What Happens When There’s No Data Left to Steal?
What would it mean to have a post-breach society, in which there’s no data left to steal because it has all been stolen? We may be about to find out.
The concept of private property is central to our society and economy – indeed: it is a pillar of the Western world. And protecting private property goes right along with having it. What is the value of ownership, after all, if anyone can come along and just take what you have for themselves? Thus, we’ve developed laws and empowered civil servants (the police, the courts) to enforce them and to help us protect ourselves and our property.
In the last forty years, that thinking has extended naturally to our data as we’ve come to live in increasingly data- and technology-driven societies. Our data - we like to think - belongs to us. We wittingly or unwittingly share it in our digital economy. In the last 20 years, it has become the main product that is aggregated, repackaged and resold by companies like Yahoo, Google and Facebook, as well as older firms like Equifax and TransUnion.
It would seem, then, that protecting that data would be of the utmost importance to those firms – not just for the sake of maintaining good relations with their users (us), but also for the sake of their bottom line. Sadly, that hasn’t been the case. Billions of Yahoo users were exposed in the breach of that company. More recently, Equifax admitted that information on a healthy majority of the individuals it monitors - some 140 million people - was likewise stolen by hackers.
So what happens when the systems we’ve developed to protect property fail utterly? What happens when the doors to the “banks” are thrown open and our assets and property are there for the taking by anyone with the wherewithal to know how and where to look? In civil society, we have a pretty good idea what that looks like: chaos – looting and theft, the breakdown of civil order.
It’s less clear whether that’s true in the digital realm, but we may be close to finding out. I’m referring to recent, public statements by IRS Commissioner John Koskinen, who told attendees at the Department’s Security Summit that he expected the fallout of the Equifax breach to be minimal. His reasoning: most of the data stolen from Equifax was of little value, because it had already been stolen in other breaches.
“We actually think that it won’t make any significantly or noticeable difference,” Koskinen told reporters in a question and answer session, as reported by The Hill. “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals.”
Those comments followed a speech by Koskinen in which he trumpeted largely encouraging data about taxpayer identity theft - a crime that counts this reporter as a victim. The IRS has seen a steady decline in identity theft attacks in the form of fraudulent returns: 883,000 confirmed identity theft returns in 2016, but only half that number - 443,000 - confirmed through the first eight months of 2017, a 30-percent decline from the same period last year.
The IRS was also under scrutiny for awarding a multi-million dollar no-bid Federal contract to Equifax just days after news of the breach broke - an embarrassing turn of events for the agency and perhaps a reason to try to soft-pedal the breach itself.
But the Commissioner’s statement jibes with other news. A report by the security firm F-Secure found that 81% of CEOs have had their email address and other personal information exposed online in the form of spam lists or leaked marketing databases. (The findings are published in a PDF report.)
Once closely guarded, data like Social Security Numbers, email addresses, mailing addresses and even usernames and passwords now slosh around in a vast, underground marketplace of stolen information. Not too long ago, malware was the best way onto a victim’s network. Today, hackers can just buy remote access credentials to a computer that is already on the network they’re interested in. Problem solved.
What will this mean for the future of our information driven economies and societies? It is unclear. One simple response is to phase out the use of simple identifiers (like Social Security Numbers) and, thus, neutralize the value of that stolen credential. There is some evidence that efforts are underway to do this. But we have yet to reckon with the radical implications of this kind of forced transparency: the busting down of the doors we thought kept our online data (and selves) from the prying eyes of the public and from those who would prey on us.
It seems clear that there’s no simple technology fix for this problem - but that a fix is needed. History shows us that bad things happen when the public loses faith in the ability of governments and courts to protect their interests.
The long-term response may require new laws and protections - including enforcement - that restore balance to our online lives. We don’t ask citizens to inure themselves to muggings and property crime in order to live in our towns and cities. We shouldn't require those who venture online to resign themselves to being robbed and victimized as the price of being online.
Paul Roberts is the Editor in Chief of The Security Ledger and the founder of The Security of Things Forum.