Category Archives: Other

The Equifax Breach Should Result in Legislation, But Not What You Think

This entry was originally posted on the blog at Foresight Resilience Strategies here.

As long-time cybersecurity expert Bruce Schneier points out, even if every single person takes the advice of experts and protects themselves through credit freezes, it will not change the business model for data brokers; change may require legislation.  With a sufficient legislative and regulatory response, consumers will have less to fear from future breaches.  On the other hand, businesses worry about the impacts of a regulatory approach in the cybersecurity arena.  What follows is a deeper examination of what proposals have already emerged and a survey of approaches that might eventually become solutions.

Regulatory Landscape: The Patchwork Nature of Existing Controls on Information

The current regulatory environment around companies that maintain large data stores about individuals primarily as a third party (that is, without interacting directly with those individuals) is fairly atomized and incomplete.  The primary law governing the credit bureaus is the Fair Credit Reporting Act (FCRA).  The FCRA imposes requirements on Equifax, Experian, and TransUnion as well as on some more sector-specific information organizations (such as Innovis, LexisNexis, and Telecheck).

Under the FCRA these consumer reporting agencies must offer the chance for consumers to access their records and correct them.  Any obligation to protect the information in those files is generally limited to a duty to correct or delete incorrect information.  In addition, the covered organization can face liability for intentionally releasing a consumer’s credit information to a third party without the consent of the consumer.  Consumer reporting agencies have no general obligation to provide some minimum level of protection to the consumer’s information from unauthorized access.  In other words, if a hacker calls the bureau and successfully requests a consumer’s information, the credit bureau has liability under the FCRA; if the credit bureau leaves that information on an insecure server and the same hacker accesses and downloads it, the credit bureau has no liability.

There are a series of other laws that cover specific types of information:  For healthcare information held by covered entities, there is the HIPAA Privacy Rule; for information about children, there is COPPA.  The Federal Trade Commission (FTC), in addition to its responsibilities under the FCRA and COPPA, can pursue “unfair or deceptive acts or practices in or affecting commerce” but that requires some evidence of deception.  If the company says it will share your personal information with others for profit and then does so, there is no deception.  Some of these mechanisms, especially a consumer protection mission similar to that of the FTC, exist in state attorneys general offices as well.

All of these authorities form an incomplete patchwork that means that even in the egregious situation we find in the Equifax breach, in which so many consumers are affected and it seems likely that the security practices of the company were insufficient, there may not be direct liability for failing to provide a basic level of security for consumers.

Data Breach Notification Requirements are Nearly Ubiquitous

At the state level, the most directly relevant form of regulation for events like the Equifax breach are data breach notification laws.  Data breach notification laws prescribe how a company that has had a breach must notify the public.  Some researchers have credited the nearly ubiquitous data breach notification mandates in U.S. states with creating a culture of transparency.  Data breach notifications have driven greater privacy awareness within the U.S. business community, especially when compared with other countries that have more prescriptive privacy laws on their books.

A national data breach notification standard would help in some ways by adding enforcement at the federal level to the system we have now.  There was nearly a national data breach notification law passed in 2015 and that bill has now been reintroduced in response to the Equifax breach.  It is too early to determine its fate.

Data breach notification has had a positive effect, but it seems unlikely that adding a national layer to the requirement will drive additional change in how businesses handle personal data.  Data breach notification attempts to close the barn door after the horse has already escaped by imposing requirements on the after-action activities.  It does not impose requirements for what companies must do before the breach occurs.  Bad practices and a lack of incentives to protect your information are what led to this problem, and regulation of those practices is the only way to ensure they improve.

At least one other proposal does the necessary work of improving the FCRA by increasing transparency for consumers and making it easier to seek remedies.  This doesn’t change the fundamental lack of protection for consumers’ information before the fact.

How Could Congress Respond?

Legislative proposals to respond to the Equifax breach should regulate what companies that keep personally identifiable information do with that information.  One current legislative proposal from Senators Markey, Blumenthal, Whitehouse, and Franken starts to focus on these elements of consumer privacy for the data broker industry.  It carves out data brokers already regulated under the FCRA from most of its access, disclosure, and notice provisions.  It does not except covered data brokers from the bill’s requirement that companies develop a security plan to protect consumers’ personal information against loss, unauthorized access, use, modification, destruction, or disclosure.

The previous Administration contemplated a more complete implementation of privacy principles into law, recognizing that consumers needed a more complete set of protections than the patchwork found in current law.  That draft covered a broader swath of companies and imposed a more complete set of requirements, including notice to consumers, consent, access, integrity, security, and enforcement.  The proposal mostly relied on a reasonableness standard to determine the way a covered entity could comply with the requirements in each of those areas.  It also introduced the concept of safe harbors that would rely on a certified set of privacy practices developed in multistakeholder processes (several have been completed) and certified by the Federal Trade Commission.

The Challenge for Industry and Legislators

The Equifax breach is the perfect storm of a security incident:

  • The breach broadly impacts the security of the personal information of potentially the majority of U.S. adults,
  • Equifax collected and mishandled this sensitive information without ever asking the consumers’ permission, and
  • The breach included sensitive data that, unlike a breach involving passwords, consumers cannot easily change

The message that Congress takes from this breach will determine whether it will drive changes to the business practices in this industry.  To the extent that the public considers this breach business as usual, Congress will likely restrict its activities to hearings on the topic.  Should a larger awareness of the dangers of identity theft from this breach cause a stronger movement for a solution that will try and address the problem before breaches occur, Congress may break the logjam on data breach notification legislation or even go further than that toward substantive privacy or cybersecurity regulation.

Reality and Perception: How the Russians Won an American Election

Americans really don’t get the Russians. We are a people who pride themselves on divided government, openness, and the exposure of corruption – almost to the point of obsession. The Internet has allowed those truly American attitudes an even greater sway in the body politic. Now, everyone can be their own “loudspeaker of truth.” In Russia, the story is quite the opposite.

Russia has a 500-year history of oppression from its “leadership.” It started with Czar Ivan the Terrible and continues today under Czar Vladimir the First. Russia is a country run by central control; a state that views opposition as criminal and traitorous. And one of the most important parts of state power is controlling what people “think” through the information they are provided.

Thanks to the Internet, the Russians can manipulate information more easily than ever before. And Moscow is now gleefully applying that ability to its overseas goals. Most recently, Moscow has been accused by Washington of seeking to control and influence our Presidential elections. And to a limited extent, Moscow has succeeded by the very effort. In the domain of the worldwide Internet, perception is reality.

This type of information manipulation for political result is not new. In the Cold War between the U.S. and Russia, perception was often reality. The United States used covert means to supply information to friendly overseas sources to reinforce its positions. Occasionally, such as in Vietnam, it even deluded itself and the American people into believing that a limited, winnable war was possible.

The KGB, Russia’s Cold War spy service, was expert at planting damaging information about the U.S. around the world. It was a way of undermining our influence, and the perception of wrongdoing was all that mattered in the war of minds. Sometimes it worked quite well, and the damage persists to this day. For instance, it was the KGB that floated the idea that American experiments to dominate the Third World created AIDS.

And so it goes today. We deal with Russia relying on old habits reinforced and facilitated with new technologies. The Internet, with its hidden corners of attribution, is a hard place in which to fight rumor and innuendo. Instantaneous transmission makes it impossible to control or counter the initial message. The very fact that the Russians are releasing information about American candidates is damaging to the perceived integrity of our elections. The idea that they could fool with our vote count is even more upsetting to the legitimacy of an already spooked electorate.

So, the first game of perception management goes to the Russians. There will be a section of the U.S. population, already unhappy with the election results, that will forever believe the system is now vulnerable to massive rigging. The reality is that there are several thousand different voting systems – ranging from paper ballots to electronic voting gear rarely updated to the 21st century. Hacking on a mass scale is unlikely, though some minor efforts may be made. But that does not really matter. Even a few hacking attempts could be enough to poison perceptions.

So, for this round, the Russians have won an American election. It will be up to a new Administration to make Moscow pay for this interference. The games have only just begun.

China applies ‘The Art of War’ to Cyber

“The highest form of warfare is to out-think the enemy.”

“In all kinds of warfare, the direct approach is used for attack, but the oblique is what achieves victory.”

“If you do not wish to engage with the enemy, even though your defences are no more than a line in the ground, you can prevent them attacking by luring them away with a feint or a decoy.”

––Sun Zi, The Art of War

In advance of President Xi’s State Visit to Washington this week, White House officials in August previewed what was to be the first use of the powers created by an April Executive Order (EO) aimed at curbing unacceptable cyberactivity. The EO authorizes tough financial sanctions against those who benefit from a country’s illicit cyberactivities: damaging critical infrastructure and computer networks in the United States, and benefiting from the cyber-enabled theft of proprietary information, which is a component of the U.S. private sector’s economic competitiveness.

At that time, the U.S. government was reeling from reports of two attacks reliably attributed to the Chinese government: the attack against the Office of Personnel Management and the attack involving sensitive health information at Anthem, both attributed to Chinese government-directed attackers. It was also dealing with the attack against Sony Pictures Entertainment, which involved physical damage achieved through cyber means and was carried out through North Korea’s Internet link that passes through China. The EO added strength to an ongoing campaign by the President and his advisors either to change Chinese government behavior or to hold the Chinese government to account for it.

Those White House officials left some ambiguity about the timing of sanctions relative to President Xi’s visit and about whether sanctions would single out China or include other bad actors. They timed the leak well. Mere weeks before President Obama welcomed Xi to the White House, it alerted the Chinese government to the embarrassing possibility that the sanctions would dominate the news around the visit. By leaving open the timing of sanctions, the White House provided the Chinese government with an opening to negotiate on those elements, sparing the Chinese leader the embarrassment of a sanctions announcement on the eve of the visit.

The Obama Administration, however, may not have prepared for the Chinese response very well. They should have re-read The Art of War.

The conversation between the United States and China on cyber has become an endless discordant loop since the beginning of the Obama Administration. The United States has complained that Chinese state-directed hackers have stolen commercially relevant information from U.S. firms; China has denied that such theft––or any inappropriate cyberactivity––has taken place. The U.S. government countered that denial by building a stronger and more detailed case against Chinese government conduct. In some instances, the private sector has also provided public evidence. Last year, in fact, the U.S. government indicted five Chinese officials on charges related to their cyberactivities (whom the U.S. will presumably prosecute should they present themselves in U.S. territory). By naming and shaming, the U.S. government has sought to convince China to come to the negotiating table and discuss how Chinese behavior should change.

This tactic has failed at the most rudimentary level: the Chinese government flatly denies conducting any form of inappropriate cyberactivity––a laughable contention, as nearly all states with capacity engage in some form of espionage in cyberspace––and blames U.S. networks for hosting the majority of illegal cyberactivities. More convincing evidence will not overcome China’s airy denials.

In spite of the absence of meaningful dialogue, the U.S. government has tried to expand the campaign to like-minded nations. To rally the international community against China’s bad cyberbehavior, the U.S. government earlier this year sought support at the United Nations (UN) for certain norms in cyberspace. But that move actually confused the issue. The norms tabled at the UN address obligations to refrain from damaging critical infrastructure and to provide assistance to countries that have suffered an attack; the U.S. government did not include a norm against cyberactivities aimed at stealing the sources of another country’s economic competitiveness. The effort at the UN, then, will result only in Chinese denials to a larger community; it has also distracted from the principal U.S. goal of minimizing cybertheft of the foundations for economic competitiveness.

The Chinese government seems to have absorbed the implicit shift in the U.S. UN submission away from cybertheft. According to media reports this week, U.S. and Chinese negotiators have agreed to some form of code of conduct related to the critical infrastructure-related norms, to be announced as a deliverable of Xi’s visit. The Chinese government seems to have realized that the U.S. government might accept a general commitment to norms unrelated to cybertheft, combined with additional commitments to talk, in exchange for taking sanctions off the table. If the agreement discussed in the press is actually limited to norms unrelated to cybertheft, it would not constitute the progress that President Obama last week suggested would suspend U.S. consideration of sanctions. In that case, the Chinese will have succeeded beyond any expectation. The United States is left with more words, further delayed action, and Chinese agreement that they will not engage in conduct… that they never acknowledged in the first place.

Would sanctions against Chinese individuals and entities have been a game changer in the ongoing battle over economic competitiveness? The record for unilateral U.S. sanctions changing bad behavior does not provide much reason to think it would, in and of itself, end Chinese cyberhacking. But sanctions would change the calculus for bad cyberactivities in ways that bilateral or international discussions cannot, by closing off valuable U.S. and multinational business and financial access.

The agreement that the two Presidents will make on Friday has to pass a very high bar to be acceptable: in exchange for avoiding sanctions and turning a potential embarrassment for President Xi’s visit into an opportunity for Xi to look like a statesman, the agreement must cover cybertheft and provide concrete means to verify those promises from the Chinese. If so, it may take some time to assess whether the agreement is more than words. Otherwise, President Xi has gotten a State Visit and avoided embarrassment. It will be far less clear what President Obama and the United States have achieved.

Adam Bobrow is the Founder and CEO of Foresight Resilience Strategies and a senior fellow with the GW Center for Cyber and Homeland Security.

New EU strategy proposes a “European Counter Terrorist Centre”

The European Union now has a new Agenda for Security for the period 2015 to 2020. It specifies “three priorities for EU action” — terrorism and radicalization, organized crime, and cybercrime — based on the “level and complexity” of these threats, as evolved since the formulation and release of the previous Security Strategy for 2010 to 2014.

Among the “concrete actions” that are envisioned to address these threats within the EU are the following:

…the Agenda proposes to step up Europol’s role by setting up a European Counter Terrorist Centre as a secure centre for information exchange among national law enforcement authorities, building upon the successful experience of the Cybercrime Centre (EC3). …

To prevent radicalisation online, the Commission will launch an EU-level forum with IT companies to develop tools against terrorist propaganda.

…the Agenda aims to put in place effective measures to “follow the money”, by reinforcing the powers of financial intelligence units to better track the financial dealings of organised crime networks and enhance the powers of competent national authorities to freeze and confiscate illicit assets.

The next step is for the European Parliament and the European Council to consider and, potentially, endorse the Agenda (which emanates from the European Commission). The previous Strategy was criticized on the ground that, among other things, it failed to incorporate sufficient input from institutional stakeholders.

For more on the new Agenda as a whole, see here and here. For further analysis of the new Counter Terrorist Centre, “with limited powers that will not amount to the equivalent of a European FBI,” see here.

New name and location for our blog

As part of the effort announced last week to establish the GW Center for Cyber and Homeland Security, we have renamed the Center’s blog as Security Insights, located at http://www.securityinsights.org/. All previous posts from HSPI.org have been migrated to the new site, and we expect to post actively on the new site in the coming days and weeks.

New HSPI report: “Putin’s Russia: A Geopolitical Analysis”

Today HSPI published an Issue Brief entitled “Putin’s Russia: A Geopolitical Analysis,” co-authored by HSPI senior fellow Robert Dannenberg, together with Frank Cilluffo and me. Here’s a synopsis:

The speed and audacity of Russia’s annexation of Crimea earlier this year shook Eastern Europe and surprised the West. Yet the conflict in Ukraine is just one symptom of a much broader challenge, and one which the West has yet to recognize fully and respond to accordingly. Russian President Putin is much more of a revolutionary than people give him credit for being. In fact, he wants to reshape the world and reshuffle the international economic deck.

This Issue Brief examines events in Ukraine and beyond from a strategic perspective; and then offers a series of action recommendations intended to respond effectively to these geostrategic developments. Read the entire analysis at this link (PDF).