What We Should Learn from the Equifax Hack
It Will Always Be People and “Little Things” that Matter Most
A little over a year ago we got news that nearly 150 million people were affected by a breach of consumer credit agency Equifax’s network. The U.S. House of Representatives Committee on Oversight and Government Reform has since released the final report on its investigation. It reveals that while Equifax had the formalities of a cyber security plan, it was crippled by bureaucratic arrangements and a failure to appreciate the large consequences of not attending to what often seem to be “little things.”
How the Bureaucratic “Tragedy of the Commons” Crippled Equifax
The “tragedy of the commons” is a concept from philosophy which can be roughly described by noting that when something is broken, and nobody owns it, fixing it is always someone else’s job.
“Owning” cybersecurity will always be fraught with what are essentially political/bureaucratic challenges. The Committee’s report notes that the relationship between the Chief Information Officer (CIO) and his direct report, the Chief Security Officer (CSO), deteriorated due to “fundamental disagreements.” The CSO had developed company-wide information technology security standards as part of a three-year, $15 million effort to update Equifax’s overall security posture. It is unfortunate that the Committee’s report does not delve into the nature of these “fundamental disagreements.” That they appeared to develop at the same time as the effort to update Equifax’s security posture suggests that the CSO’s security initiative conflicted with the CIO’s operational priorities.
If this was the case, it would represent the perennial challenge for cybersecurity in large corporations — the need to balance security and productivity.
As a result of this bureaucratic deterioration, the reporting lines were changed. Instead of reporting to the CIO, the CSO was brought under the Chief Legal Officer (CLO). This was a critical mistake for two reasons.
First, of the three perspectives in cyber security (Executive, Operational, and Technical), the operational perspective is the one most likely to push back against cyber security initiatives. This push-back is often well-warranted — companies exist because they have a value proposition recognized by their customers. If a business is unable to deliver on its value proposition, customers will go elsewhere and the business will eventually cease to exist. The best cutting-edge security technology and processes a company might have will be rendered irrelevant.
Second, moving the CSO under the legal department was likely the worst possible choice. A lawyer’s first priority will be keeping her client out of court. The conflict between security and operations requires first attention be paid to “how we can” operate in the most secure manner possible. A lawyer’s first attention is more likely to be focused on case-law reasons for “why we can’t” (or why we shouldn’t) choose a course of action.
It is when this “compliance-mindset” of “why we can’t” wins out over a “risk management mindset” of “how we can” that we see cybersecurity fall victim to bureaucratic conflicts of perspective.
It is not uncommon for a CEO to attempt to keep their number of direct reports down to a minimum. This was fatal for Equifax. A conflict between operational and security concerns was smoothed over by changing lines of reporting. It should have been brought firmly to the surface and thoroughly fleshed out. A CISO — which Equifax did not have at the time — could have overseen this process in order to provide the best possible advice to the CEO as to what risks were posed by the possible courses of action.
Takeaway: If a company has the resources to hire a Chief Information Security Officer (CISO), this person must report to the CEO in an advisory role. The CISO’s job is to keep the organization in a risk-management mindset (as opposed to a compliance mindset) and be an advocate for “how we can” operate such that the company’s business value is successfully delivered in a way where cyber risks are identified, understood, and controlled.
A Good Cybersecurity Plan Accounts for Conflicts of Perspective
As a result of these conflicts, the “what,” “who,” and “how” of Equifax’s security plan devolved into an incoherent bureaucratic maze. A good cybersecurity plan will have three components. First, the system itself will be described and include a system boundary. Inside that boundary will be all aspects of the system which will be controlled by the plan. This answers the essential question of “what” the system is.
The plan will also outline clearly “who owns” the system. This person embodies the Executive perspective, and is responsible for making final decisions as to how risks are controlled. All other persons responsible for various aspects of plan execution are described in the plan, which answers the essential question of “who” is responsible for “what.”
Lastly, but absolutely most important, is the Security Concept of Operations (SeCONOPS). This part of the plan describes “how” the system will operate. With a conflict between security and operations likely at the root of Equifax’s failure, the SeCONOPS is the critical piece that helps resolve this kind of conflict. The person or people who embody the Operational perspective (the people who keep the trains running on time) must be able to see how the system will operate in such a way as to support their delivery of business value, and yet control for security risks.
Takeaway: The balancing of the Operational perspective with the need to control for cyber-related risks is where the art of a good cyber security plan is found.
Partly because of the maze of who is responsible for what, Equifax’s security patching practices — while articulated in their plan — were not executed successfully. A critical patch was not applied in a timely fashion, a server was compromised, and became the entry point for subsequent compromise of other machines.
Public Key Infrastructure (PKI) Certificates — the “Little Things” in Cyber
Equifax’s system included sophisticated tools to detect this kind of intrusion. But these systems failed because something many tech people consider a “little thing” was left unaddressed.
If you have navigated to a website only to have your browser warn you of a potential safety problem with an invalid certificate, you may have responded by using the browser’s ability to register an “exception” with the certificate, or otherwise just proceeded to use the website.
These warnings are almost always the result of an SSL certificate (which allows the website to be served encrypted, with “https:” in the URL) having expired.
If you look at your browser right now (yes, right now as you are reading this), look for the lock icon to the left of “A Medium Corporation[US].” Click the icon.
Note the “Certificate” setting says “Valid.” An SSL certificate is often issued for a period of one to three years, after which it requires renewal. By clicking on the Certificate entry on this box, we can see that the certificate is valid to identify the site from 5/31/2017 to 8/30/2019. By this coming August, Medium will have to renew this certificate.
Unfortunately for Equifax, the server used for intrusion detection and monitoring of traffic had an expired certificate. Equifax actually had 324 expired certificates, 79 of which were for machines which monitored business-critical domains.
As a result, the breach activity lasted over two months, and was not discovered until after the certificate for the monitoring machine was renewed.
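The failure described above is an inventory problem: nobody was tracking which certificates were about to expire, or which of them sat on machines that monitored business-critical traffic. The script below is an added example, not Equifax’s tooling or anything from the Committee’s report. It classifies certificates from an inventory shaped like Python’s `ssl.SSLSocket.getpeercert()` output as expired, expiring or valid, and orders the renewal queue so that expired certificates on business-critical monitors surface first. The hostnames, dates, the 30-day lead time and the `critical` flag are constructed assumptions; the live check uses only the standard `ssl` module.

```python
"""Certificate-expiry inventory check (added example, not Equifax's tooling).

Classifies certificates from an inventory shaped like
ssl.SSLSocket.getpeercert() output and orders the renewal queue so that
expired certificates on monitoring of business-critical domains come first.
Hostnames, dates and the 30-day lead time below are assumptions.
"""
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

WARN_DAYS = 30  # renewal lead time (assumption; match it to your change window)
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code carried by SSLCertVerificationError


@dataclass
class CertStatus:
    name: str
    not_after: datetime
    days_left: int      # negative once expired
    status: str         # "expired" | "expiring" | "valid"
    critical: bool      # does this host monitor a business-critical domain?


def parse_cert_time(value: str) -> datetime:
    """getpeercert() renders dates like 'Aug 30 23:59:59 2019 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(name: str, cert: dict, critical: bool, now: datetime,
             warn_days: int = WARN_DAYS) -> CertStatus:
    """Compare notAfter against 'now' and bucket the certificate."""
    not_after = parse_cert_time(cert["notAfter"])
    days_left = (not_after - now).days
    if now >= not_after:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "valid"
    return CertStatus(name, not_after, days_left, status, critical)


def renewal_queue(inventory: list, now: datetime, warn_days: int = WARN_DAYS) -> list:
    """Everything that needs action, most urgent first: expired before expiring,
    business-critical monitors before the rest, then by days_left ascending."""
    results = [classify(n, c, crit, now, warn_days) for n, c, crit in inventory]
    queue = [r for r in results if r.status != "valid"]
    queue.sort(key=lambda r: (r.status != "expired", not r.critical, r.days_left))
    return queue


def live_status(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Check one live endpoint (not exercised offline). A verifying context is
    required: with verify_mode CERT_NONE, getpeercert() returns {} and the
    dates are lost, so an expired certificate instead surfaces as an
    SSLCertVerificationError whose verify_code identifies the reason."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "expired"
        raise
    return classify(host, cert, True, datetime.now(timezone.utc)).status


# Constructed inventory: (hostname, getpeercert()-style dict, monitors-critical-domain)
NOW = datetime(2019, 8, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("ids-sensor-01", {"notAfter": "Jan 15 00:00:00 2019 GMT"}, True),
    ("intranet-wiki", {"notAfter": "Jun 01 00:00:00 2019 GMT"}, False),
    ("public-site", {"notAfter": "Aug 30 23:59:59 2019 GMT"}, False),
    ("build-server", {"notAfter": "Dec 31 23:59:59 2020 GMT"}, True),
]

if __name__ == "__main__":
    for item in renewal_queue(SAMPLE_INVENTORY, NOW):
        print(f"{item.status:8} {item.days_left:5d}d  critical={item.critical}  {item.name}")
```

Run against the constructed inventory, the queue lists the expired IDS sensor first, then the expired (but non-critical) wiki, then the public site that still has 29 days left; the build server is valid and is omitted. The sort key is the design point: an expired certificate on a monitoring host is a loss of visibility, not just a browser warning, so it must outrank everything else regardless of how long ago it lapsed.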
IT professionals can sometimes get caught up in prioritizing things with “sizzle.” Developing a new cool tool for the business, or getting in “the zone” to solve a complex problem can often push seemingly “little things” (like renewing certificates) to the “bottom of the stack.”
Conclusion: Cybersecurity Must Plan for Conflicting Perspectives and Attend to the Little Things
Equifax’s experience teaches us this can be very costly. But perhaps most important is what we learn about the inevitable conflicts between security and productivity. These conflicts will happen, and a cybersecurity plan should be conceived with this inevitability in mind. Cybersecurity professionals should seek to become expert in the operational domain(s) of their company or clients. In this way, the cybersecurity professional can keep the focus on “how we can” operate profitably and securely.