Will the US ever get serious about security and privacy?

The beginning of what we now call cybercrime

I have been in this career for decades, yet it seems like we are still at square one. Back in 1970-1995 Kevin Mitnick had an advantage – he was a groundbreaking hacker, long before all the script kiddies showed up on the scene.

Mitnick penetrated some of the most high-profile networks in the world using social engineering schemes. He tricked insiders into revealing access codes and passwords. We now call this phishing and it’s highly automated.

Then, in 1988, worms like the Morris Worm showed up. What started as a seemingly small playful exercise launched from a computer lab at MIT, the worm spread much faster than anticipated. It went so bad Robert Morris was eventually the first to be convicted of violating the Computer Fraud & Abuse Act.

Kevin Poulsen made his mark in 1988-1994 when he took over the phone lines in Los Angeles to win a radio station contest. The prize was $20,000 in cash and a Porsche 944 S2 Cabriolet.

In 2011 things shifted into high gear. Enter the Stuxnet Worm. This was to become the world’s first weaponized attack. Stuxnet targeted Iran’s nuclear program, causing physical damage to their enrichment centrifuges. This was not the act of a lone hacker, prankster or script kiddie. This was the work of a Nation State.

Later in 2011, as social media was in full swing, hackers used this medium to publicize their work. The group Lutz Security would hack and tweet about their victim’s poor security. They even hacked Sony’s PlayStation network in an event that compromised more than 24 million users’ personal information. At the time, most operating systems were still not being not designed with strong security and neither was the internet.

Speaking of the not-designed-to-be-secure, in 1969 – the year of the Man on the Moon, Woodstock and the Miracle Mets – something else very significant happened. At the time very few knew about it, because there was no newspaper, radio or TV coverage of it.

On this day in October 29, 1969 the birth of the internet took place. Leonard Kleinrock, a professor of computer science at UCLA, sent the first message over a network that would eventually become the web. In an interview with CNN on October 29, 2009, Kleinrock had this to say about today’s internet:

“There’s a very dark side to the Internet, which we’re all familiar with. It started with a worm in 1988, and it became spam in 1994, and now we have pornography, we have denial of service [attacks], we have identity theft, we have fraud, we have things like botnets [pieces of software that cyberthieves use to remotely and secretly control your computer], which really worry me.”

The internet grows up, but can we control it?

So, we have this global network that was never designed to be secure, then suddenly in 2000 the dot com boom happened, and everyone was on the internet or getting on it. E-commerce was born. We would immediately place all our military secrets, medical records, educational records and banking credentials online.

Everything was now online. Did I say all of this was put on a network that was never designed to be secure?

It’s only natural to ask if greed has contributed to our cybercrime problem? Did we ignore security in our quest to make as much money as possible? Are we still doing this? Is security just too inconvenient for our customers?

Think about this: For the first time in history you could rob a bank in the US from Russia or anywhere in the world without ever leaving your safe and secure home or office. Every computer in the world now has the ability to connect to any other computer in the world.

How many targets are there? Add IoT, the Internet of Things, and cyber criminals can not only snoop on your baby monitor and home security system but also compromise you bank account and much more. How many devices are on the internet today? According to Internet World Stats, 4,383,810,342 as of March 31, 2019. According to Privacyrights.org, the total number of records breached since 2005 is 11,578,188,519.

I used to regularly give security presentations and I would always talk about the latest data breaches: Target, Sony, Home Depot, the US Government’s OPM, Adobe, Yahoo, eBay, Anthem, Equifax and Marriott, to name some of the more notable and newsworthy. Notice I didn’t include hospitals, where ransomware shuts down access to critical life-saving systems.

I’ve lost count. It’s become commoditized information when you announce another data breach. It’s like saying there’s another accident of Interstate I-4 in Orlando. In other words, it’s routine. We have become as numb to it as violence on the evening news.

The solution: Let’s work together…like the cybercriminals do

The 2019 Verizon Data Breach investigations report looks like this:

• C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees
• Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018
• Phishing is involved in 32% of breaches and 78% of cyber-espionage incidents
• 90% of malware arrived via email
• 60% of web application attacks were on cloud-based email servers
• Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
• 52% of cyberattacks involve hacking
• 34% of attacks involved insiders
• 43% of cyberattacks were on small businesses
• Ransomware is the second biggest malware threat and accounted for 24% of malware-related breaches
• There has been a six-fold decrease in attacks on HR personnel
• Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

I can’t and won’t speak for all nations, but for my home country the USA. It appears our siloed approach to cybersecurity is still hurting us. In Europe, privacy is considered a human right. It’s not even mentioned in the US Constitution (it only shows up in the 4^th Amendment under illegal search and seizure).

Another issue hurting our ability to secure user data are the mostly unknown data brokers. We know that data brokers have free reign in the US because profits appear to mean more to Congress than our privacy. Our lobbyists often come from the government and go on to work for corporations, including data brokers who fund congressional elections. This gives them power to manipulate our government and its laws.

Just this week I read on the International Association of Privacy Professionals (IAPP) website that Congress is going to conduct a hearing on data brokers and the impact on financial data privacy, credit, insurance, employment and housing. Forget what info Snowden or Assange say our government has on us. This industry This industry knows everything about all of us…and sells it.

And with our mixed bag of State and Federal laws, there is little to no consistency or standards that we as a nation can comply with.

It’s time our government moves toward uniform laws. California and Massachusetts have their own data privacy laws, while some states have little to none, while the feds go another direction. This siloed approach guarantees that we will always come up short.

The government pushed electronic medical records for good reasons, but it was another example of too much too fast. They themselves became victims in the Office of Personnel Management (OPM) data breach, wherein the most sensitive government security clearances were stored, and everyone including the FBI director’s identity was compromised by China. In short, the same government that was unable to secure its own security clearances was simultaneously pushing for all our medical records to be online and ready for the taking.

Just how many healthcare records have already been compromised? According to HIPAA Journal, between 2009-2018 there have been 2,546 healthcare data breaches, resulting in the theft or exposure of 189,945,874 health records.

Let’s face it: we are still losing this battle. Microsoft keeps forcing patches on their OS, an OS that is inherently large and complex and has unlimited vulnerabilities. Too many people are spending too much time attacking it and looking for new ways to exploit it. Why? Because for some, it’s apparently much easier than working for a living (and it’s very profitable).

We know where we’ve been, and we know where we are: still in reactive mode with no uniform or comprehensive laws that address security and privacy for all business sectors across our nation. Will the US do the right thing even if special interest groups lose some market share, or will we continue to have  a Darwinian approach cybersecurity laws where some win and others lose all at the expense of the global data feeding frenzy.

Will we keep kicking the cybersecurity can down the road?

Why have we made so little progress lately? Because Congress is too busy fighting itself. It’s time for our country to stop the partisan politics. This behavior is so wasteful and unproductive. While the endless fighting and division continues, cyber criminals who don’t work in silos are all too happy to continue to exploit our banks, medical records, military secrets and intellectual property.

We must acknowledge the risk of doing business online and prioritize the risk by industry. We need to provide real world solutions that manage this risk by including industry executives and cybersecurity experts.

We need uniform state and federal laws and security frameworks that everyone must adopt. We can’t have some cities or corporations doing nothing while others spend large amounts of money addressing this issue. Some industries are regulated, and others are simply ignored or are able to have substandard security in place.

There needs to be consistent and comprehensive mandatory security and privacy laws and corresponding compliance frameworks to meet them. We also need to work with the European Union and adopt GDPR. Even if we don’t address data privacy in the Constitution, it should still be a human right – especially in the digital age.

In the end, we must decide: are we really serious about cybersecurity and privacy, or will we continue down the path of ignorance and survival of the fittest in a global game of cybercrime that is working 24 x 7 to take everything we have?

We can do the right thing. Will we?