Published by The Lawfare Institute
The Equifax data breach that compromised the Social Security numbers and other personal information of more than 145.5 million Americans prompted calls from authorities and consumers for more federal regulation to protect sensitive personal data. The Federal Trade Commission (FTC), Congress, and the Justice Department, among others, are investigating aspects of the incident. Some experts frame the cause of the breach in terms of market failure, arguing that companies have insufficient economic incentive to secure the data they handle. Others have suggested that the breach reveals no legal or regulatory failures because there is no legislation or regulation that effectively addresses the spate of very public cybersecurity incidents against sensitive systems.
These approaches all have an ex post nature. But what’s needed, in fact, is to prevent such breaches before they happen. These intrusions occur because software and systems are imperfect and companies’ efforts to secure their systems are often ineffective (which could have roots in a perceived lack of economic incentive or the absence of binding regulation). Regulation and enforcement against cyberbreaches could work only if the cost of being compromised is so high that compliance is the only viable course of action. Of course, law enforcement has limited deterrence value against foreign hackers. Consequently, there must be a shift in thinking about cybersecurity, particularly when sensitive data is at stake. Regulation is prone to inflexibility, which could quickly leave it ineffective as technology evolves and develops. Hackers could figure out ever more sophisticated ways into consumers’ data, and security methods prescribed by regulations would soon become outdated.
That’s why, if we really want to secure our systems and prevent future Equifax-like breaches, the answer is counterintuitive: We should encourage more hacking against these systems. This would not be malicious hacking but, rather, the “ethical” type: cyber intrusions seeking to help secure systems by identifying security vulnerabilities before they can be exploited. If Nietzsche was right that order comes out of chaos, this is precisely the way to approach cybersecurity challenges. Incentivizing ethical hacking (or “white-hat hacking”) could be much more efficient than traditional forms of regulation. Put another way, encouraging a minimal degree of chaos could help prevent a major one.
Data breaches happen daily, and sectors are targeted indiscriminately. Americans’ credit card details, addresses, security clearances and voter data are just some of the sensitive information that malicious hackers constantly target, often successfully. Rarely discussed after initial reports of data being compromised are the ways breached companies handle vulnerabilities and whether they’re welcoming vulnerability disclosure efforts from the broader hacking community. While many tech companies including Google and Microsoft have vulnerability disclosure systems, companies that monitor credit, such as Equifax, do not have the same level of private-public cooperation with the community of ethical hackers. This often prevents these hackers from probing potentially vulnerable systems. HackerOne, a well-known platform aggregating vulnerability disclosure policies, has no reported guidelines for Equifax.
Although some companies have developed vulnerability disclosure programs, others are not particularly friendly toward ethical hackers who try to help. Cisco threatened legal action against researchers who disclosed vulnerabilities about its internet routers, and HP behaved similarly over a vulnerability in its Tru64 operating system. These inconsistent reactions about vulnerabilities reported by the broader hacking community point up an issue thoughtful legislation or regulation could address. Another foundational issue: making hacked entities directly accountable for data breaches.
Consider: Equifax’s breach might have been prevented if ethical hackers had more freedom vis-à-vis sensitive systems. In the aftermath of the breach, evidence of vulnerabilities was quickly publicized. Brian Krebs reported that Equifax used the default username and password—“admin/admin”—for at least one database. Had good actors been given more incentives to operate, or if vulnerability disclosure programs were mandated at every company that handles large amounts of sensitive information, this might have been spotted and secured earlier.
The issue here is not solely one of law and policy but also of democratic governance. A substantial number of companies process personal data without consumers having any form of influence over what these companies do and how they conduct themselves when it comes to that personal data. More freedom to ethically hack would create an oversight system that involves and engages the broader public and would allow ethical hackers to take part in security research. In the arms race between malicious and benevolent hackers, law should create a clear distinction and open up this space for scrutiny. Current laws and regulations not only fail to mandate routine ethical hacking but also make it illegal.
Ethical hacking on its own would not be enough to force companies to improve their cybersecurity. Even if ethical hacking is empowered and legitimized through law, that wouldn’t directly lead to systems becoming more secure. The next legal step would be to create a mechanism under which such vulnerabilities are reported, monitored and eventually fixed. An ongoing debate among ethical hackers is whether reported vulnerabilities should be communicated immediately to the relevant company or to the broader public. To force companies to fix their vulnerabilities, government-backed oversight and enforcement monitoring are needed over how companies handle these vulnerabilities. This is particularly relevant to the Equifax case, given that the vulnerability was known in March but the company didn’t sufficiently ensure it was fixed. In addition to supporting ethical hacking, the government also needs to sanction companies that are reckless with data or don’t repair identified vulnerabilities.
The values of ethical hacking can be applied to other sectors and issues facing cybersecurity threats, such as voting machines, smart devices used as a proxy for larger attacks, and government databases. Many vulnerabilities in these sectors are preventable if benevolent hacking were allowed and encouraged under the law. This country needs more penetration testing, port scanning, e-sniffing for vulnerabilities and possibly even intrusions—as long as they come from vetted and responsible hackers.