The U.S. private sector received a wake-up call last week when the Department of Justice announced charges against four members of China’s People’s Liberation Army (PLA) for the 2017 Equifax hack that compromised over 140 million Americans’ personal information. Too often we think that nation-states are only after government secrets, and only cyber criminals would want any of our personal information. This oversight can be costly. Just ask Equifax. Or Marriott. Or Anthem. Or Sony.
Targeting of U.S. and allied private-sector data is a high priority for adversary nation-states such as China and others, who deploy advanced technologies and armies of digital warriors to constantly probe all of our information technology networks, looking for weaknesses and sweeping up anything of value. This latest pattern of targeting personal information by the PLA shows the sophistication of their longstanding effort to amass as much data as possible on Americans and our allies.
The U.S. government and the contractors who operate on the seams between the public and private sectors face this challenge daily and maintain a familiarity with the tactics and methods most commonly used by these adversaries. The indictment in the Equifax case highlights the increasing need for companies outside of this traditional defense industrial base to also understand how at risk they are and to take appropriate steps to protect themselves.
Our totalitarian economic adversaries long have been exploiting the digital disconnect between our government and industry, and in Western democratic societies we need our businesses to take the initiative to close these gaps. In the case of Equifax, several basic cybersecurity steps would have made it more difficult for the PLA to access, maneuver through and ultimately remove data from the network. The U.S. government cannot mandate that private-sector entities adopt certain security standards or protections, so it’s up to companies to take these steps on their own.
Unfortunately, many U.S. business leaders don’t know where to start, but there are some resources that can help businesses improve security posture and participate in established public-private partnerships to leverage collective knowledge about current threats and technology. Good information and concrete recommendations are available through the “Know Your Risk, Raise Your Shield” initiative at the National Counterintelligence and Security Center (NCSC) and the National Cyber Awareness System at the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security.
In addition to taking steps to better secure their data today, it would benefit U.S. and allied private-sector companies to start thinking about how their data will be protected in the future. Certain types of data lose their value over time, but many data types, such as Social Security numbers, retain their value for years. Because these nation-state breaches are targeting such massive data sets, it is highly likely that they contain information that will prove valuable well into the future. As we look ahead, it will become increasingly important that all organizations approach the storage of personal information in a smarter, forward-looking way.
Encryption technology provides a sufficient level of protection to keep data from being viewed today, even if it has been stolen. The challenge in the future will come when a nation-state such as China achieves a quantum computing capability. At that point, the encryption standards used today will be vulnerable to this exponential increase in computing power.
Conversations around the adoption of post-quantum encryption technology by both the public and private sectors have started and appear promising.
The Justice Department indictments of the Chinese military for stealing millions of Americans’ personal information is not only a wake-up call for businesses to start taking smarter steps to protect their data it also is a reminder to all of us that the challenges we’ll face in the future are best dealt with by making smarter collective decisions and collaborating across public and private sector lines.
Andrew Borene is the CEO of CipherLoc Corporation, an advanced encryption technology company. He formerly led teams at Symantec and IBM and was a senior advisor to the Intelligence Advanced Research Projects Activity (IARPA) and former associate deputy general counsel at the Pentagon.