Yahoo has confirmed that it is the victim of a cyber security breach affecting at least 500m accounts, perhaps the largest in history. Data breaches of email and social media accounts, retail stores, health insurance companies and even governments are now routine. The lesson to be learnt from the Yahoo breach may be that, when it comes to cyber security, we are not learning the right lessons.
Following major breaches, companies often deflect responsibility by pointing the finger at “state-sponsored actors”, as Yahoo did. Certainly, states do engage in this kind of activity and in some cases leave enough of a trail to be blamed.
But there is also reason to be sceptical of Yahoo’s claim. Presenting breaches as nation-state attacks suggests that there was nothing the company could have done to defend its users. It is better PR to blame a foreign intelligence service than for a company to admit it lacked basic security features. It also puts companies on a stronger legal footing against users who may seek to sue them.
The trouble is that most cyber security breaches, including those by nations, exploit known vulnerabilities, such as cases where a patch was either never developed or never deployed. Most breaches are preventable, yet attacks continue to increase in number and scale. The woeful state of cyber security is, simply, a market failure.
The reasons are numerous and complex. Consumers are unable to make informed judgments about security when choosing where to entrust their information. Companies hesitate to share cyber threat information with industry competitors. Threats are distributed such that the relative probability that any one company will be the victim of a breach remains low. The bottom line is that companies do not have adequate economic incentive to invest in security infrastructure.
Governments must find ways to encourage companies to undertake more responsible practices. One way will be by developing liability mechanisms to impose costs on organisations that fail to protect customers’ data. And where the consequences of cyber security breaches are especially dire — networked medical devices or autonomous vehicles, for example — governments will need to enact robust regulatory standards to ensure safety.