shouldn't be too hard to introduce in "don't ever question your boss" cultures I think? Bosses might even enjoy the grandeur of showing off their status with an insignia-device. "Orders without proof of identity are irresponsibly bad form" could be surprisingly easy to establish.


I think that you are unfamiliar with these cultures. In Japan, you would never ask the voice that sounds like the boss to prove his identity with a digitally signed transcript - even if that's a fireable offense. It is so culturally alien to them that it would never get through.


That's not true though because most decision and execution processes in Japan are daisy chained. One person can't just make you send a tonne of money because you'd normally have to forward it onto someone else, who clears it with someone else, and then we all sign a ringisho.

The daisy chaining prevents single responsibility stuff like this.

Also for what it's worth I've done verification callbacks to every single one of my bosses at some point during my career here and no-one's ever questioned it.


Interesting, I had no idea what a 'ringisho' was, so I found some (likely simplistic) information here:

https://en.wikipedia.org/wiki/Japanese_management_culture

> The term of "ringi" has two meanings. The first meaning being of "rin", 'submitting a proposal to one's supervisors and receiving their approval,' and "gi" meaning 'deliberations and decisions.' Corporate policy is not clearly defined by the executive leadership of a Japanese company. Rather, the managers at all levels below executives must raise decisions to the next level except for routine decisions. The process of "ringi decision-making" is conducted through a document called a "ringisho".

(For reference)


I take it that you were not raised in Japan? Do you agree that someone raised in Japan would have a harder time questioning their boss?

I'm no expert, I've never been to the land of the rising sun. This is what people have told me of their time there. Your input is very much appreciated.


I think their idea is that the boss would be the one to introduce it ("Bosses might even enjoy the grandeur of showing off their status with an insignia-device.") and because of the culture it wouldn't be difficult for employees to adapt and go along with those new rules.


I think the point is that this works until the "boss" says they need X right now and can't provide digital proof because it's not working for Y reason. Do the employees say no? That's the real test.


The problem is that inevitably the boss will forget his signature one day. Who is going to challenge him? And if he is challenged, how will he take it?

Even in the West, nobody of low seniority challenges the C-level executive when they tailgate or walk around without their badge. And if you are new, if there is an important looking individual you don't recognise, you leave him alone, totally validating the "act as you belong" adage.


I was quite annoyed - disappointed too - during security induction (Australian NSA). They explicitly said we should challenge anyone not wearing a badge, but then joked that we should learn the department heads first so we don’t accidentally confront the “wrong” person.

Exactly the wrong message to send, particularly for an agency that’s supposedly an expert on security.


A good example of the challenges of real-life hardening. Anecdotes like this are a valuable addition to any discussion of security I think. I perfectly understand what's wrong about the attitude transferred in the joke, yet I can easily see myself being the person sending that wrong message. Very educational!


This is a thing that already happens in Japan, where physical personal and company seals (inkan) are regularly used for all sorts of documents and transactions that would get signed in the West. But they've evolved protocols to ensure they're secured and stored, which is why this rarely causes problems in real life.


In practice, there is little if any difference between seals and signatures in terms of security.

A signature (or stamp) is easy to fake and get away with for a while. It's very rare that the authenticity of signatures is checked right away. Perhaps even easier than stealing or faking a not-particularly-secured stamp. It only happens when some problem arises and is investigated after the fact. The question is not whether the signature is "authentic enough" but who signed the document. You can ask and answer this question about a seal equally well.

The reason we have signatures (or stamps) is as an explicit ritual signifying ratification of a document that one cannot plausibly deny later.


Also for a country that's so technologically advanced, Japan loves paperwork. They have reams of paperwork that you are expected to furnish for something as simple as registering an office move from a building in one part of town to another building in another. It's mind-boggling just how entrenched bureaucracies get if you give them an inch of room to play.


And don't forget the fax machines...


> It is so culturally alien to them that it would never get through.

If there's a need then this will change. You might as well say that they'd never use a telephone because it's culturally alien. It was alien, but it was useful, so they adapted. Same with email and video calls. The boss has to log into their banking just like everyone else, because there's a need for it. If there's a need for this, the OP's suggestion seems like a pretty good one, as it augments the existing culture with a security step.


I think the way it would work is that the boss himself would send the signature somehow (e.g. on teams) and bosses that don't want their businesses to fall victim would have to ensure that their employees would never accept a call from them outside of the system that allowed the signature check.


What if that voice comes packed in bad clothing, smelly and is full of grammar mistakes? Because that's how an order without credentials would feel, when the rituals of signature verification are established as expected form. The correct reply to an underling who goes all sir-yes-sir without checking would be "do you consider me so unimportant that you don't think it worth your precious time to verify that I actually am who I claim to be?". It would certainly have to be a cultural adaptation initiated from the top. If subordinates are expected to fill in for whatever diligence those higher up lack, it won't work, no matter where.

It's true, I don't know Japan, but I suspect that they might have it much easier to adapt than western pretend-buddy orgs.


Not really. In those cultures, just like in armies everywhere, authority comes from the boss/commander and they can override their previous instructions at any point (and many do at some point).

There’s often a distinction in armies between “illegal command” issued by a commander, which one has to obey (or risk disciplinary action) and “blatantly illegal command” which must be disobeyed. An example of the former would be “keep your post for 20 hours straight” (where regulations limit a shift to e.g. 12 hours). An example of the latter would be “cut the limbs off other members of your platoon”.

An army setting is a much better model of some cultures. They are not as bad, but if taken ad absurdum they would look like an army setting.


Armies are a good example of authority clearly coming from the role, not from the person, and roles inseparably tied to a lot of expected formal behavior. In an impersonation-hardened army (or corporation), you simply wouldn't make it beyond the very lowest rank unless you demonstrate flawless authentication on both receiver and sender side. Just like you wouldn't make it badly dressed.


Except .. there’s no effective authentication protocol in place to verify that a specific person is indeed in a specific role (or is indeed person they claim to be).


Sure, that's the gap that needs to be filled. In the age of deep fakes even more urgently than before.

But which work cultures will find it easier to effectively deploy countermeasures?

Informal ones, where everybody acts like first names buddies all the way to the CEO, where they believe they are invulnerable because all those pretend-equal underlings are invited to speak up when they sense something fishy? What if they don't sense anything?

Or formal environments, where authentication tools could be systematically added to the preexisting and deeply entrenched set of rituals?

"That guy is not just acting like a colonel, the device we now all have to hold while saluting confirms that the biometric checksum embedded in his uniform insignia matches and is signed with central command keys". Yes, that protocol is not in place, but if it was introduced it would actually work. Now try the same in an informal environment where everything is supposed to be solved through good personal relations. The exact same tools, deployed in a buddy-org, would only ever get used retroactively, for pushing blame down the hierarchy.


I actually think it will be the informal cultures who will have an easier time integrating it.

Because pockets of "Sir, I recognize you are my boss but you still need to do this properly through the regular channels" are, in my experience, more common in a non-authoritative setting than in an authoritative one (my familiarity is mostly with armies, not with Asian societies).

And if these bubbles do exist, I think it is easier for them to expand in a disorganized, distributed manner; unlike an authoritative society where everything like this must properly flow top down.


Heh, "pockets of correct behavior" is an interesting perspective, truly reads like an insider view, I certainly would not have put it like that.

The problem in the informal culture is that insisting on formality (the authentication check can never not be a formality) is perceived as a signal "they don't like me". That's a huge incentive for cutting corners, both up and down the hierarchy. In an environment that prides itself in formality, it's at least possible to sell going through the motions as a sign of respect. The failure mode I'm talking about is not what's happening the day the boss doesn't have their keys (that's challenging in any environment, and certainly not easy on the authoritative end of the spectrum), but how likely it is that the absent keys would even come up, how often a check will actually happen. Lack of procedures is the defining quality of informal organizations.

When it's routine, the orderly refusal is not so much "but you have to do this properly" (underling ordering boss around) but "you know that I can't do that without.." (underling showing off being a good underling)


Yes, I have been guilty of enforcing correct behavior in an informal culture. In that sense, it is an insider view.


That attitude will have to change, there's no way around it. These live deepfakes will be as easy to create as a word document in no more than five years and maybe less than two.


The Fukushima nuclear accident was not enough to change this culture.

And it is far too easy to state that a foreign culture needs to change. The Japanese could say that American or Western culture needs to change, just for example with the glorification of violent criminals in media.


The Fukushima nuclear accident had a far narrower impact than this will have. The Fukushima accident did not result in 'push button to gain money' GitHub software projects.

If an angry video call from the boss is all that is required to exfiltrate millions of dollars, and boss video calls become as easy to produce as spam emails, then the exfiltration of funds from Japanese organizations becomes as fast as approximately (spam email send rate) * (millions of dollars).

When you have received the 7th angry call from the boss that day, demanding funds be sent immediately, you eventually realize you need a different system. At a minimum the boss will need to come be angry in person.


Show them voice transfer with the boss's voice, that should convince them.


You can kinda enforce it from the IT side, though.


Yeah, with the advent of good deep fakes we're at the point where everyone having their own private key is a must for all communication that's not face to face.
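The "boss voice only counts with a digitally signed transcript" idea raised earlier in the thread, and the per-person private key proposed in the comment above, amount to the same control: the instruction itself is signed by a key bound to a role, and the recipient verifies before acting. The following Go program is an added illustration, not code from any commenter; it uses Ed25519 from the standard library, a hypothetical role directory that maps "cfo" to a public key, constructed placeholder account identifiers, and a one-hour freshness window (all assumptions). It shows a genuine order verifying, and the three failure cases a recipient should refuse: a tampered beneficiary, an issuer not in the directory (the voice on the call), and a replay of an old signed order.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Instruction is the structured "transcript" of an order. Only these fields
// are signed; the voice or video that carried them proves nothing.
type Instruction struct {
	Issuer      string    `json:"issuer"`       // role, e.g. "cfo" (assumed naming)
	Action      string    `json:"action"`
	AmountCents int64     `json:"amount_cents"`
	Beneficiary string    `json:"beneficiary"`  // placeholder account ids below
	IssuedAt    time.Time `json:"issued_at"`    // for freshness / replay checks
	Nonce       string    `json:"nonce"`
}

// SignedInstruction bundles an instruction with the issuer's Ed25519 signature.
type SignedInstruction struct {
	Instruction Instruction
	Signature   []byte
}

// Directory maps a role to its public key. Hypothetical: in practice this is
// provisioned out of band, never learned from the call itself.
type Directory map[string]ed25519.PublicKey

var (
	ErrUnknownIssuer = errors.New("issuer not in directory")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrStale         = errors.New("instruction too old, treat as replay")
)

// canonical produces the exact bytes that are signed and verified.
func canonical(ins Instruction) ([]byte, error) { return json.Marshal(ins) }

// Sign produces the signed transcript the issuer hands over with the order.
func Sign(priv ed25519.PrivateKey, ins Instruction) (SignedInstruction, error) {
	msg, err := canonical(ins)
	if err != nil {
		return SignedInstruction{}, err
	}
	return SignedInstruction{Instruction: ins, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify is the recipient's check: known issuer, valid signature over the
// canonical bytes, and issued within maxAge of now.
func Verify(dir Directory, si SignedInstruction, now time.Time, maxAge time.Duration) error {
	pub, ok := dir[si.Instruction.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	msg, err := canonical(si.Instruction)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, si.Signature) {
		return ErrBadSignature
	}
	if now.Sub(si.Instruction.IssuedAt) > maxAge {
		return ErrStale
	}
	return nil
}

// Demo returns the verification outcome for four constructed cases, in order:
// genuine order, tampered beneficiary, unregistered issuer, stale replay.
func Demo() []error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := Directory{"cfo": pub}
	now := time.Now()
	maxAge := time.Hour

	base := Instruction{Issuer: "cfo", Action: "wire", AmountCents: 25_000_000,
		Beneficiary: "ACCT-PLACEHOLDER-1", IssuedAt: now, Nonce: "n1"}
	genuine, _ := Sign(priv, base)

	tampered := genuine // same signature, different payload
	tampered.Instruction.Beneficiary = "ACCT-PLACEHOLDER-CHANGED"

	unknown := genuine // the voice on the call is not a registered role
	unknown.Instruction.Issuer = "voice-on-the-call"

	old := base // signed by the real key, but two days ago
	old.IssuedAt = now.Add(-48 * time.Hour)
	staleSigned, _ := Sign(priv, old)

	return []error{
		Verify(dir, genuine, now, maxAge),
		Verify(dir, tampered, now, maxAge),
		Verify(dir, unknown, now, maxAge),
		Verify(dir, staleSigned, now, maxAge),
	}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("case %d: %v\n", i, err)
	}
}
```

The freshness window is the piece that addresses "I can't get to my keys, just wire it": an old signed order cannot be re-presented, and an order with no signature never reaches the verify step at all.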


And the only way to get meaningfully reliable at performing those checks would be to make them a habit in face to face as well.


I mean there is no reason to not do a digital handshake when doing a physical handshake. Just need a fairly non invasive implant.


Fake boss: I can't get to my keys. Just wire the money.


Calls real boss. Was that you? Nope, I guess not.


That would work in Australia. In most places in the US and Britain as well. I can imagine Israelis calling the real boss and telling them "I don't believe it's really you" and refusing to do it.

But that’s not how it works in authoritative cultures.


Maybe it will teach authoritative cultures to be less authoritative, and to allow people to question authority. Because it's going to cost you money if they don't.


Diligent boss: I can't get to my keys. Just wire the money (to a honeypot account operated by the security department)


Which cultures are like that?


Confucian cultures


I don't know, most professionals in HK I have met are pretty open to challenging people but maybe that's just the people I choose to work with.

In any case what I find strange is that usually HK finance companies (like much of the rest of the world) will have some kind of maker-checker system which prevents individual mistakes like this.
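The maker-checker control mentioned above is a procedural answer to the same problem: no single person, however convincingly ordered, can both initiate and release a transfer. The Go below is an added example, not code from the commenter or any real finance system; it assumes a hypothetical policy of one checker at or under a threshold and two distinct checkers above it, and enforces the rules that make the control meaningful: the maker cannot approve their own request, a checker cannot count twice, and nothing releases before the required approvals are present.

```go
package main

import (
	"errors"
	"fmt"
)

// Transfer is a payment request moving through a maker-checker workflow.
type Transfer struct {
	ID          string
	MakerID     string   // who raised the request
	AmountCents int64
	Approvals   []string // distinct checker ids that approved
	Released    bool
}

// Policy: one checker at or below SingleCheckerLimit, two above it (assumed rule).
type Policy struct {
	SingleCheckerLimit int64
}

var (
	ErrSelfApproval    = errors.New("maker cannot approve their own transfer")
	ErrDuplicate       = errors.New("checker already approved this transfer")
	ErrNotEnough       = errors.New("insufficient approvals to release")
	ErrAlreadyReleased = errors.New("transfer already released")
)

// RequiredApprovals returns how many distinct checkers the amount needs.
func (p Policy) RequiredApprovals(amountCents int64) int {
	if amountCents > p.SingleCheckerLimit {
		return 2
	}
	return 1
}

// Approve records a checker's decision, refusing self-approval and repeats.
func (t *Transfer) Approve(checkerID string) error {
	if t.Released {
		return ErrAlreadyReleased
	}
	if checkerID == t.MakerID {
		return ErrSelfApproval
	}
	for _, id := range t.Approvals {
		if id == checkerID {
			return ErrDuplicate
		}
	}
	t.Approvals = append(t.Approvals, checkerID)
	return nil
}

// Release executes the transfer only once the policy's approval count is met.
func (t *Transfer) Release(p Policy) error {
	if t.Released {
		return ErrAlreadyReleased
	}
	if len(t.Approvals) < p.RequiredApprovals(t.AmountCents) {
		return ErrNotEnough
	}
	t.Released = true
	return nil
}

func main() {
	p := Policy{SingleCheckerLimit: 1_000_000} // constructed threshold: 10,000 in major units
	tr := &Transfer{ID: "T-1", MakerID: "alice", AmountCents: 5_000_000}
	fmt.Println("alice approves own:", tr.Approve("alice"))
	fmt.Println("release with none:  ", tr.Release(p))
	fmt.Println("bob approves:       ", tr.Approve("bob"))
	fmt.Println("release with one:   ", tr.Release(p))
	fmt.Println("carol approves:     ", tr.Approve("carol"))
	fmt.Println("release with two:   ", tr.Release(p))
}
```

The point of keeping checkers distinct from the maker is that a single "angry boss" call can at most recruit one participant; the second has to be persuaded independently, which is exactly the friction the control exists to create.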


I met 3 top managers from China (talking about very high-level managers) to whom I had to talk, and they were kinda more challenging and open than the other Chinese I had to work with, but nowhere near the Germans, Americans or Italians.


Having dated an abnormal amount of mainlanders, one thing that I always found weird was the amount of "rule following". Top down directives that you must do.

I can only imagine this being leveraged nefariously.


Back in my days building custom software (in the US/Canada) a lot of the PM work was figuring out how the process overrides worked. Every organization has a set of formal rules... and the way things actually work (and 50% of my job was making sure our CRUD apps that were more than just spreadsheets with changelogs).

But having lived & worked in a few countries now, the way other cultures do their overrides is always more visible (e.g. Country A you might pay bribes to get out of tickets, country B might just not pull people over in nice cars)


It's funny how when something happens in Asia some commenters always say it's because of the culture.

Sure there might be cultural differences, but maybe this guy is just careless.

There was a case in the US where someone pretended to be a cop, called a fast food restaurant, and actually convinced the manager to strip search an employee.

I guess this is also a case of cultural power distance.


Prison experiment in business.


This is why a Korean Air flight crashed at some point. The copilot knew something was wrong but the pilot was a lot more senior than him and in Korean culture it's normal to defer to your elders (according to the checklist manifesto). The cockpit recording showed what happened and it directly contributed to efforts to standardize crew resource management training. Other incidents like a flight out of Morocco where an older male pilot disregarded the concerns of his female copilot and crashed the plane have reinforced the need for CRM, especially for pilots from cultures where people may be ignored for social reasons.


From the article this was an employee in Hong Kong on a video call with people supposedly in the UK.

Power distance might matter, depending on nationality of participants.

Also if English is a second language, then perhaps the sound quality of the synthetic voices wouldn't need to be as good - we are surely better at recognising voices in our mother tongue.


Current deep fakes are good enough to fool your mother. I've done it with friends to show what's possible.


Scammers have fooled countless mothers into believing their voice belongs to one of their children before text-to-speech was a thing. (Just to say it's not incredibly hard. I'm not suggesting that being able to automate it wouldn't have a huge impact.)


I find it interesting that exactly no voice-cloning software has been able to clone my speech patterns yet.


In some ways the west is still remarkably feudal but to the direct chain of managers not just directly to your “liege lord”. I regularly see people say no to big bosses who are outside the direct management even if they have high ranks.


In Austria one CFO wired a few million (7 I think) after a couple of fake emails from her boss - with a note to not mention it to anyone, even him.


I guess that says something about how that company was usually run...


Also applies in medicine/healthcare:

"Silence, power and communication in the operating room" https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3001035/


This is one reason checklists are so effective in surgeries.

Prior to checklists, nurses would feel hesitant to point out errors by surgeons.

Post checklists, people felt more empowered to say "Doctor, I believe you missed step 5".

(Didn't completely remove the hesitancy but this point was identified explicitly in Atul Gawande's book The Checklist Manifesto)

