Major corporations have made serious mistakes with information security recently, resulting in spectacular failures to protect business and customer records. After years of warnings, why do so many businesses still fail to deal properly with this issue? Eugene H. Spafford, a professor of computer science at Purdue University who frequently advises government, law enforcement, and big companies, has some ideas. He spoke with technology journalist Brian Krebs for Technology Review.
TR: You recently testified to Congress about the Sony breach, which appears to have happened after the company ignored warning signs about holes in its PlayStation network. How does an organization as big and as technologically advanced as Sony fail so massively on security?
Spafford: Some business management organizations simply do not have a proper IT security organization, and often that function is still kept under the company’s chief information officer. When that happens, the people who deal with security are way down the line, and they don’t have [access to] the CEO or the company’s board. So the security function of that organization isn’t funded and doesn’t have the authority at a high enough level to really operate the way it should. Many IT organizations have grown up from the level of system administrators who started at the bottom of the organizational hierarchy. These typically are people with computer science and technical training, but they don’t speak business. They don’t always understand risk or cost-benefit analyses. As a result, they are not able to present the business case for security and privacy issues. We learned recently that Sony didn’t have a chief information security officer [CISO] prior to the attacks that exposed personal and financial data of more than 100 million customers.
But is there any evidence that Sony’s lack of a CISO contributed to the breach? In other words, is the answer to these types of breaches really just to spend more money on security and add additional layers of organizational bureaucracy?
Well, CISOs aren’t exactly duplicating someone else’s job. For one thing, there is a bit of a conflict by design between the CIO and the CISO. The CIO’s job is to make information available, and the CISO’s job is to make sure that certain information is not available—limiting where information goes, setting rules for those who should have access to it, and then setting rules and consequences for when those rules are violated.
To your second question, there are many things that companies need to do and spend resources on that have no obvious return on the bottom line, including maintenance of their buildings and grounds, or equal-opportunity and antidiscrimination training. It’s the same thing with security policies: if you don’t spend enough on them and keep at them, at some point something bad is going to happen and you’re going to end up paying an awful lot more than you would have if you’d gone about it more proactively. It’s the responsibility of informed parties within an organization to understand the risks and appropriately plan the investment up front to build defenses against the most expensive risks, and to make plans about how to cope with what’s left when they occur. That has to be part of overall business planning, but someone at a high enough level in the organization has to understand that.
Sony’s case doesn’t appear to be an anomaly. It seems almost daily now that we’re hearing about breaches that expose huge caches of consumer information. Why do you think that is?
It’s a whole set of things that have come together, and not any one factor. We have more systems and data available on the Net than ever before. There are more people who are on the Internet and who are Internet-savvy, so there is a greater set of targets and a greater set of people who want to exploit those targets. And these crimes are occurring faster than the increase in law enforcement resources and our ability to deal with them. The crimes also are being masked better, and as a result the criminals are able to be bolder and there is less deterrent value. So many of them are going after much bigger targets.
Well, Sony isn’t exactly a traditional target, is it? Why are we seeing so many nonfinancial organizations being attacked?
Look at where the real value is today. The recent IPO of LinkedIn is a good example. Why did their stock price double within hours of their IPO? It’s because they have all of this information about users and their habits that people either indirectly or directly provide about themselves, and it’s the same reason Facebook is valued at tens of billions of dollars: the information can be mined, aggregated, and used for marketing purposes. This is very valuable information.
That means consumers run the risk of seeing their information breached or leaked no matter which services they use?
Many of us accept the idea that information about ourselves is not something we have control over, and in most cases we have no idea where it goes when it’s out of our hands. Take the recent breach at [e-mail marketing firm] Epsilon, for example: how many consumers impacted by this had even heard of Epsilon before their breach disclosures started? Meanwhile, organizations that collect that information often don’t have as strong a sense of stewardship over it as they should. Also, breaches can be much more serious when they happen to companies that provide software-as-a-service. And we’re starting to see more of these [when] a vulnerability or weakness is disclosed or exposed in one common kind of platform or infrastructure, and then you may see a bunch of these incidents cascade. So what might have been one breach for a relatively small company turns into a breach that affects dozens of others, because those companies rely on it for outsourced data services. And we’re only going to be seeing a lot more of that, I believe.
You’ve touched on a sore spot—the often fuzzy IT buzzword of “cloud computing.” Do you think organizational appetites for outsourcing their data to third parties will weaken anytime soon because of security concerns?
I think in the next three to five years, if tech development keeps going the way it has been, for various cost and policy reasons a lot of companies will realize that cloud computing doesn’t give them the advantages they were counting on and will move things back into a data center or private cloud.
Thirty to forty years ago, back when we had these massive data centers that were under control of centralized management because it was a huge investment in infrastructure, generally the data was under [tight corporate control]. Then we started moving out to distributed media and desktop PCs in most organizations, and I think the ’90s were about the low point in terms of centralized business control over computer systems. Now we’re getting back to the point where companies are realizing—especially with big shared databases—the importance of having more control over their data.