Expert report likely to be pivotal as Anthem data breach litigation goes forward
14 April 2017. By Mike Swift.
In late August 2014, Matthew Cairns, an information security official at Anthem based in Indianapolis, was in a frustrating position: blocked in his attempt to plug a security hole that an expert witness in ongoing federal court litigation says enabled one of the largest data breaches in US history.
What Anthem allegedly failed to do next may well determine whether the case wins class-action status and is ultimately heard by a jury in a trial that could put the health insurer at risk for a multimillion-dollar damage verdict. So may the credibility of the expert witness who has assembled the evidence into a rare and highly detailed view of the chain of events leading up to the breach of the personal information of nearly 80 million people.
Back in the summer of 2014, two groups of Chinese hackers Anthem's information security team had dubbed "Violin Panda" and "Nightshade Panda" were for the fourth time that year inside the insurer's computer network and manipulating it in ways that the company didn't fully understand. Anthem's InfoSec team had received an alert that nine Anthem servers were trying to communicate with malicious external servers associated with the hacker groups.
A few months earlier that year, the InfoSec team had detected that as many as 10 servers and an employee workstation were infected with an advanced type of malicious software. That malware had commanded Anthem's network to send data to a known malicious Internet protocol address in China.
In early August, Cairns' security team had determined that one of 89 users who changed their passwords was likely a malicious intruder who had potentially forced the password change for all those users as a ploy to steal network access credentials.
Given that chain of worrisome events, Cairns urged his superiors to take a significant step. Anthem should not just "re-image" the infected servers, a process by which all data is wiped from the server and its operating system is reinstalled. He said the company should also reset all passwords for a large group of potentially compromised cloud servers belonging to outside vendor Citrix Corp, where Anthem stored personal information about millions of healthcare subscribers.
According to evidence gathered by Matthew Strebe, an expert witness for the plaintiffs in the data breach class-action litigation against Anthem, Cairns was not only rebuffed — he was reprimanded by his superiors for making that recommendation known within the company.
One expert's analysis
To detail that chain of events in 2014, Strebe drew on the sworn deposition of Cairns, who after leaving Anthem became director of security operations for drugmaker Eli Lilly & Co. He also used the sworn statements of other Anthem data security officials, internal e-mails and other company records.
"Cairns' recommendations were correct, reasonably complete, and likely would have prevented the data breach that occurred, in my opinion," Strebe wrote in an 82-page expert report filed in US District Court in San Jose, California.
"In a properly functioning InfoSec environment where security is more important than the appearance of compliance, fear of repercussions including litigation, and keeping expenditures low, Cairns would have been rewarded for his thoughtful analysis rather than excoriated for documenting the fact that Anthem knew what it needed to do but decided against doing it," he wrote.
Strebe said that during 2014, Anthem ultimately fell victim to eight China-based advanced persistent threats. Called 'APTs' in security jargon, such attacks involve a hacker gaining unauthorized access to a private network and lurking undetected for a long time with the capability to gain control and cause harm.
A series of technical mistakes by Anthem's security managers in failing to fully respond to those attacks, Strebe said, ultimately led to the early 2015 data breach by the Chinese hackers. Anthem alleges that the hackers were sponsored by the Chinese government.
Strebe said there were also organizational flaws at Anthem that left the insurer vulnerable to hackers, such as the chronic underfunding of cybersecurity efforts.
"Anthem's senior leaders seem to have no real understanding of cybersecurity at all and were not competent to assess cybersecurity risks," the expert concluded in his report.
The Anthem data breach stood as the largest in US history until last year, when Yahoo revealed two earlier separate breaches that combined affected more than 1 billion accounts. At least one of the Yahoo breaches was a Russian state-sponsored attack, US authorities say. But no information remotely close to the detail in Strebe's report on the Anthem breach has yet emerged about the Yahoo breaches.
Strebe's report includes references to a number of e-mails sent by Roy Mellinger, Anthem's former chief information security officer. The expert said Mellinger had tried to warn superiors about security holes for several years.
In a 2013 e-mail to Anthem's then-Chief Information Officer Gloria McCarthy, Mellinger warned that Anthem's "security infrastructure is sufficient to protect us from the most general threats, but anything sophisticated or intentional will find our defenses lacking. APTs … would probably be successful and we could not successfully defend against them at our current state."
In an e-mail to another Anthem executive, Mellinger complained that health insurance competitors Humana and United Health spent 3.5 to 4.5 percent of their total IT budgets on cybersecurity. "Year over year our security budget has been 1.8%. Very hard to implement improvements with a flat security budget, cost reductions three years in a row [from 2011 to 2013]," he wrote, according to Strebe's report.
Anthem said in a statement to MLex on Friday that its defenses before the attack, and its response afterward, were reasonable and proper.
The company has already begun to challenge Strebe's analysis in court.
The report was written to argue that Anthem's allegedly weak cybersecurity affected all of its subscribers equally, a conclusion necessary for US District Judge Lucy Koh to certify the case for class-action status. In a motion filed last week, Anthem asked Koh to strike Strebe's testimony, saying that his two reports were "fundamentally flawed," and that he lacks the professional qualifications to be recognized by the court as an expert witness.
Strebe "admits that, other than a high school diploma, he has no 'training or education,' certifications, or other credentials in the field of information security," Anthem said in the motion, which quoted the federal judicial standard for being recognized as an expert witness.
"He has not authored a single peer-reviewed paper or study on any topic. Therefore, Plaintiffs must prove that Mr. Strebe is otherwise qualified based on relevant 'knowledge, skill, [or] experience.' They cannot do so," the company said.
Strebe, the founder and CEO of Connectic, a San Diego data security firm, works from his home, and his company typically only works with smaller companies that have 10 to 100 users. "And his single experience with an Advanced Persistent Threat (APT) nation state actor, like the one that attacked Anthem, was 15 years ago," Anthem added.
Strebe got his data-security start as an electronic warfare technician in the US Navy, rather than by the more traditional path of a university computer science department. But his listed credentials include installing the first fiber-optic computer network in a US warship during his service in the Navy during the first Persian Gulf War, before going on to found his own data security company in the 1990s.
He has also authored multiple books about computer network security and related topics; he currently has 16 books listed on Amazon.com that he wrote or co-authored, including "Network Security Foundations: Technology Fundamentals for IT Success."
Moreover, Strebe is a computer hacker himself.
Indeed, he lists that fact as a qualification for understanding the thinking of people like those who outwitted Anthem's defenses. But Anthem is likely to use Strebe's acknowledged history of breaking into computer networks to undermine his credibility.
Anthem has hired its own expert witness, Stefan Savage, who is challenging Strebe's expert report. The plaintiffs are due in early May to file their defense to Anthem's challenge to Strebe's report.
Eve Cervantez, a San Francisco-based lawyer for the plaintiffs, declined to comment about Strebe's report Thursday, other than to say the report "speaks for itself."
In a deposition in January, Anthem lawyer Craig Hoover quizzed Strebe about his own hacking experience, and Strebe acknowledged hacking into servers at Brigham Young University and the Utah Transit Authority while a teenager.
Hoover also challenged Strebe on his lack of university education. "So you don't have a master's degree?"
"I have never been to any form of secondary education," Strebe said.
Others who have investigated the Anthem breach have said the company's response was reasonable. A report done late last year for the California Department of Insurance and other state regulators concluded that Anthem's response to the breach was "timely" and "effective."
"Once the Data Breach was identified, Anthem responded quickly and effectively to the Attacker's presence in its network, fully removing the Attacker's access to the network within three days," said the report, which also noted "deficiencies within Anthem's cybersecurity posture."
—Additional reporting by Xiumei Dong in San Francisco.