Analysis: Indictments in Equifax Hack episode artwork

EPISODE · Feb 14, 2020

Analysis: Indictments in Equifax Hack

from Info Risk Today Podcast · host InfoRiskToday.com

The latest edition of the ISMG Security Report analyzes the indictments of four Chinese military officers in connection with the 2017 Equifax data breach. Also featured: Advice on implementing NIST's new privacy framework; lessons learned in a breach disclosure.

Episode metadata supplied by the publisher feed · Published Feb 14, 2020

The latest edition of the ISMG Security Report analyzes the indictments of four Chinese military officers in connection with the 2017 Equifax data breach. Also featured: Advice on implementing NIST's new privacy framework; lessons learned in a breach disclosure.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Analysis: Indictments in Equifax Hack

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

The U.S. invites four Chinese military officers in the Equifax Act, lists new guidelines on privacy and the pain of going public with the Data Bridge, these stories and more, and this week's ICEMG security report. Hello, I'm Nick Holland. On Monday this week, four Chinese military officers were indicted for stealing 145 million Americans' PII in the hack against Equifax.

Matthew Schwartz, ICEMG's executive editor of Data Bridge, and you're submitted this pertinent piece of analysis. Just don't hold your breath for the purp wars. I'm here to announce the indictment of Chinese military hackers, specifically four members of the Chinese People's Liberation Army, for breaking into the computer systems of the credit reporting agency Equifax, and for stealing the sensitive personal information of nearly half of all American citizens. That's U.S.

Attorney General Bill Barr speaking at a press conference on Monday. He said charges have been filed after a two-year investigation led to a federal grand jury in Atlanta handing out a nine-count indictment. The charges tied to a 2017 intrusion into the systems of Atlanta-based Equifax, one of the big three credit reporting agencies. The result in Data Bridge ranks as one of the worst in history.

Social information for half of all Americans was exposed. And the Department of Justice says the hack traces back to attack launched by China's PLA. For years, we have witnessed China's voracious appetite for the personal data of Americans, including the theft of personnel records from the Office of Personnel Management, the intrusion into Marriott Hotels and Anthem Health Insurance Companies, and now the wholesale theft of credit and other information from Equifax. This data has economic value, and these thefts can feed China's development of artificial intelligence tools, as well as the creation of intelligence targeting packages.

Press Analysis of the Hacks puts them in context. Notably, he says China's Ministry of State Security, or MSS, has been continuing to announce personally identifying information or PII that could be used for intelligence purposes, including blackmailing targets and obtaining secrets for Beijing. Officials say these hacks make clear that Beijing has been continuing to steal not just intellectual property, but also PII, hence it's no surprise that they take down one of the big three reporting agencies. But it's unlikely that indicting nation-state hackers will do anything to stem these sorts of attacks.

Indeed, some security experts say that beyond being a bit of political theater, this indictment has no teeth. It's unlikely that the four military officers, named, will ever sit inside of a courtroom. Attorney General Barr's obligations also have to be viewed for the lens of how the White House is approaching this problem. Notably, the Trump administration's ongoing trade war with China appears to have led Chinese President Xi Jinping to ditch the historic 2015 cyber agreement negotiated by the Obama administration.

In terms of Equifax itself, as has been well documented in numerous reports, including from the US Government Accountability Office, this particular breach could have been prevented. The company had the tools and processes it needed, but investigators found that its personnel lacked sufficient training, that management had filtered to ensure that policies were being followed, and overall while Equifax did something right, it did a lot of things wrong. Accordingly, the Equifax breach stands as a case study into how not to run a security program, and the company has already spent more than $1.4 billion, learning that lesson the hard way. Clearly, having a good defense would have helped, but it's not a complete solution.

Nation-state attacks remain a reality. Unless governments can hold each other to behavioral norms, it's unclear how even well-prepared businesses would be able to blunt online attacks launched by well-resourced nation-states. For Information Security Media Group, I'm Matthew Schwartz. You're listening to the ISMG Security Report on ISMG Radio, your number one source for information security news.

There's a lot of activity right now around privacy regulations in the US, with C-C-P-A going into effect in January, and myriad other states looking at similar laws. In January, the National Institute of Standards and Technology, or NIST, released its new privacy framework, which, according to Naomi Lefkowitz, a senior privacy advisor and program manager for privacy engineering NIST, gives organizations building blocks to help them meet any obligations under any particular law or jurisdiction that they're subject to. ISMG's associate editor, Superma Goswami, spoke with Naomi about the new privacy framework. Here's an excerpt to their conversation where they discuss existing frameworks, such as the GDPR and C-C-P-A, and how NIST guidelines are designed to be agnostic.

We look at the framework as being, you know, we intended it to be agnostic to any particular law or jurisdiction, but said we look at it as having, giving organizations the kind of building blocks to help them meet any obligation under any particular law or jurisdiction that they're subject to. For example, you might have an obligation under GDPR to accept data deletion requests from individuals. And so, the framework is not a prescriptive requirements-based approach, but rather you have to think through the kinds of policy, technical capabilities that you might need, and so, for example, we have one of the activities or outcomes that we have is making sure that data can be accessed for deletion, because if you don't have the capability to actually go in and find and extract data in your systems, then meaning a legal obligation to take data deletion requests is going to be operational. Okay, correct.

I wanted to ask, can this framework be used to stay as a standard against which reasonable precautions must be measured? I wouldn't look at the framework that way. We don't really consider it sort of a standard. It's literally a framework that is a way to think through the kinds of policies and capabilities that you need to build a strong privacy program, and it provides a way, you know, it's really a way for organizations to have a dialogue both internally and with other organizations about the kinds of privacy risks that they're facing and the kinds of, you know, what kinds of solutions that they want to implement to address those risks, whether those speed policies or technical capabilities.

One of the most difficult parts of a data breach is the price-swalling act of public disclosure. Even the best possible scenario is an embarrassment to the organization and probably costly in terms of business, reputation, and stock evaluation. If executed badly, the results can be catastrophic. I, some of you, geez, managing editor security and technology Jeremy Cook spoke with John Graham Cumming, CTO CloudFlare, a company that had their worst possible day in early 2017 in a data incident that came to be known as Cloudbleed.

In this audio interview, they discussed why honesty and an adult approach to disclosure is the best policy. Whether it's a data breach, vulnerability, or another security mishap, how organizations communicate the issue with the public leaves lasting impressions, and organizations' response is a product of its own culture and sometimes a test of whether it can gracefully swallow its pride. One of the world's largest network security companies, CloudFlare, faced this issue in early 2017. A software bug caused a random regurgitation of data from the memory of its servers, potentially exposing passwords, cookies, and chat logs.

The exposure stemmed from a small coding error involving just a single character that was entered incorrectly into an HTML parser. The problem was dubbed Cloudbleed. I recently chatted with CloudFlare's CTO John Graham Cumming. CloudFlare's approach to what Graham Cumming says was a very, very, very embarrassing error was to put as much information out there as possible.

The company published blog posts that explained in great technical detail what happened and what were the risks. Users appreciated the openness. John Graham Cumming. I do think Openness really makes two different, because it builds trust.

I mean, it's really the only way to do it. And I think there has been a bit of a culture of, if we tell people about our security problems, they will trust this left of all worry that somehow that will create less trust. But they also worry about somehow that will expose vital secrets about their security, which might not otherwise get exposed. But the reality of the world is that how could we try to break into companies?

They're going to find where the weak spots are. And it's really not, the heck of really not the audience to which you should be communicating is the general public. There are reasons why companies may clam up when there's a big problem. Share prices could drop and heads could roll, but Graham Cumming says CloudFlare has fostered a culture where it's okay to talk about problems.

He says CloudFlare co-founder Michelle Zatlin calls it an adult's culture. Many employee can report an issue or a concern on a security mailing list, and problems are dealt with an even head. And remarkably, the CloudFlare employee who wrote the bad code was not fired from the company. Graham Cumming, who's the head of engineering, says it didn't even cross his mind to fire the person.

You know what's really interesting about that? If somebody actually asked me that, I gave the talk, and somebody said, I put a hand up to the computer, I said, did you fire the employee who wrote the bad code? No. I was blown away by the question, because they had never even crossed my mind to get rid of that person.

You know, if somebody was responsible for that, you should be pointing at me as the head of the engineering group, because you can say, well, what would you be doing correctly in terms of structure, in terms of testing, in terms of culture that allowed a bug like that to appear? The fact that an individual ultimately wrote the line of code that was bad, it would be very, very silly to put it on the individual, and it would also create completely the wrong culture in the team, which is, you know, do something wrong to get fired. And that would have been completely unhelpful, no, that person was definitely not got rid of. And, you know, also, that person themselves went through a difficult experience, it felt a greater responsibility for what happened, and, you know, just on a human level, firing somebody in that situation would have been extremely cruel.

There was a side effect, however, of Cloudflare's openness about Cloudbleed. Now, if Cloudflare has so much as a minor service outage, its users are now expecting a war and peace-length post-mortem. But he says it's more that users are interested in learning how Cloudflare solved the problem. Graham, coming again.

People like to learn from others, right? How did you respond to it? How did you deal with this problem? You know, how did you approach it?

And that's another benefit of talking about it. So in the end, it may not be easy to own up to mistakes, but surprisingly, it can have benefits. For Information Security Media Group, I'm Jeremy Kirk. That's it for this week's Ice and Security Report.

Theme music is by Ethan Colgo. I'm Nick Collins. Catch you next time.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on February 14, 2020.

What is this episode about?

The latest edition of the ISMG Security Report analyzes the indictments of four Chinese military officers in connection with the 2017 Equifax data breach. Also featured: Advice on implementing NIST's new privacy framework; lessons learned in a...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!