No matter how hard we try to defend ourselves, in cyberspace the attackers always have the advantage.
The world has a way of reminding us of our own helplessness. The year 2020 has had more than its share of examples to choose among, but for those who prefer to direct their existential dread toward the inability of anyone to protect digital data, the recent revelation of one of the most significant cybersecurity attacks in history is an excellent place to start.
In the spring, hackers managed to insert malicious code into a software product from an IT provider called SolarWinds Corp., whose client list includes 300,000 institutions. About 18,000 of them were exposed when they downloaded a legitimate update from SolarWinds—the exact thing you’re supposed to do to keep your defenses fresh. The attackers spent months running freely through their victims’ networks before anyone noticed—harvesting secrets—and they may have been inserting vulnerabilities and doing who knows what else. The U.S. government and independent cybersecurity experts have tied the attack to hackers affiliated with the Russian government, and its victims include the U.S. departments of Commerce, State, and Treasury, Microsoft Corp., and cybersecurity firm FireEye Inc.
Sure, go ahead and mix a few special characters into the password for your email account if it makes you feel better.
In a sense, the SolarWinds attack is far removed from the security concerns of individual users, who are more vulnerable to such things as having their computers locked until they cough up ransoms denominated in Bitcoin. It’s not worth thinking too much about hardening yourself against state-sponsored hackers, just as you wouldn’t choose a deadbolt for your front door based on how well it would stand up to an intercontinental ballistic missile.
The options a government might consider in responding to cybersecurity threats are similarly not available to individuals. Much of the discussion in the wake of the SolarWinds hack has centered on how the U.S. can increase deterrence, which comes with the implicit assumption that there’s no purely technical fix to cybersecurity at the nation-state level.
In that respect, the breach has highlighted a weakness shared by large institutions and individuals. The digital landscape is far too complex for those who rely on it—us—to monitor all the ways we’re exposed. Major factors determining whether our data will be used against us are completely out of our control.
The SolarWinds incident is an intrusion called a supply chain attack whereby attackers sneak into a system by compromising a product on which it relies. Individuals have their own supply chains over which they have some, though not total, control. At times they inadvertently open themselves up to infiltration by choosing to use certain products, as in the 2017 attack on CCleaner, in which hackers altered the code of a product designed to erase web cookies and otherwise bolster users’ privacy protections. Just as in the SolarWinds attack, victims were then compromised when they availed themselves of the official update. At the time of that hack, CCleaner had been downloaded about 2 billion times.
In other cases, people are exposed when the digital supply chain of an institution they do business with is compromised, as with the 2013 hack of Target Corp. In that case, perpetrators made off with more than 100 million credit card numbers, addresses, phone numbers, and other pieces of personal data after compromising the company responsible for the retail chain’s HVAC system. There’s evidence that Target missed obvious warning signs, but it’s hard to say what the people whose credit scores were damaged as a result of the breach could have done differently.
The year before the hack, Target became a prominent example of another kind of personal data vulnerability, when the New York Times detailed how the retail chain analyzed shopping patterns to determine which of its customers were probably pregnant. Target then sent them ads for relevant products, in one case outing a 15-year-old girl who hadn’t told her father about her pregnancy.
A cyberattack and a violation of privacy aren’t the same thing, but both illustrate the consequences of individuals losing control of what others know about them and how those parties use it, says Dennis Hirsch, a professor at Ohio State University’s law school. Hoping to solve endemic weaknesses related to either security or privacy by relying on personal vigilance is like hoping to slow down climate change by persuading enough people to turn down their home thermostats. “The individual control model doesn’t work,” says Hirsch, who believes the debate over privacy policy has focused too much on giving individuals more choice about how they share personal information. “I can’t know enough to choose which credit card company is likely to spill my data because of its cybersecurity, and I can’t know which company is going to analyze my data to infer my mental health status and determine my creditworthiness.”
Chris Pierson, founder and chief executive officer of BlackCloak Inc., a company that provides personal cybersecurity for corporate executives and celebrities, is similarly pessimistic about anyone reclaiming control over all the information available online. “It’s something that honestly is worrisome, but you can’t mitigate it,” he says. He’s primarily concerned with the lengths people can go to reduce what he calls their privacy attack surface. “Can you remove your information from data broker websites so you’re a harder target? The answer is yes, absolutely doable,” Pierson says. “Will it actually decrease scams and all the rest? Yeah, it’ll make it much harder.”
BlackCloak offers a combination of securing passwords (using password vaults and setting up two-factor authentication on critical accounts), protecting physical devices (put that phone in a Faraday bag when traveling abroad), and constantly probing clients’ systems for weaknesses.
Weaknesses aren’t hard to find. Pierson says about 40% of clients come to BlackCloak unaware that they’ve already been hacked, which can mean anything from having malware installed on a personal device to having a security camera in their home livestreaming to a public website. For about 70% of new clients, the company finds a password to at least one of their accounts in the black market on the dark web.
Other services offer to give customers control over their data by maintaining physical control over it. One such company, Helm, sells physical servers that individuals can use as an alternative to email providers, photo-storage systems, and other services that store data on corporate servers. A person can allow new devices or accounts to access Helm’s data only after demonstrating that she has had physical access to the server itself.
Doing this eliminates one way that attackers—or marketers—gain access to personal data. But it also introduces other risks, such as having to be the physical custodian of your digital life, and headaches. As Giri Sreenivas, Helm’s CEO, says “it’s about how much friction you’re willing to accept.” And it becomes complicated, if not impossible, to opt out entirely. There are entire industries based on gathering such data without bothering to check with you first.
The last decade or so of building a global technology industry that seeks to maximize consumer convenience has led some privacy experts to bemoan a rising data nihilism. An often-repeated dynamic is the tendency of U.S. internet users to say they value privacy while demonstrating an unwillingness to do anything about it. It would be understandable just to give up, given the numbing procession of examples demonstrating how difficult it is to protect against privacy intrusions or cyberattacks.
But people do keep trying, says Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University. The lab studies the approaches to privacy and security by nonexperts, who Cranor says tend to see them as a single issue. People are trying to reduce risks even if they know it won’t stop them from feeling exposed. After all, what else are they going to do? “There definitely is a sense of resignation,” she says. “They say, ‘I have no privacy.’ But they’re still closing their blinds and locking their doors, both literally and digitally.”