Americans are angry about the apathetic approach to our online data security by our state and federal governments, as well as tech giants. Repeatedly our data is compromised. The thieves are sometimes hackers, hell-bent on creating false identities or worse, and sometimes the culprits are big businesses making a buck off the personal preferences we offer up for free.
I sat down with Morgan Wright, a cyber-security expert, to get his perspective on what the near future may hold for our data security. Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He is also a Fox Business Chief Technology Analyst and contributor to the Hill. Previously he was a senior advisor for the U.S. State Department Antiterrorism Assistance Program.
To put it simply Wright says of hackers and corporate thieves, “Only in government could a gaping hole such as this be allowed to exist without fear of consequence.”
So, of course, I asked him for details.
1.) You pointed out recently that Tax Day is a high-value target for our private data and most people just totally missed it including the government. What did we miss?
It’s a rich source of identity theft because you’ve got everything there that you need. You’ve got the taxpayers ID, you’ve got their name, their address, you’ve got a lot of the elements needed. The bigger thing too is not only to commit identity theft but to commit tax fraud, return theft, so they’re actually filing fraudulent tax returns, a form of identity theft and getting the refund set to a different location. Why? Because a lot of taxpayers or waiting until the last minute to file their tax returns. This has been an ongoing issue and the problem you have is the IRS is trying to defend against this type of activity based on systems that are ancient. I mean the main system that they have is still based on a computer language called Assembly. It was created in 1947. I mean, I joked about it in my article on the Hill, but I said that more people understand Aramaic in the movie The Passion of the Christ and than understand how to write an Assembly language.
2.) If we find that our data is stolen, can we sue the government for this?
The government has a particular type of immunity. So it’s very difficult to sue the government for stuff like this. Extremely difficult. And it’s extremely difficult to bring actions even against State government. You usually you have the Inspectors General report that comes out that is usually critical of it. But look, these things mean nothing. The Office of Personnel Management had nine or ten years worth of critical IG reports and they didn’t fix anything. Nobody got fired. And then we had the Office of Personnel Managment data breach and all of our Standard Form 86’s were taken by China. What was stupid about what the government did is they offered credit monitoring to all the victims. China has no interest in hijacking our credit accounts. They’re building an intelligence database. I mean their response even didn’t understand the nature of the threat that we were addressing. They would’ve been better off to say, “Look, this is all in China. They’re not going after your credit. This is an intelligence product for them.”
We didn’t get our act together. We were operating a system that was supposed to be protecting highly sensitive data. The system was so old that the records couldn’t be encrypted. That’s like saying, “Hey, give us all of your money. We’re going to put it into a bank. The problem is the lock is from 1776, and it’s a skeleton key, but we think it’s a pretty solid block. I mean, it’s going to take at least a minute for somebody to break into it.” We are sitting on a ticking IT time bomb and people are worried about repairing bridges and tunnels. I get that, but guess what? Information technology infrastructure, that’s our critical infrastructure, that’s our intelligence, that’s our data, that’s our most sensitive secrets that are up for grabs.
And so this is my testimony from when I testified on Healthcare.gov, I said, “Only in government could a gaping hole like this be allowed to exist without fear of consequence.”
Do you think the United States government will ever place enough money into the sheer volume of manpower needed to get on top of this?
Nope. When something happens, there will be enough time and money to do it over. But not enough time to undo the damage.
How many more of these do we have to have? How many more Inspector General reports do we have to have with material deficiencies and critical flaws or nobody’s being fired over this? I actually worked with the House Science Space and Technology Committee one time to introduce some language in the Private Sector Accountability Act. In other words, you would treat people at the senior executive service level, the same as a Senior Executive in the private sector. You should be held accountable; you shouldn’t have the same protections that other government workers have. In other words, you screw up, you shouldn’t be able to move up. You should be fired or they can call it retirement. But all of the people in Equifax were fired, look how fast it would happen. All within two weeks. The CIO, the CISO and the CEO from Equifax all gone.
3.) Proofpoint the cybersecurity company announced its annual Human Factor report . And what’s interesting is they pinpoint the emphasis for data thieves now is primarily on the exploitation of people instead of software flaws. How does that work?
I used to teach behavioral analysis and interviewing out at the National Security Agency. We had damage assessment agents from the older espionage cases there and in spite of all the technology we now have, if I want to break into a system, the easiest way is to compromise a person. This is where insiders come into play. As technical countermeasures get better, humans are still easy to predict, and they’re easy to manipulate. They will be subject to spear phishing, deception, manipulation, influence. So, in fact, a lot more data breaches are being caused by malicious insiders. For example, remember when Trump’s twitter account was shut off by that rogue twitter employee?
Well there you go. There’s a malicious insider. Imagine if that one person can shut off Donald Trump’s Twitter account, what else they could have done or what information could they have given to other people or foreign actors? The fact is that trust is not a control. That yellow line doesn’t really keep that car on the other side of the highway. You just trust that somebody is going to stop at that stop sign. There’s no physical barrier that comes down and prevents that car from running the stop sign. So we deal in trust with people, but as we have found out people are fallible and they are adversaries.
4.) What about the companies that run these programs and are at fault for lacking proper oversight in their information security departments? Recently a sort of tech rendition of the Geneva Convention called the Cybersecurity Tech Accord was signed by corporate giants to promote greater cybersecurity protections for people. That’s a big promise, but there are loopholes and not every tech giant signed it. What kind of protections can they actually offer?
Some things have teeth in it, and then there is window dressing. This thing was a lot more window dressing than anything else. These guys are doing it to feel better about themselves. Now they can say, ‘No, we’re doing something about it. But pay no mind to the fact that three years from now this thing will be sitting dormant on some shelf collecting dust.”
5.) And growing concern for consumers is the selling of our data. From a free market standpoint I was struck by what Steve Wozniak said about his personal information just after he booted Facebook out of his life. “My disgust goes to Facebook. But, like all of us, I clicked ‘Accept’ or ‘OK’ or something and gave it away to Facebook. I have always felt badly about social websites being able to sell my stuff, like my photos, and keeping all the money,” he said. “It’s turned into money but none is returned to you for providing your data.Oh, I get a free account. Well, give me a price to never share my data and I’ll know how much I’m paying for that account.”
He’s like, hey at least give me the option!
I think what’s going to have to happen; we are going to need a radical technology out there, something similar to blockchain, where it decentralizes control and puts it back into the hands of the people. If I use a technology like blockchain, you can’t use my identity, you can’t use data points about me, and I’m no longer the product. You don’t get to use me for free. I can now monetize my personal data because it’s locked up now through a blockchain account. And I have to give you, one of two types of pins. There is an access pin and an authorization pin. I want to buy something, I give you my authorization pin. If I want you to have access to my medical records, then you have to use my access pin. This already being done, for example in Estonia people vote using blockchain. In West Virginia now has a pilot going – they’re going to allow the military in this next election vote using a blockchain application. So I can prove it’s you. It’ll be anonymous on the backend, but you can authenticate and say, “It’s me.” Regardless of where I am in the world. I can vote and then I can change my vote as many times as I want. I could vote for “candidate a” and then “candidate b” in the afternoon, and “candidate c” in the evening. And that’s OK. Each time it changes. It records that I’ve changed my vote so I could change my vote based on developments or things that go on. Especially when you have early voting. Three days away from the election, you find out that this person has just committed a felonious act or committed treason against the government, wouldn’t you want to be able to change your vote?
6.) Some may change it on the back of a last minute tweet, who knows! And speaking of blockchain, in the first three months of 201 8 alone, crypto miners surged to the top of detected malware incidents, according to Comodo’s Global Malware Report for Q1.
They’re now a bigger threat than ransom wear.
How does this work?
So blockchain essentially is a way to solve math problems that helps us then protect other areas of our life. In other words, if it’s a really difficult math problem and only I have the answer to it, well then I can use that to protect my identity and my voting record and my healthcare information. Blockchain was a way to keep government out of the middle of this so that we could create trust in an environment that was inherently untrustworthy. So how do you create trust between two people who don’t know each other? So blockchain is a way to establish that necessary trust so that we could conduct transactions. When you do an international transaction normally, it would have to clear banks and stuff. It could take four to five days to clear, why? Because everybody had to have their piece of the action – the banks and the governments. Blockchain, cut everybody out of the middle. Blockchain was an equalizer and allowed us to settle international transactions in less than 10 minutes. Now hackers figured out how to hijack everything from browser resources and they’ve been able to insert this malware into a lot of applications that have gone out there to the public.
7.) The New York attorney general announced the Virtual Markets Integrity initiative, official inquiries into the cryptocurrency markets. Should consumers be protected? People getting into a highly volatile speculative sector. What do you think of this?
It’s the Nanny State. In New York, I’ll tell you what, you can always tell with an insurance company ad, all you have to do is listen to the ads, and they’ll say, “So and so insurance not licensed in New York.” New York is the toughest state for these kinds of regulations, especially for insurance. Again, it’s the government; the government fears what they can control, and they can’t control the digital currency. Right now, bitcoin is speculative of course. But guess what? Caveat emptor, let the buyer beware, you know. Hey, if you don’t understand the risks, shame on you. This is like, this is like I’m applying 1900’s methodologies and ideas to technology in the 21st century.
8.) Corporate hacks are terrifying in scale. The Equifax breach of 145.5 million Americans social security numbers, addresses and birthdates and more this to a whole new level in the national conversation. Equifax delayed the announcement, then lied, then covered it up as the numbers of those affected mounted. Former CEO Richard Smith then sat in front of Congress and got his hand slapped. Is any real punishment going to be handed out? That is critical information you cannot get back.
Remember the debacle with Enron and MCI? The Sarbanes-Oxley Act changed the way companies like that do business. Sarbanes-Oxley said, “You, CEO, now you have to put your name on the tax return and if it’s false and if it’s wrong, you’re going to jail.” And so, when’s the last time you saw a CEO perp walk, that the FBI made an arrest on because they had a massive accounting fraud? It’s been an extremely long time. I say that to say this that one of the things that may come out of this that we may get the digital version of Sarbanes-Oxley so these companies will be required to do something like that. The CEO, like a Dick Smith at Equifax, will have to sign off and say, “Yep, here are the things we’re doing. I guarantee that these systems have been checked, that they’re safe.” The problem with Equifax was its basic fundamentals in one of their most sensitive systems that faced the Internet, which was the consumer resolution database. If you want to dispute something, you had to have access to it. Well, one piece of software, the stretch database, had a flaw in it. This was poor design, and to throw it on the backs of somebody else and say, “Well, they didn’t apply the patch.” If I have a critical system, how is that different than a critical piece of business that is generating money? If that goes down, if I’m the CEO, I know about it. Well, if I have my most sensitive data and there’s a flaw, I should be all over that like white on rice, “What’s the status of the patch?” I want to know anytime we have a flaw in our major data systems, I want to see what’s being done about it. I want to know that it’s resolved. I want to see the results of the test. Why? Why don’t we handle that the same way that we do all the financial stuff because there haven’t been the rules in place to do it. First of all you litigate if that doesn’t work, you regulate and if that doesn’t work, you legislate and I think we’re to that point. That’s why Sarbanes-Oxley came about; it finally came down to the fact that we needed a law and people needed to go to prison and so people ended up going to prison until others got smart and said, “I don’t like going to prison, so we’re going to make sure our books are correct.”
9.) Do you feel like these companies are playing the victim?
They just chose not to spend on it, so even though they’re playing the victim I have no sympathy for them because somebody like an Equifax had the money to do it right. They just chose not to and they chose to have a culture that allowed this kind of stuff to go on. But the companies don’t just lose our information – they take it and monetize without permission. LIke Facebook, whose CEO also recently warmed a seat in front of Congress. Do you see anything down the road that could solve this?
Steve also famously said, “If it’s free, then you’re the product.” And it’s true. This is something blockchain would solve because then what would happen now is I’ll have my data there and it would be protected by blockchain even with facebook and facebook couldn’t mine that data unless it paid me for it. And the only way they could pay me for it is they’d have to make a request. I’d consider it. I consider what information I was willing to release. You set a price for it and then you provide your authorization pin so that they can get access to it. Think about that business model
10.) Well Californians for Consumer Privacy has a huge problem with the current business model let me tell you. California is a remarkable laboratory for regulation, legislation and litigation that may go nationwide and the group has put forward a ballot initiative set for a november vote allowing people to sue digital and brick-and-mortar businesses for a data breach even if it doesn’t prove harmful. People could bring action if information is sold. Oh, and they also want to know where exactly their information has flitted off to. It’s a roadmap through the ether of the small print we sign up for when we use a product or service. It’s called the California Consumer Privacy Act. Silicon Valley is fighting it. Some think it has legs. You?
Who reads the end user license agreement? It’s written by lawyers for lawyers. It’s also a squishy part of the problem that I don’t know that we’ll ever solve. It’s like a blob of Jello, we’ll squeeze it here, and it’ll pop out somewhere else. We’ll squeeze it there, and it’ll pop out somewhere else. We’re just going to be in this back and forth for a long time because the laws, rules, and regulations will never be even close to the advancement of technology. California will get the conversation started, but I think it then becomes an ‘unfair burden’ argument for the company. And then what’ll happen is somebody will complain because they’ll say, “Well, we have to do this for California, and we can’t do it differently for all 50 states.” Then another state will want more regulation too, and it’ll be completely different. There’ll be a lawsuit, it’ll get resolved at some level and hold up in the Supreme Court – the Supreme Court will say it’s a federal issue because it deals in interstate commerce. And there you go.
11.) One of the points which unite people against companies is when our children are tracked or compromised online. And children’s information is being spread all over the internet. You are hosting an upcoming webinar where you discuss seven areas every parent needs to be aware of. How bad is the problem of our children’s data? (cite children’s apps).
An example: there is an app called After School, and it is targeted at high schoolers because guess what, they have ‘after school’. It’s not ‘after college’; it’s after school. Well, guess what, the minimum age requirement is for after school. It’s 17 plus because of the content that’s on there. And you have parents allowing 11-year-olds and 12-year-olds on there. I’ve got anecdotes about that left and right. And in fact, I’ve got a podcast as launching here in a week where I’ve got the first five episodes already lined out. And that’s part of the stuff I’m talking about is guys, do you understand what information?
And then the data collection and tracking! That’s why the laws about collecting information on kids under age 13 were passed because how is this information being used? In fact, Disney used to be very aggressive about getting kids to sign up so they could get the parents information and then market to the parents as well.
12.) Recently the google play store was called out in a study done by International Computer Science Institute for featuring more than 3,000 Android apps that are in violation of federal privacy law designed to protect kids under 13 years old. Google responded saying, “Protecting kids and families is a top priority.” Seriously.
That goes back to the problem of the difference between Google Play and iTunes. Itunes is a curated store, so everything has to go through an iTunes review, through a security review of policy review. You cannot get anything onto the iTunes store without somebody actually looking at it and verifying and validating it there. But on Google Play, it’s still kind of the Wild West. There’s not a lot of validation to be done. That’s why we see a lot of the banking trojans and the malware on Google Play. Now, a handful of them get through on the iTunes store but very, very few and when you hear the word, ‘banking trojans’, ‘malware and apps’ and stuff like that, 99 percent of the time it’s going to be Google play
Great. So excited about that.
Last but not least – actually this should be the very first question in every interview: In closing, what is the most utterly ridiculous media headline you’ve seen recently that you just can’t unsee?
Anything that says jumbo shrimp, or computer security or government efficiency – he he, that’s courtesy of George Carlin. Also, any headline where the government says ‘We Care About The Voters’. No, they don’t, they care about themselves, they care about staying in office.
Morgan, I thank you for your time. It’s always a pleasure to catch up with you. Especially because of the little-known factoid buried in your stellar bio – you are a former state trooper. Cool. And now you’re telling us how to take on the man.
You can follow him on Twitter at @morganwright_us.