Third-party contractors — our weakest cyber link — need to be held accountable
If a poll were taken and the top threats to our national security and cybersecurity were voted on, the usual suspects would be easy to name: China, Russia, North Korea and Iran. You'd be half right. Those countries are the biggest foreign threats. But the biggest threat lately is internal, and it's third parties with poor cybersecurity practices.
The latest breach involved the U.S. Customs and Border Protection (CBP). According to a statement released after the discovery of the breach, "CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract."
Reading between the lines, CBP just said "It's not our fault." The breach, discovered on May 31, involved fewer than 100,000 people photographed inside vehicles, as well as images of the vehicle license plates, that were taken as travelers left the U.S. through specific lanes at a single, unspecified land-border crossing. And though it was small consolation, CBP assured the public that none of the images had appeared on the dark web. As if that were the purpose of the breach.
The most significant breaches of the last few years have all been self-inflicted. According to research from Flexera, "Patches were available for 86 percent of the vulnerabilities on the day of disclosure." In other major breaches, access was gained by compromising a third party and stealing its credentials in order to log into the corporate network of the eventual target.
In 2013, Target lost 40 million credit cards through a third-party HVAC provider that had direct access to the corporate network. The attackers stole the credentials from the less-secure HVAC network and walked right in through Target's front door.
In 2015, the Office of Personnel Management (OPM) was breached through KeyPoint Government Solutions. KeyPoint was a third party used by OPM to conduct background checks. The attackers, now known to be China, used stolen credentials to access two OPM servers and steal over 21 million files.
In 2017, an Australian defense subcontractor lost 30 gigabytes of highly sensitive data "including information on Australia's $17 billion Joint Strike Fighter program, and $4 billion P-8 surveillance plane project." The hacker, codenamed Alf after an Australian soap opera character, exploited a weakness in software that had not been updated for 12 months. According to one report, "The cybercriminal had access to pretty much every server and was reading emails of the chief engineer and a contracting engineer."
In 2018, China compromised the network of yet another defense contractor doing work for the Navy. According to a report from the Washington Post, the breach involved "stealing massive amounts of highly sensitive data related to undersea warfare - including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials."
Our technological advances and military superiority are being stolen from under our very noses. Russia and China don't have to invent anything. They've become quite adept at stealing everything in sight.
In an assessment delivered to Navy Secretary Richard V. Spencer in March, and reviewed by the Wall Street Journal, the Navy and its industry partners are "under cyber siege," primarily by Chinese and Russian hackers. This massive theft of intellectual property and military secrets "threatens the U.S.'s standing as the world's top military power."
According to the report, China has "derived an incalculable near- and long-term military advantage from it [the hacking], thereby altering the calculus of global power." How could this have been achieved so easily? Simple. The Navy, like many parts of DOD, has a failed policy of allowing contractors to self-report breaches and vulnerabilities. According to the review, "That after-the-fact system has demonstrably failed."
Where is the accountability for failure to perform even the most basic cybersecurity tasks? Twenty years ago, cyberspace was a new and evolving landscape. Not today. Cyberspace is the fifth domain of warfare, and our government is being attacked at all levels: federal, state, county and local.
The CBP breach is just the harbinger of worse things to come. The best tactic to compromise a targeted system is to not take it head-on. Instead, attack the weakest links, exploit the unpatched vulnerabilities, steal the authenticated credentials, and log in as a trusted user. I'm not advocating putting businesses out of business. Not yet.
But if rampant cybersecurity incompetence is allowed to persist unchecked, the future damage will be incalculable and irreversible. At some point agency heads need to be held accountable. With CBP, there should be no free pass because the "victim" was a third party. Civil penalties, in addition to criminal penalties, should be on the table. When the cost and pain of willful non-compliance finally exceed the cost of business as usual, things will actually begin to change. Until then, don't smile for the camera.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.