Privacy and Cybersecurity in the Age of Data Analytics
Pt. 2 – Housekeeping and More
In part 1 (published 6/4/20), we saw how governments deploying data analytics need sound policies in place to preserve citizens’ expectations of privacy. In part 2, we look at the fat target presented by government’s massive collection of online data, and how to protect it from theft and exploitation by the wrong people.
Bill Burr apologizes. Even if you’ve never heard of Bill, you are likely affected by his work every day of your life. Bill was the principal author of the National Institute of Standards and Technology (NIST) Special Publication 800-63 Appendix A, which in 2003 recommended that every business, academic institution and government agency require complex passwords for each user and change them every 90 days. In practice, that policy produced 1) passwords that satisfy the complexity rules but are still trivial for cracking software to guess (“p@S$w0rd123!”), 2) unprotected, written password lists, 3) porous password recovery procedures built on questions anyone can research (“What was the make of your first car?”), and 4) billions of lost hours of productivity.
The weakness of these “security questions” is so well known that it has entered the realm of comedy. In the new Steve Carell series Space Force, the Russian liaison officer who is a mole hiding in plain sight suggests to the general’s grownup daughter that they should get to know each other better – for instance, who was her favorite childhood pet? What was her father’s mother’s maiden name?
The advent of data analytics and other comprehensive information management systems has permitted governments to collect sensitive information on a scale that was unimaginable just a decade or so ago. If people with bad intent get access, the tools to exploit that data are numerous and readily available, and the consequences are potentially catastrophic. Not only can private data wind up in the wrong hands, but the entire operation of government can be halted by a ransomware attack, as it is for hundreds of counties and municipalities each year.
The challenge for governments is even more complex than it is for the private sector. Where companies can (and probably should) lock down all of their sensitive information, governments must balance security against transparency and public participation. Information such as property ownership and taxes, home prices and mortgage terms, political party affiliations and public employee salaries are just a few of the categories that are essentially in the public domain, providing great places for the bad guys to start. No wonder the Center for Digital Government reported in 2019 that as of the previous year, 35 million voter records from 19 states were being offered for sale on a single site frequented by hackers.
With most government employees now working from home, a new risk has appeared as millions of work computers are deployed on home networks, many of them sitting behind a consumer router that still uses the manufacturer’s default admin password and has never been updated.
So what can smart governments do to reduce the risks and plug the holes? A three-pronged program features training, an updated password policy, and comprehensive cyber-defense:
Training. Fortunately, a majority of state and local governments in the US have instituted regular cyber security training for their employees. Well-written, engaging programs can be found online at reasonable prices, and usually contain modules on protecting personally identifiable information (PII), safeguarding health records (HIPAA), and defending against phishing attacks. Especially useful are those that continuously probe for weaknesses, sometimes simulating phishing attacks and praising employees who respond correctly. Governments should add to these practices minimum requirements for home network security and a way to routinely update work machines that are now living in employees’ homes.
Password policy. Around the time of his retirement from NIST, Bill Burr was interviewed in the Wall Street Journal about his password guidance, saying, “Much of what I did I now regret.” In 2017, NIST updated the policy in Special Publication 800-63B, and it contains major changes:
- Longer, simpler passwords (“passphrases”). These are easily remembered strings of mostly unrelated words, like “cowtableuranium” or “minimizesaltvaluecollisions” (okay, that one is an actual phrase from 800-63B). 800-63B drops the old composition rules (no more mandatory digits and special characters), requires a minimum of 8 characters, says systems should accept at least 64, and asks that new passwords be checked against lists of commonly used and previously breached passwords. Passphrases can be combined with a password manager and/or single sign-on to reduce the burden of recalling multiple passwords and the urge to write them down.
- Password change elimination. To the great relief of all, 800-63B says systems should not force periodic password changes; a change is required only when there is evidence the password has been compromised.
- Multifactor authentication (MFA). This means having a second (or third) way to verify your identity. While biometrics are making headway, they are still clunky and unreliable. Inexpensive MFA apps such as Duo that only require registering a second device like your phone are simple to deploy and easy to use. One caveat from 800-63B: codes delivered by SMS or voice call are classed as “restricted” because phone numbers can be hijacked, so an authenticator app or hardware token is the better choice.
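What the updated password guidance looks like when it is actually enforced is easier to see in code than in a bullet list. The following is an added example written for this article, not code from NIST or from any vendor named here. It applies the 800-63B memorized-secret rules (length bounds, Unicode normalization, no composition rules, a blocklist of breached passwords, rejection of repetitive or sequential strings and of context-specific words such as the agency name) and then stores the secret the way 800-63B requires: salted with a random value and hashed with an approved key derivation function (PBKDF2-HMAC-SHA-256 here). The blocklist, the iteration count and the sample inputs are constructed for illustration; a real deployment would check against a large corpus of known-compromised passwords.

```python
"""SP 800-63B style memorized-secret checks and storage (added example).

Assumptions (not from the article): BLOCKLIST is a tiny constructed stand-in
for a real breached-password corpus; PBKDF2_ITERATIONS is an illustrative
choice (800-63B only requires at least 10,000 for PBKDF2).
"""
import hashlib
import hmac
import secrets
import unicodedata

MIN_LEN = 8      # 800-63B: verifiers SHALL require at least 8 characters
MAX_LEN = 64     # 800-63B: verifiers SHOULD accept at least 64 characters
PBKDF2_ITERATIONS = 600_000  # assumption, see module docstring

# Constructed sample of a "commonly used / previously breached" list.
BLOCKLIST = {"password", "p@s$w0rd123!", "123456", "qwerty", "letmein", "welcome1"}


def normalize(secret: str) -> str:
    """800-63B: apply Unicode normalization (NFKC) before any check or hash."""
    return unicodedata.normalize("NFKC", secret)


def _is_repetitive_or_sequential(s: str) -> bool:
    """True for strings like 'aaaaaaaa' or '12345678' / 'hgfedcba'."""
    if len(set(s)) == 1:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_secret(secret: str, context_words=()) -> list:
    """Return the reasons a candidate password is rejected; [] means accepted.

    Note what is *not* here: no requirement for digits, upper case or
    special characters. 800-63B says verifiers SHOULD NOT impose them.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too short")
    if len(s) > MAX_LEN:
        reasons.append("too long")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in breached-password list")
    if _is_repetitive_or_sequential(lowered):
        reasons.append("repetitive or sequential")
    for word in context_words:          # e.g. username, agency name, service name
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def hash_secret(secret: str) -> str:
    """Salted PBKDF2 hash in the form '<salt hex>$<digest hex>'."""
    salt = secrets.token_bytes(16)      # 800-63B: random salt of at least 32 bits
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(secret).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(secret).encode("utf-8"),
        bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample inputs: the article's two passphrases, the old-style
    # "complex" password, and a password containing the agency name.
    for candidate in ("cowtableuranium", "minimizesaltvaluecollisions",
                      "P@S$w0rd123!", "CountyClerk2020!"):
        verdict = check_secret(candidate, context_words=["countyclerk"])
        print(f"{candidate!r}: {'accepted' if not verdict else verdict}")
    record = hash_secret("cowtableuranium")
    print("stored record:", record)
    print("correct passphrase verifies:", verify_secret("cowtableuranium", record))
```

The old-style “complex” password fails only because it is on the breached list, not because of any composition rule, which is exactly the shift 800-63B makes: the work moves from the user (remembering rules) to the verifier (checking against what attackers already know).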
Cyber-defense. As cyber-threats and the consequences of a breach increase, smart organizations are turning to more sophisticated ways to protect themselves and, in some cases, fight back. Start with good housekeeping: prompt patching, anti-virus software, and backups kept off the network (or otherwise unalterable) and restored on a schedule to prove they work, since ransomware crews deliberately seek out and encrypt reachable backups first. More recently, AI-based intrusion detection software has joined that list. Those who choose to fight back need a ransomware policy agreed in advance (who decides, who is called, and whether payment is ever on the table) and a strong relationship with law enforcement. If your organization finds itself the target of a cyber-attack, the FBI has teams in every field office ready to investigate and take down cyber-criminals (see https://www.fbi.gov/investigate/cyber).