Marc Groman, who joined Cyber Chat with host Sean Kelley, said existing incentives for data security have so far been wrong.
“When it comes to protecting the perimeter and protecting our networks, we’re still — in some cases — at data security one-oh-one,” Groman, a former senior advisor for privacy at the White House and now principal at Groman Consulting Group LLC, said. “We don’t incentivize data security enough. The incentive is to get your database up and running and I have been in more meetings than I can count where decisions were made to cut security.”
Groman said companies want to be generations ahead either in what they produce for sale, or in their own internal business processes. But in order for them to become better prepared to defend the entire ecosystem, agencies need to plan, implement controls and implement security appropriately.
“The insecure software product they rolled out with a bug gets exploited and when [society, the government, and sometimes a company feels the pain] data security and privacy is what often gets cut. Combating this problem is absolutely at an epidemic level. That’s in both the public and private sector and I don’t think we have a handle on it at all,” he said. “We repeat mistakes, don’t learn our lessons, and of course the threats are getting increasingly serious. Our adversaries are getting more sophisticated and so it’s not about just being good, it’s about keeping up with the threats and the adversaries and the risks and I don’t think we’re doing a very good job. “
Serious hacks and data breaches in the past have come from phishing, not serious terms. Groman said it was often just someone clicking on a link the intrusion prevention system didn’t catch.
“The damage is done … [Even] if you’re going to be storing highly sensitive data that is going to be the target for sophisticated adversaries, we’re still at human error,” he said.
Kelley asked Groman if privacy was at least in some realm already gone and how it’s affecting the next generation. Can we actually recover?
“I thought we needed this 10 years ago [because] we don’t have much privacy, particularly in the context of our internet and our online interaction; that’s just factually true”, Groman said. “We’re more than a decade late to this game and unless we get a handle around who can use it and for what purposes, I think we’re going to end up in a place that almost none of us are going to like.”
The United States does not have a comprehensive law at the moment for addressing privacy. This will become a major challenge if the administration doesn’t get it under control, Groman said. There are serious challenges in the context of privacy including collection that is responsible, ethical and fair, as well as the government or private sector’s use of the data collected.
“Artificial intelligence, machine learning, the Internet, the amount of data passively [being] collected by thousands of sensors around us from machine to machine communications is going to be mind blowing,” Groman said. “We have sectorial laws that apply in very narrow spheres and there are enormous gaps.”
He said in some ways we are all at fault for not predicting how our data could be used in negative ways. Facebook headlines each week are the poster child for data breaches.
“Today we’re into protecting passwords, last week not protecting data, going to third party’s week before something else,” he said. “We’ve got to get a handle around that.”
Europe moved ahead with a very comprehensive privacy law that is having ripple effects across the entire globe, including on American companies, the public and private sector, Equifax, OPM and the government.
America needs to do a similar thing to develop a comprehensive, federal privacy law that will govern the commercial sector, Groman said. But some are hesitant, as giving up some privacy to be able to use existing applications and services are convenient.
One of the biggest problems when it comes to data privacy is that information on who has access to our data or what it will be used for is not readily available. Double-checking our privacy standards should become a priority.
“I use my privacy settings to ensure that I understand when and what apps are collecting. I change what’s accessible to the public or I use two-factor authentication, and same thing with social media,” he said. “If you are not using two factor authentications with your social media accounts today, that’s moronic, [because] if you read what they’re doing with it, you’d be horrified.”
Cyber Chat with Sean Kelley is a monthly show featuring interviews with experts in IT and Information Security discussing the latest trends and hottest cyber topics and challenges impacting the federal community. Subscribe on iTunes or PodcastOne.