The Equifax breach that compromised, by initial estimates, the personally identifiable information (PII) of 143 million individuals, has already found itself buried in business sections of major newspapers. This lack of attention is problematic because this data breach is different and the government doesn’t know how to respond.
While Equifax doesn’t own or operate critical infrastructure, it does own critical information – and not just some information, but essentially all of the PII of almost half of citizens in this country. While the investigation is still underway, we are learning that Equifax failed to conduct basic cybersecurity protocols (i.e., changing default passwords), which is inexcusable given the information they possess and are entrusted to secure.
What is the government’s role in protecting critical information that is held by a private company? The government doesn’t know what to do because there is no mechanism in place to handle this type of event.
I served as the Executive Director of the Presidential Commission on Enhancing National Cybersecurity, which was an independent, bipartisan Commission tasked by President Obama in March 2016 with developing a cybersecurity roadmap for the incoming Administration. One of the primary recommendations of the Commission is to convene senior leaders from industry and government to engage in pre-event cybersecurity planning. The Commission discussed the need to have leaders at the table who don’t just represent the obvious critical infrastructure providers, but to include leaders of companies who are part of our digital critical infrastructure. In an age of interdependencies – demonstrated by the proliferation of the Internet of Things (IoT) – we need to redefine critical infrastructure because the lines are getting blurry. We need to examine where the government must engage with companies that have an impact on our national and economic security; Equifax is just the latest example.
However, in order for government to do something, government needs to be available to act. Unfortunately, our nation has experienced two catastrophic natural disasters, while the Equifax breach was disclosed.
Earlier this year, the President appointed Tom Bossert to be his homeland security advisor. Mr. Bossert’s portfolio of responsibilities includes domestic terrorism, natural disasters, and cybersecurity. The broad-ranging nature of this portfolio would be challenging to manage by multiple people, let alone one. And when multiple crises occur across this portfolio simultaneously, it is impossible to dedicate time and resources effectively.
The White House and Mr. Bossert should be commended for their extraordinary efforts in managing Hurricanes Harvey and Irma; Mr. Bossert’s FEMA background and expertise have proven to be extremely valuable in his new role. But, the White House and Department of Homeland Security (the civilian agency primarily responsible for cybersecurity) are consumed with the hurricane responses. What if these hurricanes happened when a nation-state attacked our country via a cyber attack? Are we resourced appropriately and do we have the right mechanisms in place to respond effectively?
Another primary Commission recommendation is to have one individual, who reports directly to the President and whose sole portfolio and responsibility is cybersecurity. The seniority of the position should reflect the criticality of the issue – because rank and title matter, as the Commission bluntly said.
The primary catalyst for the Commission was the Office of Personnel Management (OPM) breach. When it happened, President Obama didn’t have a single person, at a senior level, dedicated to cybersecurity.
While the current Administration has experienced and highly skilled individuals working on the National Security Council in cybersecurity, the Commission would likely assert that this structure is not sufficient – and the past two weeks of events have proven the vulnerability in this approach.
Hurricanes Harvey and Irma demonstrated a significant improvement in our coordinated responses to natural disasters – lessons learned from Hurricanes Andrew and Katrina. We now need an equal level of improvement in our cybersecurity response, which mandates coordinated cybersecurity preparedness between the public and the private sector. The Commission identified that the government’s current incident response construct is insufficient to handle the spectrum of cyber threats and cyber events we now face – primarily because it focuses on response and not preparedness and planning.
Equifax demonstrated that we shouldn’t allow companies that are a de-facto national repository of our citizen’s critical information and engage in transactions with this data to be completely disconnected from government; government needs to coordinate with these entities. In the digital economy in which we operate, critical information is critical infrastructure.
The Administration needs to appoint a senior person in the White House with direct access to the President whose sole responsibility is cybersecurity and who works with government and industry to effectively manage cybersecurity before, during, and after an event. Additionally, we need to create a government/industry mechanism for pre-event planning. This group will be comprised of senior leaders from government and industry, who are responsible for protecting our nation’s infrastructure and information and are collaborating on a regular basis – training, exercising, identifying threats, ensuring baseline levels of cyber risk management. Finally, we need to seriously look at how we are defining critical infrastructure. Equifax demonstrated that while owners and operators of critical infrastructure are important, holders of critical information are equally important.
The Administration has shown it has the right instincts on cybersecurity as reflected in the cybersecurity Executive Order that was released by President Trump in May. But, in order for these ideas and plans to be effective, the right government structure has to be in place that reflects the reality of the current threats and vulnerabilities to our interdependent infrastructure.
In 2017, there is simply no excuse for one of the nation’s largest data brokers to have failed the basics in proper cyber risk management. The Equifax breach exposed the urgent need for government to be engaged in protecting the critical information of our citizens in order to protect our national and economic security.