The computer security industry is not stopping breaches. Not for lack of trying, but if you’re familiar with the myth of Sisyphus, such efforts are the definition of pointless. If this sounds strange coming from a computer security person, it shouldn’t. I’m not here to blow smoke up your fourth point of contact; I’m here to point out that the impetus for progress is not going to come from anything a bunch of nerds conjure up.
The arguments that spring up whenever there is an epic breach are predictable and can be broken down into two major themes:
- Everyone in the victim company is an idiot. If they just employed people like me and my friends, this never would have happened.
- Securing data on an enterprise scale is hard. The idea that there is one or a hundred things that could have been done to prevent this disaster dismisses the complexity of what’s involved in protecting an “enterprise” and not “my basement lab.”
Now, the argument over whether or not the C-levels of Equifax were equipped — intellectually or materially — has been made, but the result doesn’t matter. Day to day the dynamic in corporations around the world is the same. The world’s greatest CISO still has to fight for budget, human resources, technical equipment and software, etc. The CFO still has to balance budgets and attempt (futile as it may be in security) to assess if the CISO’s requests produce a sufficient ROI, etc. The CEO really only cares about making his numbers in a fashion that keeps him out of jail.
There is no requirement for a secure enterprise. There is a requirement to have an enterprise that is secure enough to maintain compliance with applicable laws and that enables effective business operations.
Did Equifax do wrong? From what we can tell via publicly available information they did things, to varying degrees of effectiveness, and with questionable timing. They could have done a better job, but Equifax is just like every corporation in that security is something they have to comply with; profit is why they get up in the morning.
Breaches, regardless of their size or the sensitivity of the data involved, have become so commonplace that they are no longer automatically considered problematic. A breach alone is no longer justification for a lawsuit. Increasingly you have to show actual damages to have standing. Credit card number compromised? The bank makes you whole and happily issues you a new card. Medical data compromised? Insurance fraud is readily solved by a rate increase you hardly notice. Intimate details of your life lost to a foreign adversary? Well, I guess the Forbidden City really is at this point.
And life goes on.
Breaches are a part of our way of life. By and large they do not impact our lives enough (or enough lives) to merit the kind of attention they get. As a friend recently pointed out, we are now living in a “post-authentication” world: so much data about us has been lost/stolen that anyone can be anyone else for a length of time. There is no point in trying to keep your personal information personal because it’s all effectively public, and has been for some time. Many times over.
The idea that this breach, or any breach hereafter, is going to be ‘the one’ that mobilizes the populace to a degree that they’re willing to do what is necessary to achieve political/legal change is wishful thinking. An angry mob, to the extent that anyone outside of the usual privacy/security community is going to get off their couch, is no substitute for the well-funded and organized industry lobbying effort.
I’m not saying it’s right, I’m saying that’s how it’s always played out, and there is no indication history is not going to repeat itself.