The U.S. Capitol in Washington, D.C.

ASU expert offers Capitol Hill testimony on Equifax hack

By

Marshall Terrill

ASU’s cybersecurity guru said before a U.S. Senate Subcommittee on Wednesday that massive data breaches like the recent Equifax hack, which exposed approximately 145.5 million credit records last month, is comparable to a human without an immune system.

“One small intrusion can cause massive effects that can shut down the system for considerable periods of time and cause considerable damage,” said Jamie Winterton, director of strategy for the Global Security Initiative, an interdisciplinary research hub at Arizona State University. “Our online systems are continually under attack, and it’s unrealistic to believe we can fend off every intrusion, every time. Cyber adversaries are clever and very persistent.”

Jamie Winterton

Winterton traveled to Washington, D.C., this week to give testimony to the U.S. Senate Subcommittee on Privacy, Technology and the Law. Entitled “Equifax: Continuing to Monitor Data-Broker Cybersecurity,” the hearing hoped to examine cybersecurity measures and industry standard practices in place at data brokers like Equifax, Experian and TransUnion. Two of those brokers — Experian and Equifax — have experienced major data breaches since 2015.

Equifax revealed in September that sensitive personal information was exposed in a data breach that lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers.

Winterton said threats are evolving more quickly than defenses, and companies collect and store vast amounts of personal data yet cannot adequately protect them.

“One reason why we can’t sufficiently secure online systems is because we fail to understand their complexity — from a computer science perspective, a social science perspective or a legal perspective, much less the overlap of the three,” Winterton said at the hearing.

Richard Smith, former Equifax chairman and CEO, and Tyler Moore, assistant professor at the University of Tulsa, also testified. The 11-member committee was chaired by Sen. Jeff Flake (R-Ariz.), who noted at the start of the proceedings that approximately 3 million Arizonans were affected by the Equifax breach.

Flake said the committee gathered to find out how secure consumer information was in the hands of data brokers.

“The answer: not very secure,” Flake said while looking at Smith, who has been under the microscope of Capitol Hill the past few days.

Winterton was asked to speak because of her broad expertise on cybersecurity as a complex problem — not just stolen consumer data. She said cybersecurity has far-reaching implications and also filters into areas such as homeland security, defense, intelligence, privacy and the U.S. economy.

Our lives are deeply intertwined with the internet, from purchasing goods online to research or signing up for a Twitter account. That means, Winterton said, it’s time to craft a forward-looking research agenda and “revolutionary approaches to the problem if we want things to change.”

Beyond credit data breaches, Winterton said she was more concerned about what a foreign adversary might be able to do with this sensitive information. She pointed to a breach at the Office of Personnel Management in 2015 in which approximately 21 million security-clearance files were exposed. This scenario, Winterton said, could leave a person “vulnerable to blackmail or bribery by an adversary to ‘leak’ classified information.”

Stopping massive consumer data breaches is not impossible, but it will require monumental effort from industry, government and researchers, she said.

“We must begin building systems that recognize an attack and defend against it, minimizing the damage of each intrusion — much like a health immune system isolates and destroys an intruding virus,” Winterton said.

She said the next generation of cybersecurity experts will come through universities, and it’s important to give them real-world, hands-on research experiences.

“Getting those research experiences in college means they are already contributing to solving problems,” Winterton said. “Universities have a culture of exploration; we embrace tough challenges and have the freedom to take risks.”

Leslie Minton contributed to this report.