In Cybersecurity, Some Regulations May Hike Productivity

Cyberattacks are distressingly common.  Chronicles of these criminal attacks against US government institutions and corporations are much alike — private information for thousands or millions of victims is exposed to misuse by criminals who are seldom identified or caught.  The database operator offers its regrets to the consumer victims and as penance pays for a few months of credit monitoring.

The most important news comes later when technical websites report the tactics of the breach.  We would like to hear that the database users and operators did everything right and the breach was totally unavoidable, but there is usually shared culpability, and the breach post mortem provides lessons on what consumers and IT employees could have done to prevent the breach.  The lessons from the examples below are repeated over and over, but somehow we refuse to learn.

The personal and health information for 750,000 people entrusted to Los Angeles County was exposed to a hacker who successfully convinced 108 County employees to reveal their computer usernames and passwords.  Anyone qualified to handle our private data should recognize and resist a social engineering scam.  The criminal was identified but has fled to Nigeria.

Before the 2016 election, email from prominent people in the Democratic National Committee (DNC) server was stolen and publicly exposed through Wikileaks.  The hacker’s tactics are unclear, although the DNC email servers had “virtually no protections for its electronic systems.”  The stolen emails contained embarrassing debates on “how to deal with challenging media requests [and how to coordinate] the committee’s message with other powerful interests in Washington.”  They also revealed the DNC’s bias against Senator Sanders.  The DNC server was woefully under-protected and users could have better protected their information.  Russia may have been involved even if it did not conduct the theft.

A massive breach against Target store’s database affected more than 50 million consumers.     The “initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor.”  The calamity resulted from poor control over who had network credentials.  The perpetrators are believed to be in Eastern Europe, perhaps Russia.

Yahoo reported that personal information of nearly a billion people was exposed in at least two cyberattacks on its databases starting in 2013.  The database was inadequately protected.  “Yahoo’s security team [lacked the] financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems.”  The hackers (who  are not a nation state) sold Yahoo’s entire database at least three times, including once to a state-sponsored actor.

The federal Office of Personnel Management (OPM) keeps records on federal employees and applicants for employment and security clearances.  More than 21 million were harmed by several breaches by hackers and 5.6 million people are now estimated to have had their fingerprint information stolen.”  OPM’s Inspector General found that “OPM [had no] comprehensive inventory of servers, databases and network devices, nor were auditors able to tell if OPM even had a vulnerability scanning program.  [Neither was] multi-factor authentication… required to access OPM systems.”  OPM’s security failure is “the culmination of years of issues such as reliance on outdated software and contracting large swaths of security work elsewhere (including China).”  The perpetrators are suspected to be Chinese.

Private information of 83 million consumers in JPMorgan Chase’s databases was exposed “after hackers stole the login credentials for a JPMorgan employee…  Most big banks use… two-factor authentication, but JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme… That left the bank vulnerable to intrusion.”  The “F.B.I. officially ruled out the Russian government as a culprit.”

The most sinister cyberattack recently comes from a 100,000 computer Mirai “botnet” that waged a distributed denial of service attack.  It took down large areas of Internet on the US east coast by focusing its malevolent traffic into a 1.2 terabyte per second stream, more than ever expected by the victim sites.  Few of the 100,000 devices were regular PCs, instead they were a ragtag collection of video cameras and other cheap devices with Internet access which lacked security protection against hackers who perverted their intended function.

In each above instance, the consumer is a victim and may suffer monetary loss or loss of privacy but in most cases, the consumer carries no guilt.  The situation is like wearing a motorcycle helmet.  Without a helmet you assume a bigger culpability for the consequences of a crash and on average you impose on everyone else a bigger cost for emergency medicine.  Two factor authentication is the equivalent of a motorcycle helmet for the Internet and it should be required.  Two factor authentication does not infringe on our first amendment rights.

A hacker may or may not collect a fortune from an attack.  Although he is always “guilty,” he is seldom brought to justice.  The hackers’ work are made too easy when we leave attractive information and devices unprotected.

The hacker is not the only bad actor in most cyberattacks.  Readiness to fend off and quickly recover from cyberattack is a database operator’s duty.  Unfortunately, there are yet no widely accepted formal standards for the operator to adhere to.  Likewise, security protection standards are needed for devices that are intended to communicate with other devices.  They must be resistant to attacks, otherwise the “Internet of things” will become a wild west of cyber mayhem.

Until those standards are adopted, the drag of cybercrime on our GDP will continue at 0.64%.  Until cyber standards are in place, consumers will need to waste time and money on clearing their name from identity theft or from litigation if they expect redress from the database operators and device manufacturers.  Today’s lack of standards makes us less productive and makes the nation less secure.  Regulations will need to evolve as technology and hacker expertise change, and they will need to be controlled by an apolitical, cyber-competent agency.

Cybersecurity standards might be a rarity – a set of regulations that we welcome.