Tuesday, February 10, 2015

Claim: Anthem Was Right Not to Encrypt. No U.S. Business Will Be Able to Defend Against Foreign State Attacks

I am not a tech expert, but the sentiments expressed below are exactly what I've been thinking since the news of the Anthem hack.  To wit, what U.S. company can be expected to guard against sophisticated attacks from foreign countries?  It seems highly unrealistic and myopic to me.  The bottom line is that in our digital world, regular data leaks and hacks are just going to be as common as getting spam in your inbox.  It is what it is and we have to learn how to deal with it. But an expectation that it will never happen is just not reasonable. 

This is a very compelling excerpt from Fred Trotter writing at the Health Care Blog
... Anthem was right, and the Internet is wrong. Or at least, Anthem should be “presumed innocent” on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions. ...
Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking. 
When someone uses a gun to threaten a person into handing over both the car and the car keys needed to make that care useless, no one says “well that car manufacturer needs to invest in more secure keys”.
In general, systems that rely on keys to protect assets are useless once the bad guy gets ahold of the keys. Apparently, whoever hacked Anthem was able to crack the system open enough to gain “programmer access”. Without knowing precisely what that means, it is fair to assume that even in a given system implementing “encryption-at-rest”, the programmers have the keys. Typically it is the programmer that hands out the keys.
Most of the time, hackers seek to “go around” encryption. Suggesting that we use more encryption or suggesting that we should use it differently is only useful when “going around it” is not simple. In this case, that is what happened. ...
Anthem has a responsibility, under HIPAA, to ensure that records remain accessible. That is much easier to do with unencrypted data. The fact that this data was not encrypted means very little. There is little that would have stopped a hacker with the level of access that these hackers achieved. Encryption probably would not have helped.
By focusing on the encryption at rest issue, the mainstream press is missing the main story here. If indeed Anthem was targeted by sophisticated international hackers, then there is little that could have been done to stop them. In fact, assuming international actors where involved, this is not as much as failure for Anthem as a failure of the NSA, who is the government agency tasked with both protecting US resources and attacking other nations resources.
As much as the NSA has been criticized for surveilling americans, it is their failure to protect against foreign hackers that should be frequent news. Currently, the NSA continues to employ a strategy where they do not give US companies all of the information that they could use to protect themselves, but instead reserve some information to ensure that they can break into foreign computer systems. This is a point that Snowden, and other critics like Bruce Schneier continue hammer: the NSA makes it easy to spy, for themselves and for others too.
It is fine to be outraged at Anthem and I am sure they could have done more, but I can assure you that no insurance company or hospital in the United States is prepared to defend against nation-state level attacks on our infrastructure. In fact, Anthem is to be applauded for detecting and cutting off the attack that it did find. ...