Good news and bad about that Capital One data breach
Capital One announced last week that a former employee of its cloud service provider had illegally accessed the credit card applications of approximately 106 million people from the United States and Canada. The breach involved addresses, dates of birth, and other information - including 140,000 Social Security numbers and 80,000 linked bank account numbers from 2015 to early 2019.
The announcement came just days after Equifax agreed to pay up to $700 million to settle lawsuits brought by the Federal Trade Commission and state attorneys general stemming from a 2017 breach of data about 147 million Americans.
In fact, over the past decade massive data breaches have grown to be an increasingly frequent and familiar story. Marriott disclosed the loss of 500 million records in 2018; Adult Friend Finder of 412 million in 2017; and Yahoo reported the loss of information on 3 billion accounts in 2016. According to security researchers, even the Capital One breach may be much bigger than originally announced.
Breaches are the new normal. In fact, it is no exaggeration to say that despite investing billions of dollars in increased cyber protections, we are incapable of securing any data absolutely.
Robert Mueller, when he was FBI director, famously said: "I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again." Little has changed since he uttered these words in 2013. We rely more and more on data, but we cannot protect those data effectively. It is that simple.
There is good news and bad news about this reality. The good news is that there is a lot we can do collectively to "deweaponize" routine data like name, address, and even Social Security Number. Most criminals only steal this type of data because they can use it to commit fraud. If we made the data less useful, we would reduce the incentive to steal it.
Federal law has already taken one step in that direction by providing all consumers the right to freeze their credit reports, without charge, so that new credit accounts can't be opened. If more individuals would take advantage of this right, there would be less that thieves could do with stolen data and therefore less reason to steal it.
But we need to go further. Social Security Numbers would be a good place to start. For close to a century, SSNs were never kept secret: They were printed on ID cards, IRS envelopes, employment forms, even in the Congressional Record when military officers were promoted. Then companies started using SSNs as default passwords and account numbers. Rather than stop this misuse of SSNs, regulators began the Sisyphean task of trying to secure SSNs.
A more rational approach would be to never use an SSN - a number originally created only to link an individual to his or her benefits information - for identification. If we don't treat the number as a way of verifying identity, thieves won't be able to use it to spoof the identities of others.
Similarly, a great deal of other historically public information like name, address, and phone number would be less risky if we stopped using it as a convenient but ineffective way to verify identity. It might be a bit more inconvenient, at least in the short term, to require biometrics or other tools for verifying identity, but the immediate effect would be to take some of the sting out of having this type of data stolen. And even the inconvenience would likely fade as name and address are replaced with tools that verify identity far better, such as fingerprints, facial recognition, and other new technologies.
The more sobering news, given that we cannot secure data, is that we keep deploying new technologies that rely on data to fly airplanes, drive cars, manage home and office security, conduct surgery, run our financial system, and for a thousand other mission-critical uses. These innovations are impressive, but the fact that we cannot secure the data on which they rely - demonstrated by the frequency of massive data breaches - should make us think twice before turning our economy and our lives over to them.
So far, there is little evidence we are paying attention to this lesson. The Economist featured on its April 8, 2017, cover the headline "Why Computers will Never be Safe" and entitled its feature article in the print edition "The myth of cybersecurity." Despite overwhelming evidence that data is out of control, we continue to race headlong towards more reliance on automated, data-based systems.
A 2018 GAO report found "mission critical cyber vulnerabilities" in "nearly all" weapons systems under development. More recently, DOD officials have acknowledged purchasing off-the-shelf IT equipment with "known cybersecurity risks." Power stations, centrifuges, military drones, and insulin pumps have been compromised, without being recalled or given cybersecurity fixes. The 2016 Mirai botnet wreaked havoc on the web by "hijacking the computing power of web cameras, baby monitors and other connected devices." Chrysler had to recall 1.4 million Jeeps after they were hacked, and hackers working for DHS compromised the systems of a Boeing 757.
As important as the consumer data held by Equifax and Facebook and Capital One may be, it pales in comparison to the damage that can be caused by our inability to secure the data on which our critical infrastructure increasingly depends.
As a result, Congress and regulators should require rigorous testing of data-based technologies before they are deployed, and should consider restricting the sale or use of those technologies for critical functions until they can be demonstrated to be secure.
We should consider the need for back-up systems, including human operators, that don't rely on data-based technologies.
We should invest more in research not merely to secure data, but also to reduce the consequences of cyberattacks.
And in both public and private sectors we need a more thoughtful, and more cautious, approach to securing the data, and the systems that rely on data, that increasingly control essential parts of our economy, our government, and our lives.
What makes the bad news even worse is that another breach is bound to happen - we can't afford to wait any longer before acting.
Fred H. Cate is vice president for research, a distinguished professor, C. Ben Dutton professor of law, and a senior fellow in the Center for Applied Cybersecurity Research at Indiana University.