Should we trust the private sector who collected and handed over our data or the government that took it from them?
It’s a faded memory now, but remember the Sony hacking scandal when it appeared North Korea was responsible for invading email accounts and generally causing a panic?
A few weeks ago, the IRS suspected Russia was behind the security breach that saw 100,000 tax returns stolen. Apparently Russian hackers have also repeatedly made their way into the White House and Department of State data systems.
Now it appears that suspected Chinese hackers stole data from U.S. government computers which included security clearance information and background checks dating back three decades. It is one of the largest known cyber attacks on federal networks.
These are just a few of the several dozen episodes of hackers causing mayhem and disruptions. Here are some more: Mt. Gox, the Bitcoin exchange, went belly up after hackers got away with $460 million in virtual currency. Foxconn was hacked by a group that stole bank data for its largest customers (Apple, Microsoft). The healthcare biggie Anthem (which handles government health care claims) was hacked. Servers of the Department of Defense, NASA, the Pentagon, NSA and others have been hacked. New York City government emails were hacked.
iPage, the website company, just sent a promotional email, “The Hackers Are Coming.” The email alleges $400 billion in costs from hacking, one in five small businesses attacked every year, and 60 percent of the hacking victims going under as a result.
Credit card numbers, bank accounts, personal login data and passwords, emails, virtually anything we do on the internet is now apparently vulnerable to hacking and theft. Most of our infrastructure and distribution networks – oil, natural gas, power – is vulnerable to hackers, principally from China, Russia and the Middle East. We know this because they have launched trial runs, probes, tests, modest little hacking attacks that don’t do much if any damage.
This should alarm us to the point of urgency and action. Well, for starters, we now have a Cyber Threat Intelligence Integration Center, reporting to the head of the national intelligence apparatus. We already had a National Cybersecurity and Communications Integration Center within the Department of Homeland Security, and the Director of National Intelligence already had an Information Sharing Environment. So if nothing else, at least we have agencies
Everyone seems to agree that if any of this is going to be effective it will need the cooperation of the private sector, where trillions of bits of data live. Private sector cooperation is a dicey matter because many feel that the more the government “interfaces” with the private sector the less privacy we are guaranteed.
A reworking of “Aaron’s Law” to streamline Federal anti-hacking provisions is sitting in the Judiciary committee – but this is mostly to address the government spying on itself. The Federal government has renewed most of the provisions of the (former) Patriot Act, now the Freedom Act – but the collection of phone data is now left to the phone companies, with the government needing explicit permission to review data about a suspected terrorist. Our balancing act continues: on the one hand, privacy and protections, on the other, access to data that could prevent mayhem.
What does all this mean for the worldwide threat of large-scale hack attacks by foreign governments, hit-and-run raids by rogue cyber-terrorists, bugs and viruses and malware that gets implanted by various bad actors? Not much. Our fussing about giving the government too much (or not enough) access to data feels to me like a distraction from the big issues.
First, if our electronic infrastructure is vulnerable, then our Federal government should hire the best hackers we can find and put them to work building firewalls and other protections. In the movies we’re always releasing a bad guy who has special skills we need to save the planet. Let’s do the same thing to save the cyber-space we depend on.
Second, until and unless we can be sure that privately-held data is safe from hacking, we should not encourage private firms to hold massive data files. This may be one of those moments when we need to nationalize and federalize our data industries for the sake of our national security.
Third, to those who fear “Federal intrusion into our private lives,” let me suggest that I’d rather my own government had access to my data than the government of North Korea or China. This may be a case of the devil you know vs. the devil you don’t, but as we come to know more and more about the other devils, I’ll take this one.
A final thought: the more things we put on the internet, the more transactions and registrations and interactions, the more vulnerable our systems are going to be. It’s very convenient to turn to the web for all kinds of daily chores. Let’s just remind ourselves that with every click, another crumb of digital bread is dropped out there. Here’s to massive data management: may we use it wisely and well.