Yahoo Data Breach: Piling On Misses The Point

TProphet
5 min read · Sep 29, 2016


Yet another massive data breach is in the news. Again. This time, Yahoo was the victim. The timing, of course, is particularly bad because Yahoo is in the midst of being acquired. Predictably, Congress piled on, demanding to know what executives knew and when they knew it. The New York Times weighed in with several articles by Nicole Perlroth. One article in particular sparked a larger Twitter conversation with Nicole, Dan Kaminsky and Shira Ovide from Bloomberg.

What became clear from the conversation is that, although many of us in the information security community would very much like for there to be a common set of standards and practices around data breaches, there really aren’t any. Regulations are flimsy; some states require consumer notification of data breaches, but these are triggered only after a company becomes aware of a breach. Naturally, it’s tough to prove when this actually occurs. There aren’t any standard systems that companies need to put into place in order to detect problems either, and there isn’t a standardized response. Imagine a world in which every building owner individually decided what fire detection and suppression systems to put into place, whether they actually need fire exits, and there isn’t actually any such thing as the fire department. That’s more or less the world of information security.

Predictably, this has led to a wide variety of responses. Contrary to Nicole’s assertion, forcing a global password reset in the event of a data breach where “hashed” passwords are involved is far from a universally accepted response. LinkedIn suffered a similar breach, but only forced a password reset on accounts created before 2012, and on which the password had never been changed. LastPass urged users to reset their master passwords, but didn’t force them to do so.

Ultimately, the response Yahoo chose likely came down to risk modeling. “Our users are grandmothers dialing up with AOL,” you can imagine the conversation going in the boardroom. “What’s the risk? And holy smokes, if we do this, the support costs will blow us out of the water.” So you get a few MBAs to build you a model and run some Monte Carlo simulations and before you can say “lawsuit” you’ve convinced yourself that you don’t need to force a password reset. The passwords are, after all, hashed. It would require the resources of a state-sponsored attacker to crack them. And what state would ever want to do that?

Of course, with AWS and a stolen credit card, the resources of a state-sponsored attacker are now available to any crime ring. That crappy Yahoo email password is also the source of truth for hundreds of millions of dollars in oil trades. And before you know it, a seemingly benign data breach turns into a massive potential liability. Worst of all, nobody involved in the decision did anything wrong! They can all credibly argue that they were operating with sound commercial judgment using the best information available at the time.

Time will tell whether this breach is as benign as it seems, or whether there were greater harms. What can happen, however, is what happened in American cities around fire control. My home city, Seattle, burned to the ground in the Great Fire of 1889 and ever since, fire prevention has been in our DNA. We led the nation in the adoption of certification standards (such as UL, based not far away in Vancouver, Washington), fire codes and national electrical codes. We created fire departments. And while government certainly has a role, the biggest driver behind all of this was actually the insurance industry. I wrote last year, in the wake of the Ashley Madison attack, about the urgent need for standards. Technology policy leaders in Washington, DC are starting to take notice. Senator Mark Warner is pushing for a federal data breach notification law — it won’t prevent data breaches, but will at least standardize how people are notified. Mudge has started doing some great work with Cyber ITL, which could do for cyber safety what Consumer Reports does for product safety. But there is much more to do.

Today, there isn’t a globally accepted and standardized risk management framework for assessing, reporting and responding to data breaches. This exists for fires, floods and practically any other emergency you can think of. When I was 15 years old and working in my first part-time job at an insurance agency, the risk management framework required me to be bonded because I walked the day’s cash deposits (usually less than $1,000) to the bank next door. But for the email servers hosting 273 million people’s accounts, the strongest regulations in place are actually aimed at making them less secure. Given the government’s appetite for warrantless wiretapping, all manner of back doors have been constructed in networks and information systems. In just 6 months, nearly 25,000 snooping requests were made to Yahoo alone — and this likely doesn’t count the ones accompanied by gag orders.

Where does all of this lead? Government, the technology industry, and the insurance industry urgently need to come together and agree upon a set of standards. No building is an island in a fire, and no data is an island in a breach. And none of this goes out the window when the government claims it’s chasing terrorists, money launderers, drug smugglers or people whose garbage bins are overly full. Can it happen? I’m optimistic. Notwithstanding the rancor of early Seattle politics, we could at least agree among ourselves that we should keep the city from burning down again. While the rancor of current federal politics may be a few degrees worse, nothing like being under attack by foreign governments pulls Americans together — and this is happening right now, today, to businesses all over America.

Better technology also plays a role. Passwords alone are no longer sufficient to secure data. However, many companies haven’t implemented better security because it’s expensive and hard to use. At PCPursuit, we believe that multi-factor authentication will be table stakes in 2017. Incidentally, our adaptive security approach is much less expensive because we use assets companies already own. Unfortunately, the field of information security isn’t evolving as rapidly as it should, and the federal government can play a role here as well through grants and fast-track programs to help startups build (and sell) new technology faster.

Stop piling on Yahoo. Instead, let’s build systems to make data breaches less likely, make detection more reliable, make responses more standardized, and make notification more assured. Until we do that, it’s only a matter of time until the next breach.

About the author: I am the CEO of PCPursuit, a smart, simple way to make your Windows network more secure. I am interested in technology that keeps people and their data safe while moving business forward. Feel free to reach out if I can help you.
