'Breach Fatigue' and Notification
From Epsilon and Sony to RSA and Lockheed, existing security is no match for today's hackers. Let's take a look at our cybersecurity state of affairs.
In a week, we've seen alleged hackers from China target Google's Gmail; a cyberfraud ring called LulzSec claim to have infiltrated Sony Pictures and PBS's "NewsHour"; and attacks against government contractors Lockheed Martin Corp. and L-3 Communications Holdings Inc., both probably linked to March's RSA Security breach, which ultimately exposed technology behind RSA's SecurID multifactor authentication tokens.
Let's also not forget that just a few weeks ago we were rocked by the revelation that Sony and e-mail marketing provider Epsilon had also been hacked, exposing personally identifiable information on millions of consumers.
Some of the hacks have been humorous and, in the grand scheme of hacking, relatively innocuous. Take the PBS attack as an example. That hack resulted in fictitious posts to the NewsHour website about the resurrection of '90s rapper Tupac, who, as we all remember, was gunned down a decade and a half ago. The crime is still unsolved.
I view the LulzSec attacks like those launched by Wikileaks supporter Anonymous. These guys just want to prove how easy it is to get in. Sadly, that's a lesson we are learning far too well these days.
But the other breaches we've faced have been much darker in tone, highlighting serious concerns about not just the leaking of personal information, but details that could potentially compromise national security.
Congress is now getting in on the movement to push for stronger security and breach notification. I'm not sure how much good their efforts will do, but at least legislators are taking notice, right?
This week I sat in on a House subcommittee hearing, during which Sony and Epsilon were both called to testify about the guidelines they followed when notifying customers adversely affected by their recent breaches.
During the hearing, both Sony and Epsilon told subcommittee members they support a national breach notification system, one that would trump the 46 disjointed state notification laws, which, to date, have made breach notification challenging.
Surprisingly, most subcommittee members seemed well informed about gaps in breach notification, as well as cybersecurity challenges. In fact, Rep. Mary Bono Mack, R-Calif., chair of the subcommittee, who referred to the Sony breach as the "Ground Zero" of cyberattacks, plans to introduce legislation calling for a national data breach notification system that would require companies like Sony and Epsilon to enhance the security measures used to protect "sensitive" data and to promptly notify consumers after a breach.
We'll see if bipartisan lines can blur enough to get that legislation passed.
In the meantime, I'm focusing on the fight against what our friend at the grassroots Identity Theft Council, Neil O'Farrell, has rightly coined "breach fatigue."
With so many cyberattacks coming at us from so many different angles, the fatigue syndrome may be one we all need to focus on fighting.