This article is published in the November 2017 issue.

Data Breaches: Time to Implement a Forward-looking Research Agenda

“Massive breach of databases containing personal information. Millions of records exposed.”

This seems to be an almost daily headline these days. One of the most serious events in recent memory is the breach of the Equifax databases, potentially compromising 143 million records with personal information such as name, social security number, and credit history.

While the Equifax breach garnered much attention, it is just the latest in a string of serious breaches. These events have highlighted the need for a forward-looking research agenda in support of regulatory frameworks and discourse necessary to increase the literacy level among corporate leaders. These are issues the computer science community can help advance, though we must be willing to engage with lawmakers, the business community, and others to have real impact.

Much has been written on the topic since the disclosure of the breach, including articles in the New York Times (NY Times), Washington Post (WaPo), and Wired. Note that the actual breach occurred months before it was disclosed. Equifax offered some identity theft protection, but only for the year after the breach. Most agree that Equifax botched many of the steps following disclosure of the breach, as covered here in Wired.

Yet, Equifax’s troubles continued. It was reported that some of their executives sold their stock in between the discovery and disclosure of the breach, and a link to a phishing website was accidentally tweeted by the company in an attempt to provide resources to impacted people.

An interesting aspect of the coverage of this particular breach is that there is much agreement across various outlets – from Wired, to NY Times, to WaPo, to NPR – that the breach was due to complete and total corporate negligence. Since the patches to address the known vulnerabilities were available for two months before the Equifax attackers entered the system, there is a consensus that the company bears the responsibility. In response to that assessment, a well-done analysis in the Harvard Business Review has called for an overhaul of the regulatory system, which is painfully behind the technological advancements.

Back in May, another topical article ran in the Economist titled “The world’s most valuable resource is no longer oil, but data.” This was before the Equifax breach was public (though probably while it was happening). While this article primarily focused on the need for new antitrust laws given the digital economy and the emergence of data-collection giants such as Alphabet and Facebook, the points regarding the need for new regulations are highly relevant to this case. An analogy could be drawn comparing the data breaches to oil spills polluting identities, credit reports, and records of millions of people.

It is clear that the data is valuable – and just as clear that accountability and policies to protect the data are not keeping up. It is also very clear that these breaches will continue to happen unless something changes. So here are three things that we, as the computing research community, can focus on:

  1. Increase literacy and accountability of these types of issues at both executive and regulatory levels.
  2. Prioritize development of organization-centric tools and methodologies for risk assessment and resilience.
  3. Prioritize development of user-centric tools for identity management and authentication given that data has been compromised.

Approximately one year ago, the Office of Science and Technology Policy (OSTP) published the National Privacy Research Strategy, with community input, that provided a number of recommendations specifically regarding user-centric tools for identity management.

“Breaches are going to continue, which implies that we need to increase our focus on issues in remediation and recovery. The 2016 National Privacy Research Strategy of the National Science and Technology Council called for a wide set of research in this area, including into developing new techniques to effect redress, such as rendering the data useless, as well as mechanisms to delete or ‘forget’ information.” – said Keith Marzullo, Dean of the College of Information Studies at the University of Maryland, who previously co-chaired the subcommittee on Networking and Information Technology Research and Development.

Much excellent work exists around the development of organization-centric tools and methodologies for risk assessment and resilience, including the normal chaos approach as proposed by Prof. Timothy Summers. He explains:

My colleagues and I propose looking at cybersecurity through a lens which we refer to as normal chaos. We use the term normal chaos to describe contexts and situations that are too complex for us, as humans, to truly understand the cause and effect relationships embedded within them. Normal chaos recognizes that such complex situations produce constant uncertainty, change and unexpected occurrences that negate our plans and reduce our ability to control the events around us. This requires and encourages us to re-adjust constantly as our plans are unlikely to be enacted exactly the way that we envision. It’s time that we recognize that management actually spends most of its time adapting to changing circumstances, especially in cybersecurity. The Equifax breach and other recent breaches are proof that our current thinking around cybersecurity isn’t working.

While increasing literacy and accountability on these types of issues may not appear to be part of a computing research agenda, if we are to be successful there must be a much more vocal engagement of the research community in both policy and regulatory discourse. Many of the vulnerabilities exploited in these breaches are well known. I wrote about the need for computer scientists to engage more here.

Both the Computing Research Association (CRA) and its standing committee, the Computing Community Consortium (CCC), are active in policy dialogue to this end, and at Arizona State University (ASU), we recently hosted a congressional conference on cybersecurity to help bridge the divide between technologists and regulators.

A key goal of the conference was to develop interactions between the Arizona congressional delegation and academia and industry cybersecurity practitioners. The keynote was delivered by Senator John McCain, the Chairman of the Senate Armed Services Committee, who said, “Rapid development and deployment of information technology by American businesses and by our government has created new vulnerabilities. The entire information domain has become a potential battle space, and our enemies’ methods encompass everything from straightforward data collection to hacking attacks that might disable critical national infrastructure.” The Chairman’s full remarks can be found here.

At the time of writing, the Equifax CEO has stepped down. While that does indicate the willingness of the company to take responsibility for the breach, it does not address either the underlying regulatory and awareness challenges or the fact that the personal information has been compromised.

The Subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee convened a hearing on October 4th to discuss the breach and potential ways to make progress. The acknowledgement from our elected officials is an excellent initial step.

As a community, we need to focus on tangible ways to move forward – we will be repeating the breach cycle until we do.