Business and government treat cybersecurity breaches like hemorrhoids. They deal with them in secrecy for as long as they can. But for cyber incidents, owners eventually have to tell the world what’s going on. Cyber breaches bedevil the backside not merely of the hacked organization. They affect millions.
So why the dwell time between knowing and disclosing?
The two latest big cases illustrate the point.
The SEC’s EDGAR system, a system first launched in the 1980s, was hacked in 2016. It took months for the agency to become aware. In the meantime, the hackers could have used the data from the non-public portion of EDGAR to do illegal trades. That “dwell time” affects many organizations. But the SEC people who knew about it kept quiet. The new chairman, Jay Clayton, came clean with the public after he learned of it in a cybersecurity review. Most likely the review was done in response to the Trump administration’s cybersecurity order back in May.
To his credit, Clayton issued a very long, detailed statement on SEC cybersecurity last week. But you have to read down a few hundred words to find that he and other commissioners learned of the breach and its potential consequences in August.
Then there’s Equifax. Its CEO, Richard Smith, will testify Oct. 4 before the Senate Banking, Housing and Urban Affairs Committee. He’ll have some “splainin'” to do. That company also experienced a dwell time of at least two months before learning of the hack. The breach occurred in March and was discovered in late July. The company disclosed it publicly in early September. It subsequently lost a third of its market capitalization. Maybe that’s why Smith waited nearly six weeks.
Worse, the company can’t seem to do much right in the aftermath. This account in Wired details how not to respond to a massive cybersecurity incident.
If a chemical plant explodes, or a freight train derails, or a robber hits back at gunpoint, alarms go off immediately. Witnesses put it on social media. First responders arrive within minutes. These cyber incidents threaten to shake confidence in the trading markets. They subject millions of people to possible financial harassment or ruin. Yet those in charge take weeks or months to tell us about them.
Companies worry about litigation. No doubt they call in the lawyers a millisecond after the cyber plumbers. Agencies worry about political damage. Regardless, as Colin Powell famously said, bad news doesn’t improve with time. It takes time to assess the extent of a breach, and hasty announcements can cause further damage. But sitting on vital information simply lessens the ability to respond to those affected.
I’m also wondering about information sharing. The National Cybersecurity and Communications Integration Center is the federal information sharing hub. It’s where industry is supposed to share cyber information with itself and with government. Did Equifax tell its competitors Transunion and Experian about the breach? Did it tell Treasury or DHS?
This episode has a third troubling angle. The credit scoring companies have more data on the average American than the federal government does. That’s why they’ve become data marketing companies. They offer data services agencies can use for identity management, fraud prevention and their own employment practices. Equifax offers a video explaining how its data can help agencies fight fraud with identity and analytics.