The VPN industry as a whole can learn from the NordVPN hack

Author: David Wibergh, in Announcements

The latest talk in the cyber security sphere right now is that one of NordVPN's servers was hacked. They knew about the intrusion for 6 months, and only let their customers know after an external security researcher discovered it and publicly tweeted about it.

I want to start off by stating the obvious: nobody wants to be hacked. All VPN providers want to succeed and provide secure communications for users. As such, this post isn't about who's to blame for the NordVPN hack. There are enough of those posts around the internet.

But, at a collective level, secure communications can only happen when we admit our mistakes, learn from them, and create a climate where it is, in a certain sense, 'safe' to fail and be hacked. No one wants to publicly admit fault when they know the result of that action will be people pointing fingers.

Therefore, I think it's more important that the VPN industry as a whole embraces the need for transparency so that we as an industry can learn faster together, and improve the security and privacy of all users. We should create a climate where it is safe for VPN providers and data centers to say that they've found an issue with their security. Because this time it was NordVPN, but the next time it can be another VPN provider.

An open climate — where VPN providers and data centers can report issues with their implementations without anyone pointing fingers — would turbo-charge the power of learning for everyone in the industry. Because, as Eleanor Roosevelt put it: "Learn from the mistakes of others. You can't live long enough to make them all yourself."

Perhaps with an open climate NordVPN would have notified everyone earlier about the breach, and that might have prevented other services from suffering similar exploits. The issue is that the VPN industry is acting in a closed loop right now. A closed-loop failure doesn't lead to progress, because information on weaknesses is ignored or kept under lock and key.

We should aim to have an open loop instead: an open loop where failures and errors lead to progress because they're acted upon and shared with everyone. I want to embrace an open climate so that the security of all VPN users — regardless of whether they use OVPN or another VPN provider — is increased. OVPN has been publishing transparency reports for years, together with technical details about our data centers and images of our server setup, but we can definitely do more. I therefore guarantee that OVPN will do its part and will publish weaknesses or errors that we find in our implementations so that other VPN providers can learn from them.

If there are any VPN providers out there that want to sit down, talk, and share knowledge I would love to do that. Our customers deserve it.

David Wibergh

david@ovpn.com