It's a repetitive cycle: corporations aggregate our data without our consent, corporations sell our data without our consent, and criminals steal our data by exploiting the companies that don't adequately protect that data. Despite the frequency of PII loss, and the disproportionately negative impact on those affected, many practitioners see their organizations routinely underfund or neglect their information security and identity programs. Furthermore, when existing regulations (or the lack thereof) fail to get companies to invest in securing identity data, what non-regulatory recourse remains to force organizations to remedy their security posture? In this session Jon Lehtinen outlines what actions, if any, can be considered an appropriate response to this pattern of corporate behavior, the future risks this continued behavior may bring, and how identity professionals can work to align the interests of their employers with the interests of those impacted by these lax corporate security practices.
2. Disclaimer
The views and opinions expressed in this presentation (though both true and good IMO) are my own and do not represent the views or opinions of my employer, its parent company, or subsidiaries.
4. What does a breach cost?
Money
• $7.35 million per breach – US
Time
• Factored into the monetary cost *for business*
6. Humans & corporations: A comparison
Attribute | A Human Being | A Corporation
Life span | ~80 years | Indefinite
Waking hours per day | ~16 | (Hours per shift) x (Number of employees)
Constraints | Time, space, hunger, thirst, fatigue, morality, power differentials, social obligations, capital, laws | Capital*, laws*
Ability to influence governments or other power structures | Low | High
7. Equifax breach
• 146.6 million names
• 146.6 million dates of birth
• 145.5 million social security numbers
• 99 million address information
• 209,000 CCs
• Total cost of breach “well over $600 million”
10. What is the consequence for repeated corporate mishandling of PII?
• No lasting damage to firms that lose PII
• Golden parachutes to executives that oversaw the loss
• Insufficient regulatory response/action
12. We missed our IAM SOX moment.
• Companies perceived as not accountable
• Government appears incapable of or unwilling to hold them accountable
• Populist indignation
• Lack of confidence in traditional avenues of justice
Rise of the insider threat motivated not by gain, but by “justice”?
13. How did we get here?
~35 years of compounding factors
16. Socioeconomic Factors
• Wage/Productivity Gap
• Housing up 84%
• Medical up 90%
• Public tuition up 237%
• Wages up 10%
• Rising suicide rates
• “No vision of the world or of a better future”
24. Learn from GDPR
• GDPR proves that corporations have not yet fully superseded
governments in societal power structures
• Consider impact of HIPAA, SOX
• Resist perfection paralysis
26. Opportunity for ID professionals
• Technological solutions
• Self-Sovereign Identity
• Process solutions
• Zero-day researching/reporting as a model?
• Consistent execution of simple practices
• How to handle unresponsive organizations?
27. Vote with your labor
If your organization makes you uncomfortable with their handling of PII - even if it is handled “legally” - Leave!
29. References
Fry, R. (2018, April 11). Millennials are the largest generation in the U.S. labor force. Retrieved from http://www.pewresearch.org/fact-tank/2018/04/11/millennials-largest-generation-us-labor-force/
Ponemon Institute. (2017, June). 2017 Cost of Data Breach Study.
No author. (2018, January 19). 2017 Annual Data Breach Year-End Review. Retrieved from https://www.idtheftcenter.org/images/breach/2017Breaches/ITRCBreachReport2017i.pdf
Reuters. (2018, May 8). Equifax provides more detail to Congress on cyber security incident. Retrieved from https://finance.yahoo.com/news/equifax-provides-more-detail-congress-010014354.html
No author. (2018, March 31). Equifax Annual Report Form 10-K. Retrieved from https://www.sec.gov/Archives/edgar/data/33185/000003318518000011/efx10k20171231.htm
Snyder, B. (2016, May 16). About Half of U.S. Families Would Have a Tough Time With a Surprise $400 Expense. Retrieved from http://fortune.com/2016/05/26/400-dollar-expense-study/
United States Census Bureau. (2017, May 4). Wealth, Asset Ownership, & Debt of Households Detailed Tables: 2013. Retrieved from https://www.census.gov/data/tables/2013/demo/wealth/wealth-asset-ownership.html
Lowrey, A. (2017, December 1). The Great Recession is Still With Us. Retrieved from https://www.theatlantic.com/business/archive/2017/12/great-recession-still-with-us/547268/
No author. (2017, October). The Productivity Pay Gap. Retrieved from https://www.epi.org/productivity-pay-gap/
No author. (2018, May). Suicide Rising Across the US. Retrieved from https://www.cdc.gov/vitalsigns/suicide/
Boyington, B. (2017, September 20). See 20 Years of Tuition Growth at National Universities. Retrieved from https://www.usnews.com/education/best-colleges/paying-for-college/articles/2017-09-20/see-20-years-of-tuition-growth-at-national-universities
Menaker, W. (Producer) et al. (2016, December 12). No Future Featuring Adam Curtis [Audio podcast]. Retrieved from https://soundcloud.com/chapo-trap-house/episode-65-no-future-feat-adam-curtis-121216
Harris, M. (2017, June 9). Why Do Millennials Keep Leaking Government Secrets? Retrieved from https://www.washingtonpost.com/posteverything/wp/2017/06/09/why-do-millennials-keep-leaking-government-secrets/?utm_term=.4d66a7ec0f53
Editor's Notes
Hi.
I’m Jon Lehtinen.
I want to talk about when whistleblowing should become the response to corporate negligence.
Before I get blacklisted, or I go back home and my badge stops working, I first need to say that
One of the more obnoxious pieces of advice a leader gave me early in my career was that “perception is reality.”
He meant that I had to be careful and empathetic in how my words and actions could be perceived by others, namely my customers.
Whenever there was conflict or issues, regardless of the justification, the reality for my customers was that something was wrong, and the thing I was responsible for was the source of their problems.
There were 1579 breaches involving PII in 2017. As infosec and identity professionals, this is very much a thing we should be concerned about.
Let’s talk about the cost of these breaches in terms of time and money
Ponemon Institute – 2016
But what of the human cost?
We are infosec/identity professionals; we are in tune with this stuff. What about retail workers, retirees, students, and everyone else?
How must they perceive this, if they are even aware outside of breach-fatigue?
Time cost:
Enabling credit freeze
Enrolling in credit monitoring
Canceling fraudulent accounts
Changing accounts/payment options for impacted services (utilities, websites, stores, etc.)
Identity theft of children
How burdensome is this? It often costs a fee to freeze/unfreeze your credit.
25% of the population is unbanked or underbanked
$44k median total wealth (all accounts, possessions, everything, not just liquid capital)
Comparatively, a corporation has cumulative time of its employees at its disposal.
It’s also functionally immortal, being a legal personage.
It also has fewer constraints and much more capacity to influence power structures than the puny humans it is inconveniencing.
Let’s pick on the biggest breach of 2017.
There are 249 million adults in the US; this breach impacts about three out of every five US adults.
The estimated cost of remediation (restitution, fixes, etc.) is $600 million as of May 2018.
Equifax is worth $3.2 billion per its 2017 SEC filing. That’s still a sizeable ratio of cost to equity, but the marginal utility of money suggests that for an org worth $3.2 billion, losing $600 million is less impactful when 50% of American families do not have the liquidity to cover a surprise $400 expense.
So let’s examine how the markets are reacting & enforcing good PII handling practices.
Equifax lost ~30% of its stock value after disclosure, but recovered over time and now hovers at around 14% less than pre-disclosure.
I’m not saying that’s good or bad, nor am I making a normative statement that it should be a certain value. I’m just saying what happened.
But if we zoom out just 5 years, we see that Equifax is actually trading at about 2x its post-disclosure price.
From the perspective of folk expecting a market correction, it seems that Equifax is still in a superior position compared to just a few years ago, so that dip doesn’t really reflect much of a correction at all.
No lasting consequence for malfeasance
No regulatory response, stock price nearly recovered
Golden parachute for execs IF they are forced out
“From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act’s increased standards for corporate disclosures.”
“A complex hack may not be a C.E.O.’s fault, but it is absolutely his or her responsibility. Investors and consumers need to demand more from the executives to whom they entrust their digital lives. The same holds true for government. Protection of the welfare and livelihood of its citizens is a foundational principle of government, and yet for more than a decade there has been very little consequence for nation-states and state-affiliated groups who’ve pilfered the intellectual property, and violated the personal privacy, of citizens and companies around the world.”
Both enterprise and government are asleep at the switch here.
We do not have our Sarbanes Oxley of identity, though we had our Enron-class disaster in Equifax.
When the companies themselves are not accountable, and when the government that allows that company to operate is incapable of holding them accountable, populist indignation may begin to manifest itself in unexpected ways to force accountability. This is a recipe for whistleblowers and insider threats motivated not by gain but by “justice.”
How did we get here? I think we need to consider the entire landscape of the last 35-40 years to see how the slow build of changing corporate, governmental, and socioeconomic structures positioned us so precariously. I’m going to talk in general trends here, and I’ll avoid normative statements and editorializing.
Consider how enterprises have changed over the last 35 years.
Contracting vehicles, contract to hire, push risk of employment relationship onto prospective employee.
4-year degrees have become the minimum requirement for an entry level job. Sometimes unpaid internships are required to show work experience BEFORE starting a career.
Companies tend to hollow themselves out to reduce cost in the short term at the expense of long term stability.
And anyone who has worked enterprise can tell you how hard it is to get budget for anything that is not a revenue generating activity (like retiring technical debt)
Rolling back of the changes made during the New Deal and labor movements
Decline of union power and steady legal erosion of worker protections by regulatory agencies, legislatures, and the courts
As global trade opened new markets, de-industrialization and the rise of increasingly specialized labor necessitated those expensive degrees to get entry-level jobs, assuming you were apt enough to do that work. Deindustrialization just meant that now you did unskilled labor very cheaply.
Eventually replacement of governments as the locus of power in society
Regulatory capture
Decreased investment in public education as it became a requirement for work
This happened at a time when state funding of school stopped, and tuitions grew at a rate several times faster than inflation.
Unlike all other forms of debt, student loans became impossible to discharge thanks to a series of laws in 1976, 1984, and 2005.
On top of carrying $1.5T of UNDISCHARGEABLE debt required to get the credential to get an entry-level position, wages stagnated relative to productivity.
Public in-state tuition up 237%, out-of-state up 197%, private up 147%
Rising opiate overdoses, suicide rates- CDC says up 25% over the last 20 years.
Adam Curtis – No Future. We recognize something is wrong, but not knowing how to react we continue onward. We have given up on the notion of a better future.
Delivery of information is efficient, everything would be fine- but this ignores that there is absolutely nothing left to say.
Millennials & Post-Millennials are 40% of the workforce, rising
I shudder at mentioning generational politics, but this is relevant-
Because
Started careers during Great Financial Crisis
They saw the carnage from the layoffs that came with the Great Financial Crisis, and experienced the headwind of building a career in that environment
Often carrying undischargeable student loans (law changed in 2005) because they began at a time when college degrees and unpaid internships were how one launched a career.
Fear of default on those undischargeable loans reduces negotiation power come raise time; of course, it’s not like cost-of-living/annual raises have been keeping up with inflation since the GFC anyway.
A workforce experiencing perceived injustice (not just for themselves, but also for everyone else who is suffering under this power imbalance), and having a lack of faith in the traditional avenues of redress, leads to whistleblowing/vigilantism/something else.
If this sounds unlikely, consider that this has already become a pattern in government where the stakes are much higher.
Edward Snowden
NSA mass spying program
Chelsea Manning
Collateral Murder & diplomatic cables
Reality Winner
NSA memo on Russian interference in 2016 elections
If an organization will only fund the fix to IAM/security after a catastrophic incident, then raising the risk of such an event may be seen as a forcing mechanism
What is the “ethical” response to someone who holds corporate wellbeing/their career in lower esteem compared to the greater good of millions of real people when they see ignored vulnerability that puts the PII of millions at risk that won’t get fixed unless it breaks?
But Jon, society is broken so to whom would the whistle be blown? Exposing the problem raises the likelihood of exploit. Fair.
What would it take to shame an organization into action? Think an anonymous reddit post or tweet- the bar to expose your organization’s dirty laundry could be alarmingly low.
Rather than just focus on how bad things are and how scared we should be, let’s instead focus on the spheres of influence & control we do have.
Actions to take immediately as an enterprise
Establish a process for reporting risks
Gets visibility to controlling stakeholders who are likely unaware of the technical implications or even the existence of such a weakness
Transparency in Risk Mitigation calculations
Risk = Probability x Loss may not be known/understood
Sharing WHY that technical debt may go unresolved (if cost of remediation is worse than the cost of an exploit) goes a long way toward stemming potential resentment, AND building a culture of transparency and security
Update your insider threat models to account for the “altruistic” leaker
Consider not being “evil” (another touchy subject as we categorize evil)
Collection, disclosure, and consent policies
Corporate citizenship
Voluntary compliance to GDPR framework
Remember the political component at play here.
I use politics not in the “rah rah red team/blue team” distraction sense, but in its rawest form: the acquisition and application of power to implement policies aligned to your interest.
In this regard, politics have been exercised quite effectively on behalf of corporations to reduce liability, responsibility, and operational friction at the expense of individuals, but we should remember that ostensibly that power can still be wielded by us.
Furthermore, as Steve Wilson puts it, technology is political:
Blockchain – great financial crisis
Open source software
Self-Sovereign ID – this problem
Don’t resist wielding power. If we continue to think embracing politics or political thinking is gauche, then we leave a potent tool out of our toolbox to fix this.
What organization can offer certification that an organization practices safe PII handling?
IDESG used to certify organizations, but it was self-attested. Is IDESG still relevant?
IDPro is dedicated to raising the quality and quantity of identity professionals. IAPP is also focused at the individual level.
It appears there is a gap to be filled here.
Opportunity for ID Professionals
Build a process and framework for reporting dangerous PII situations?
Consider the zero-day reporting/research process used by many tech companies. Is this a pattern to follow?
What organization could become the non-governmental arbiter for reporting/reconciling these issues until government steps up (if ever)
If we care about PII protection, simple process execution in infosec (patching, change management, defense in depth) is still the best way to prevent bad stuff from happening.
How do we handle unresponsive organizations?
Finally, the most atomized unit, the most personalized sphere of influence and action: yourself.
If your organization makes you feel uncomfortable with how they are handling PII data (even though they may be handling it “legally”), leave.
Identity & security talent is in demand, and you shouldn’t have to compromise your principles.
So it’s been a winding road to get to the end of the presentation, but let me finally answer now “when should whistleblowing become the response to corporate negligence?“
Never, it absolutely shouldn’t.
But given the confluence of factors at play, and no relief in sight, I find it likely that a growing number will decide it is better to expose an organization’s dirty laundry to the world to force action than risk the real human cost of another breach.
And I feel we ignore this situation to our peril.
Thank you.