Consumer-facing Companies Still Have Few Incentives to Stop Data Breaches, and That's a National Security Concern. – Council on Foreign Relations

In August, personal information belonging to fifty million prospective, current, and former T-Mobile customers was stolen, marking the mobile carrier's third customer data breach in two years.

T-Mobile isn't unique: dozens of well-known brands, as well as hundreds of lesser-known companies, have experienced data breaches in recent years. Although these breaches are embarrassing, T-Mobile and its peers appear to consider them little more than a cost of doing business.

More on:

Cybersecurity

State and Local Governments (U.S.)

Technology and Innovation

Intelligence

However, the consequences of leaving data vulnerable are more serious than most companies realize. In addition to exposing consumers to potential fraud and identity theft, data breaches are deeply injurious to national security.

Net Politics

CFR experts investigate the impact of information and communication technologies on security, privacy, and international affairs. 2-4 times weekly.

Matthew Pottinger, former Deputy U.S. National Security Advisor, warned in August that China is now able to compile a dossier on every American adult. In 2015, China hacked health insurance provider Anthem, exfiltrating data belonging to almost eighty million people. China also accessed the Office of Personnel Management databases, seizing sensitive data including the security clearance forms belonging to current and former federal employees. About 150 million records were stolen when China hacked Equifax in 2017, and an additional 500 million records were compromised following a Marriott hack in 2018. China has since made a habit of obtaining increasingly personal data, such as DNA information, from healthcare providers, biotechnology firms, and pharmaceutical companies. Intelligence officials have estimated that 80 percent of Americans have had all their personal data stolen, perhaps an exaggeration, but likely not far from the truth.

The potential uses for the stolen consumer data extend far beyond counterintelligence and research purposes. The stolen data could be (or, more likely, already has been) used to inform spearphishing attacks, aid the coercion of intelligence personnel, or help identify potential spies. Such sinister use cases aren't without precedent. Foreign Policy reported last year that, almost a decade ago, Chinese intelligence used its vast collection of stolen datasets to identify undercover American operatives entering Europe and Africa.

China's cyber capabilities have strengthened significantly over the last decade. The Chinese government has spent years and billions of dollars developing some of the most advanced data synthesis and analysis technologies and methodologies in the world to surveil its own citizens. These techniques are useful not only for evaluating data gathered domestically, but also data stolen from the United States. When geopolitical adversaries have both large amounts of personal data and sophisticated analysis tools, the impact on national security can be particularly acute. This month, The New York Times suggested that artificial intelligence and facial recognition are partially responsible for the recent loss of dozens of C.I.A. informants.

In the United States, by contrast, data is held by private entities such as Google, Amazon, Facebook, and other major consumer-facing companies. The U.S. government, constrained by strong civil liberties protections provided by the Constitution, has engaged less often in the kind of wholesale acquisition of personal data that is common in authoritarian countries.


These asymmetries, combined with the U.S. government's history of patchy and often inconsistent cyber strategy, and exacerbated by the frequent intelligence community leadership and policy changes that accompany each new presidential administration, mean that America is giving adversaries a significant economic and military advantage. As data science continues to advance, this disparity will only become more prominent.

So, how can the national security risks of consumer data exposures be mitigated? Unfortunately, the gatekeepers of consumer data, companies, have little incentive to increase investments in their own resiliency. It is not clear that falling victim to a breach is meaningfully more expensive than paying for the additional cybersecurity that would have prevented it. Thus, there's an argument to be made that fines for cyber breaches should be more consequential to companies' bottom line. Greater fines, though, not only encourage companies to be less forthcoming about data breaches but are also fruitless if reporting and disclosure requirements remain weak.

At the national level, there is an evolving and confusing patchwork of disclosure laws, as states adopt different standards. This lack of coherence not only disadvantages consumers, who are confused and exhausted by often vague and unhelpful breach notifications, but also constitutes a key weakness in U.S. cybersecurity strategy.

There is also currently no federal cybersecurity breach disclosure law, meaning that the United States struggles to identify the scope, frequency, and severity of data breaches. A bill that would require disclosure of cyber incidents at federal agencies, government contractors, and critical infrastructure owners (like T-Mobile), the Cyber Incident Notification Act of 2021, was introduced earlier this year. Related provisions passed recently by the House as part of the National Defense Authorization Act would have similar consequences. While these bills would be a good first step, many of the companies that hold vast troves of consumer data would be outside the scope of either law, and therefore continue to have no federally-imposed obligation to disclose data breaches.

U.S. cyber policy continues to focus on critical infrastructure and other traditional sectors with obvious cyber vulnerabilities, while overlooking breaches with the greatest potential for consumer data theft. Although important, such a narrow focus is insufficient. National cyber policy needs to reflect the reality that intrusions can be damaging no matter where they happen.

Maya Villasenor is a computer science student at Columbia University and a former intern in the Digital and Cyberspace Policy program.
