Professor Tyler Moore received an intriguing call from the congressional aide to US Senator Jeff Flake (R-AZ) Sept. 29.
Through word of mouth, the aide had learned Moore was an expert in cybersecurity and economic approaches to cybersecurity and was interested in having Moore testify at the congressional hearing on the recent Equifax data breach on Oct. 4.
This data breach exposed the names, Social Security numbers, birthdates and addresses of 143 million Americans. Some driver’s license numbers and credit card numbers were also released.
In his “Foundations of Cybersecurity” course, Moore had already been discussing the breach, Equifax’s response and potential harms. Still, when he received the official invitation to the hearing Monday, Oct. 2, he spent the day researching and writing up his testimony.
Moore presented along with the former Equifax CEO Richard Smith and Jamie Winterton, the director of Arizona State’s Global Security Initiative. Smith was given most of the hard questions, Moore said, and he and Winterton were there as independent sources about potential harms and solutions.
In his testimony, Moore focused on potential harms of the breach, some economic and some non-economic, and his recommendations for the future.
Along with the obvious economic harm of increased credit fraud with the large number of SSNs stolen, Moore brought up the potential for increased filing of fraudulent tax returns or even healthcare and entitlement fraud. On the non-economic side, harassment and stalking could also be an issue, as the data has individuals’ names and addresses, which harassers could use to their advantage.
Tied to another recent breach, Moore said the Equifax breach could have national security implications. In 2015, the Office of Personnel Management (OPM) was breached, exposing the names and security clearances, along with other information, of many federal employees. While the perpetrators of the Equifax breach are unknown, if they were a foreign nation-state, which is implicated in the OPM breach, they could use the two breaches to find federal employees with a security clearance and bad credit ratings—who could potentially be turned against the US for financial gain.
He proposed three solutions: freezing credit by default, making harms of these breaches more transparent and moving away from the use of SSNs. Currently, “the burden is on individual consumers to freeze their credit,” which prevents loans, credit cards or other applications using an SSN from being taken out without another form of identification, typically a PIN given when the account is frozen. Freezing an account also prevents searches of your credit and selling of your personal data to companies.
Requiring the harms of such breaches to be more publicly available, Moore believes, would help to prevent future breaches and improve our understanding of the cost of breaches. Currently, companies are only required to say what data they lost and notify customers. Moore believes companies should be compelled to report information on the harms that come from these breaches, for a “more accurate accounting of what the harms are, so they can potentially provide recompense to victims and further incentivise companies to have better security so this doesn’t happen.”
“As bad as this has been for Equifax, if they’re not responsible for all these other existing harms, they wouldn’t invest enough in security to prevent these harms,” Moore pointed out. Gaining the political capital to legislate this might be difficult, but if every company was forced to report harms, it wouldn’t be as damaging for individual companies.
For a long-term recommendation, Moore believes SSNs should be replaced with something more secure and less static in case of future breaches. The 143 million affected by the breach cannot all be reissued new SSNs, but if SSNs were replaced with a PIN or password, this wouldn’t be as difficult.
For students, Moore recommended two things in response to the breach. First, students should consider freezing their credit at all three credit bureaus. Equifax is offering free freezes as a result of the breach, but they will cost at the other two, Experian and TransUnion. These will freeze your credit and provide you with a PIN to unfreeze it whenever needed, although unfreezing it may also cost. According to Moore, freezing your credit is better than locking it, as locking it still allows the bureaus to sell your data and show it to inquiring parties, like an employer.
Second, Moore advised against credit-monitoring services, like LifeLock. These services monitor credit for any suspicious activity but do not prevent fraudulent accounts from being opened. The money used for LifeLock, Moore pointed out, could be used to freeze your credit.
After his testimony, Moore had an extensive Q & A with the Senate. He also received further written questions this week, about the costs and benefits of freezing credit by default, which left him believing the Senate may be considering legislating such a move.
The experience was “encouraging,” said Moore, as the two US Senators, Flake and Al Franken (D-NY), asked “intelligent questions and seemed to understand the issues at play.” “Sometimes it’s easy to think our elected officials don’t know what they’re talking about, but in this case, these two senators did,” he finished. It was “surreal” to interact with Franken, whom Moore remembers from SNL skits when he was younger.
This opportunity allowed Moore to influence policy making, which he has been involved with before, in writing reports to the European Union and Department of Homeland Security, among others. Influencing policy is important to Moore as “the thing about cybersecurity is so much of what needs to be done to improve is a combination of technology and computer security approaches but also policy. So much goes beyond what we can do by designing technology.”
Currently, Moore is researching the security issues in cryptocurrency, like bitcoin, and developing long-term measures of cybersecurity, much like the GDP and other measures work for the economy.