National Post (National Edition)

Privacy protection should be tops

- JOHN ROBSON

The other day I noticed a book called “Critical Infrastructure Security” and thought sadly, “There’s a short read.” It’s amazing how dependent we are on ever more elaborate, integrated, vulnerable computer networks that we take for granted like gravity, always there, sometimes convenient and other times not, but really nothing to do with us.

I have many concerns about the internet, from the proliferation of junk to the deterioration of manners to the dangers of AI starting to design itself. (Laugh while you can.) But what currently has custody of my goat is a report by Bruce Schneier’s “Cryptogram,” which I have recommended before, about the latest Equifax hack.

Faxes? you may ask. But Equifax is a massive consumer credit reporting agency that collects, and sells, sensitive personal information on millions of people, mostly Americans. And gets hacked. This September, the New York Times ran an anodyne story about Equifax admitting yet another digital breach, with hackers roaming its systems undetected from mid-May through late July 2017, accessing files on nearly half the U.S. population. But, the company said, nothing really bad happened. Yawn.

Bruce Schneier’s account to a U.S. House of Representatives committee paints a different picture. It’s worth reading in full but here’s one thing I really want to underline. The hackers exploited a vulnerability in Equifax’s Apache server software that Apache itself had identified in March, promptly issuing what it labelled a “critical” security patch. Equifax was contacted directly and told how to fix the hole.

It just didn’t bother for four months.

As Schneier also notes, Equifax is one of the big three “data brokers” whose business model depends on compromising your privacy even if you or they aren’t hacked, and there are thousands of smaller firms. They know how many kids you have, how you vote, where you went to school, what car you drive, everything except your intimate tattoo and possibly it too, and when they get hacked you do too. The Equifax breach included about 100,000 Canadians and 15 million Britons. And if you think cybersecurity is better here, I have some Nigerian diamonds I know you’ll help me export.

So what was Equifax thinking, failing to apply the patch, not telling people about the breach for six weeks, then setting up a website for affected customers that was laughably insecure? The same thing as everyone else, it seems. We just learned that the FBI didn’t bother telling senior American policymakers Russian hackers were targeting their Gmail accounts for over a year. Why would anyone want to know that? We discovered two years ago that Chinese hackers roamed United States Office of Personnel Management computers stealing sensitive information about millions of people’s security clearance screening for over a year before the OPM even noticed. Zzzzzzzz. And as Schneier asked the Congresspersons this November, “Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?”

You get the idea. The internet is incredibly vulnerable and we are incredibly blasé about it. But what happens if our increasingly digital economy is overwhelmed by fraud? Or hackers with interests beyond identity theft shut down critical infrastructure as an act of terrorism, state policy, sheer malice or simple incompetence? It’s not only that our “just in time” economy would suffer food and gas shortages. We might lose major parts of the power grid for months.

It’s not obvious what we can do, especially as individuals. I personally take all reasonable precautions in terms of antivirus software, avoiding misspelled phishing attachments and not banking in hotspots. So I’m quite confident the only reason Vladimir Putin isn’t reading my email is he has better things to do. (Hi Vlad. You stink.) But I’m also confident the Canadian government is leaking like a sieve and, in the marvellous Irish phrase, has its arse out the window on infrastructure cyber-systems. Or rather, all our arses.

I could go on and on and, being a columnist, undoubtedly will. For instance about the stunning failure to shelter critical infrastructure operating systems against electromagnetic pulse with Faraday cages, a cheap, simple, highly leveraged insurance policy, on which my former colleague Anthony Furey wrote in Pulse Attack.

Instead of apologizing for things they didn’t do and promising things they can’t do, it’s time policy-makers acted to increase government cybersecurity, ramped up penalties for firms mishandling data, and imposed consequences on hostile powers that mess around with our privacy and safety online. But all these politicians telling you how great they are, and how totally devoted they are to your wellbeing, don’t lift a conceited finger. Why? Because we don’t make them.

Meanwhile, here’s a free copy of my own short publication “Critical Infrastructure Security”: It would be a good idea.
