Since its cybersecurity kerfuffle in June, Equifax has become a four-letter word. And that word is “hack.”
CEO Richard Smith went to Washington this past week to testify in front of four different congressional committees about the perilous pairing of human and technological error that led to 2017’s largest data breach. Unrelenting members of Congress demanded regulation and remediation for consumers.
The hearing by the House Energy and Commerce Committee’s Digital Commerce and Consumer Protection Subcommittee focused attention on Equifax’s plan to remedy consumer confusion. The fact that Equifax is both a broker of identity information and a company that sells services to protect that information makes the aftermath of the hack particularly tricky to navigate.
More than 44 percent of Americans had a treasure trove of personal information stolen in the hack by criminal actors yet to be identified. The data include names, birthdates, Social Security numbers, addresses, driver’s license information and credit information. Equifax added 2.5 million more to the 145.5 million total number of consumers affected by the data breach after cybersecurity firm Mandiant concluded its forensic investigation this week.
The news has prompted members of Congress to renew calls for legislation requiring companies to do more about cybersecurity. However, such approaches targets the symptoms rather than the disease.
Rep. Jan Schakowsky, D-Ill., is sponsor of the recently reintroduced Secure and Protect Americans’ Data Act, which would require any organization or company that holds personal information to develop a written security policy, implement extensive security procedures and assess their security program annually. In the event of a data breach, organizations would be compelled to notify consumers. The requirements set out in the Schakowsky legislation for “information brokers” are even more burdensome. The bill cedes power to the Federal Trade Commission to enforce noncompliance with these rules as an “unfair and deceptive act.”
While the bill is well-meaning, in practice, this regulation likely would result in more work, rather than more security, as organizations redirect resources to compliance.
Meanwhile, Rep. Ben Ray Luján, D-N.M., has proposed the Free Credit Freeze Act, which would require consumer reporting agencies to provide credit-freezing services free of charge in perpetuity. Equifax already has announced that it will be providing such a service, known as TrustedID Premier.
Both the Schakowsky and Lujan bills are emblematic of a shortsighted approach of overemphasizing response, remediation and resistance over a long-term resilience-based approach to cybersecurity. Breach notification, security policies and credit-monitoring services may cure the headache but they will fall short of preventing the next big hack. In contrast, pursuing resilience means that the cybersecurity ecosystem can withstand stressors, adjust to adverse events and bounce back quickly. Government should focus on fostering a policy environment in which these capabilities are strengthened.
Building immunity from the bottom-up requires a layered approach that focuses on the incentives that face both the attacker and the defender, much like the layers of defense in a secure internet-enabled system. Overlapping efforts from a variety of actors—who must include industry, individuals, third parties and government—is the only way to provide a systemwide solution to what is a systemic problem.
Consumer awareness is one way to affect change in the cybersecurity ecosystem. The Promoting Good Cyber Hygiene Act—sponsored by Rep. Anne Eshoo, D-Calif.—identifies one area where government can play a positive role. It suggests the National Institute of Standards and Technology produce an accessible list of best practices, based on NIST’s cybersecurity framework that currently is in use by both companies and the government.
Creating guidelines for individuals takes this framework one step further and empowers consumers to improve their resilience to cyberattacks. Such guidelines would include information about what to do in the event of a data breach. They would allow consumers to better navigate Equifax’s bungled consumer-notification process and misleading landing page. Industry leaders such as Google, Facebook or Apple as well as third-party organizations like the Electronic Frontier Foundation or the Internet Society can also work to fill this information gap for consumers.
In a world in which a majority of Americans have personally been the victim of a major data breach, an approach that focuses on resilience can do more than merely treat the symptoms.
Image by Shawn Hill