July 25, 2019
Welcome to Codebook, the cybersecurity newsletter looking for vacuum recommendations.
Today's Smart Brevity: 1,286 words, 5-minute read
1 big thing: Unpacking the Equifax settlement
After Equifax agreed this week to a landmark settlement with state and federal regulators for its historic 2017 data breach, regulators are hoping that its penalties — which will cost Equifax up to $700 million — are big enough to deter the next firm from allowing the next breach.
Why it matters: There has never before been a breach like Equifax, where enough personal data was pilfered to steal the identity of the majority of U.S. adults. It's a milestone that consumers and regulators alike hope will happen only once.
By the numbers: The Equifax settlement includes $275 million in penalties to state and federal regulators and up to $425 million to provide protection and reimbursement to consumers harmed in the breach.
Details: The consumer fund — which starts at $300 million, with provision to go up to $425 million as needed — will provide identity theft protection insurance and pay for 4 years of credit monitoring at all 3 major credit bureaus along with an additional 6 years at Equifax.
But the fund also contains a unique feature that experts believe could become a new standard in future penalties for breaches. It will reimburse costs of dealing with the breach, like lawyers, out-of-pocket credit monitoring services and time spent wrangling with the whole ordeal, up to $20,000 per individual.
Stricter than Europe: Penalties under GDPR, Europe's privacy law, are usually portrayed as tougher than those in the U.S. While GDPR didn't take effect until after the Equifax breach, had Equifax spilled personal information on 147 million Europeans, the fine under GDPR would actually be smaller than what the U.S. just dished out.
- Equifax did not encrypt personal data stolen in the breach, which would have violated GDPR. The penalty for violating GDPR is 2%–4% of global revenue plus restitution.
- For Equifax, which made $3.36 billion in revenue in 2017, that's a fine of $67 million. The state and federal regulator penalties for Equifax totaled around $200 million more than that.
The big question: Will this settlement's bite carry over to future breaches?
- "There’s a real good chance the new reimbursement scheme will be the new standard," said Ken Dort, a data security and privacy attorney at Drinker Biddle.
- However, experts think some of the high dollar totals may be more a response to alleged egregious mismanagement at Equifax that led to the breach.
The intrigue: It's only a matter of luck that a federal agency was able to dole out a fine for a privacy violation. While the CFPB can penalize financial institutions, no federal agency has the authority to fine most other companies on this issue.
- Several lawmakers hope to pass legislation giving the Federal Trade Commission this central authority.
- "Strengthening the FTC by giving it authority would be the strongest deterrent to future breaches," said Terrell McSweeny, a former FTC commissioner who is now an attorney at Covington.
What they're saying: "I expect a good number of lawyers will be using this as a case study for their clients in the future," said Marcus Christian, an attorney in Mayer Brown's cybersecurity practice.
2. Barr's faulty encryption logic
Attorney General William Barr delivered a plea this week for tech companies to weaken encryption, allowing law enforcement to access digital communications that are, at present, unreadable by them.
But, but, but: An argument Barr made during his address at an FBI-run cybersecurity conference encapsulates one of the main problems with his position:
- "If the choice is between a world where we can achieve a 99% assurance against cyberthreats to consumers, while still providing law enforcement 80% of the access it might seek; or a world where we have boosted our cybersecurity to 99.5% but at a cost of reducing law enforcement's access to 0% — the choice for society is clear."
It’s wildly irresponsible to pretend that security can be reduced to a percentage. Hackers will focus on the insecure part. As WannaCry — malware that caused billions of dollars of damage globally — demonstrated, Windows systems that were .001% insecure effectively were 100% insecure.
- But if experts were to guess what our current security percentage is, it probably wouldn’t be 99.5%. Using layers and layers of the best tools, we’re still at a point where a determined hacker with minimal training can breach most systems given a few weeks of work.
- And if experts were to guess the level of security that would be forfeited by placing a hole in those layers for law enforcement and intelligence agencies to crawl through, they’ll typically point out that they can only protect that law enforcement gateway as well as anything else: imperfectly.
The bottom line: Barr's percentages probably don't apply to the reality of the situation. And until law enforcement can argue for backdoors in encryption using an applicable assessment of risk, we'll still be at an impasse.
Go deeper: How to break the encryption deadlock
3. Notes on the Mueller hearings
A few cybersecurity notes from Robert Mueller's testimony. I promise to be quick.
- Mueller chided President Trump's praise of Wikileaks as encouraging hacking. "Problematic is an understatement," he said, adding it offered a "boost to what is and should be illegal activity."
- Mueller said Trump officials' use of encryption hampered the investigation.
California Rep. Tom McClintock (R) attempted to confront Mueller with what appears to be a misinterpretation of ongoing proceedings against Russia's troll farm.
- A judge in that case noted that the Mueller team did not present evidence that the Kremlin directed trolls.
- Most experts agree it is common in national security cases not to present unnecessary evidence that would compromise sources and methods (the trolls allegedly broke the law regardless of who was in command).
- But right-wing websites have taken that to mean there is no evidence in the case, and McClintock repeated their claims.
4. Meet BIMI, the email safety system of the future
Google announced it would join the governing council of an emerging phishing prevention protocol on Wednesday, marking a huge step forward in its potential adoption.
The big picture: Brand Indicators for Message Identification, or BIMI, places a brand-specific logo on emails verified to be from that vendor.
- For example, if Axios adopted the platform and this email didn't carry an Axios-approved sign of authenticity, it would be easily identifiable as a fake.
Background: The protocol is new, but a key player in BIMI says adoption is growing quickly. Patrick Peterson, the founder and CEO of email security firm Agari, notes that BIMI adoption grew dramatically over the last quarter, from 180 companies onboard to 511.
- As with many security protocols, the key factor blocking its effectiveness is that there isn't yet a critical mass of firms adopting it.
- Google getting on board would push BIMI a big step closer to widespread use.
"A story that’s not always told is there’s a lot of people fixing the internet," Peterson told Codebook.
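To make concrete what "verified to be from a vendor" means in practice, here is an added example (not Axios's, Google's or Agari's code) of the check a receiving mail system performs before it will show a brand logo: it fetches the domain's BIMI record, a DNS TXT record of the form `v=BIMI1; l=<logo URL>; a=<evidence URL>`, and confirms the domain's DMARC policy is at enforcement (p=quarantine or p=reject), which the BIMI draft requires so that the logo only appears on mail that has actually passed sender authentication. The DNS records below are constructed sample data, not real lookups, and the `example.com` and `weak.example` domains are placeholders.

```python
from urllib.parse import urlparse

# Constructed sample DNS TXT records keyed by the names a receiver would query.
# "weak.example" shows the failure modes: an http:// logo and a non-enforcing DMARC policy.
CONSTRUCTED_DNS = {
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.weak.example": "v=BIMI1; l=http://weak.example/logo.svg",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}


def parse_tag_value(record):
    """Split a 'tag=value; tag=value' DNS record (BIMI or DMARC) into a dict with lowercased tags."""
    tags = {}
    for element in record.split(";"):
        element = element.strip()
        if not element:
            continue
        if "=" not in element:
            raise ValueError(f"malformed element: {element!r}")
        tag, value = element.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def validate_bimi_record(record):
    """Return (tags, problems) for a BIMI record; an empty problems list means it is well-formed."""
    tags = parse_tag_value(record)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("v= must be BIMI1 and appear first")
    logo = tags.get("l")
    if logo is None:
        problems.append("missing l= logo location")
    elif logo != "":  # an empty l= is the documented way to decline participation
        if urlparse(logo).scheme != "https":
            problems.append("logo URL must use https")
    evidence = tags.get("a")  # optional evidence document (e.g. a Verified Mark Certificate)
    if evidence and urlparse(evidence).scheme != "https":
        problems.append("evidence URL must use https")
    return tags, problems


def dmarc_enforcing(record):
    """True when the DMARC policy is at enforcement: p=quarantine or p=reject applied to 100% of mail."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return tags.get("p", "").lower() in ("quarantine", "reject") and pct == 100


def assess_domain(domain, dns=CONSTRUCTED_DNS):
    """Decide, as a receiver would, whether a logo may be displayed; returns (ok, findings)."""
    findings = []
    bimi = dns.get(f"default._bimi.{domain}")
    if bimi is None:
        return False, ["no BIMI record published"]
    _, problems = validate_bimi_record(bimi)
    findings.extend(problems)
    dmarc = dns.get(f"_dmarc.{domain}")
    if dmarc is None or not dmarc_enforcing(dmarc):
        findings.append("DMARC not at enforcement (needs p=quarantine or p=reject with pct=100)")
    return not findings, findings


if __name__ == "__main__":
    for d in ("example.com", "weak.example"):
        ok, findings = assess_domain(d)
        print(d, "logo allowed" if ok else "logo withheld", findings)
```

The DMARC prerequisite is the part that makes the logo meaningful: without it, a record pointing at a genuine logo would decorate spoofed mail just as readily as legitimate mail, which is why the check refuses to display anything for `weak.example` even though its BIMI record parses.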
5. In case you missed last week
The NSA announced its Cybersecurity Directorate (WSJ): The defensive-minded Cybersecurity Directorate will be headed by Anne Neuberger and will be better integrated with signals intelligence than the division it replaces, the Information Assurance Directorate.
Harold Martin gets 9 years (DOJ): The former NSA contractor pleaded guilty to hoarding classified documents in his home for 20 years.
Huawei built North Korea's 3G network (Washington Post): Leaked documents show Huawei's covert involvement with North Korean 3G networks.
- This could be a problem, as Huawei components use American technology and are subject to sanctions.
6. Odds and ends
- Johannesburg's power authority is dealing with a ransomware attack. (Reuters)
- A firm is commercially selling code to take advantage of a dangerous Microsoft bug. (ZDNet)
- Neo-Nazis "SWATted" nearly 3 dozen journalists. (Krebs on Security)
- Kaspersky allegedly sabotaged its rivals. (Reuters)
- Hacked Deliveroo accounts are being sold on the dark web. (Forbes)
- Facebook will shell out $5 billion for privacy violations. (FTC)
- DDoS: A retrospective. (Medium)
- Banksy offers low-tech but effective cryptographic authentication of his work. (Boing Boing)
- The cost of an average U.S. data breach is over $8 million. (Axios)