The U.S. invites four Chinese military officers in the Equifax Act, lists new guidelines on privacy and the pain of going public with the Data Bridge, these stories and more, and this week's ICEMG security report. Hello, I'm Nick Holland. On Monday this week, four Chinese military officers were indicted for stealing 145 million Americans' PII in the hack against Equifax.
Matthew Schwartz, ICEMG's executive editor of Data Bridge, and you're submitted this pertinent piece of analysis. Just don't hold your breath for the purp wars. I'm here to announce the indictment of Chinese military hackers, specifically four members of the Chinese People's Liberation Army, for breaking into the computer systems of the credit reporting agency Equifax, and for stealing the sensitive personal information of nearly half of all American citizens. That's U.S.
Attorney General Bill Barr speaking at a press conference on Monday. He said charges have been filed after a two-year investigation led to a federal grand jury in Atlanta handing out a nine-count indictment. The charges tied to a 2017 intrusion into the systems of Atlanta-based Equifax, one of the big three credit reporting agencies. The result in Data Bridge ranks as one of the worst in history.
Social information for half of all Americans was exposed. And the Department of Justice says the hack traces back to attack launched by China's PLA. For years, we have witnessed China's voracious appetite for the personal data of Americans, including the theft of personnel records from the Office of Personnel Management, the intrusion into Marriott Hotels and Anthem Health Insurance Companies, and now the wholesale theft of credit and other information from Equifax. This data has economic value, and these thefts can feed China's development of artificial intelligence tools, as well as the creation of intelligence targeting packages.
Press Analysis of the Hacks puts them in context. Notably, he says China's Ministry of State Security, or MSS, has been continuing to announce personally identifying information or PII that could be used for intelligence purposes, including blackmailing targets and obtaining secrets for Beijing. Officials say these hacks make clear that Beijing has been continuing to steal not just intellectual property, but also PII, hence it's no surprise that they take down one of the big three reporting agencies. But it's unlikely that indicting nation-state hackers will do anything to stem these sorts of attacks.
Indeed, some security experts say that beyond being a bit of political theater, this indictment has no teeth. It's unlikely that the four military officers, named, will ever sit inside of a courtroom. Attorney General Barr's obligations also have to be viewed for the lens of how the White House is approaching this problem. Notably, the Trump administration's ongoing trade war with China appears to have led Chinese President Xi Jinping to ditch the historic 2015 cyber agreement negotiated by the Obama administration.
In terms of Equifax itself, as has been well documented in numerous reports, including from the US Government Accountability Office, this particular breach could have been prevented. The company had the tools and processes it needed, but investigators found that its personnel lacked sufficient training, that management had filtered to ensure that policies were being followed, and overall while Equifax did something right, it did a lot of things wrong. Accordingly, the Equifax breach stands as a case study into how not to run a security program, and the company has already spent more than $1.4 billion, learning that lesson the hard way. Clearly, having a good defense would have helped, but it's not a complete solution.
Nation-state attacks remain a reality. Unless governments can hold each other to behavioral norms, it's unclear how even well-prepared businesses would be able to blunt online attacks launched by well-resourced nation-states. For Information Security Media Group, I'm Matthew Schwartz. You're listening to the ISMG Security Report on ISMG Radio, your number one source for information security news.
There's a lot of activity right now around privacy regulations in the US, with C-C-P-A going into effect in January, and myriad other states looking at similar laws. In January, the National Institute of Standards and Technology, or NIST, released its new privacy framework, which, according to Naomi Lefkowitz, a senior privacy advisor and program manager for privacy engineering NIST, gives organizations building blocks to help them meet any obligations under any particular law or jurisdiction that they're subject to. ISMG's associate editor, Superma Goswami, spoke with Naomi about the new privacy framework. Here's an excerpt to their conversation where they discuss existing frameworks, such as the GDPR and C-C-P-A, and how NIST guidelines are designed to be agnostic.
We look at the framework as being, you know, we intended it to be agnostic to any particular law or jurisdiction, but said we look at it as having, giving organizations the kind of building blocks to help them meet any obligation under any particular law or jurisdiction that they're subject to. For example, you might have an obligation under GDPR to accept data deletion requests from individuals. And so, the framework is not a prescriptive requirements-based approach, but rather you have to think through the kinds of policy, technical capabilities that you might need, and so, for example, we have one of the activities or outcomes that we have is making sure that data can be accessed for deletion, because if you don't have the capability to actually go in and find and extract data in your systems, then meaning a legal obligation to take data deletion requests is going to be operational. Okay, correct.
I wanted to ask, can this framework be used to stay as a standard against which reasonable precautions must be measured? I wouldn't look at the framework that way. We don't really consider it sort of a standard. It's literally a framework that is a way to think through the kinds of policies and capabilities that you need to build a strong privacy program, and it provides a way, you know, it's really a way for organizations to have a dialogue both internally and with other organizations about the kinds of privacy risks that they're facing and the kinds of, you know, what kinds of solutions that they want to implement to address those risks, whether those speed policies or technical capabilities.
One of the most difficult parts of a data breach is the price-swalling act of public disclosure. Even the best possible scenario is an embarrassment to the organization and probably costly in terms of business, reputation, and stock evaluation. If executed badly, the results can be catastrophic. I, some of you, geez, managing editor security and technology Jeremy Cook spoke with John Graham Cumming, CTO CloudFlare, a company that had their worst possible day in early 2017 in a data incident that came to be known as Cloudbleed.
In this audio interview, they discussed why honesty and an adult approach to disclosure is the best policy. Whether it's a data breach, vulnerability, or another security mishap, how organizations communicate the issue with the public leaves lasting impressions, and organizations' response is a product of its own culture and sometimes a test of whether it can gracefully swallow its pride. One of the world's largest network security companies, CloudFlare, faced this issue in early 2017. A software bug caused a random regurgitation of data from the memory of its servers, potentially exposing passwords, cookies, and chat logs.
The exposure stemmed from a small coding error involving just a single character that was entered incorrectly into an HTML parser. The problem was dubbed Cloudbleed. I recently chatted with CloudFlare's CTO John Graham Cumming. CloudFlare's approach to what Graham Cumming says was a very, very, very embarrassing error was to put as much information out there as possible.
The company published blog posts that explained in great technical detail what happened and what were the risks. Users appreciated the openness. John Graham Cumming. I do think Openness really makes two different, because it builds trust.
I mean, it's really the only way to do it. And I think there has been a bit of a culture of, if we tell people about our security problems, they will trust this left of all worry that somehow that will create less trust. But they also worry about somehow that will expose vital secrets about their security, which might not otherwise get exposed. But the reality of the world is that how could we try to break into companies?
They're going to find where the weak spots are. And it's really not, the heck of really not the audience to which you should be communicating is the general public. There are reasons why companies may clam up when there's a big problem. Share prices could drop and heads could roll, but Graham Cumming says CloudFlare has fostered a culture where it's okay to talk about problems.
He says CloudFlare co-founder Michelle Zatlin calls it an adult's culture. Many employee can report an issue or a concern on a security mailing list, and problems are dealt with an even head. And remarkably, the CloudFlare employee who wrote the bad code was not fired from the company. Graham Cumming, who's the head of engineering, says it didn't even cross his mind to fire the person.
You know what's really interesting about that? If somebody actually asked me that, I gave the talk, and somebody said, I put a hand up to the computer, I said, did you fire the employee who wrote the bad code? No. I was blown away by the question, because they had never even crossed my mind to get rid of that person.
You know, if somebody was responsible for that, you should be pointing at me as the head of the engineering group, because you can say, well, what would you be doing correctly in terms of structure, in terms of testing, in terms of culture that allowed a bug like that to appear? The fact that an individual ultimately wrote the line of code that was bad, it would be very, very silly to put it on the individual, and it would also create completely the wrong culture in the team, which is, you know, do something wrong to get fired. And that would have been completely unhelpful, no, that person was definitely not got rid of. And, you know, also, that person themselves went through a difficult experience, it felt a greater responsibility for what happened, and, you know, just on a human level, firing somebody in that situation would have been extremely cruel.
There was a side effect, however, of Cloudflare's openness about Cloudbleed. Now, if Cloudflare has so much as a minor service outage, its users are now expecting a war and peace-length post-mortem. But he says it's more that users are interested in learning how Cloudflare solved the problem. Graham, coming again.
People like to learn from others, right? How did you respond to it? How did you deal with this problem? You know, how did you approach it?
And that's another benefit of talking about it. So in the end, it may not be easy to own up to mistakes, but surprisingly, it can have benefits. For Information Security Media Group, I'm Jeremy Kirk. That's it for this week's Ice and Security Report.
Theme music is by Ethan Colgo. I'm Nick Collins. Catch you next time.