Yahoo has confirmed that it is the victim of a cyber security breach affecting at least 500m accounts, perhaps the largest in history. Data breaches of email and social media accounts, retail stores, health insurance companies and even governments are now routine. The lesson to be learnt from the Yahoo breach may be that, when it comes to cyber security, we are not learning the right lessons.
Following major breaches, companies often deflect responsibility by pointing the finger at “state-sponsored actors”, as Yahoo did. Certainly, states do engage in this kind of activity and in some cases leave enough of a trail to be blamed.
But there is also reason to be sceptical of Yahoo’s claim. Presenting breaches as nation-state attacks suggests that there was nothing the company could have done to defend its users. It is better PR to blame a foreign intelligence service than for a company to admit it lacked basic security features. It also puts companies on a stronger legal footing against users who may seek to sue them.
The trouble is that most cyber security breaches, including those carried out by nations, exploit known vulnerabilities: flaws for which a patch was never developed, or was developed but never deployed. Most breaches are preventable, yet attacks continue to increase in number and scale. The woeful state of cyber security is, simply, a market failure.
The reasons are numerous and complex. Consumers are unable to make informed judgments about security when choosing where to entrust their information. Companies hesitate to share cyber threat information with industry competitors. Threats are distributed such that the relative probability that any one company will be the victim of a breach remains low. The bottom line is that companies do not have adequate economic incentive to invest in security infrastructure.
Governments must find ways to encourage companies to undertake more responsible practices. One way will be by developing liability mechanisms to impose costs on organisations that fail to protect customers’ data. And where the consequences of cyber security breaches are especially dire — networked medical devices or autonomous vehicles, for example — governments will need to enact robust regulatory standards to ensure safety.
But companies are not the only problem. Consumers are largely unwilling to accept even minor inconveniences for better security. Systems remain unpatched because individuals cannot be bothered to install updates. Users chafe against imposed security measures like the rejection of weak passwords. Conscientious companies walk a fine line between encouraging customers to be safe and imposing burdens that individuals will circumvent with even more vulnerable workarounds, or running the risk of driving users to more convenient and less secure platforms.
Until we address failures at corporate and collective levels, the lesson of the Yahoo breach for the individual is that cyber security is every man for himself. When people cannot rely on large companies to protect personal information, the only responsible approach is to presume breaches are inevitable and try to mitigate the damage. Not reusing passwords prevents a single breach from compromising multiple accounts, since credentials stolen from one service are routinely tried against others. Adopting two-factor authentication reduces individual risk, because a stolen password alone is then not enough to log in. And users should consider what information to store and share online.
But ultimately self-help will fall short. We have limited choice about what data about us are produced and stored, and participating in modern society necessitates volunteering a great deal more. Preventing large-scale data breaches is similar to countering disease epidemics — individual practices can protect us only so much and, where we are unable to wall ourselves off, large-scale institutional responses are required.