In the march towards the November election and all the high-profile headlines, there is little room for a thoughtful discussion around the never-ending unpleasant cybersecurity news. In fact, many companies like AT&T and Snowflake are thankful for the current environment! At any other time in history, their unprecedented system compromises and data leaks would normally dominate the headlines for weeks.
I have attempted to write this blog post at least three times since the middle of July. First, when AT&T disclosed its massive data breach exposing the data of every customers’ (110 million subscribers) phone and text message activity and geolocation data, I thought, “This is it! A wake-up call! AT&T will have to come clean and face the consequences.” But then the CrowdStrike incident took out large swaths of the internet. AT&T’s executives’ prayers were answered! The implications of their outrageous failures and negligence would be dealt with, in the quiet shadows of the endless recriminations of CrowdStrike’s own gross negligence (yes, you read that right, gross negligence).
Of course that wasn’t the end. Rumors of the National Public Data’s system compromise had been swirling and in early August news of the disclosure of 3 billion records containing names, addresses, social security numbers and other private data, became public. But that wasn’t the end. There preceded a stream of disclosures from other high profile businesses including ADT, HealthEquity, FBCS, Trello, Rite Aid, and Twillo.
The hard truth is, all of these incidents were avoidable. The excuses are endless, and the “reasonable” explanations are endless. Yes, building secure software and systems is not simple, easy or inexpensive. In the case of CrowdStrike, you will hear people explain away that no system is immune from system failure and how impressive their response and resilience was. In the case of the AT&T data breach, you will hear excuses about “sophisticated foreign threat actors” and their significant resources. They will also point fingers at the hosting provider, Snowflake, for not maintaining a secure by default design.
These are all excuses! None of the scenarios that lead to any of these failures are so novel, so creative or so unavoidable that the designers of these systems couldn’t have reasonably anticipated these types of faults and built in appropriate controls and resiliency. The problem is a lack of accountability. There are very few regulations around the building and maintenance of critical business systems and the protection of private data.
The incentives for businesses and investors are reflective of the limited financial and legal risks associated with the failure to protect consumer and businesses data and systems. Businesses are highly incentivized for fast growth and product development based on easy to deploy private cloud and SaaS infrastructure. This article on Lawfare does a nice job of exploring the issues. In other mature industries like construction, automotive, airline, food safety and medicine, we do have regulations that help ensure a baseline of safety and standards.
Building and health codes were born out of tragedies such as fires and disease. As early as the 1680s, cities such as Boston started implementing codes to limit catastrophic fires. It wasn’t until the early 1900’s that building codes started to take shape with the formation of the National Association of Home Builders (NAHB) in 1942. We all now take for granted that our homes are safe, the roads and bridges we drive on are safe and the buildings we conduct business in are safe.
Food safety standards started to take shape in Massachusetts with the passage of the Massachusetts Act Against Selling Unwholesome Provisions in 1785. In 1862, Abraham Lincoln formed the USDA and FDA. Throughout the twentieth century, several acts were passed to strengthen food safety and transparency. None of us questions the safety of foods we pick up at the grocery store now.
The standards around IT infrastructure and software design are all over the place with various standards being established by different federal agencies, states, not-for-profits and for-profit institutions. What’s already in place doesn’t even account for the emergence of AI. In addition, the Federal and State regulations that exist around data privacy have few teeth or little enforcement. The US Federal government has established regulations around military/DOD contracts, aka CMMC, but they’re too costly and heavy handed for any practical commercial application.
While it may seem like the recent CrowdStrike incident or the many other large data breaches are not the same as a building collapse or food born illness resulting in human loss, equally impactful tragedies are taking place as the result. Many businesses and individuals are left holding the bag. As a result, hospitals were unable to perform lifesaving procedures, small businesses have closed or shrunk due to lost or unavailable funds, and individuals have lost their retirements and life savings. These types of failures impact the lives of everyday people. And who will pay? Who will suffer? This week the FTC just imposed a $13 million fine on AT&T, which is a welcome development, but will neither make its customer whole or provide a meaningful deterrence to a 122 billion dollar company. Very few businesses will get insurance money to cover their losses due to a myriad of clauses around cyber and business continuity insurance. CrowdStrike’s own terms of service will at best cover the cost of services.
This is not a problem individuals or businesses can solve for themselves. The truth is that no business could have been fully prepared for CrowdStrike’s failed update or AT&T’s data breach. Some with more resources and better planning will recover more quickly. This is not, as some have suggested, a legitimate opportunity for businesses to practice their incident response plans.
If we are going to build our society around the fast-evolving technologies of public Cloud, SaaS and AI, we need to have an honest discussion about what the rules are, who’s responsible for what and how we can build a safe and secure future.
In the absence of these guardrails and standards, the best we can do is teach our clients to make themselves smaller targets. Adopt a good security framework like NIST or CIS and go through the exercise of understanding their own risk tolerances and what the costs are to minimize those risks.
0 Comments