Kempner: Why cyber muggers keep winning (and we keep losing)

6:00 a.m. Monday, Sept. 25, 2017 Business
Equifax said it has made changes to address customer complaints since it disclosed that it exposed vital data on about 143 million Americans. Equifax has come under fire from members of Congress, state attorneys general, and people who received conflicting answers about whether their information was stolen. (AP Photo/David Goldman, File)

It’s not uplifting to chat with cybersecurity experts these days, because our most sensitive data is not safe.

Sure, the businesses, government agencies and others that have our private information try to protect our valuables. They smack away lots of attempts by bad guys to grab our data.

But, ultimately, many of the defenders end up buckling, just like credit reporting agency Equifax recently did with Social Security numbers and other data on 143 million people. Why haven’t they done better?

I’ve heard a variety of answers.

“Right now, we have no way to measure the insecurity of our networks,” said Georgia Tech professor Manos Antonakakis.

We’re 20 years into cybersecurity efforts and we can’t do that? (As you might guess, he said he’s doing research to come up with such a measure.)

Security products “are not doing what they claim they can do,” Antonakakis told me.

Others told me the same thing when I stopped by a cybersecurity conference at Georgia Tech.

My visit was after Equifax disclosed its massive data breach.

“This is not going to be the last,” Sal Stolfo, a Columba University professor, told me.

He said it twice, just to be sure I heard.

He offered only a bit of hope: “Over time, things will get better. But they are not good now.”

People make mistakes. Employees click on links in emails that they shouldn’t, letting malware into the system. Software makers create “buggy” products.

And troublemakers with a financial or political incentive are mega motivated to find security holes.

“They are dedicated. They will look at every vulnerability immediately,” said Kang Li, a computer science professor who directs the University of Georgia’s Institute for Cybersecurity and Privacy.

Compare that with many big companies that store sensitive data. The bulk of their profit focus is usually on something else, like lending money, selling sweaters and hammers or providing medical care.

Li said he many corporate boards don’t dedicate enough attention and demand sufficient resources to protecting data.

Some cybersecurity researchers are frustrated with Equifax.

The company’s breach involved a vulnerability, one that a patch apparently had already been available to fix. Installing some security patches in a complex corporate network takes testing and a lot more work than it does on a home computer.

Still, Li told me, “there is no excuse.”

“I don’t think Equifax treated it seriously enough,” he said. “I think people should be mad.”

Alfonso Valdes, a research scientist from the University of Illinois, told me he wrote his congressman over the incident.

“I feel outraged as a consumer,” he said.

He put credit freezes in place, but he told me he still feels exposed by what he suspects will turn out to be “poor digital hygiene” on Equifax’s part.

“If you run a big digital warehouse, you have to be on top of this.”

The Atlanta Journal-Constitution
Equifax’s headquarters in Atlanta. HYOSUB SHIN / HSHIN@AJC.COM

Yet cybersecurity experts also told me that while you can take steps to limit attacks, there’s no guarantee of success.

“A strongly motivated individual can get into any environment and any company, given enough resources,” Tech’s Antonakakis said. “Why is that? Because they need to find one hole to get in.”

And there’s always a hole.

So here’s how companies try to prevent problems. First, of course, limit holes. They also monitor for suspicious network activity.

Equifax said the breach apparently began in May, but it was only discovered in late July.

“That sounds like a major detection problem,” Antonakakis told me.

It’s also not unusual. It now takes an average of 191 days to discover a breach, according to recent research by the Ponemon Institute.

Companies have other options to fend off electronic attackers. Stolfo at Columbia University suggests broader use of deception, like creating lots of copies of fake information so thieves don’t know if they are stealing the real thing.

Or more companies could avoid storing super sensitive data on consumers.

That’s the premise of Atlanta-based startup Evident ID. Under its system, individuals can keep their personal information locked up on their smartphones, then give companies permission to determine that the encrypted data has been verified, using Evident’s system as a go-between.

“We are trying to help businesses avoid these large-scale attacks,” said David Thomas, Evident’s CEO and co-founder.

Rather than hackers getting access to millions of records in one swipe, they’d have to break into millions of individually encrypted records held in different places, he said. “It changes the economics so it isn’t worth the effort.”

Jessica Rich, a former head of consumer protection at the Federal Trade Commission (and now a vice president at Consumer Reports), told me one reason big breaches keep happening is because companies don’t pay enough attention to protecting consumer information.

Congress needs to pass a tougher law that cracks down on such organizations, she said.

We consumers have to shape up, too. Create better passwords. Don’t give away personal information on social media that can be exploited by scammers. Update software promptly. Put in place tougher security programs.

None of that is enough, though, if organizations that hold our data don’t do better.

View full experience