Sometimes Congress can be entertaining, but not usually. Today was an exception.
FORMER Equifax Chairman Richard Smith, under who’s watch the huge Equifax data breach occurred, testified at the House Energy and Commerce Subcommittee.
What did he say?
#1 – Even though Homeland Security told Equifax (and others) about the Apache Struts vulnerability in March, when they scanned for it, they didn’t find the vulnerable versions of the software.
#2 – As a result, the patch was not applied. Until today we didn’t know that EVERY system at Equifax that used Apache Struts was not patched. I, for one, was hoping that it was just one system that they missed, but apparently they missed the boat. And likely the entire ocean.
Those two items are not funny. Human error. Technical error. Stuff happens. It shouldn’t when Homeland Security specifically tells you about something, but sometimes it does.
#3 – They found out about the breach, they now say, on July 31. Earlier reports say that the hackers were inside their systems as early as March – several months. They didn’t tell people about it until last month. Congress was not happy about that.
Rep. Greg Walden (R-Ore.) said “It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,”
He went on to say “How does this happen when so much is at stake?” And “I don’t think we can pass a law that fixes stupid.”
Rep. Anna Eshoo (D-Atherton, CA) said “It seems to me that you’ve accomplished something that no one else has been able to accomplish … you have brought Republicans and Democrats together in outrage, distress and frustration over what’s happened,”
You have to admit, there has not been very much that the Dems and Repubs have agreed on lately.
Rep. Markwayne Mullin (R-Okla.) told Smith that the company’s response should have been like a fire alarm on the wall, ready at a moment’s notice to be pulled. This is not humorous. This is about having a Cyber Incident Response Program, documented, trained and tested, and ready to be put into action when needed. CLEARLY, they failed at this one.
Some committee members admitted that Congress had failed, too. Attempts at passing a strong cyber security law have failed over the last several years. Political pressures have tended to produce very watered down attempts – often significantly weaker than many state laws and superseding those state laws. As a result, some Congress critters would not vote for a bill that effectively mandated weaker security than residents of their state already had.
Rep. Joe Barton (R-Tx) said that financial penalties were needed to make companies take security more seriously. If the penalty for a company like Equifax were say, only, five bucks a record compromised, that would be almost a billion dollars. At that cost, the economics would tilt in favor of spending money to avoid a breach.
Today, companies, for the most part, say I am sorry and maybe offer a year of credit monitoring. In the case of Equifax, that year of credit monitoring was from themselves, so the cost to provide it would be really, really small.
A friend of mine told me of a letter he got from the local state administrative court judge. The letter said that some jury duty records had been compromised. The breach, which included Socials, names and birth dates, was not done by a hacker, but rather by the court itself, posting the data publicly, by accident.
The letter went on to say that the recipient MIGHT want to contact one of the credit bureaus and put a fraud alert on their credit file. Helpfully, the court provided the phone numbers and web sites of the big three credit bureaus. They, clearly, didn’t feel responsible to make people whole at all. You MIGHT want to, they said. Nice.
I have no clue whether Joe Barton’s idea of fining companies (AND, I might add, the government should NOT exempt itself from these fines) will go anywhere, but for a Republican to propose fining businesses for lax security is an indication that Capitol Hill is not happy.
When asked at the hearing whether Equifax would pay the fees that the other two credit bureaus will charge those 145 million people to freeze their credit, Smith that they would not pay. I bet that wasn’t a popular answer.
When asked about several exec’s sale of a million plus dollars worth of Equifax stock, Smith said “They’re honorable men. They’re men of integrity,” – “I have no indication they had any knowledge of the breach at the time of the sale.” Interesting choice of words – I have no indication that they had any knowledge. Not a very strong refutation that they didn’t know.
In any case, Smith is scheduled to testify before two more committees this week, so the entertainment is not over.
But, seriously, these are very reasonable questions.
Can you assure your customers that you would know about a vulnerability in a web development framework (or some other similarly obscure software) and get it patched in a day or two, company wide? Smith said that the company’s policy is to deploy patches within two days.
What about responding? Does your company have a documented, trained and tested cyber incident response program that you can use, like pulling a fire alarm on the wall?
If you can’t answer the two questions in red any better than Equifax’s fired Chairman could (err, retired Chairman?), then this is probably a good time to fix that. Before it becomes a problem.
Information for this post came from the Los Angeles Times.