The Marriott data hack casts light on current regulatory, technological quagmires
On November 30, 2018, Marriott took the runner-up prize in a contest that no business wants to win, by announcing 500 million accounts had been hacked, the second-largest data compromise behind Yahoo’s 2013 hack that exposed 3 billion accounts.
“We are in the [cyber] arms race right now,” says Azer Bestavros, founder of Boston University’s Rafik B. Hariri Institute for Computing and Computational Science & Engineering. “Hackers are becoming more sophisticated against an industry that is refusing to do it right.”
Businesses have managed their data largely the same way for the past 40 years, and they’ve been slow to change, Bestavros says. What that means, he says, is that until society is willing to make cybersecurity a top priority and find ways to stop these massive breaches from happening in the first place, rather than reacting with patches each time a new one occurs, they will simply keep on coming.
A totally failsafe system, as Bestavros suggests, would require the IT industry to essentially start over with a completely clean slate — building a safe, protected cyber infrastructure rather than trying to fix an inherently leaky one. How leaky is it? Just ask Target, JP Morgan, FriendFinder, LinkedIn, Equifax, Sony, Dropbox, Home Depot, even the National Archives and Records Administration.
Meanwhile, until regulations and incentives give businesses a reason to move the needle, hackers are quickly evolving in how they breach databases, what their motivation is, and also in who they are.
“It used to be lonely individual hackers, but now we’re getting more organized groups of criminals and even nation-state–sponsored intrusions,” says Bestavros, who is also a William Fairfield Warren Distinguished Professor of computer science. Their motivations vary — some want credit card data to steal money, others want demographic data to influence elections.
In 2016, an organized group of Russian operatives hacked Democratic political groups and Illinois voter registration records. More recently, just two days before Marriott announced its data breach, researchers attending the CyberwarCon forum in Washington, D.C., warned that Russian cyber attackers are targeting the US electrical grid, searching for vulnerabilities to intrude on electricity generation and transmission systems.
“The cybersecurity solutions that we know could be bulletproof will require significant changes to infrastructure,” Bestavros says, including tightly controlled supply-chain security and quality control. “If we outsource manufacturing of chips to China or Russia, for example, and it’s not designed to specifications, then we’ll have trouble. You have to have security from the bottom up.”
With Chinese researchers leading the race to develop quantum computers — based on a system of small particles existing in two states rather than on the binary digits, 0 and 1, like today’s computers — some experts believe that quantum encryption will be the next forefront of cybersecurity. But Bestavros is skeptical, considering the pursuit of quantum encryption as more of an insurance policy against that potential future rather than a pragmatic focus area.
“At best, we are decades away from the threat of quantum computers making traditional cryptography obsolete (I have my doubts it will ever happen),” he says.
A hazy regulatory horizon
Although it’s not yet known how Marriott’s breach happened or who was behind it, the hotel chain is likely facing months of ensuing state and federal investigations into how responsible the company is for the breach.
“Whenever a breach is reported, state attorneys general and the Federal Trade Commission have been at the forefront of bringing lawsuits,” says Julissa Milligan, a visiting professor in the BU/MIT Technology & Cyberlaw Clinic. “In most cases, you’ll see a negotiated agreement in which the company will agree to a variety of protections” intended to “take reasonable security measures to assess software and privacy compliance.”
Agreements like this, Milligan says, are designed to improve a company’s security practices following a breach and to give the FTC and state regulators an easier path to suing the company if something goes wrong in the future.
If, for example, a company commits to taking specific action, and it doesn’t actually make good on that promise, the FTC could sue.
But Milligan says the FTC’s authority in data breach cases has become hazy in light of a June 2018 ruling by the United States Court of Appeals for the Eleventh Circuit, which challenged the FTC’s traditional method of pursuing these types of cases. The court’s decision hinged on the fact that it felt “reasonable security measures” was too ambiguous of a yardstick to determine fault for a specific security failure.
“Traditionally, when the FTC is investigating a data breach, if it finds that the company has committed unreasonable data security practices and consumers are likely to suffer substantial injury, the FTC would seek to hold the company liable,” says Milligan, who is also a member of the Hariri Institute’s Cyber Alliance. “But the Eleventh Circuit has cast doubt about whether that’s specific enough.”
Since then, the FTC has been convening roundtables to understand the situation better and decide if it needs a statute giving it additional authority to pursue cybersecurity cases.
“The FTC is trying to tell Congress that this is a really big problem,” Milligan says.
Yet, what’s needed to be more secure is not black and white. “On one hand, there’s desire by companies and regulators to provide clear rules, but in the context of the complex interactions between hardware and software, layered over specific applications and human behavior, it’s difficult to craft rules that will perfectly protect a company and its customers from a data breach,” Milligan says. “The challenge lies in the desire to remain flexible to recognize hackers are always evolving — you can get it right 99.9 percent of the time but a hacker only needs you to get it wrong once.”
Milligan says she believes data security will improve as organizations, and individuals, move toward better-established practices and standards, but doubts that a set of specific rules and regulations will ever be able to stop all threats.
To achieve 100 percent security, Bestavros says that new technology, not just regulations, is needed.
“If you think about breaches like Marriott, they had everything in one place, in one database,” Bestavros says. “Intruders lurking in the background can then easily collect this data because it’s all right there. Instead, imagine a setting where data is not stored in one place but split into pieces, encrypted and stored amongst separate places, so that if any one place gets breached, [the fragmented data] has no value” for hackers to use.
But moving from the current model of creating patches and workarounds to solve security problems in legacy database software and hardware, toward adopting a completely new system, built from the ground up with mathematically proven security features, would take years, maybe decades, and cost billions. It would also require leaders in Washington to acknowledge it’s a problem that needs to be handled proactively, rather than reactively. And then find the money to pay for a solution.
“I think when society wants cybersecurity bad enough, it will be willing to pay for it,” Bestavros says. The last few decades have seen “an IT gold rush; everyone building systems without thinking of the implications, but I think the day will come when people say our privacy is worth ‘X,’ and companies will have to adopt better systems because it will be part of the economics.”
This article was originally published on Boston University Research.
For additional commentary by Boston University experts, follow us on Twitter at @BUexperts. Follow Azer Bestavros at @Bestavros, the Rafik B. Hariri Institute for Computing and Computational Science & Engineering at @BU_Computing, and the School of Law at @BU_Law on Twitter.