Every company is a tech company, and that's a big problem. Or rather, either every company is a tech company but most suck at it, or most aren't tech companies but should be. Either way, we're gonna have a bad time. Stock photo companies oughta be making more images of hackers because that cat burglar / hoodie dude behind a computer isn't going to cut it when sh*t hits the fan on a weekly basis.
Somehow, no one seemed to realize that connecting the Internet to everything was a terrible idea despite also being a great idea. We built information super-highways...yay, great...but most businesses forgot the guardrails.
The Equifax disaster is just a warning shot compared to what's to come.
It used to be that getting hacked or breached meant you had to change all your passwords. Attackers hit tech-first companies that at least had a basic understanding of security, and that held only a limited amount of your immutable personal information. The Yahoo breaches from 2014 and 2015 that impacted over 1 billion users were huge, but not nearly as harmful as what happens now.
Today, the hacks and breaches are hitting banking and credit companies, government databases, voting machines, and public utility infrastructure. That stolen data can't always be changed, like your date of birth. Unless the government decides to reissue everyone a new social security number, once it's stolen, it's permanently vulnerable to exploitation.
For a quick recap, the Equifax breach hackers stole data including the full names, birth dates, Social Security numbers, home addresses and more from 143 million Americans. That data could be used to steal people's identities, take out fraudulent loans, or power social engineering attacks where hackers call your bank or cell phone carrier and use info only you should have to trick them into providing access to your accounts.
A brief look back on Techmeme surfaces plenty of other hair-raising attacks.
- Hacker group Dragonfly has penetrated operational networks of energy companies that control power grids in the US and Europe, which could allow them to disrupt utilities to hundreds of millions of people.
- An indefensible vulnerability in all modern cars could let attackers affect sensors, airbags, and anti-lock brakes.
- Hackers penetrated voting systems before the 2016 presidential elections, but local officials weren't warned and the systems haven't been properly investigated for malware or alterations since.
- Hackers are fooling mobile carriers into letting them change the phone associated with a phone number, allowing attackers to empty people's cryptocurrency wallets.
- German voting machines can be hacked to change the vote tallies.
And those are just a few of the headlines from the past month. We have years or decades of this to come.
That's why we need every company to become a good tech company. Double the security budgets, break up sensitive data into separate databases, stop issuing unrandomized backup passwords. Clamp down with hardcore firewalls and physical security. Always update to the latest operating system security patches. Let us two-factor everything. Train customer service reps to spot social engineering hacks, and make sure every employee knows how to avoid phishing attacks.
Meanwhile, software makers like Microsoft need to step up and take more responsibility for protecting older versions of their operating systems. And governments need to more aggressively punish companies with weak security such that it's too expensive to risk. The US failed to approve a 2015 bill proposed by Obama that would require public disclosures of breaches within 30 days, with penalties for keeping people in the dark. While some states have adopted their own disclosure rules, they're a haphazard patchwork.
Europe has set a good example with its new laws coming into effect in 2018 that levy stiff fines against companies that don't disclose a data breach within 72 hours (with some exceptions). Violators can get slapped with a penalty of up to 2% of their global annual revenue, which would have stuck Equifax with over $60 million in fines.
Unfortunately, not all of these changes are going to happen. So the future will require people and governments to make a new type of judgement call: How secure must a company's technology systems be such that the benefit of giving it access to information or infrastructure outweighs the risk of havoc caused by a potential breach?
Most people won't have the knowledge or interest to be able to accurately make this call. Most governments will be too slow-moving or penny-pinching to effectively make this call. The companies will knowingly downplay the risk to boost their businesses. And the hackers will laugh all the way to the bank, whether they want to steal everything inside or just burn it down.