Making Your Data Unreadable to Whoever Steals It Might Be the Only Way to Keep It Safe
John Podesta is an accomplished person of the Democrat persuasion who was a senior advisor to Presidents Bill Clinton and Barack Obama but, unless you follow politics like some people follow sports, it's likelier you recall his name for the drip-drip-drip release of his emails by Wikileaks during the 2016 presidential election while he was managing Hillary Clinton's campaign.
History turns on countless hinges, so a dozen other well-documented events could have gone differently to alter the outcome, but the hack of Podesta's emails is widely regarded as a key reason for Clinton's loss and Donald Trump's razor-thin victory margins in a few key swing states. Which is why the sibling founders of Virtru, a cybersecurity company, keep a photo of Podesta on the wall at their office. Their primary product is a simple-to-use encryption app that makes data easily deciphered by the intended reader and a scrambled mess to anyone else.
"We have a John Podesta image in our office as a reminder about how important our work is," said John Ackerly, CEO of Virtru. He was a senior technology advisor to President George W. Bush at the time of the 9/11 attacks. His brother, Will, now CTO of Virtru, invented the Trusted Data Format used by the U.S. intelligence community to secure data in transit. Long brotherly discussions about their shared cyber-fatalism led them to found Virtru.
Years ago, when street crime was frighteningly commonplace, the comedian Steve Martin joked that the best defense against a mugger is to vomit on your cash. That punchline sums up what Virtru advises because, in all honesty, it's hard to keep data from a competent, patient, persistent hacker who wants it. North Korean hackers have stolen South Korea's war plans. The NSA has been hacked. If those organizations can't maintain air-tight cybersecurity, what chance does an ordinary person or company have?
Your best move, say the Ackerly brothers, is to take every sensible precaution but, by installing their software, you have the Steve Martin option when the worst happens. An encrypted document without the encryption key is "thousands and thousands of encrypted blobs," said Will Ackerly.
So, what about that photo of John Podesta on the office wall? If Podesta and the Democrats had encrypted their emails, would we be reading the tweets of President Hillary Clinton now?
"That is a fantastic question," said John Ackerly who, clearly, had been considering his answer for a long time before he was asked. "I would just say that we may or may not have reached out to certain folks very early about the importance of data encryption, and if those people had used our software then that data would still be protected today. And it's a shame, a shame for society, that they did not take that simple action. But, you know, I feel personally responsible for not trying five more times to get them to take action. Which is a way of saying that this offer was available prior to the 2016 election. It sure was."
Error and carelessness are common factors in the high-profile hacks of Equifax, Uber, Yahoo, LinkedIn, U.S. Office of Personnel and too many others to bring to mind without a Google search. It seems data security baffles otherwise sophisticated people and institutions the way highways confuse small mammals. Perhaps we should not hope for better. Recently it was revealed that fundamental flaws in chip design make every computer vulnerable. Maybe we cannot expect to keep data safely locked away even if we try harder.
The Ackerly brothers dismiss their cybersecurity competitors as "snake oil salesmen" for promising to keep data safely locked away. Even if that were possible, what is the point of data you cannot safely share? Sharing makes data vulnerable but it is also what makes it valuable. Just ask Marc Benioff, CEO of Salesforce. In late 2016 his emails to Colin Powell, a member of the board (and perhaps more notably former chairman of the Joint Chiefs of Staff and Secretary of State), were hacked. The emails, titled "M&A Target Review" and quaintly labeled "confidential," contained a list of 14 potential acquisition targets.
"Colin Powell had a very weak password," said Will Ackerly. "Every time you share data, or you create an email, you have to worry about both your own security systems and every single person with whom you share that data."
While the details of the hacks differ, the same thing happened to Snapchat CEO Evan Spiegel, whose emails to Sony Pictures CEO Michael Lynton, a member of Snapchat's board of directors, were released by North Koreans who hacked Sony.
Timothy Edgar, author of Beyond Snowden: Privacy, Mass Surveillance and the Struggle to Reform the NSA and a specialist on cybersecurity at Brown University, said the convenience of Virtru's software gives it a market advantage currently but that, in general, firms offering encryption-based security likely have a bright future.
"The idea you draw a line around your system and you've protected your data is long dead," he said. "Lots of sensitive data is in the hands of third parties. If the South Korean military and the NSA are having problems keeping their data in their own hands, what chance do the rest of us have? Encryption is the new baseline but ease of use is the key."
Not all the challenges to keeping important data secure are technical. As anyone who has received a call from their credit card company asking about an unusual charge knows, card issuers have sophisticated fraud detection programs. Their advertising makes it sound as though they do this because they love their customers but their legal liability for the charges is doubtless a big motivator.
By contrast, as the Equifax hack demonstrated, there is nearly no liability for losing even the most sensitive data. Under current law, it is even difficult for the people whose data Equifax lost to bring a class action lawsuit. If the hackers who stole your credit information from Equifax drain your bank account or take out a loan in your name, it's your problem, not Equifax's. You have to think they would have tried harder to protect your data if they were going to be stuck paying for the fallout from a hack.
"There is not a universal rule that you should be held harmless in a data breach and there probably should be," Edgar said.
The legal landscape is different in Europe and will be even more different in May, when the European Union's General Data Protection Rule takes effect. Under that rule, Equifax would have faced fines of up to 4 percent of its global revenue. That liability is likely to motivate companies that obtain and store personal data to encrypt it, Edgar reasoned.
"Encryption is growing slowly but I think it will grow even more after the EU adopts its data privacy rule," he said. "A lot of the culture of Silicon Valley is in for a shock with these new rules. They have been used to ignoring these rules or winking at them. Four percent of your revenue is a substantial chunk of change."