There has been a steady drumbeat of news about high profile data breaches in the past several days, including the news about the Equifax data breach and the disclosure of the breach at the SEC. In the following guest post, John Reed Stark takes a look at these data breaches and their implications. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. I would like to thank John for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
It has been a busy time for cyber-attacks. Equifax, one of three elite repositories of personal credit information, and a trusted source for personal security and identity theft defense products, disclosed a cyber-attack that could potentially affect 143 million consumers — nearly half of the U.S. population. The accessed Equifax data reportedly includes sensitive information such as social security numbers, birthdays, addresses, and in some instances, driver’s license numbers — a virtual treasure trove for identity thieves.
SEC Chairman Jay Clayton also announced a data breach into the SEC’s EDGAR system, a vast database that contains information about company earnings, share dealings by top executives and corporate activity such as mergers and acquisitions. Accessing that information before it’s disclosed publicly could allow hackers to profit by trading ahead of the information’s release.
The impact of these two recent data breaches will be unprecedented. Equifax, a company that charges its customers for protection and fortification from hackers, apparently cannot even protect itself from that very threat. Meanwhile, tasked with the enforcement of cybersecurity standards for financial firms such as brokerage firms and investment advisers, the SEC may have failed to meet data security guidelines and advisories that they themselves have promulgated. Moreover, as the guardian of U.S. capital markets and sworn protector of investors, the SEC may now unwittingly become a securities fraud kingpin, inadvertently sourcing ironclad tips of nonpublic information to an online stock trading ring.
No doubt that the irony of the Equifax and SEC cyber-attacks is glaring, proving once again that truth can be stranger than fiction. But lost amid the predictable condemnation, outrage and mockery are a few important takeaways worthy of attention.
The Upside Down World of Data Breaches
Despite the inevitability of data breaches, and the fact that many data breaches are acts of state-sponsored terror, there still remains an instinctive tendency to blame the victim. This misdirection seems unfair to say the least.
For instance, when Senate majority leader Charles Schumer lambasted Equifax, accusing its executives of “the greatest instance of corporate malfeasance since Enron,” he sorely missed the point. For the public to expect companies like Equifax or government agencies like the SEC to avoid data breaches is not just unrealistic and lofty, it’s absurd. Trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year.
Chairman Clayton admitted as much in his extraordinarily candid disclosure of the SEC data breach, stating that, “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.” Chairman Clayton has clearly signed on to then FBI director James Comey’s 2014 proclamation that, “There are two kinds of big companies in the United States. Those who’ve been hacked . . . and those who don’t know they’ve been hacked.”
The breaches of Equifax and the SEC are not at all surprising, and in truth, should not shock the conscience of anyone who has been paying the slightest attention to the data breach landscape. For years, legions of soldiers from across the globe (e.g. from China, North Korea and Iran) have woken up each morning with only one mission: to attack American computer systems and exfiltrate whatever data and information they can. The SEC in particular joins a lengthy list of government agencies who have experienced devastating cyber-attacks including:
- The Pentagon Joint Strike Fighter Task Force (April 2009);
- NASA (March 2012);
- Department of Energy (February 2013);
- Federal Election Commission (December 2013);
- U.S. Postal Service (September 2014);
- National Oceanic and Atmospheric Administration (September 2014);
- White House (October 2014);
- State Department (November 2014);
- Department of Defense (April 2015);
- Internal Revenue Service (May 2015);
- The U.S. Army website (June 2015); and
- The Office of Personnel Management (June 2015).
Digital Forensic Investigations Take Time
When a data breach happens, the public’s demand for immediate answers is understandable. Life savings are at risk while the perpetrators of hacking schemes are rarely identified, let alone captured and prosecuted. However, in the aftermath of most data breaches, there exists no CSI-like evidence which would allow for speedy evidentiary findings and rapid remediation.
The most effective cyber-attack investigative methodology is a tedious and exhaustive iterative process of digital forensics, malware reverse engineering, monitoring and scanning. As analysis identifies any possible indicator of compromise (IOC), investigators examine network traffic and logs, in addition to scanning system hosts for these IOCs. When this effort reveals additional systems that may have been infiltrated, investigators will then forensically image and analyze those systems, and the process repeats itself. Armed with the information gathered during this “lather, rinse, repeat” phase, investigators can detect additional attempts by an attacker to regain access and begin to contain the attack.
While some breaches may provide key evidence early on, most never do, or even worse, provide a series of false positives and other stumbling blocks. The evidence among the artifacts, remnants and fragments of a data breach is rarely in plain view; it rests among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, user account names, network protocols and a range of other suspicious activity.
In short, the evidence analyzed during a data breach response is a massive, jumbled and chaotic morass of terabytes of data. That is why the investigation of a data breach can take weeks, perhaps months, before any concrete conclusions begin to take shape. Rushing to judgment not only creates further confusion and expense, but it also undermines the objectivity, truth and confidence that the public deserves.
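The following is an added illustration of the “lather, rinse, repeat” loop described above and of the uncorrelated-timestamp problem that comes with it; it is example code written for this page, not anything from Equifax, the SEC, Mandiant or the author. The log lines, hostnames, addresses, the firewall’s assumed year and time zone, and the allowlist of known-benign destinations are all constructed assumptions. Starting from a single seed indicator, the sweep finds every host that contacted it, promotes those hosts’ other external contacts to candidate indicators, and repeats until no new hosts appear, with the allowlist showing how a compromised host’s routine traffic would otherwise drag uninvolved machines in as false positives.

```python
"""Iterative IOC sweep over constructed proxy and firewall log lines (added example)."""
import re
from datetime import datetime, timezone, timedelta

# Constructed sample logs. The proxy logs in UTC with a full date; the firewall
# uses syslog-style stamps with no year in a local zone, which is exactly the
# "haphazard and uncorrelated timestamps" problem that must be fixed first.
PROXY_LOG = """\
2017-09-01T02:14:07Z host=ws-0412 dst=203.0.113.45 bytes=8821
2017-09-01T02:15:11Z host=ws-0412 dst=198.51.100.7 bytes=120
2017-09-01T02:20:30Z host=ws-0412 dst=198.51.100.200 bytes=90210
2017-09-01T03:40:59Z host=db-07 dst=198.51.100.7 bytes=5321000
2017-09-01T04:02:13Z host=ws-0219 dst=192.0.2.88 bytes=440
2017-09-01T04:05:00Z host=ws-0219 dst=198.51.100.200 bytes=90210
"""

FIREWALL_LOG = """\
Aug 31 22:14:09 fw01 src=ws-0412 dst=203.0.113.45 action=allow
Aug 31 23:41:03 fw01 src=db-07 dst=198.51.100.7 action=allow
Sep 01 00:02:14 fw01 src=ws-0219 dst=192.0.2.88 action=allow
Sep 01 00:09:51 fw01 src=db-07 dst=203.0.113.9 action=allow
"""

# Assumptions for this example: the firewall's stamps belong to 2017 and its
# clock runs four hours behind UTC. Both values are constructed.
FIREWALL_YEAR = 2017
FIREWALL_TZ = timezone(timedelta(hours=-4))

# Constructed allowlist: a destination every workstation talks to (think patch
# server). Without it, a compromised host's normal traffic becomes an "IOC".
KNOWN_BENIGN = {"198.51.100.200"}

PROXY_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+) bytes=(\d+)$")
FW_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ src=(\S+) dst=(\S+) action=\w+$")


def parse_proxy(text):
    """Proxy lines already carry UTC; just make the datetime timezone-aware."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "proxy", "host": m.group(2), "dst": m.group(3)})
    return events


def parse_firewall(text):
    """Firewall lines need a year and a zone before they can be lined up with the proxy."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(f"{FIREWALL_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ts = local.replace(tzinfo=FIREWALL_TZ).astimezone(timezone.utc)
        events.append({"ts": ts, "source": "firewall", "host": m.group(2), "dst": m.group(3)})
    return events


def load_events():
    """Merge both sources into one list of normalized events."""
    return parse_proxy(PROXY_LOG) + parse_firewall(FIREWALL_LOG)


def sweep(events, seed_iocs, benign=KNOWN_BENIGN, max_rounds=10):
    """Repeat: hosts that touched an IOC -> their other contacts become IOCs -> until nothing new."""
    iocs = set(seed_iocs)
    hosts = set()
    rounds = 0
    while rounds < max_rounds:
        hits = {e["host"] for e in events if e["dst"] in iocs}
        new_hosts = hits - hosts
        if not new_hosts:
            break  # fixpoint reached: no further systems implicated
        rounds += 1
        hosts |= new_hosts
        for e in events:
            # Candidate indicators come only from newly implicated hosts, minus the allowlist.
            if e["host"] in new_hosts and e["dst"] not in benign:
                iocs.add(e["dst"])
    return {"hosts": hosts, "iocs": iocs, "rounds": rounds}


def timeline(events, hosts):
    """UTC-ordered view of what the implicated hosts did, merged across both sources."""
    rows = sorted((e for e in events if e["host"] in hosts), key=lambda e: e["ts"])
    return [(e["ts"].isoformat(), e["source"], e["host"], e["dst"]) for e in rows]


if __name__ == "__main__":
    evts = load_events()
    result = sweep(evts, {"203.0.113.45"})
    print("implicated hosts:", sorted(result["hosts"]), "after", result["rounds"], "rounds")
    print("indicator set:", sorted(result["iocs"]))
    for row in timeline(evts, result["hosts"]):
        print(*row)
```

Run as a script, the sweep stops after two rounds with ws-0412 and db-07 implicated and ws-0219 left alone; passing `benign=set()` instead pulls ws-0219 in through the shared patch server, which is the false-positive trap the paragraph above warns about.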
The Cybersecurity Personnel Crisis
The greatest virtual threat today is not state-sponsored cyber-attacks, newfangled clandestine malware or a hacker culture run amok. The most dangerous looming crisis in information security is instead a severe cybersecurity labor shortage, with experts predicting 3.5 million cybersecurity job openings by 2021. Like modern-day fighter pilots, cybersecurity professionals are not merely a company’s elite corps of talented professionals with special skills; the company also cannot win the (cyber) war without them.
Academia has unfortunately failed to keep up with industry trends and is not producing enough cybersecurity specialists to handle surging demand. According to one recent study, only a handful of the 50 top university computer science programs in the U.S. require that students take even one cybersecurity course. There exist world-renowned schools and academic programs of law (despite an extraordinary glut of attorneys and 200+ accredited law schools); business (despite the decreasing value of an M.B.A. and almost 400 U.S. business schools); and journalism and politics (as if we need more pundits). Yet there remains a dearth of campuses dedicated to computer science, cybersecurity and data breach response.
Cybersecurity threats are also constantly evolving, so that by the time students graduate, some lessons are already obsolete. Meanwhile, the nature of the legion of cyber-attackers has similarly progressed, from “black hat” hackers and profiteers to organized cyber gangs and rogue nation states.
In short, a cybersecurity patch of employees cannot sprout overnight – it takes time. The cybersecurity field is a lot like the medical field: building a skillset takes experience as an intern, resident and attending.
Now “retired” Equifax CEO Richard Smith told a breakfast meeting in mid-August 2017 that data fraud is a “huge opportunity,” allowing Equifax to sell consumers more offerings. Smith touted the company’s credit-monitoring offerings, according to a video recording of the meeting at the University of Georgia’s Terry College of Business, and declared that protecting consumer data was “a huge priority” for the company.
But what the Equifax CEO failed to mention was that less than three weeks earlier, Equifax had apparently discovered a potentially massive data security incident and had called in expert incident response firm Mandiant to investigate. Yet it was not until a few weeks later, on Sept. 7, that Equifax disclosed the massive data breach to the public.
The SEC apparently undertook a similar route of delayed notification. Reports and SEC Chairman Clayton’s testimony before the Senate Banking Committee indicate that the SEC data breach was discovered in 2016, and the possible illegal trades were detected in August of 2017, but the SEC did not disclose any information about the incident until September 20th.
Both teams of SEC and Equifax senior executives have angered their constituents with their arguably sluggish disclosure. Both entities probably focused too much upon what they were legally and contractually obligated to disclose, rather than taking a more holistic approach to the question. Moreover, both Equifax and the SEC failed to heed the realities of “incidental disclosure.”
There exists a broad range of triggers relating to the disclosure of a data security incident, including: 1) statutes, rules and regulations; 2) contractual requirements; and 3) a particular incident, such as an audit, negotiation, event, happenstance or communication.
Ultimately, whether a cyber-attack victim has a legal obligation to disclose the attack to regulators; partners; customers; operators; employees; vendors and a range of other constituencies will be driven by a robust, methodical and independent forensic investigation. In other words, before a victim can make decisions about any legal responsibility for disclosure, the cyber-attack victim will need to conduct its own investigation and determine, among other things, the nature of the attacker’s efforts; the scope of the attack vector; and whether credit card data, personal identifying information, personal health information, intellectual property or any other relevant data was targeted, accessed or exfiltrated.
Similarly, whether a cyber-attack victim has a contractual obligation to disclose an attack to partners; customers; operators; employees; vendors and a range of other constituencies will turn upon the various agreements in place relating to those parties.
However, even though a cyber-attack victim might not have any legal or contractual requirement to disclose an attack, the victim company might still opt to disclose the attack to regulators; partners; customers; operators; employees; vendors, etc. Indeed, certain circumstances can arise where disclosure of the attack becomes necessary, prudent and/or practical.
Such so-called “incidental disclosures” can occur during certain events or because of certain relationships, such as:
- PCI Audit. If a cyber-attack victim takes credit cards and is about to undergo a Payment Card Industry (PCI) Compliance Assessment, the Qualified Security Assessor conducting the compliance review will undoubtedly ask questions about the victim company’s overall cybersecurity, which could prompt or necessitate candid disclosure of the attack;
- Cybersecurity Due Diligence. Certain vendors, customers, partners, etc. may send a cyber-attack victim company a data security questionnaire, which is likely part of their due diligence concerning the cybersecurity strength of the relationship. Along those lines, cybersecurity-related inquiries, solicitations and demands to a victim company have become increasingly common. Any one of these kinds of cybersecurity requests or queries directed at a cyber-attack victim company could prompt or require candid disclosure of the attack;
- Whistleblowers. So-called bad leavers (those who leave a company badly) or disgruntled insiders with an axe to grind, could learn of the cyber-attack and disclose the details to the media; to regulators; to contracting parties; or to any other interested party. Any of this kind of unwieldy disclosure could prompt candid disclosure of the attack;
- Law Enforcement Actions. The sophistication and prevalence of cyber-threats seems to be growing and law enforcement seems committed not only to deterring the attacks but also to capturing the perpetrators. Should the federal government bring a prosecution against a cyber-attack perpetrator or issue public warnings concerning an attacker, the attack could become public or could prompt or require incidental disclosure of the attack;
- Contractual Negotiations. If the cyber-attack victim company is a sophisticated corporation with many business relationships, contracts and agreements – and has any ongoing contractual negotiations or those contractual relationships up for renewal, discussions of cybersecurity could arise, which, in turn, could trigger incidental disclosure. Moreover, if the victim company is pursuing any new corporate associations, affiliations, acquisitions or other relationships, discussions of cybersecurity could arise, which, in turn, could trigger incidental disclosure of the attack;
- Special Relationships. Some contractual relationships carry with them a unique inherent/implied degree of trust and confidence, or are of such extraordinary business importance, that, despite a cyber-attack victim company having no legal or contractual requirement to do so, the victim company may nonetheless feel inclined or obligated to disclose the attack (such as during a status conference or other routine get-together); and
- The Public Interest. Some companies (like Equifax) or government agencies (like the SEC) have special and complex relationships with the public, and there is a definitive expectation that when a cyber-attack occurs, the company or government agency will disclose the situation publicly, not because of a legal obligation, not because of a contractual obligation, but simply due to a sense of public safety and possible danger.
Neutrality, Objectivity, Transparency and Candor
When it comes to security issues concerning their respective entities, one option for the SEC and Equifax is to investigate the problem itself – get to the bottom of it, improve security practices, policies and procedures and move forward with better, stronger and more robust security. This approach may very well succeed — but there is a far more effective, more rewarding and more cost-effective option.
Whether it is British Petroleum struggling to handle the aftermath of an oil refinery explosion killing 15 Alaskan workers; Wells Fargo adjusting its operations after a massive company fraud committed by 5,300 employees against over two million customer accounts; or any company experiencing a threat to its customers, the same lesson always rings true: confront the issue head-on with independence, transparency and integrity.
For starters, having the same internal team that is responsible for data security failures also investigating the data security failure is an inherent and precarious conflict of interest. Strong leaders seek answers from independent and neutral sources of information. Otherwise, risks are not properly exposed and examined, and they become exacerbated rather than assuaged. Though Mandiant is apparently working diligently on the Equifax response, it is not clear if they are also undertaking any sort of risk and security assessment.
When responding to data security incidents like those experienced by the SEC and Equifax, their leaders should:
- Engage a former law enforcement agent or prosecutor from an independent and neutral law firm or consulting firm (preferably never engaged before) to conduct an investigation and report its findings to the board;
- Report the investigation’s progress to shareholders, regulators, law enforcement and other constituencies every step of the way; and
- Disclose the details of the incident to those persons involved.
Instead of trying to characterize an incident, strong leaders can begin with these three steps, which evidence strong corporate ethics; fierce customer dedication; and steadfast corporate governance.
Next is to anoint someone from the engaged outside investigative team to serve as the face of the response. This person should be a former law enforcement official with impeccable credentials and the kind of gravitas that customers, shareholders and other important members of the public will trust and respect.
By navigating problems with integrity and transparency, corporate leaders can shift the tides in their favor, seizing the opportunity to reinforce strong business ethics; renewed customer dedication; and steadfast corporate governance.
C-Suite executives and boards of directors are not politicians and do not have the luxury of conducting self-serving investigations; they have fiduciary obligations to shareholders and others to seek the truth, and they should do so with independence, neutrality, transparency and candor. Otherwise, no one will take the investigative and remedial effort seriously, and any formal findings can lack credibility and integrity.
Amid the aftermath of a data breach, there will always be those who will point fingers at the victim company for data security failures or missteps. When the dust settles, some companies will undoubtedly have given data security short shrift, opting to save a few pennies at the expense of the privacy of their customers. But like blaming a school principal when a kindergartner catches a cold, the criticism will not always be fair.
The public will also want answers about the cause and impact of a data breach together with assurances that their personal information is protected. But although we are all entitled to have confidence that governments and companies are doing all they can to guard against online larceny and identity theft, that will always be a tall order.
Data breach investigations can take months to conjure up what will typically be wholly circumstantial findings. Data protection professionals are few and far between, leaving companies with scant and overburdened IT resources. And cybersecurity, for all of its bells and whistles, will always be an oxymoron.
By putting their best foot forward and investigating data security incidents with independence and neutrality, entities like the SEC and Equifax will not only earn the appreciation and gratitude of their many constituencies, they will also inaugurate a posture that is respected and admired by regulators and law enforcement agencies.
Sadly, no company can evade suffering from a data breach. But by responding with speed, transparency, integrity and vigor, rather than being punished, companies and government agencies, can emerge from the crisis better off, and even worthy of praise and commendation.
John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”