Consumer Data Security and the Credit Bureaus

Statement of Chris Jaikaran, Analyst in Cybersecurity Policy
Before the Committee on Banking, Housing, and Urban Affairs, U.S. Senate
Hearing on “Consumer Data Security and the Credit Bureaus”
October 17, 2017
Congressional Research Service, https://crsreports.congress.gov, TE10021

Introduction

Chairman Crapo, Ranking Member Brown, and Members of the Committee, thank you for the opportunity to testify on consumer data security and the credit bureaus. My name is Chris Jaikaran and I am an Analyst in Cybersecurity Policy at the Congressional Research Service. In this role, I research and analyze cybersecurity issues and their policy implications, including issues of data security, protection and management.

My testimony today will include discussion of data security as an element of cybersecurity and risk management, analysis and a case study on how data breaches occur, a description of cyber incident response, and possible options for Congress to address data security and data protection. My testimony today is based solely on publicly available information and CRS analysis.

Cybersecurity and Data Security

An increasingly used catch-phrase among industry analysts is that today “all companies are technology companies,” or “all companies are data companies.”[1] This concept reflects the role that information technology (IT) and data play in enabling the modern business practices that allow companies to compete and thrive in the marketplace. This reliance on IT and data also creates risk for corporate leadership to manage. Adequately controlling that risk is an objective of cybersecurity.[2]

Data security is an element of cybersecurity. At the most basic level, cybersecurity is the security of cyberspace, which includes not just data, but the networks, hardware, software, services, and infrastructure that data relies upon. It is also important to note that data does not exist by itself, but is created, manipulated and used by people. Consequently, cybersecurity is not just the security of data, hardware, software, infrastructure, networks and services, but also the human users of cyberspace.

Computer scientists view data security through three attributes:

• Confidentiality: that the data is only known to authorized parties. A data breach is an example of how confidentiality is breached, while encryption is a tool used to ensure confidentiality.
• Integrity: that the data is known to the authorized parties as intended. Data manipulation is an example of how integrity is breached, while there are data checking technologies, such as blockchain, to ensure that one can verify the integrity of data.
• Availability: that the data is available to authorized parties when they choose. Ransomware attacks availability, while backups are a tool that ensures availability of data.

[1] Nathaniel Fink, “Cybersecurity for a New America: What’s Next for the Cybersecurity Community,” conference keynote, March 20, 2017, at https://youtu.be/wfMpUpxNPAg. Avi Gesser, Gabriel Rosenberg, and Matt Kelly, “Cybersecurity and Data Management,” webinar, Davis Polk & Wardwell LLP, October 11, 2017.
[2] Risk may be managed by avoiding the risk, controlling the risk, transferring the risk, or accepting the risk. DHS Risk Steering Committee, “DHS Risk Lexicon,” report, September 2010, at https://www.dhs.gov/sites/default/files/publications/dhs-risk-lexicon-2010_0.pdf.

Related to integrity is the concept of authentication, an attribute that one can verify that data is from a trusted source. The Internet was built using technologies that assumed the trust of its users, but as the Internet has grown into a global network, anonymity and the manipulation of data have proliferated.[3]

As an element of cybersecurity, data security involves risk management. Absolute security is not obtainable, so managing the risks which would impair security is generally considered to be the goal. In order to evaluate risk, managers need to understand the threats the enterprise may face, the vulnerabilities the enterprise has, and the consequences of an incident.[4]

Threats are generally considered to be the gamut of potential human attackers. Such attackers include nation-state actors, criminals and insiders to the network. Depending on the data an entity houses, and the services it provides, the realm of attackers may change from one day to the next, sometimes even driven by events in the news.

Vulnerabilities exist in software the moment it is shipped to users. Adding additional software to a growing enterprise creates complexities that can lead to further potential vulnerabilities. Some software vulnerabilities are known the day they are shipped and are catalogued in the Common Vulnerabilities and Exposures database with risk assessments enumerated in the National Vulnerabilities Database.[5] Others are discovered later. Vulnerabilities that are discovered but not disclosed to the vendor so they may be patched are called 0-days (zero or “oh” days). However, 0-day vulnerabilities do not necessarily create a large risk for enterprises. In addition to a vulnerability being present on a system, it must be exploited to cause some impact. The exploitation of a vulnerability may be so difficult that an entity’s risk of falling victim to that 0-day is low. Despite 0-days being a threat, most cybersecurity incidents occur through attackers exploiting known vulnerabilities for which the entity has not deployed a patch.[6]

Consequences may vary based on the business of an entity, the data that entity houses, and the stakeholder community for the entity. Consequences are also multi-dimensional. The loss of data may inhibit business practices, but may also lead to reputational loss, enforcement actions, payments to stakeholders, or other impacts.
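The point that most incidents exploit known, unpatched vulnerabilities suggests a routine check a defender can automate: compare the software inventory against the catalogued advisories. The following Python is an added example written for this page, not code from CRS or from any vendor. The hostnames and versions in the inventory are constructed, and the affected version ranges for CVE-2017-5638 are those published in the Apache S2-045 advisory the testimony cites (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1); re-check them against the advisory before relying on them.

```python
"""Flag inventory entries still running versions covered by a published advisory.

Added example for this page (not CRS or Apache code). Only catalogued
vulnerabilities can be checked this way; a 0-day, by definition, has no
advisory record to compare against.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '2.5.10.1' into a comparable tuple.

    Assumes purely numeric components. Python compares tuples element by element,
    so (2, 5, 10, 1) sorts after (2, 5, 10), which is the ordering we need.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    affected: Tuple[Tuple[str, str], ...]  # inclusive (lowest, highest) affected versions
    fixed_in: Tuple[str, ...]              # releases that carry the patch


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


def is_affected(advisory: Advisory, asset: Asset) -> bool:
    """True when the asset runs the advisory's product at a version inside an affected range."""
    if advisory.product != asset.product:
        return False
    version = parse_version(asset.version)
    return any(
        parse_version(low) <= version <= parse_version(high)
        for low, high in advisory.affected
    )


def unpatched_exposure(advisories: List[Advisory],
                       inventory: List[Asset]) -> List[Tuple[str, str, str, str]]:
    """Return (host, cve, running version, fixed releases) for every asset left unpatched."""
    findings = []
    for asset in inventory:
        for advisory in advisories:
            if is_affected(advisory, asset):
                findings.append((asset.host, advisory.cve, asset.version,
                                 ", ".join(advisory.fixed_in)))
    return findings


# Affected ranges as published in Apache advisory S2-045 for CVE-2017-5638
# (the advisory the testimony cites); verify against the advisory before use.
ADVISORIES = [
    Advisory(
        cve="CVE-2017-5638",
        product="apache-struts",
        affected=(("2.3.5", "2.3.31"), ("2.5", "2.5.10")),
        fixed_in=("2.3.32", "2.5.10.1"),
    ),
]

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = [
    Asset("dispute-web-01", "apache-struts", "2.3.30"),   # inside the 2.3.x affected range
    Asset("dispute-web-02", "apache-struts", "2.3.32"),   # first fixed 2.3.x release
    Asset("portal-03", "apache-struts", "2.5.10.1"),      # first fixed 2.5.x release
    Asset("api-04", "apache-struts", "2.5.7"),            # inside the 2.5.x affected range
    Asset("batch-05", "openjdk", "8.141"),                # different product, never matched
]

if __name__ == "__main__":
    for host, cve, running, fixed in unpatched_exposure(ADVISORIES, INVENTORY):
        print(f"{host}: {cve} applies to {running}; patched releases: {fixed}")
```

Run against the constructed inventory it reports dispute-web-01 and api-04 and nothing else. The two hosts on the first fixed releases are excluded only because versions are compared as integer tuples; a naive string prefix match would wrongly flag 2.5.10.1 as 2.5.10.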
An entity may be able to better predict consequences through understanding the data in its possession. Using a data model or framework can help an entity identify attributes of its data. Such attributes include:

• where data is acquired;
• what other data the entity generates from acquired data;
• what types (both descriptively and by file type) of data are acquired or generated;
• how the entity will use and access data;
• how the data will be shared with other parties;
• where data is stored, accessed, and transmitted; and
• what policies exist for data retention and data disposal.

Such a data model is essentially an architecture of the entity’s data, similar to the network architecture of its IT systems or the blueprints for its building.

The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Framework) provides functions, activities and categories in a common format to assist entities in thinking through cybersecurity issues and identifying resources to assist in completing activities.[7] (Some of these activities include asset management, data security, and detection processes.) However, the Cybersecurity Framework is not the only reference for organizations to consider using, or a document which they can only use exclusively. The Center for Internet Security, the International Standards Organization, and ISACA also publish cybersecurity frameworks which an entity may use in conjunction with or in replacement of the NIST Cybersecurity Framework.[8]

[3] CRS In Focus IF10559, Cybersecurity: An Introduction, by Chris Jaikaran.
[4] Davis Hake, “Threat, Vulnerability, Consequence,” interview with The Cipher Brief, December 15, 2015, at https://www.thecipherbrief.com/threat-vulnerability-consequence.
[5] https://cve.mitre.org; https://nvd.nist.gov.
[6] Jory Heckman, “Hackers Not Yet Pulling Out Big Guns for Data Breaches, NSA Official Warns,” Federal News Radio article, October 18, 2016, at https://federalnewsradio.com/technology/2016/10/hackers-not-yet-pulling-big-guns-data-breaches-nsa-official-warns/.
[7] NIST, “Cybersecurity Framework,” webpage, at https://www.nist.gov/cyberframework.

The Anatomy of a Breach

The recent breach of Equifax provides a timely case study on how breaches occur.[9] While a single command may be executed at a speed fast enough for the computer to process it, full attacks are done by humans, and as such, occur at human speed. Breaches can be understood through an attack framework.[10]

First, an attacker examines the target. Through this examination the attacker learns about the target system. This examination is both online and off. Business cards provide the naming convention for user accounts on the system (in the form of email addresses), while digital tools can provide information on services running on Internet-facing systems. In the case of Equifax, scans of their credit report dispute website may discover that Apache Struts was an available service and that it was running under a vulnerable version.[11]

Second, an attacker exploits a vulnerability. This initial exploitation provides the entryway for an attacker into the system or network. As stated earlier, vulnerabilities themselves do not necessarily create a significant risk scenario for an enterprise, but an exploitation of that vulnerability may. In some cases, a single vulnerability is required to gain access, while in others multiple vulnerabilities may be used to create an effective exploit. In the case of Equifax, a vulnerability in an earlier version of Apache Struts allowed for remote code execution.[12] NIST deemed this type of vulnerability as critical, and the Apache Foundation patched it and provided an additional workaround.[13] At the time it was patched, it was also added to penetration testing software so that system administrators could test to see if they were still vulnerable to exploitation.[14]

Third, after the initial exploitation, attackers entrench into the system. By entrenching into a system, attackers are discovering more about the network they have penetrated. In this phase, they gain access to additional systems in that network, escalate their privileges so that they have further access, and acquire additional credentials. In the case of Equifax, how attackers entrenched into the system is publicly unknown. However, many instances of Apache Struts run on web servers with default administrative credentials, which may have provided the next step for an attacker to entrench into the system.[15]

[8] Cybersecurity frameworks from these organizations can be found at https://www.cisecurity.org/controls/; https://www.iso.org/standard/54533.html; and http://www.isaca.org/cobit/pages/default.aspx. ISACA was previously known as the Information Systems Audit and Control Association, but now goes by its acronym only.
[9] Information on the Equifax breach is derived from testimony provided by former CEO Richard Smith before the U.S. Senate Committee on Banking, Housing, and Urban Affairs. Richard Smith, “Prepared Testimony of Richard Smith,” testimony, October 4, 2017, at https://www.banking.senate.gov/public/_cache/files/da2d3277-d6f4-493a-ad88-c809781f7011/F143CC8431E6CD31C86ADB64041FB31B.smith-testimony-10-4-17.pdf.
[10] The framework presented in this testimony is based on previous analysis by CRS. Further case studies are available via CRS Recorded Event WRE00157, Cybersecurity: Anatomy of a Breach, by Chris Jaikaran.
[11] Apache Struts is a developer framework which allows for common programming languages, such as Java, to be used to develop user-facing web applications. It is open source software maintained by the Apache Software Foundation, https://struts.apache.org/.
[12] CVE, “CVE-2017-5638,” database entry, at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638.
[13] NIST, “CVE-2017-5638 Detail,” webpage, March 10, 2017, at https://nvd.nist.gov/vuln/detail/CVE-2017-5638. Apache Foundation, “S2-045,” webpage, at https://struts.apache.org/docs/s2-045.html.
[14] The exploitation of CVE-2017-5638 was added to the Metasploit Framework. https://github.com/rapid7/metasploit-framework/issues/8064.

While he was the Chief of the National Security Agency’s Tailored Access Operations unit, current White House Cybersecurity Coordinator Rob Joyce said that “you know the things you intend to have in your network, we look for the things that are actually in your network.”[16] This summarizes the relationship between defenders and attackers. Defenders know what they acquired, deployed and intend to have on their network, while attackers know the vulnerabilities and what else is running on that network. Exploiting vulnerabilities and entrenching into systems takes advantage of this asymmetric knowledge.

Fourth, after gaining access, attackers can then execute steps to achieve their objectives. These objectives could be to compromise the confidentiality of the data by stealing it. Confidentiality is not only compromised by theft, but also by access. This distinction is referred to as exposure versus exfiltration. Data is exposed when an unauthorized party may access it on an entity’s network, but it is exfiltrated when they take it off that network. This relationship is akin to perusing books in a library but only checking out one. All the books are exposed to a patron, but only the borrowed book is exfiltrated. The integrity of data may be compromised by altering the data in a system. Alternatively, the availability of the data may be compromised by deleting it or otherwise making it unavailable (e.g., through encrypting data in a ransomware attack). In the case of Equifax, it appears that over 145 million people had their data exposed, while some had their dispute documents (which contain personally identifiable information) and credit card information exfiltrated.

Finally, the attackers would exit on their terms. After achieving their objectives, the attackers would seek to leave the system so that they may have access again at a later date, or to cover evidence of their activities. Deleting log files, adding connections to network whitelists and creating credentials are examples of activities an attacker would undertake to exit the compromised system on their terms. In the case of Equifax, it is unknown from publicly available sources what attackers did in this phase.

By understanding how attacks occur through such a framework, system defenders could develop defense-in-depth strategies to mitigate breaches. Defense-in-depth is an approach which uses layered countermeasures to defend against cybersecurity risks throughout a network.[17] Countermeasures could be layered to address each phase of an attack so that defenders are quickly alerted to attacks and can take actions to prevent further damage to their enterprise.

Cybersecurity Incident Response

Cybersecurity incident response describes when system administrators seek to confirm the attack, discover information about it, and mitigate against it. The response as described below is from the breached entity’s perspective, and does not discuss government response options. Incident response is not limited to the time immediately following an attack, however. Before an attack, response planning, training, and exercising can occur.
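The five-phase framework in the preceding section maps directly onto layered detection: one countermeasure per phase, so that the alert a responder has to confirm already names the phase it saw. The Python below is an added example written for this page, not code from CRS, Equifax or any vendor. It parses constructed key=value log lines (all hosts are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges) and runs one rule per phase. The exploitation rule reflects a detail the testimony does not quote, that the S2-045 advisory and the NVD entry describe CVE-2017-5638 as remote code execution through a crafted Content-Type header, and it simply flags any Content-Type value that is not a syntactically valid media type. The default-account list and the outbound byte threshold are assumptions to be tuned for a real environment.

```python
"""Per-phase detection rules run over constructed log lines.

Added example for this page, not CRS, Equifax or vendor code. Each rule is one
layer of a defense-in-depth design: it watches for the trace one phase of the
attack framework leaves behind, and tags its alert with that phase.
"""
import re
import shlex
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Alert(NamedTuple):
    phase: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'key=value key="quoted value"' log line; shlex handles the quoting."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


# A syntactically valid media type: type/subtype plus optional ;name=value parameters
# (token characters per RFC 7231). Expression-language payloads such as %{...} cannot match.
MEDIA_TYPE = re.compile(
    r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+'
    r'(?:\s*;\s*[A-Za-z0-9_.-]+=(?:"[^"]*"|[^;\s]+))*$'
)
DEFAULT_ACCOUNTS = frozenset({"admin", "tomcat", "manager"})  # assumed vendor defaults; tune per product
EXFIL_BYTES = 50_000_000            # assumed per-flow outbound threshold for this host class
EXIT_ACTIONS = frozenset({"log_cleared", "account_created", "whitelist_changed"})  # "exit on their terms"


def rule_examine(events: List[Dict[str, str]], min_paths: int = 5) -> List[Alert]:
    """Phase 1: one source requesting many distinct missing paths looks like service discovery."""
    misses = defaultdict(set)
    for e in events:
        if e.get("kind") == "web" and e.get("status") == "404":
            misses[e["src"]].add(e["path"])
    return [Alert("1-examine", f"{src} requested {len(paths)} distinct missing paths")
            for src, paths in misses.items() if len(paths) >= min_paths]


def rule_exploit(events: List[Dict[str, str]]) -> List[Alert]:
    """Phase 2: a Content-Type header that is not a media type at all."""
    return [Alert("2-exploit", f"{e['src']} sent malformed Content-Type {e['ctype']!r} to {e['path']}")
            for e in events
            if e.get("kind") == "web" and e.get("ctype", "-") != "-" and not MEDIA_TYPE.match(e["ctype"])]


def rule_entrench(events: List[Dict[str, str]]) -> List[Alert]:
    """Phase 3: a successful login to an administrative console with a default account."""
    return [Alert("3-entrench", f"login as default account {e['user']!r} on {e['app']} from {e['src']}")
            for e in events
            if e.get("kind") == "login" and e.get("result") == "success" and e.get("user") in DEFAULT_ACCOUNTS]


def rule_objective(events: List[Dict[str, str]]) -> List[Alert]:
    """Phase 4: an unusually large outbound flow, i.e. exfiltration rather than mere exposure."""
    return [Alert("4-objective", f"{e['src']} sent {int(e['bytes_out']):,} bytes to {e['dst']}")
            for e in events
            if e.get("kind") == "flow" and int(e.get("bytes_out", "0")) > EXFIL_BYTES]


def rule_exit(events: List[Dict[str, str]]) -> List[Alert]:
    """Phase 5: log deletion, new credentials or whitelist changes on a host."""
    return [Alert("5-exit", f"{e['src']} performed {e['action']}")
            for e in events if e.get("kind") == "audit" and e.get("action") in EXIT_ACTIONS]


RULES = (rule_examine, rule_exploit, rule_entrench, rule_objective, rule_exit)


def detect(log_text: str) -> List[Alert]:
    """Parse every non-empty line and apply each phase rule; returns all alerts raised."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts: List[Alert] = []
    for rule in RULES:
        alerts.extend(rule(events))
    return alerts


def phases_hit(alerts: List[Alert]) -> List[str]:
    """Distinct phases with at least one alert, in attack order."""
    return sorted({a.phase for a in alerts})


# Constructed log excerpt; every host, address and value below is made up for the example.
SAMPLE_LOG = """\
ts=2017-05-01T10:00:01 kind=web src=203.0.113.7 path=/login status=404 ctype=-
ts=2017-05-01T10:00:02 kind=web src=203.0.113.7 path=/admin status=404 ctype=-
ts=2017-05-01T10:00:03 kind=web src=203.0.113.7 path=/struts status=404 ctype=-
ts=2017-05-01T10:00:04 kind=web src=203.0.113.7 path=/.git status=404 ctype=-
ts=2017-05-01T10:00:05 kind=web src=203.0.113.7 path=/backup.zip status=404 ctype=-
ts=2017-05-01T10:05:00 kind=web src=198.51.100.9 path=/dispute/upload status=200 ctype="multipart/form-data; boundary=abc123"
ts=2017-05-01T10:06:00 kind=web src=203.0.113.7 path=/dispute/upload status=200 ctype="%{(#constructed_marker)}"
ts=2017-05-01T10:20:00 kind=login src=10.0.0.5 user=admin result=success app=struts-console
ts=2017-05-01T11:00:00 kind=flow src=10.0.0.5 dst=203.0.113.7 bytes_out=734003200
ts=2017-05-01T11:30:00 kind=audit src=10.0.0.5 action=log_cleared
ts=2017-05-01T11:31:00 kind=audit src=10.0.0.5 action=account_created user=svc_backup
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert.phase, alert.detail)
```

On the constructed excerpt the engine raises six alerts spanning all five phases. The value of the layering is that a miss at one layer (the exploit rule is blind to a payload that happens to look like a media type) is caught by the next: the default-account login, the large outbound flow and the cleared log are each independent evidence, and together they give a responder the phase-by-phase picture the testimony says incident analysis has to reconstruct.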
Response planning helps an organization think through its risks and how it will respond to those risks, train its personnel on how to respond to attacks, and practice its response to build confidence in staff and management as to the organization’s capability and capacity to manage incidents. For incident response, staff is not limited to just IT personnel. Response planning should also include, among others, communications staff that are able to craft messages to both internal and external stakeholders, legal teams who can help with reporting and compliance requirements, and management and corporate boards who are accountable for the operations of a corporation.

There will be a delay between the discovery of an attack and public notification of that attack because analysis of what transpired will need to be conducted. This analysis will inform the entity of how they were breached and what data or systems were compromised. This type of analysis may be conducted by the entity itself, a business partner of the entity, government response teams and law enforcement. With a variety of potential forensic investigators, determining how they will coordinate in their response and how they will share information among one another is a factor that can be determined during the planning and training phase.

With information on how the breach happened and the extent of the breach, the entity can proceed to mitigate its effects. These two phases need not occur in succession, but may be able to occur concurrently. Finally, the organization can improve its data security and response planning by learning from its efforts and applying the insights gained.

[15] Hector Monsegur, “How to Fight Hackers, with Former Black-Hat Hacker Hector Monsegur,” podcast, October 2, 2017, at https://lifehacker.com/how-to-protect-yourself-from-hackers-with-hector-monse-1819075906.
[16] Rob Joyce, “USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers,” conference talk, January 28, 2016, at https://www.youtube.com/watch?v=bDJb8WOJYdA.
[17] Industrial Control Systems Cyber Emergency Response Team, “Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies,” report, September 2016, at https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf.

Potential Options for Congress

Three options for Congress are presented below to generate discussion. They are not recommendations from CRS. Given time constraints, these options are provided with limited policy discussion and are not exhaustive.

Authorize a Federal Agency to Examine for Information Security

Congress can authorize a federal agency to engage in supervisory examinations of the credit reporting agencies (CRAs) for compliance with the safeguards rule.[18] As an example, the Consumer Financial Protection Board (CFPB) has broad authority to bring enforcement cases against corporations for unfair and deceptive business practices. CRS research could not identify an enforcement case or issued guidance where CFPB sought to address information security. This may be because CFPB has an express prohibition against issuing rules concerning information security and bringing enforcement actions against an entity concerning information security. Instead, the authority to issue a standard for the protection of nonpublic personal information, and enforce that standard, is retained by the Federal Trade Commission (FTC).[19] The FTC issued the safeguards rule in 2002 pursuant to the authority referenced above and is currently seeking public comment on an update.[20]

Instead of engaging with CRAs after a cybersecurity incident, CFPB has the authority to supervise CRAs prior to an incident occurring.[21] Congress could explicitly authorize CFPB to examine CRAs for their adherence to the safeguards rule, as promulgated by the FTC. The dialogue created by CFPB and a CRA could lead to greater understanding of the cybersecurity risk faced by the CRAs and allow CRAs with deficiencies to correct their data security measures prior to referral to FTC for enforcement action. As this is not an activity CFPB currently engages in during an examination, a new program may need to be established in the CFPB to recruit the talent to manage such a technical examination.[22]

[18] 16 C.F.R. §314.
[19] 15 U.S.C. §6801, §6804, §6805.
[20] 16 C.F.R. §314; https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule.
[21] 12 U.S.C. §5514.

Regulate Personal Data Collection and Use

Congress could regulate the collection, use, and retention of data regardless of the type of entity housing that data. The European Union has such a regulation known as the General Data Protection Regulation (GDPR), and Canada is in the process of updating its Personal Information Protection and Electronic Documents Act (PIPEDA).[23] In proactively regulating data, Congress can establish data use requirements. Some of those requirements may include what data may be collected, how data must be stored (e.g., encryption, location, etc.), the consumer’s rights to collection and use of data about them, and under which circumstances data may be shared with other parties. While the United States does not have an overarching law governing data use, U.S. agencies have promulgated guidance on data protection.[24]

Require Data Transparency

Congress could require CRAs, or any entity that profits from consumer data, to identify and disclose their data model to consumers. Disclosure of all elements of the model may not be necessary (e.g., where data is stored). However, some elements such as where data is acquired, how it is used, and what other data the entity generates about the consumer may provide consumers with additional information and affect their decisions in the marketplace. For example, if a consumer knew that a CRA acquired data from a company they have a business relationship with, they may choose to limit their interactions with that company or seek out an opt-out/opt-in form from that business to limit how their data may be shared.

Conclusion

Thank you for the opportunity to testify today. I look forward to your questions. If you require further analysis of these options, or other policy issues before Congress, my colleagues and I at the CRS stand ready to assist you.

[22] Current CFPB examination procedures may be found online at https://www.consumerfinance.gov/policy-compliance/guidance/supervision-examinations/.
[23] http://www.eugdpr.org/; https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/.
[24] FTC, “Protecting Personal Information,” guide, October 2016, at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf.
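The data-model attributes listed under “Cybersecurity and Data Security” and the partial disclosure described under “Require Data Transparency” can be expressed together as one small inventory. The Python below is an added example written for this page, not CRS code and not any CRA’s actual model; every dataset, source, storage location and retention period in it is constructed. It records the attributes the testimony lists, flags datasets that have no retention policy or are past their retention period (the disposal question the model is meant to answer), and produces the consumer-facing subset that omits where the data is stored.

```python
"""A minimal data model ("architecture of the entity's data") with retention and disclosure checks.

Added example for this page, not CRS code; every dataset below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class DataAsset:
    name: str
    acquired_from: str                  # where data is acquired
    data_type: str                      # descriptive type
    file_type: str                      # file type
    uses: List[str]                     # how the entity will use and access it
    shared_with: List[str]              # other parties it is shared with
    stored_at: str                      # where it is stored, accessed and transmitted
    disposal: str                       # disposal method once retention ends
    acquired_on: date
    retention_days: Optional[int] = None                    # None: no retention policy recorded
    derived_from: List[str] = field(default_factory=list)   # data it is generated from


def missing_retention_policy(assets: List[DataAsset]) -> List[str]:
    """Datasets for which the model records no retention period at all."""
    return [a.name for a in assets if a.retention_days is None]


def past_retention(assets: List[DataAsset], today: date) -> List[str]:
    """Datasets whose retention period has elapsed and that are due for disposal."""
    return [a.name for a in assets
            if a.retention_days is not None
            and a.acquired_on + timedelta(days=a.retention_days) < today]


def generated_from(assets: List[DataAsset], source: str) -> List[str]:
    """Other data the entity generates from the named dataset, directly or transitively."""
    out: List[str] = []
    frontier = [source]
    while frontier:
        current = frontier.pop()
        for a in assets:
            if current in a.derived_from and a.name not in out:
                out.append(a.name)
                frontier.append(a.name)
    return sorted(out)


def consumer_disclosure(assets: List[DataAsset], name: str) -> Dict[str, object]:
    """The subset a consumer could be shown: source, uses, sharing and derived data,
    deliberately without the storage location."""
    asset = next(a for a in assets if a.name == name)
    return {
        "name": asset.name,
        "acquired_from": asset.acquired_from,
        "uses": list(asset.uses),
        "shared_with": list(asset.shared_with),
        "derived_data": generated_from(assets, name),
    }


# Constructed inventory for a hypothetical credit reporting agency.
ASSETS = [
    DataAsset("credit_tradelines", "lender-furnisher-x", "account history", "csv",
              ["credit reports", "scoring"], ["lenders"], "dc-east", "secure erase",
              date(2010, 1, 1), retention_days=2555),
    DataAsset("dispute_documents", "consumer upload", "identity documents", "pdf",
              ["dispute handling"], [], "dc-west", "secure erase",
              date(2017, 3, 1)),                                   # no retention policy recorded
    DataAsset("credit_score", "generated internally", "score", "record",
              ["credit reports"], ["lenders", "insurers"], "dc-east", "secure erase",
              date(2017, 6, 1), retention_days=365, derived_from=["credit_tradelines"]),
    DataAsset("risk_tier", "generated internally", "score band", "record",
              ["marketing"], ["marketing partners"], "dc-east", "secure erase",
              date(2017, 6, 2), retention_days=365, derived_from=["credit_score"]),
]
AS_OF = date(2017, 10, 17)   # the hearing date, used as "today" for the retention check

if __name__ == "__main__":
    print("no retention policy:", missing_retention_policy(ASSETS))
    print("past retention:", past_retention(ASSETS, AS_OF))
    print("disclosure:", consumer_disclosure(ASSETS, "credit_tradelines"))
```

Two things the plain list of attributes does not make obvious fall out of the code: a dataset with no recorded retention policy is a finding in itself, and derived data has to be traced transitively, since a consumer asking what the entity generates from their tradelines should learn about the score band built from the score, not only the score.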
Disclaimer

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.