Facebook recently (and again) made the cybersecurity headlines, but for all the wrong reasons. As reported by numerous news organizations, on Sunday, September 16, Facebook engineers discovered that almost 50 million accounts had been compromised, and, weeks later, the public still doesn't know precisely what was taken, by whom, and for what purpose.
In more bad news for the company, the Irish Data Protection Commissioner also announced an official probe to check if Facebook complied with its obligations under the new General Data Protection Regulation. Coming relatively quickly on the heels of recent fines over the Cambridge Analytica scandal, it seems as if the company is entering stormy waters again.
Will these repercussions leave a lasting impact? That's a hard maybe. Historically, that's not how the aftereffects of breaches have played out in the commercial world. For example, cast your minds back to Equifax. Let's ignore how consumers felt about the company as the news of Equifax's woes broke, because that is irrelevant. Instead, let's get down to business … and I mean real business. Let's look at the stock price.
After the news became public, the company took a hard hit in the wallet, with its stock sliding to $95 per share, from the previous day's $141. A slow recovery gave it a 52-week high of $138.69 (reached on September 18, 2018), nearly matching the level before the company announced it had lost the personal data of almost 150 million people. It seems that the breach led to a sharp decline, a year of recovery, and then business as usual. That's really quite a run — and not a particularly unique pattern on news like this.
Such a recovery leads me to ask: Where is the outrage about breaches? Why does a breach of almost incomprehensible magnitude lead to such a quick recovery and so little lasting impact, despite long-term or even permanent consequences for those who lost their personal data?
My thesis for this is simple: We've become inured to data breaches. Our senses seared, if you will. Numb. At some level, we know they are bad, but a combination of factors has come together to mean that even with the best of intentions, the consequences to the stakeholder who lost the data are small compared with the potential impact on those whose data is now "out there" in the ether.
Three Drivers: Control, Consequences, Trust
To understand something this broad, I'm a big believer in perspective: We have to zoom out and take a more holistic view. To that end, I'd offer these following three drivers for our apparent laissez-faire attitude: a sense of a lack of control, the seeming absence of personal consequences, and the fundamental changes to trust that the last few years have witnessed.
First, there are huge issues around a sense of lack of control — and in this, users have a legitimate point. It's extremely difficult to protect one's own information online. Even if you opt out of social networks, use great passwords, and even switch to a more cash-only world, you are not going to be immune to data aggregation. Thus, people really don't have control in this space. That can lead to disengagement because there's a strong feeling that one's choices don't change the ultimate outcome. Faced with a world where one has a sense of no control, users just opt for convenience out of a type of denial.
The second issue is that there is no obvious and immediate connection to the breach and the personal consequences of it. For example, you decide to use a sketchy-looking website to buy something online because it's cheaper there. Months later, you notice some odd charges on your credit card, but you don't connect the cause to the effect. Another more serious example: We read about mega-breaches such as Equifax in the headlines … and then nothing appears to happen. When something does actually cause an impact — for example, you file your taxes just to discover an attacker has already snagged your rebate — you don't make the connection. This lag time between cyber events and personal events is a pernicious problem that's much broader than just breaches, and we need to think hard about ways to address it.
Finally, and this is a big one, there's the question of trust. In Rachael Botsman's excellent book Who Can You Trust? she argues — and I wholeheartedly agree — that how we trust has fundamentally shifted. While there was a time that our trust was based in brands and institutions, there has been a steady shift away to new models of trust … and distrust. Thus, there's a certain cynicism (we didn't trust them to begin with!) that means we don't expect better results than the ones we get. That belief then becomes a self-fulfilling prophecy.
What's at Stake
Combined, these factors have created the perfect storm that leaves us in an unenviable position. Logically, we know that much of the modern world is based on information and that by putting this information in the wrong hands, there will be negative outcomes. In fact, I'd go so far to say that breaches and the ready availability of information exposed as a result create issues that go well beyond personal security and snake out to threaten the foundations of democracy worldwide.
The stakes are high, the implications enormous, and the clock is ticking with respect to the time to act. Maybe for Facebook, things will play out differently because of the new EU laws, or some of the other headwinds the company is facing around privacy and nation-state-level psychological operations. Who knows? But in general, I firmly believe that nothing real will change until there is a genuine and informed sense of outrage over breaches, and that outrage, sadly, seems to be wholly missing in action.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.Dr. Richard Ford is the chief scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings over 25 years' experience in computer security, with knowledge in both offensive and defensive technology solutions. During his career, ... View Full Bio