In the days following the Equifax breach announcement I have been talking with many people – clients, family & friends – about what they should be doing to ensure they are prepared for a possibility of their identity being stolen. Across all these conversations one theme became readily apparent: none of the dozens of people I spoke with (myself included) knew much about how the credit agencies operated, despite being highly educated and seemingly well-versed in being both an adult and a working professional. Some of them even work in the finance industry and still had only a rudimentary grasp of the seriousness of the Equifax breach. During one particular conversation, I thoroughly dismayed a colleague by making them aware that with the information stolen in this breach, someone could file a false tax return under their name and that it would take the wronged party quite a bit of effort to undo this fraudulent act. Further alarm was caused by the revelation that this was done through the IRS’s own website, and that this form of identity theft has been around for years.
How many systems do we use that we have no idea how they operate or how to fix them if they break?
To further illustrate this point, key companies and institutions are being hacked, not just because hackers are clever and determined (they are), but also because we, the system users, often don’t understand how things work, and frequently don’t take the time to understand because: (a) it’s hard, and (b) it’s working, so why bother? When this happens, security takes a powder and criminals walk in the door. Case in point: big four firm Deloitte recently announced that it was breached earlier this year. Ironic? Yes, but even more so now that it seems the reason they were breached was that they themselves were lax on security principles presumably espoused by an organization hired to audit security.
Need another example of a big system in wide use but poorly understood, and clearly not secure? Facebook is poised to release data to Congress that illustrates how Russian operators leveraged Facebook’s own advertising engine to exploit the political divisiveness of American culture as well as the ample influence it exerts over the millions of US voters who have been repeatedly bamboozled by fake news and thinly veiled propaganda. Facebook itself has stated numerous times it doesn’t have a good solution to the problem, and even with the integrity of the US democracy at stake, it still doesn’t know the extent of Russian influence in its own advertising space.
What’s my point? There’s an elephant in the room, and in this case, on the internet. We are at the mercy of numerous systems that we have no chance of understanding, and yet we entrust our lives to them. To be fair, we have been doing this for decades: we drive cars we can’t repair, we fly in planes we have no chance of piloting, and we use devices very, very few of us could fix, even with the totality of Google at our fingertips. In advanced civilizations, this is expected and required for us to progress. What we cannot, and must not, do is abdicate our responsibility to be at once skeptical and open-minded about the things we don’t understand. Even if we can’t comprehend how a system works, we should seek to understand how that system impacts the things that are important to us, and take an active role in ensuring that system won’t harm us or the things we care about. If it seems like too many systems have gone off the rails because not enough people cared or understood them to foresee the danger, it might be because some people are actually starting to talk about the elephant on the internet.