Congress didn’t just make your data less safe — it has put national security at risk
With last week’s privacy vote, hackers now know where to learn a Senator’s darkest secrets or how to uncover U.S. military personnel travel plans, among other things.
Let’s say a three-star general and career intelligence officer books a trip online from Dulles to O’Hare for a 3-day conference. She scans her inbox and spots an email with the subject line: “Review the itinerary for your upcoming trip to Chicago!” After skimming the body of the email, she double-clicks the attached PDF, at which point sophisticated malware developed by a U.S. adversary’s intelligence organization embeds itself and begins silently transmitting every file stored on the hard drive to a clandestine server, activating a system that monitors her future web and email activities, plus, for good measure, every keystroke she types.
This continues for over a year until the malware is discovered, but by that time the damage is done. The malicious software will have already collected volumes of sensitive information about the general’s family, her movements, as well as scattered bits of semi-classified information. How did the state-sponsored hackers learn of the general’s travel plans? That’s easy: Congress’s decision to roll back the FCC’s prohibition on broadband providers’ collection and sale of customer web histories basically handed nefarious actors a treasure map with a large “X” marking the treasure – in this case, the databases with the general’s private information.
It’s interesting to wonder when online privacy protection will become an issue with consistent bipartisan support, like improving education or ensuring veterans have access to proper healthcare. The prevention of national security threats is one area in which, during normal times, politicians tend to unite. That’s why it was surprising that a scenario like the one described above was never raised throughout the Congressional debates in recent weeks. While it’s true that cybersecurity and privacy issues are often so bound up that it’s difficult to see how one affects the other, in this case it’s clear that the decision to permit the mass collection of consumer behavioral data has grave national security implications. Here’s why.
The most common initial phase of a hacking episode relies on spear phishing, a term used to describe a hacker’s method of fooling a person into opening a malicious file or link. And the key to executing a successful spear phishing campaign is obtaining the information necessary to create the appearance that the hacker’s message originates from a legitimate source.
By allowing Internet service providers to not only collect but also share and sell the web histories of customers, Congress has sanctioned the creation of thousands of databases containing the most valuable spear-phishing ammunition in modern history. For context, in 2015 the U.S. Office of Personnel Management (OPM) suffered a breach that exposed information on government workers like their prior residences and the contact information of friends and family.
At the time, security experts warned that this compromised data represents a “treasure trove” of information with which hackers can launch spear phishing attacks. But the sensitivity of data stolen from OPM doesn’t hold a candle to the information that would be exposed if a broadband provider were hacked and millions of web histories misappropriated. The severity is compounded because, even assuming that the broadband providers themselves cannot be hacked (an assumption that is almost certainly false), any number of entities with which they’ve shared web histories may be compromised. This sensitive information can and will be used against high-value targets, as well as citizens at every level.
Along with guiding hackers to our most private thoughts and valuable data, Congress’s decision also effectively shifted the authority to regulate online privacy into the hands of the Federal Trade Commission (FTC). Appointed by President Donald Trump, acting FTC Commissioner Maureen K. Ohlhausen has publicly stated that she believes market-based solutions to “varying consumer privacy preferences” are the appropriate path forward. In other words, the private sector should create tools to protect the information of privacy-concerned citizens.
This likely means that the rollback will lead to a boom for software companies offering security solutions – an online privacy microbubble. Selfishly, that’s good news for companies like ours that develop privacy protection tools for consumers. Of course, not everyone will take the necessary steps to protect themselves – and they shouldn’t have to.
It will only take one prominent attack using data created as a result of Congress’s recent action to understand the gravity of the decision. Here’s hoping they wake up before then.