Will U.S. Corporations Ever Take Cybersecurity Seriously?

Incentives still haven’t reached a tipping point, but Europe's new data protection regulation might help

Illustration of corporate logos with data information.
Illustration: Getty Images
Advertisement

It’s another month, and another major IT-related security problem has been uncovered. The latest, the security flaws discovered in Intel, AMD, and AMR chips that can allow the bypassing of operating system security protections are a bit different than most vulnerabilities. They are hardware rather than software-based, and their impacts are exceptionally widespread, impacting nearly every Intel processor made since the mid-1990s. Billions of chips in total could be affected.

Intel, in conjunction with AMD, ARM, operating system vendors, and others, has been working on software and firmware security updates to close the security holes, with mixed success. There were reports that Intel’s firmware update had a bug that needed fixing itself, and that there were problems with updates on some AMD-based machines. There is also a debate between Intel and Microsoft regarding whether some of the updates would result in a significant slowdown of a patched machine. Intel insists the fixes will likely cause minimal performance impacts for most users, while a Microsoft executive instead seemed to suggest that users might be better off not updating their machines if loss of performance was greater than the security gained.

Intel has not only been downplaying the performance impacts of the fixes, but the financial impacts as well, even going so far as to say the flaws will have no material impact on the company’s finances. That is rather amazing: billions of products sold with two fundamental security flaws that need urgent correction and the result isn’t seen as being material. It leads to the question of what would need to happen for an IT security issue to become material, not only to Intel, but to all U.S. corporations.

The IT security breach most in the U.S. news media before the Intel et al. chip flaw was the Equifax breach, where the personal credit information of some 145 million Americans was compromised. That breach, along with others at health insurance company Anthem and retailer Target spurred the U.S. Congress to hold multiple hearings, with politicians on both sides of the aisle promising that new laws would be quickly passed to force companies to protect citizens’ private data. I hope you didn’t hold your breath waiting for that to happen.

The only major proposed legislation so far is that offered last week by Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) that would hold large credit card companies accountable for data breaches of consumer information. They propose that the companies would face “a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer,” according to their press release.

The likelihood of the proposed legislation being passed is about zero. No one should be surprised, either. The current administration isn’t particularly interested in increasing business regulation; to be fair, given the numerous past massive data breaches, previous administrations, both Republican and Democrat, weren’t overly aggressive in applying the plethora of existing legislation [PDF] to penalize companies for data breaches.

It took 11 years before the U.S. Department of Health and Human Services fined a health service provider for a privacy violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), for example. That was still faster than the U.S. Securities and Exchange Commission, which took 15 years before it finally fined a financial institution for a data breach, something it has had the statutory power to do since 2000. Mad with power, the SEC actually managed to fine another financial institution in 2016, but none in 2017; everyone is waiting to see what, if anything, the SEC does in regard to the Equifax breach.

Even though U.S. government regulators routinely wimp out, one would think that the numerous class action lawsuits filed after a data breach would at least incentivize companies to take cybersecurity seriously. Anthem, for instance, agreed to pay $115 million to settle breach-related lawsuits against it. And then there are the stock market hits to consider as well, right?

Well, it turns out that even successful lawsuits (and many are not) and hits to a company’s share price inflict very little long-term damage after the initial crisis occurs. Even then, the total impact to a company’s bottom line is usually not material. The financial hit of Target’s 2013 data breach turned out to be only about 0.1 percent of its 2014 sales, hardly an incentive to change corporate behavior.

Back in 2004, security expert Bruce Schneier wrote a thoughtful essay for IEEE Computer titled, “Hacking the Business Climate for Network Security,” in which he argued persuasively that, “Real security improvement will only come through liability: holding software manufacturers accountable for the security and, more generally, the quality of their products.” His argument seems to have been taken more seriously in Europe, than in the U.S., however.

In May, the EU’s General Data Protection Regulation (GDPR) takes effect. The GDPR is meant to force companies to take EU citizens’ privacy and security concerns seriously. The incentives are the very significant financial penalties incurred for breaching its regulations, such as by not reporting a data breach within 72 hours of its discovery. GDPR fines can range up to 4 percent of annual global turnover or €20 Million (whichever is greater). That has, to say the least, gotten the attention of everyone doing business in the EU, especially U.S. tech companies.

Whether the GDPR will persuade U.S. corporations to take cybersecurity more seriously (or the U.S. government to start enforcing the legislation already on the books) remains to be seen, but one can always hope. Until then, we’ll all just have to put our faith in statements from corporate executives like Intel’s CEO Brian Krzanich, who claims that “Security is Job No. 1 for Intel and our industry.” Of course, it would be nice if those reassuring words were said and actions were taken to prevent a security breach or flaw occurred before they were discovered, not after.

The Computing Technology Newsletter

Biweekly newsletter about advances in hardware, software and systems.

About the Risk Factor blog

IEEE Spectrum’s risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.