Last year kicked off with Cambridge Analytica being exposed for acquiring access to private data on at least 87 million Facebook users and wrapped up with Marriott announcing that 500 million of its accounts had been hacked. Quora, MyFitnessPal, Google+, MyHeritage, and Lord & Taylor also recently experienced cybersecurity breaches—each exposing the sensitive data of millions of users. As 2019 gets underway, cybersecurity threats continue to loom. So how can we protect our data? BU Research asked Ari Trachtenberg, Boston University professor of electrical and computer engineering, cybersecurity expert, and member of the Boston University Cyber Alliance, for his take on the most widespread cybersecurity threats to anticipate in coming months—and the policies, regulations, and business practices that can help mitigate cyber risk and increase privacy protection.
BU Research: What is the most widespread cybersecurity threat we should be aware of?
Trachtenberg: I believe that “privacy” will dominate our concerns this year. We have already seen how seemingly inconsequential privacy leaks (i.e., Facebook posts to friends) can be leveraged for political advantage (i.e., the 2016 election), and I expect that legislative bodies will be taking an increasingly strong position on the data rights of consumers—as has already happened in Europe with the General Data Protection Regulation (GDPR).
Businesses can get ahead of this by suggesting transparent and independently verifiable protections for consumers. However, it is also becoming increasingly clear that there is very little that consumers can do to mitigate their loss of privacy from third parties (with whom, very often, they do not even have a relationship). Perhaps the most effective recourse (in democracies) is political.
What are the biggest policy gaps from a privacy perspective that need to be addressed?
With respect to data privacy, I think that the most important task that can be accomplished by government (not just the White House, but also Congress and the judiciary) is to define a clear liability for loss of privacy. Today, companies can lose personal and sensitive information on millions of customers with little more than a social stigma (which companies have lots of experience battling through their public relations departments). Our courts do not know how to put a dollar amount on a person’s loss of privacy. As a result, there is no clear and strong financial incentive for companies to tighten their privacy protections. It feels like we live in a privacy Wild West, where each week an even bigger privacy breach is reported—and that’s only among those that are actually publicly reported.
Liability has proven an excellent way of addressing such issues in the product landscape, where, for example, manufacturers now carefully test their electrical equipment and get Underwriters Laboratories (UL) certification or risk significant lawsuits if people get injured. To see similar success in the cyber world, we need a well-defined and enforceable definition of privacy liability.
Do you think there will be a push for more regulations on how big technology companies, such as Facebook and Google, use and monetize consumer data?
I think that there will be a push for either breaking up big technology companies or regulating them much more heavily. The big tech companies each maintain control over historically unprecedented amounts of data that, with the help of modern computing, are highly individualized. On the one hand, they appear to have the power to swing elections and social policies, steer financial and stock markets, and read trends at a scale never before possible. On the other hand, their newfound wealth allows them to propel grand challenges and technical vision that cannot be enacted on a smaller scale (i.e., autonomous vehicles, searchable global encyclopedias, worldwide buying markets, etc.).
My preference would be for breaking up the larger companies rather than regulating them, as loophole-free regulations are notoriously hard to write properly without stifling innovation and transparency.
Data privacy and data security have long been considered two separate missions with two separate objectives. Do you think this is changing?
With respect to data privacy versus security, I would say that the two are technically (but not socially) inextricable. Security breaches are responsible for huge losses of privacy, and privacy breaches can often be leveraged for security vulnerabilities. However, as I mentioned earlier, unlike the broad cybersecurity area, there is very little financial interest in protecting privacy in today’s industrial (or, frankly, governmental) landscape.
Consumers are paying more attention to maintaining and controlling their personal privacy and data from corporations. Aside from potential policy regulations, do you think new technology solutions will emerge to help consumers maintain better control of their data?
The technological threat landscape is huge, and we really do not have a handle on how to technically protect it. My personal thought is that the task is impossible—much like making a pick-proof lock or an unsinkable ship. Instead, we need to focus our attention on joint technical and legal solutions.
What should modern-day cybersecurity officers be doing to mitigate the growing data privacy risk?
There is always more to be done in the cybersecurity domain, but there are some basic “best practices” that every chief information security officer (CISO) should know and train employees to maintain.
One way to mitigate privacy risk is, quite simply, not to store or process private or sensitive information. Companies should think very carefully about every bit of information that they get from customers, weighing the benefit of having this information against the risk of losing it. The problem is that very often, companies do not realize just how damaging the information loss can be. For example, the LinkedIn 2012 breach of (poorly) hashed passwords would later be used in extortion emails, which used the cracked passwords to convince unfortunate recipients that the extortionists had compromising information.
Where do you think the most funding is needed in cybersecurity research? Are there areas that you feel should be prioritized?
I think that the US needs, quite desperately, more funding for basic research of all types, not just cybersecurity research. True innovation does not often come from administrative guidance, but rather through inspiration and chasing down unforeseen ideas.
What impact would you specifically like to achieve in the cybersecurity/privacy space?
I have been analyzing the emerging field of side channels, where information is leaked (typically unintentionally) from the regular use of technical devices and software. My goal would be to develop some broad, overarching properties of these channels, where they form, and how we can mitigate them. The impact of such work would be a safer, more open technical world—but very few people would actually realize it.