Hacks and data breaches continue to make headlines—including during the presidential election—but that hasn't seemed to worry consumers, or even many policymakers.
M.S. Krishnan, the Accenture Professor of Computer Information at the University of Michigan's Ross School of Business, says that while security breaches haven't changed consumer behavior, it's time for a cybersecurity summit.
Krishnan, who is also professor of technology and operations and associate dean of executive education and global initiatives at Ross, takes a look at three stories to watch for in 2017:
- Reporting cybersecurity breaches isn't enough. There should be more follow-through on the consumer consequences of a breach.
- People are unlikely to change their online habits despite reports of breaches.
- Expect more calls for a national cybersecurity summit.
Q: There were several reports of hacks, data breaches and personal information exposed in 2016. Why isn't this getting more attention, both from industry and the media?
Krishnan: I think the breaches themselves are getting attention, but what's not getting attention is the impact. We hear about when customer information is hacked from a retailer, but nobody really connects the dots into any outcomes, like how many of those people subsequently were victims of identity theft. I think the story needs to be told of what happens after a security breach because we still don't really know. There needs to be more follow-through and this can be done. Retailers know which customers have been exposed and they can investigate to see if they've suffered identity theft, a lower credit score, etc.
Q: It's suspected that Russia was behind hacking that attempted to influence the U.S. presidential election. Indeed, the U.S. intelligence community says this did happen. Is it time for some kind of national summit on cybersecurity?
Krishnan: The link between hacking and the outcome of the presidential election appeared to be relatively weak initially, as the concern was more about hacking at the polling booths. However it seems that a broader assessment of hacking and information management is bringing new evidence on the impact of hacking. Given the extent to which digital technology has permeated our social and professional lives, it's clear to me that we need to create more awareness and discussion around this topic. We need to have a cybersecurity summit. I'm very worried about the financial infrastructure of the country. So much is stored digitally it raises the risk of a coordinated cyberattack that could freeze the financial system. I'm not against financial technology (known as fintech). It gives people flexibility and saves time and energy. But it does open up more avenues for security breaches and I think this has to be addressed at the national security level. We are already hearing about cases where innocent people are sometimes being duped and robbed with money taken from their bank accounts because they do not understand security related rules. The other great area of concern is the vulnerability of the power grid to hackers.
Q: Have these breaches reached the point where they're affecting consumer behavior? If not, when does it reach that point?
Krishnan: Not really. It will only affect behavior if there's a clear connection between breaches and direct consequences for people. So far I haven't seen that. People, especially those in their later teens to mid-30s, are becoming even more casual about sharing information about themselves. Millennials want personalization, and to do that they have to share information. Again, that opens up more risk and is a reason we should have a national summit on cybersecurity.
Q: Why does it seem that the U.S. does not lead, or cannot lead, in cybersecurity innovation? It seems like we are getting hacked by countries and foreign entities that are at least perceived as less sophisticated than we are supposed to be.
Krishnan: I won't say that the U.S. is not one of the leaders in cybersecurity. We need to understand that in cybersecurity, something becomes news only if there is a break and it is known. There is no publicity when our agencies prevent a cyberattack.
For example, breaking into the iPhone of people involved in the California shooting last year in the face of Apple's reluctance to help in breaking open the phone is one of the very few cases where U.S. law enforcement made one of their successes public. The U.S. is the richest country in the world in terms of resources, influence, knowledge and wealth; hence, the incentives for bad actors breaking into U.S. systems are much greater. The U.S. and Israel have always been among the top countries in cybersecurity software and innovation. Preventing cyberattacks is a dynamic challenge in a race between the attackers, who constantly evolve their methods, and defenders who try to be proactive in their approach. It's also worth noting that some high-profile breaches, like the DNC hacking, came about not because the government wasn't doing its job, but because the organization or its employees were lax. Sloppiness in the policies and procedures and the choice of the systems or platforms to host information can make hacking easy or difficult.