Why We Need a Real National Breach Law
Okay, let me just say this at the beginning. This post is opinion. There is certainly factual information (or the closest to fact that we have), but in the end, this is just my opinion.
Currently, most cyber breaches are not reported. Even when breaches are reported, they are often missing key information, hard to interpret and written by spin doctors who are trying to reduce the risk of the company getting sued.
Here is one example. There are likely at least two sides to every conversation. We don’t have all of the information, so that makes things hard. I leave it to you to come to your own conclusion.
The company is UBIQUITI. They make network equipment like switches, routers, WiFi access points and firewalls and other Internet connected devices (IoT). I read somewhere that they have sold close to 100 million devices.
What happened? Someone, a hacker or hackers, got into an IT admin’s password vault and stole the credentials that gave them master access to Ubiquiti’s Amazon account.
Many of Ubiquiti’s products are remotely manageable from the Internet. By losing control of their AWS environment, the hackers likely could have taken over many of those devices remotely. Silently. And if the hackers are smart, they could stay there forever.
Here is the story from a contractor who was brought in after the breach, which started last December, to help fix the problem and who talked to cybersecurity reporter Brian Krebs.
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
According to Adam, the hackers had full read and write access to Ubiquiti’s databases at Amazon. He says that the breach disclosure was written in a way to minimize the damage, imply that a third party (Amazon?) was at fault and that Ubiquiti was just an innocent bystander.
The announcement said that they had become aware of unauthorized access to certain systems hosted by a third party. They said that they were currently not aware of evidence of access to the data, but they can’t be sure that data was not exposed. They encouraged users to change their password and enable two factor authentication.
In reality the hackers had admin access to Ubiquiti’s servers at Amazon, full source code, encryption secrets for single sign-on and remote access. But what they said sounds less scary. Also in reality, Ubuiquiti didn’t have sufficient logs to know what the hackers took. That is why they could legally say they didn’t have any evidence. Because there was no evidence.
Ubiquiti found a back door the hackers left behind, but when they disabled it, the hackers said that they wanted 50 Bitcoins (about 3 million dollars) to keep quiet and also gave them proof that they had stolen their source code. Ubiquiti did not bite and eventually found another back door. Are there more? Don’t know.
Rather than scaring customers by “invalidating” their credentials, they just said, hey, you should change your password. You should probably do that when you logon again – whenever that was. Those credentials would allow a hacker to control that customer’s network devices.
According to Adam, legal, not IT, was controlling the narrative and deciding what they should do.
Ubiquiti’s stock price was $243 on January 13th. It was up to $370 by March 21st. That is when Brian Krebs broke his story. The stock is at $289 today, so at least investors have not been hurt. So far.
But likely tens of millions of users don’t understand what happened, have not taken any steps to protect their homes or businesses, and may never do so.
In the absence of a strong, national breach notification law with very specific requirements, stories like this will continue to happen.
In light of the SolarWinds breach, it is likely that the feds will issue an executive order that requires companies that sell stuff to the government to disclose any breach quickly. It is thought that the EO will be released next week. We shall see what is in it.
While an EO like that has no effect on private sales, if a company sells to the government and also to the private sector, it is going to be hard to disclose a breach to some of their customers and not others. Hopefully, the EO won’t allow a company to disclose a breach under some sort of confidentially clause.
In the absence of Congress doing what it should, this may be the best we can get for now.
As I said, my two cents.
by 