Nicolas Dupont is a technology executive in New York City. He is currently the CEO and Chairman of Cyborg Inc., a cybersecurity firm.
Equifax, Capital One, Zynga, Quest Diagnostics, SolarWinds. The list goes on, with each of these companies experiencing a significant data breach in the past four years. With each, the story repeats itself: a minor vulnerability in a far-flung IT system is exploited by sophisticated hackers, who gain access to sensitive data and expose millions of customer records, including credit card and social security numbers.
The latest high-profile attack, on network monitoring firm SolarWinds, is estimated to have impacted more than 425 of the Fortune 500 companies in addition to a number of federal agencies. While details of this breach are largely unknown, the blame shouldn’t be placed solely on SolarWinds for a lack of proper security measures or quick software patching. Rather, we need to collectively examine the larger pattern at play here, and why history keeps repeating itself.
The Zero-Trust Model And Client-Side Encryption
Fundamentally, every breach has a common thread: poorly protected data. It’s simply naive and unrealistic to expect that every corporation’s IT systems will be properly patched and provide airtight security to the world. However, it isn’t unreasonable to expect the data held by these companies — data belonging to consumers like you and me — be kept in a secure manner. In fact, the technology which enables this already exists.
Zero-trust security is a philosophy that stipulates that no entity can be trusted — not the source of the data, not the network on which that data travels, not the servers on which it is processed, nor the storage on which it resides. This arguably paranoid mindset provides a layer of security in the initial design of information systems by ensuring that data is never left in a vulnerable state.
Encryption plays a key role in the zero-trust model by providing a well-established way of scrambling data in a secure, reversible manner. In today’s digital world, the Advanced Encryption Standard (AES) is ubiquitous, and its ciphers are largely unbreakable by current computers. The encryption method, however, is only half of the equation; key management, which determines who can decrypt and access encrypted data, is the other half.
The world’s strongest door lock would be useless if you hid its key under a doormat. Similarly, strong encryption with poor key management is a considerable security vulnerability. The adoption of client-side encryption would be a significant step in reducing this exposure. Put simply, client-side encryption is a system where data is encrypted on the client’s device and can only be decrypted and accessed by said client. Just like end-to-end encryption used in secure messaging apps like Signal and Telegram, client-side encrypted data is opaque to all third parties, adhering to zero-trust philosophy. With proper use of this method, breaches of large corporations would bear little fruit since stolen consumer data would be encrypted and unusable.
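The client-side encryption described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the function names, the choice of AES-256-GCM with a key derived by scrypt from a client-held passphrase, and the sample record are all assumptions made for illustration.

```javascript
// Added example: client-side encryption using Node.js built-in crypto only.
const nodeCrypto = require("node:crypto");

// Derive a 256-bit AES key from a secret that never leaves the client.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Runs on the client. The returned object is all the service ever stores.
function encryptOnClient(passphrase, plaintext, recordId) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12); // must be unique per encryption
  const key = deriveKey(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(recordId)); // binds the ciphertext to its record
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { recordId, salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Runs on the client. Throws if the key is wrong or the record was altered.
function decryptOnClient(passphrase, record) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, record.nonce);
  decipher.setAAD(Buffer.from(record.recordId));
  decipher.setAuthTag(record.tag);
  const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  return plain.toString("utf8");
}

// Returns the plaintext, or null when authentication fails. A party that
// holds only the stored record, without the client's secret, gets null.
function tryDecrypt(passphrase, record) {
  try {
    return decryptOnClient(passphrase, record);
  } catch (err) {
    return null;
  }
}

// Constructed sample data (hypothetical customer record).
const SECRET = "correct horse battery staple";
const stored = encryptOnClient(SECRET, "SSN=000-00-0000", "customer-1");
```

The salt, nonce and authentication tag are not secret and can sit beside the ciphertext on the server; only the passphrase, and the key derived from it, must stay on the client.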
Technology solutions that solve this significant problem already exist. Why aren’t they being used?
The Role of the U.S. Government
Security is expensive for companies to implement — but without it, consumers pay the price. Adequate data protection measures, including adherence to zero-trust principles and the implementation of client-side encryption, carry not only a capital cost for affected corporations but also an opportunity cost. If consumer data is rendered fully opaque, companies become unable to use that data for monetization or business intelligence purposes — a significant disincentive for the adoption of these security principles.
This incentive dissonance leaves a gap which the U.S. government must fill. Protecting American consumers is one of the primary roles of the government, and its lack of a coordinated, comprehensive regulatory framework for universal data protection is an abdication of responsibility. Inspired by the European Union’s General Data Protection Regulation (GDPR), individual states have adopted legislation such as the California Consumer Privacy Act (CCPA). These privacy mandates, however salient, don’t go far enough in terms of ensuring data security and don’t have national jurisdiction. While targeted frameworks such as HIPAA, which protects healthcare data, address the need for encryption and data protection measures, the United States lacks a universal standard reflective of the scale of the threat.
Protecting consumers from massive data breaches, and the ensuing identity theft and fraud made possible by such breaches, should be one of the U.S. government’s top priorities. Such protection is completely feasible with today’s technology, so there is no reason not to enforce this mandate. A coordinated effort between state and federal government agencies would protect American consumers from a threat over which they possess little control, while empowering corporations to employ new technical innovations that allow them to monetize data without sacrificing their customers’ data privacy and security rights.
We must adopt a comprehensive strategy to secure our data and our digital infrastructure as a whole. Without it, history is bound to repeat itself.