How (and why) the U.S. fails at cybersecurity
Updated: Jan 23
That's how many people had their personal information compromised by cybercriminals during the infamous 2017 Equifax data breach. At least, that's how many people had their data compromised if you believe Equifax.
While the revelation of the data breach did result in several high-profile executives leaving Equifax, the company made little to no changes of note concerning its actual business practices. Those who had their information stolen have still not been compensated in any way at the time of writing this article, and cybersecurity experts are still not sure how that compromised information is being used.
In late 2018, 100 million users of the Q&A service Quora had their personal information compromised in a data breach. At nearly the same time, 500 million individuals who had used the services of Marriot's Starwood Guest Reservation database also had their personal information revealed to cybercriminals in a - yes, you guessed it - data breach.
Across just these three data breaches, a cumulative 750 million individuals have had their personal information extracted by cybercriminals. Sadly, that figure is, in reality, likely much higher than what these three companies have reported. The precedent for businesses underreporting the severity of data breaches was set long ago by Yahoo, which stated that a data breach in 2014 had left the personal information of around 500 million users compromised.
In reality, across three data breaches, all THREE BILLION Yahoo users had their personal information compromised. That's over three times as many users as the company reported in 2016.
To write that American companies are failing spectacularly at cybersecurity is an understatement. If that's going to change, we need comprehensive legislation to be passed governing data collection, handling, and destruction in the U.S.
The EU is far ahead of the U.S. here, with cybersecurity and data regulation policies already in place that make the U.S. seem like the wild west of cybersecurity and data regulation in comparison - which it practically is. While this lack of regulation may seem enticing to businesses now, things are bound to reach a tipping point shortly, and U.S. legislators need to act before that climax point is reached.
Hacking is a full-blown, weaponized industry now, and black hat hackers often make a killing while white hat hackers are offered only a pittance. Additionally, small businesses - which provide the backbone of the U.S's economic infrastructure - are becoming increasingly targeted by cybercriminals. In 2017, 71 percent of all cyberattacks were directed at small businesses. If giant corporations with significant cybersecurity budgets such as Marriot, Equifax, Yahoo, Target, and Quora can't keep up with hackers, how are small businesses with one IT administrator supposed to cope?
The short answer to this question is: they can't. The time is long overdue for the U.S. government to step into American cybersecurity and data regulation practices and produce legislation similar to that already active in the EU. If that doesn't happen, then the future of the American consumer is less secure than ever before.
Of course, that's not to say the EU is doing everything correctly when it comes to regulating cyberspace. Article 13, which recently passed, is an unmitigated disaster that showcases just how out of touch older politicians can be with the technology of the digital era. However, the EU's data collection, handling, and destruction policies are light years ahead of the U.S., requiring companies to explicitly tell individuals how their data is being collected and what purposes it will be used for. EU data regulations also require companies to 'forget' data upon request, wiping an individual's data from their servers if that individual so wishes.
While the U.S. has historically been loathe to regulate the practices of businesses in the name of capitalism, it's clear that something needs to change, and fast. If the U.S. doesn't pass comprehensive data handling, collection, and destruction legislation, then companies should at least be federally required to devote a more significant percentage of their budget to cybersecurity.
Cybersecurity is a real issue in the U.S., and it's past time for U.S. legislators and executives to take real action to help prevent further notable data breaches in the future.