Without regulatory fix, Palmore sees no end to data breaches
8 March 2018. By Joshua Sisco and Mike Swift.
From an anonymous suburban office park in Silicon Valley, a team of federal investigators under M.K. Palmore reached around the world last year to unmask four men accused of looting personal data from more than 500 million Yahoo accounts.
“We’re pretty good at identifying who’s on the other end of the keyboard,” said Palmore, the assistant special agent with the Federal Bureau of Investigation in charge of the cybersecurity branch for the bureau’s San Francisco, California, division.
But ask the 21-year FBI veteran to name the one thing that would most stem the seemingly endless series of data breaches like last year’s Equifax debacle, and Palmore doesn’t mention more agents or better computer resources — though those would be welcome.
“I think there’s got to be some regulatory involvement from the government,” Palmore told MLex during a recent interview at an FBI field office near San Jose, California, in the heart of Silicon Valley. “It’s one of the problems where I think some form of regulatory oversight will help bracket the problem a little better for us.”
Palmore’s team of federal agents has investigated some of the largest data breaches in history. In the Yahoo case, his team’s work led to the indictment of two intelligence officers of Russia’s Federal Security Service, and a third Russian who is one of the world’s most wanted cybercriminals, Alexsey Alexseyevich Belan, 30. A fourth man, Karim Baratov, was arrested in Canada last year and pleaded guilty to computer fraud and identity theft charges in November in San Francisco.
By regulatory involvement, Palmore means some sort of national cybersecurity standard that would set clear cybersecurity expectations for every company that handles data, and that would set punishments for companies that fail to comply.
“We don’t have that right now. Everyone is on their own sheet of music,” Palmore said. “It will alleviate [companies] of having to make that hard decision of acting on their own if they have that kind of hammer standing over them.”
The FBI agent praised Europe’s forthcoming General Data Protection Regulation, in part because it requires many organizations to designate a data protection officer who is accountable for how personal data is handled. But without more regulatory pressure in the US, Palmore is not optimistic that the pace of breaches will slow, even with recent law enforcement successes such as the Yahoo indictments and the takedowns of international online criminal operations such as Silk Road, Avalanche and Infraud.
“I don’t think that, in and of itself, will stem the tide, because what you’re describing is the FBI wrangling the horses that have already gotten out of the stall,” Palmore said. “What we need to do is place emphasis on the actual fences that are protecting the horses.”
— US is out of sync —
The United States is a rarity among developed nations in lacking a national data protection law. And increasingly, regulators, consumer protection advocates and law enforcement officials such as Palmore say enforcers such as the Federal Trade Commission need a better toolbox.
Lacking a national data security law, the FTC must rely on the prohibitions against unfair or deceptive conduct in Section 5 of the FTC Act to bring data security cases. Unless a company has made misleading statements about its data security practices, the FTC must depend on its harder-to-prove unfairness authority to bring a case.
Nor does Section 5 give the FTC the authority to levy a civil penalty for a first-time violation; fines are available only once a company breaks an existing FTC order.
Just this week, a House Financial Services subcommittee heard testimony on the Data Acquisition and Technology Accountability and Security Act. The bipartisan proposal would give the FTC civil fining authority and require a breached entity to notify regulators and law enforcement such as the FBI if the breach affected more than 5,000 people, or if there was a reasonable risk of future harm to consumers.
But the bill is far from final, and state attorneys general say it doesn’t go far enough and would hamper their ability to prosecute breaches.
In his Senate confirmation hearing last month, President Donald Trump’s choice to become FTC chair, Joseph Simons, said the FTC needs the authority to levy fines in data security cases.
“One of the things that I’m extremely concerned about is whether the FTC has sufficient authority to deal with data breaches, particularly in terms of being able to create a sufficient deterrence, to create an incentive for the companies to take care of consumer data as they should,” Simons said.
Section 5 of the FTC Act is a general conduct rule that says nothing specific to data security, said Justin Brookman, a former FTC official who is now director of privacy and tech policy for Consumers Union. “It would be good to have a statute that says that, backed up by a civil penalty authority,” Brookman said.
That is Palmore’s hope. “Government and law enforcement are a component of the solution” to data breaches, he said. “But we’re not the whole solution to it.”
— A board-level problem —
In fact, without buy-in from top management across the corporate world, responding to data breaches will be little more than an infinite game of whack-a-mole.
“A large sector of the business industry frankly is not prepared for what reality is today, because they haven’t invested the time, resources, and adequacy in protecting their enterprises,” Palmore said.
And there is urgency in getting started. For companies with little cybersecurity infrastructure in place it can take as long as five years to reach “a decent level of maturity,” Palmore said.
Corporate executives and directors are just now beginning to realize that data security is not just a technology problem, but a significant source of risk for the entire company. It raises the difficult question of “how much do we invest in this problem?” Palmore said. “Nobody gets out of this without spending some money.”
It’s critical, Palmore says, that top executives begin to see securing their company’s data as a central mission for the company — not just a function for the engineers and programmers who run the computer systems. “For too long, cyber risks have been looked at as merely an IT problem, and they are not just an IT problem,” he said. “They are an enterprise problem, because technology finds its way into nearly every aspect of the business these days.”
And securing its own data does not end a company’s responsibility: legislative solutions will require collaboration with the private sector, Palmore said. “The legislature isn’t capable in a vacuum of creating the left and right limits that we need” without input from the private sector.
“Until we get to the point where there is an adequate status quo of protection — I don’t know what that looks like because we haven’t seen it yet — but until we get to that point, data breaches will continue to be the norm.”