US Government and Businesses Remain Vulnerable and Ill-prepared
The Justice Department in Washington and Attorney General William Barr have announced indictments against four members of China’s People’s Liberation Army (PLA), charging them with multiple counts of hacking into the Equifax computer networks in 2017. “The scale of the theft was staggering,” Atty. General William Barr said Monday (Feb. 10, 2020). “This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft.” This is the latest of several accusations of hacking by Chinese nation-state perpetrators. The breach at Equifax is directly related to the company's failure to promptly patch a software glitch of which it was aware. The accused were able to compromise the software and use login credentials to enter the database and copy data from approximately 148 million individuals in the U.S. and another 35 million in Canada and the U.K.
How can this happen? It seems that Equifax and a large percentage of American businesses do not encrypt their databases and software operations because it adds too much expense and complexity to the user interface. Encryption can take a number of forms, but it has been available since before WW II. If the Equifax data had been encrypted, and if they had practiced better security management, most, if not all, of the data would be gibberish to the hackers. As mentioned last month, Equifax has been forced to pay substantial fines ($275 million) to the FTC, the Consumer Protection Bureau, and fifty states and territories.
What have we learned?
This column has preached encryption for quite some time. I am pleased to say that the manufacturers of our security equipment have begun to deliver encrypted devices to the marketplace. DMP, Resideo, and Alula are just some of the manufacturers who have stepped up and made the commitment to encryption. The security market is very large and not all manufacturers have seen the light. When you place your next equipment order, make sure it has encrypted components and promote that feature to your customers.
The $4 million ransomware siege at Allied Universal (Dealer Perspective…#21—February, Mirror) offers demonstrable evidence that encryption works. In this case it is in the reverse. The bad guys (purported to be from a nation state) encrypted the data for over 200,000 employees and said they would not turn over the key to unlock the encryption until the ransom had been paid. In light of the Equifax indictments, perhaps we have had another visit from the PLA.
Storing your data in the cloud may improve your chances of not being hacked. Amazon, Google, and other cloud-based data storage companies provide protection in a number of ways, but encryption is not (unfortunately) used very often. Again, it makes the process of accessing the data more complicated and expensive for the customer.
In 2015, China and the U.S. entered into an agreement to stop cyber security attacks and cyber espionage against each other. It does not seem to be working as intended. The U.S. government and American businesses need to be watchful and perhaps overcompensate for the risks involved in allowing Chinese companies to participate in the creation of our 5G system and sale of cameras and other electronics that might deliver backdoor access to our networks.
The world has been slow to accept encryption; in fact, only one country has issued a directive that all governmental information be encrypted…that country is China.
It was President Reagan who coined the phrase, “Trust, but verify”.
A final thought: review your data and how it is stored and accessed. Better yet, talk to the folks at InfoSafe and hear how they can keep you from being an easy mark for the bad guys. There are no silver bullets to keep you from being hacked, but the affordable InfoSafe Certification will make it more difficult for you to be breached than it would be for the next guy. Isn’t that what we tell our customers when we give them a yard sign?
Tony Smith is President of Security Funding Associates, past President of the CAA and member of the ESA Board. He is a licensed California alarm dealer, member of TMA, and may be reached at (626) 795-9199 or firstname.lastname@example.org