A number of recent, high-profile data breaches and cyberattacks on U.S. digital infrastructure, networks, and critical infrastructure have made data privacy top-of-mind for the federal government. In light of recent attacks, including the SolarWinds breach, the Colonial Pipeline breach, and the very recent Kaseya breach – on Independence Day, no less – data privacy, along with the security and protection of the digital repositories and networks that house that data, has recaptured the federal government’s attention.
This is reflected in the recent cybersecurity Executive Order from the Biden Administration, which dictates that federal government agencies must not only regulate how they collect, preserve, and share sensitive data, but also how they protect data against cyber threats.
The GovCyberHub recently sat down with IBM Security’s Cynthia Luu, Senior Product Marketing Manager supporting data privacy, to discuss how cybersecurity professionals can securely share and store sensitive data, and how federal government agencies can implement zero trust architectures to prevent and protect against data breaches.
GovCyberHub (GCH): Data privacy legislation has, for the most part, been left to the states to sort out. Out of 29 state bills that have been proposed, only four bills have been signed into law. If states maintain this slow drip pace, are Americans at risk of being outpaced by the growing sophistication of malicious threat actors? Will there be a point when federal government intervention is necessary?
Cynthia Luu: The short answers are, “Yes, and yes!” Data is the world’s fastest-growing commodity. The ongoing digital transformation is rapidly accelerating the volumes of data shared online and businesses are finding new and innovative ways to monetize personal data. The Equifax data breach exposed the personal information of 145 million Americans and was further evidence that personal data is a very valuable asset that is frequently targeted by bad actors.
IBM experts have often remarked that personal data is a gold mine, both for legitimate businesses and for criminal enterprises.
Most would be surprised how two to three seemingly innocuous pieces of personal data can track and identify someone with a very high degree of accuracy. The current data collection and sharing practices threaten American safety and erode the general sense of private information. In fact, most Americans have given up on the concept of “privacy,” which is a dangerous proposition for our country.
However, federal law could establish the framework for personal data collection, sharing, and protection. The law often takes years to catch up but, unfortunately, we don’t have that luxury. The inability to protect personal data threatens our physical safety as well as our digital identities. Federal privacy law is one of many core measures that will hold companies accountable while we continue to keep pace with the digital revolution. The objective of federal intervention is to foster free enterprise without eroding civil liberties, all while protecting Americans from threats and attacks from bad actors. A tall order indeed, but one the federal government can fulfill.
GCH: This year marked the third anniversary of the EU’s adoption of the GDPR, one of the most comprehensive data privacy regulations in the world. Three years later, what has the reporting revealed about GDPR’s implementation, compliance, and effectiveness? What’s worked?
Cynthia Luu: GDPR put organizations on notice that the status quo of “we are sorry and here is a free service for a year or free product as consolation” was no longer going to be tolerated. IBM experts have seen this shift, and it is really impacting how seriously data privacy is being taken throughout the entire industry.
GDPR has elevated data privacy to the attention of the C-Suite. Organizations used to keep as much personal data as they could collect. Now they are asking if the benefits of keeping sensitive data are worth the risk. There has been an increase in funding and the creation of privacy offices to handle GDPR requirements.
GCH: What hasn’t worked?
Cynthia Luu: It’s not a shortcoming of GDPR, but sensitive data is still stored in too many places. It may seem obvious, but our experts often warn organizations that they need to stay on top of their data storage solutions, especially when legislation like the GDPR can hold them accountable for breaches.
Organizations cannot protect sensitive data if they do not know where the data is in their system.
GCH: Would the U.S. benefit from a single-standard approach to data privacy, similar to the GDPR? Or do the data privacy needs of the American people require a more tailored framework?
Cynthia Luu: There are 50 states, D.C., and five major territories that could all enact their own data privacy regulations. But it could be a nightmare for regulators, courts, and organizations to reconcile and enforce 56 different sets of privacy regulations. Though a single-standard approach for the U.S. could be more efficient for all organizations, it may be many years until a federal privacy law appears.
After the California Consumer Privacy Act (CCPA) passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The CCPA itself has been updated by the California Privacy Rights Act, with additional privacy protections, passed in November of 2020. Until a federal law emerges, our experts urge organizations to consider adopting the most stringent U.S. state legislation signed into law to be prepared for any federal law that passes.
GCH: In 2020, the U.S. experienced one of the largest data breaches in history, with massive cyberattacks on SolarWinds, Microsoft, and VMware. What can federal government agencies do to prevent data breaches from occurring on their systems? What data security solutions or applications does the federal government implement to prevent, detect, and respond to these types of attacks?
Cynthia Luu: The recommendation is to adopt a data-centric zero trust approach, and IBM is both providing guidance and facilitating strategic decisions with our clients on improving their zero trust posture.
Specifically, regarding data breaches, organizations need to focus on data at rest in large, well-organized structures or unstructured repositories, as these are the primary targets of bad actors.
Key to protecting data at rest are: first, having a classification scheme and clear data ownership, and second, having robust capabilities for sensitive data discovery and classification. The latter has been a challenge historically because of false positives and keeping track of data as it moves. However, this can be addressed with modern classification capabilities that are more efficient and an approach that is incremental based on classification.
To put it all together, IBM experts recommend agencies utilize endpoint protection, two-factor authentication, pen testing, data encryption, and network segmentation solutions to prevent breaches. They also must continuously scan systems for sensitive data and implement database and file system protection on the databases and repositories that contain sensitive data.
GCH: How would government agencies benefit from adopting zero trust architectures for their data privacy systems and initiatives?
Cynthia Luu: Zero trust can be a data-centric approach. Improving zero trust posture and implementing policy enforcement points close to data at rest will inherently strengthen data privacy by reducing inappropriate use of data by unauthorized actors.
While it is incredibly useful, I’d be remiss not to emphasize that zero trust is not a product or any one thing; it is just a framework. A zero trust approach aims to wrap security around every user, every device, every connection – every time. With a secure-first mindset, any agency would benefit and stay out of the headlines.