Headline-grabbing data breaches, like the most recent incident at Target, are revealing to the public what security experts have always known: Nothing is secure. It’s a constant arms race between those who protect data and those who steal it.
In one form or another, this fight has been going on since the concept of personal property was conceived. The only difference is that thieves now are downloading databases of Social Security numbers instead of stopping stagecoaches and riding off with sacks of gold and silver. Crime can’t be eliminated, but the stagecoach drivers don’t seem to be learning from their mistakes.
With each new headline, the public grows more frustrated with organizations that fail to protect private information. There will always be weak links and unplanned-for contingencies, particularly in organizations as large as governments, which are spread across dozens of agencies and have thousands of employees. The same is true of profit-oriented companies like Target. As long as financial loss and bad press are kept to an acceptably low level, investments in preventing such breaches will not be viewed favorably by those who hold the purse strings.
Soon enough, the fickle public will forget, anyway. Where else are you going to go to buy bulk granola bars and generic-but-reasonably-priced clothing? It’s not like Wal-Mart is using some special network security practices that Target doesn’t know about. They just haven’t been hit yet. And during the uproar, that immutable truth seems to go ignored: no number of traps, bars, or alarms will keep out the determined thief.
Any number of organizations might claim to have great network security, but the phrase is close to an oxymoron. A network exists to let people and systems in, so the whole arrangement is set up to fail: it takes only one careless or negligent employee, one phished password, and the whole thing comes crashing down. Having strong network security means having a strong version of something that is weak to begin with. The real solution is to sidestep the hopeless network security arms race entirely.
The solution is simple in concept. If thieves keep stealing something valuable, make the thing they’re stealing worthless. In the past this would have been difficult. You can’t devalue most physical goods because they have intrinsic value to people. People will always want to buy (or steal) diamonds, gold, and silk because they’re shiny, pretty or soft. But data is different because it only has as much value or meaning as we decide to give it.
Easier said than done? Maybe, but the competition between good and evil online is beginning to feel like that scene at the end of Raging Bull where Jake La Motta, played by Robert De Niro, is slamming his head against the wall. The bad guys get away most of the time, and with each big breach, there’s an equally large security contract to be secured, so if you want job security, go into security. Meanwhile, everyone whose information was stolen is left scrambling to deal with the fallout, and the organization that allowed the data leak continues staggering onward, maybe a little worse for wear.
The way to fix all of this is to change how personal and financial information works. What if a Social Security number or credit card number in the hands of a criminal was useless?
Maybe the usual method of buying something online needs to be more involved than simply supplying a name, card number and address. Maybe applying for a credit card should involve biometric authentication. Maybe there should be two- and three-factor authentication in place for financial transactions that don’t involve just cash. Maybe credit card numbers should change every week. Maybe an entirely new system should be developed for handling credit that is completely foreign to the concepts and ideas used to define today’s system. The Bitcoin people seem to be pretty excited about the whole idea of a digital currency – maybe that’s part of the solution. The common thread is that a credential should be bound to a time window, to a particular transaction or to a second factor, so that a copy of it is worthless on its own. Implementation is the hard part, and I’m not proposing a concrete solution. But the current way of doing things is not the best that we can come up with.
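To make two of those "maybes" concrete, here is an added example of my own; it is not code from the column or from Government Technology, and the issuer, vault and merchant names in it are hypothetical. It shows (1) tokenization, where the merchant stores only an opaque token so a dumped merchant database yields no card numbers, and (2) a weekly-rotating, transaction-bound payment code derived with HMAC from a secret shared only between the card and the issuer, so a code captured this week is rejected next week, rejected if the amount or merchant is altered, and rejected if replayed. The card numbers, secrets and timestamps are constructed for the example.

```python
"""Added illustration: making a stolen card credential worthless.

Hypothetical issuer-side pieces: a token vault (the only place the real
PAN lives) and a verifier for time-windowed, transaction-bound codes.
All PANs, secrets and timestamps below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import struct

WINDOW_SECONDS = 7 * 24 * 3600   # "credit card numbers should change every week"
CODE_DIGITS = 8


class TokenVault:
    """Issuer-side vault. The real PAN is stored here and nowhere else;
    merchants keep only the opaque token, which is random, not derived
    from the PAN, so a stolen merchant database cannot be reversed."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token.get(token)


def window(now):
    """Index of the weekly window containing the Unix timestamp `now`."""
    return now // WINDOW_SECONDS


def payment_code(card_secret, now, merchant_id, amount_cents, nonce):
    """Code computed on the cardholder's device (or card chip).

    HMAC-SHA256 over (window, merchant, amount, nonce) with a per-card
    secret, truncated to digits with RFC 4226 (HOTP) dynamic truncation.
    Anyone who captures the code gets something bound to this week,
    this merchant, this amount and this nonce."""
    msg = (struct.pack(">Q", window(now))
           + merchant_id.encode() + b"\0"
           + struct.pack(">Q", amount_cents)
           + nonce)
    mac = hmac.new(card_secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Issuer:
    """Hypothetical issuer: enrolls cards, verifies codes, rejects
    expired, altered and replayed ones."""

    def __init__(self):
        self.vault = TokenVault()
        self._secret_by_token = {}
        self._seen_nonces = set()       # (token, nonce) pairs already spent

    def enroll(self, pan):
        token = self.vault.tokenize(pan)
        secret = secrets.token_bytes(32)
        self._secret_by_token[token] = secret
        return token, secret            # secret goes to the card, never to merchants

    def authorize(self, token, code, now, merchant_id, amount_cents, nonce):
        secret = self._secret_by_token.get(token)
        if secret is None:
            return "unknown token"
        expected = payment_code(secret, now, merchant_id, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return "bad code"           # wrong window, altered amount/merchant, or forged
        if (token, nonce) in self._seen_nonces:
            return "replay"
        self._seen_nonces.add((token, nonce))
        return "approved"


if __name__ == "__main__":
    issuer = Issuer()
    token, secret = issuer.enroll("4111111111111111")   # constructed test PAN
    now = 1_700_000_000
    nonce = secrets.token_bytes(8)
    code = payment_code(secret, now, "merchant-42", 2599, nonce)
    print(issuer.authorize(token, code, now, "merchant-42", 2599, nonce))
    print(issuer.authorize(token, code, now, "merchant-42", 2599, nonce))                    # replay
    print(issuer.authorize(token, code, now + WINDOW_SECONDS, "merchant-42", 2599, nonce))   # next week
```

The merchant never sees the secret or the PAN, only the token, the code and the nonce, which is exactly what a thief who copies the merchant's records would get. A real deployment would also accept the adjacent window to tolerate clock skew and would key the nonce set per window so it can be pruned; both are left out here to keep the verifier readable.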
There are new and innovative technologies being born all the time, but none of them seem to be protecting my identity, personal information or finances, despite the fact that my identity, personal information and finances are the most valuable things I own. If I were in charge of protecting my own data, I sure wouldn’t do it the way banks, companies and governments are doing it now. My Starcraft 2 account is better protected than my bank account.
This is a call for lateral thinking. The public didn’t agree to be a part of today’s technological world. We all enjoy the benefits of improved technology and medicine, but there’s no opting out of the risk of having your personal information stolen. To be part of society, each person is forced by circumstance to be at risk, and yet there seems to be no burden on government or on financial institutions to do anything to protect that data beyond the requisite measures, which I believe we have already established don’t work.
Policy makers and security experts need to join together, step back and create an environment for data that uses the best tools and ideas available today.
As the poet Arthur O'Shaughnessy wrote, “We are the music makers. And we are the dreamers of dreams.” The system doesn’t have to be broken if we don’t want it to be, and there’s no sense banging our head against the wall.
Colin wrote for Government Technology from 2010 through most of 2016.