Equifax, Hack Backs and Heart Attacks
Happy Cyber Security Month! We’re not out of the woods yet. The first two thirds of this month have given us more than a few reasons to believe we’ve reached a turning point. People outside of cyber security are aware of the growing costs to society.
In studying Public Affairs, I learned about a framework for analyzing the organizational behavior of groups of people. It can be applied to many organizations such as businesses, industries and nations. Albert Hirschman’s Voice, Exit and Loyalty is a useful way to game out stakeholder behavior. Dissatisfaction with the system can be expressed by one of these three responses: exit, voice and loyalty. The power of voice is stronger when you can credibly threaten exit. Otherwise, you may as well be loyal. The public perception of cyber security is changing, but I’m not sure how. No ability to exit the system diminishes the power of our voice. This is why I admire bitcoiners even if I am a crypto asset skeptic.
Honestly, when I heard about the breach, I was relieved. At least it wasn’t my former client! Everybody from John Oliver to Fox Business is talking about it. Equifax crosses the aisle. Still, nobody seems set to do anything to prevent future problems. How can all the voices of the public be heard when there is no credible exit?
Another way to think of this is as a principal-agent problem. It may be closer to a fiduciary relationship, but let’s see where this goes. Your credit and other data is stored by the agent, whose incentives are different than yours. For example, they don’t care if they lose your data. You do!
Predictably, the cockroach idea of hacking back comes skittering out from under the fridge where it’s been waiting. People are exercising their voice and getting ignored by business. Exit isn’t an option, so voice escalates to other levels. Political levels. In fact, the Warren/Sasse, Graves/Sinema duos are both bipartisan.
So this is it? Kumbaya while our politicians unite to administer stern outrage and rash laws. Is this our generation’s great project, like settling the frontier? The journalist will miss their gun slingin’ metaphors, but we will not. The internet should not be a place settled by the United States of America or any other country.
So we have arrived at the age where somebody can hack a heart and all your credit data is leaking out across the internet like some kind of digital BP oil spill. Some patients are choosing loyalty over voice. An IT worker said he knew better and figured it was a low risk. Not sure what that says about the industry. This brand of loyalty is next to complacency. This is not how we’ll solve the problem.
As Lenin says, What Is To Be Done? No, not revolution. The founding text of Leninist Bolshevism says that the working class cannot create consciousness alone. They are too busy working. Therefore, there is a need for a revolutionary by occupation. Or, as my former boss calls it, Rebels at Work. She’s not a Bolshevik or a Communist. She’s just awesome.
It’s going to be up to the cyber security community to band together with allies and start speaking up in boardrooms, startup labs and coffee shops. The business community needs to get serious about protection and work together. Information sharing is great, but more needs to be done to pool risks. Insurance can play a big role in quantifying and allocating the costs properly. There won’t be a silver bullet or a finish line to cross, but the balance of power may shift.
The heavy lifting will be done by millions of people all across the internet. Open source contributors, professionals, engineers and researchers. We all have to speak together if there is any chance of being heard. Voices needed.