Earlier this morning, US lawmakers sat together to grill current and former executives from Equifax, Yahoo, and Verizon. Today's hearing, titled Protecting Consumers in the Era of Major Data Breaches, focused on the massive security breaches these companies suffered under those executives. Yahoo lost the data of over 3 billion of its users, while Equifax exposed the personal data, including Social Security numbers, of 145 million Americans. Verizon was on the panel because of its recent acquisition of Yahoo.
Included in the panel were Paulino do Rego Barros, Interim CEO of Equifax; Richard Smith, the CEO when Equifax suffered the intrusion; Marissa Mayer, the former CEO of Yahoo (she only appeared before the committee after lawmakers subpoenaed her); Karen Zacharia, the deputy general counsel and chief privacy officer at Verizon; and Todd Wilkinson, President and CEO of Entrust Datacard Corp.
Earlier in October, Chairman John Thune (R-SD) had said that the hearing would give the public "the opportunity to hear from those in charge, at the time major breaches occurred and during the subsequent response efforts, at two large companies who lost personal consumer data to nefarious actors". However, today's hearing didn't add anything new to what we already knew.
Some key takeaways from today's hearing:
- Yahoo still doesn't know how the breach happened, only that it was carried out by Russian hackers (four of whom have been indicted by the Department of Justice).
- Equifax continues to describe itself as a victim, despite the fact that the company failed to patch the security vulnerabilities that led to the data breach.
- Both Equifax and Verizon (now the parent company of Yahoo) gave vague responses when asked about the developments and improvements they have made in their cybersecurity strategies.
- When asked whether their consumers are better protected now than they were before these breaches, neither company could assure the lawmakers that they are.
- Both the executives and the lawmakers agreed that there should be some public-private cooperation that helps the companies better respond to these incidents.
But what could potentially be more dangerous is how the National Security Agency was brought into the discussion, multiple times. In her statement, Marissa Mayer repeatedly referred to the FBI's investigation, saying that a private company could not have detected, on its own, the sophisticated attack carried out by state-sponsored Russian hackers. She added that the playing field has dramatically changed and that even the most cautious companies could be the next victims of state-sponsored attacks.
"We now know that Russian intelligence officers and state-sponsored actors were responsible for highly complex and sophisticated attacks on Yahoo’s systems.
The threat from state-sponsored attacks has changed the playing field so dramatically that today I believe that all companies, even the most-well-defended ones, could fall victim to these crimes."
While Equifax's breach didn't involve state-sponsored hackers, Yahoo's testimony was turned into a basis for bringing the NSA into the game.
The inclusion of the NSA - reassuring or troubling?
In her testimony, Mayer did add that even government agencies aren't safe from cybercrime. However, some lawmakers clearly missed that part. "Your companies can't stand up against them [state-sponsored attackers], the only person or the institution that can stand up against them is the National Security Agency," Senator Bill Nelson (D-Fla.), ranking member, said.
He insisted that there will have to be cooperation between the "most sophisticated player" in America, which the Senator said is the NSA, and the private companies.
"There's gonna have to be a cooperation between the most sophisticated player in the United States, which is the NSA, and you all. Otherwise we Americans are not gonna have any more privacy."
The mega breaches that have come to light in the past year have made it clear that the government needs to come up with legislation that incentivizes private companies to take their security practices seriously, with penalties and fines rather than merely demanding apologies and their presence at post-breach hearings. But these checks and balances will, and should, be enforced by regulators such as the Federal Trade Commission.
This collaboration shouldn't mean that government intelligence agencies get access to private tech companies and their products. Senator Nelson's assertion that the NSA is the only agency capable of fighting state-sponsored attacks and that the agency has to be brought into the equation raises several questions and serious privacy concerns, despite his claim that leaving the NSA out will cost Americans their privacy.
The American intelligence community has long used cybercrime and other crimes as a pretext to chip away at user privacy and security. The continued push to weaken encryption, together with the NSA's failure to inform tech companies about the security vulnerabilities the agency discovers (vulnerabilities that are later used to power massive ransomware campaigns), suggests that this cooperation will probably only result in companies letting the NSA into their systems, without requiring the agency to help patch the security vulnerabilities it uses in its own espionage and surveillance campaigns.
An agency that continues to fail to protect its own secrets and is obsessed with spying on everyone, including American citizens, should be the last "sophisticated player" given even more power and direct access to tech and/or financial companies.
The mention of the scarred agency in this conversation also takes attention away from the more important solution: having standards in place that the industry has to follow when it comes to security practices, and penalties that companies should face when they fail to meet those standards. As Senator Brian Schatz (D-HI) said, it is unfathomable how the CEOs of Equifax and Yahoo walked away with $90 million and $23 million golden parachutes, and there is a need for a law, not just hearings.
"Regular people don't understand that and they shouldn't understand how you [executives] harm consumers and then walk away with the amount of money that a small city or county uses for their annual operating budget," Schatz said. "It is not fair."
Giving the NSA more spying powers should not be considered fair, either.