As security breach reports mount, experts fear alert fatigue
The geopolitical landscape is ripe for hacks, attacks, and exploits, but just because big breaches are being reported more often doesn't mean you should stop caring.
It's been a busy week for security specialists.
First came word that supermarket chain Supervalu had been hacked. That was followed in short order by news of security breaches at a large American medical group, the Nuclear Regulatory Commission and the UPS Store.
As large-scale security breaches carried out by individual hackers and sponsored by nation-states turn into the new normal, cybersecurity experts are also alarmed that people may throw up their hands and stop caring as news of even more breaches get reported.
But while four breaches in a week may seem like a lot, let's also keep perspective. What's actually happening is more complicated than a simple spike in the number of reported breaches.
"I'm not sure that we're seeing more activity, or more attention on the activity," said Andy Serwin, a partner in the privacy and data protection practice at analyst firm Morrison and Foerster.
Indeed, companies are getting better at reporting security breaches, which also feeds into the perception that the increase in the number of breaches may even be larger than it really is.
"Back during Operation Aurora [in 2009], when Google got hacked, Google coming out [in 2010] was a big step in the industry," said Lillian Ablon, a researcher for the RAND Corporation. "Before that, companies didn't really talk about being breached." Ablon also highlighted the 2011 hack of RSA's SecureID encryption tokens as influential.
Legally, companies and government agencies are required to report security breaches to the public only when customer data is involved, and only in 47 states. Alabama, New Mexico, and South Dakota lack mandatory reporting laws, and few laws on the books extract penalties when a breach occurs.
Whatever the magnitude of the number of security breaches, it's also true that customers find themselves in an increasingly uncertain world when it comes to keeping their data safe.
"We're going to see more attacks because there's no risk to the adversaries," who are attacking companies, said CrowdStrike President and Chief Security Officer Shawn Henry. He added that the public will have to be vigilant about keeping tabs on their data.
Even then, that's no panacea. When the hacks at the Nuclear Regulatory Commission and Community Health Systems got revealed in the last week, the attacks were suspected of coming from China. Of course, it's not always clear whether that means that the hackers were also sponsored by the Chinese government.
"Just because somebody robs a bank and has New Jersey plates, doesn't mean they're from New Jersey," said Henry, who cited common hacker tactics such as using TOR and anonymous proxies to obfuscate the IP address where the attack came from.
Even when you know where an attack comes from, it's still difficult to pin it on an independent source or a government agent.
"Attribution is generally not definitive," Ablon said. "If it is, you're hearing about in a place with closed doors."
The public release of documents leaked by Edward Snowden about the extent of the National Security Agency's cyber espionage activities around the world has further muddied the picture. One important takeaway from the Snowden document trove was proof of the extent of US spying on other countries.
"According to the Snowden allegations, we have targeted economic organizations. But the US has consistently argued that we do it for economic interests more broadly, that we don't do it for economic advantage," said Adam Segal, a China expert at the Council on Foreign Relations."That distinction is lost on the rest of the world."
Security experts believe that the eventual solution will require businesses to rethink how they operate, putting a much bigger emphasis on security.
"Right now, things are developed with functionality in mind, from creating products to creating businesses, and we slap on a band-aid of security," Ablon said. "What we want to do is shift our business to bake in security from the start." But the consequences of that could have global economic implications, if better security hurts competitiveness.
In the short term it means that customers who do business with companies that suffer security breaches will need to be that much more vigilant. That means not reusing passwords for multiple accounts, using two-factor authentication when available, and keeping a close eye on bank statements and credit card activity.
As for the breaches themselves, there's not much you can do except be prepared to hear about more of them, more often.
Update, 3:10 p.m. PT: Clarifies statements from Shawn Henry.
Update, 12:40 p.m. PT: Clarifies details of Operation Aurora.