The recent revelation of a historic hacking attack on U.S. businesses and government targets has put America’s national security apparatus in a conundrum. On one hand, the scale of the likely Russian sponsored attack is an excellent cudgel with which to press Congress for more power and money to fund secretive — and constitutionally problematic — national security programs. On the other, it proves that privacy hawks have been rightfully concerned about the state of America’s data security.
Earlier this month, reports surfaced that a major IT security company, SolarWinds, was hacked and its software corrupted to include a “back door” easily exploited by other hackers. This corrupt software was then unknowingly pushed by way of an “update” to an estimated 18,000 customers – including numerous Fortune 500 companies and several government agencies – which left the back door wide open to hackers for months prior to being discovered. Experts suggest we may never know the full scale of this attack, or the degree to which it imperils America’s national security.
That the hack involved a malicious back door is an irony not lost on privacy hawks, who have for years warned against federal agencies (especially the ultra-secret National Security Agency) having the power to force private software providers, smart phone manufacturers, and social media giants to build back doors that allow for surreptitious government access to users of their products and to their companies’ databases. The resulting compromised security has been as regrettable as it was predictable.
In 2015, for example, the Chinese government is suspected of hacking into the NSA itself, via an encryption back door the agency demanded of a major cybersecurity company. Even earlier than that, the NSA was involved in developing one of the most effective hacks of Microsoft systems, only to have this tool stolen by hackers and released to the public, where it is now accessible by criminals, foreign governments, and all manner of non-state actors.
It would be one thing if U.S. intelligence and law enforcement agencies were involved in just one side of this perilous game of cat-and-mouse between hackers and sensitive databases. Congress then could use its legislative and oversight powers to prohibit these agencies from engaging in practices that weaken private sector security and encryption. However, in addition to weakening available cybersecurity measures, government (at all levels) also has a well-known, insatiable thirst for data on private citizens that makes it a target rich environment for attackers.
It is not necessary to watch the Netflix documentary The Social Dilemma to understand the frightening extent to which social media companies are creating a comprehensive data model of all users. This massive database documents past and present behaviors, and increasingly is able to predict future behavior; truly the Holy Grail for hackers whether to gain market advantage or to blackmail individuals with top-level security clearances.
This month’s revelation of a historic, prolonged, and almost certainly continuingattack on America’s vital government networks, is a stark reminder that Uncle Sam’s internet security infrastructure is woefully inadequate and in desperate need of an overhaul. Even more important, the attack highlights why the federal government should not be allowed backdoor access to private sector encryption capabilities.
Updating America’s cybersecurity infrastructure to meet the increasing talent of foreign threats is a Herculean challenge and is one that never ends; hackers never sleep, and we do at our own peril. Allowing government agencies to have backdoor keys to private encryption capabilities actually heightens the risk that unfriendly hackers will gain access to even more private databases than they otherwise would.
This most recent massive data hack should be a clarion wake-up call for the American people to demand that the Congress at long last take real action to limit the information on individual citizens that is collected and databased by federal agencies, whether the Transportation Security Administration, the Centers for Medicare and Medicaid Services, the FBI, or the dozens of other agencies that now routinely gather detailed private information on millions of citizens.
Simply continuing down the oft-hacked path on which the government now trods electronically, will only become less and less secure over time.