Episode 22: How Hackers Stole Half of Americans’ Private Information — and Why
The wild story of the ‘worst corporate data breach ever,’ the man who got blamed for it, and the sleuths who figured out who actually did it.
If you're in the United States and sitting next to somebody right now… there's pretty good odds that at least one of you was a victim of this:
ARCHIVAL Newscaster 1: Breaking news from the credit monitoring company, Equifax: Cyber thieves, making off with private information of 143 million Americans.
ARCHIVAL Newscaster 2: The hack could go down as among the biggest ever involving nearly half the U.S. population.
A heist of private data from almost half of all Americans — stolen from Equifax, one of the nation’s biggest credit-monitoring companies. When news of the breach broke in 2017, it was a big deal — largely because of how private all that data is…
ARCHIVAL Newscaster 3: It's your name, Social Security number, birthdate, driver's license, and addresses where you lived. Those who have been jeopardized by this hack will have to protect themselves for years, until they're dead.
The idea that cyber thieves snatched all the information needed to steal the identities of almost half the United States — and Equifax was to blame? This caused a lot of outrage and mockery and outraged mockery.
ARCHIVAL Stephen Colbert: There are things you can do to protect yourself, like set a freeze on your credit so thieves can't mess with it. But last week, people who tried to set up these freezes through Equifax, discovered they had to pay Equifax for the privilege of protecting themselves, so they made you pay them to protect you from them. That's not a credit rating agency. That's the mafia. [CROWD LAUGHS]
ARCHIVAL John Oliver: And that might make you angry. But the problem is that anger won't have much impact on Equifax because they make most of their money selling our data to businesses like banks. So in their eyes, we are not the consumer, we're the product. To think of it in terms of KFC, we are not the guy buying the 10-piece buckets — we're the fucking chickens.
The breach also sparked televised hearings, where the Equifax CEO, Richard Smith, got roasted by members of the U.S. Congress.
ARCHIVAL Elizabeth Warren: The whole thing is staggering.
That’s Senator Elizabeth Warren, turning up the heat on Smith.
ARCHIVAL Elizabeth Warren: Equifax should have the best data security in the industry, and instead, it has the worst, and I wanna understand why.
At the hearings, Smith blamed the breach on a failure to patch a software vulnerability. He blamed that failure on faulty technology and human error… and then he claimed that error came down to the mistake of one single human. That’s right. The CEO blamed the whole fiasco on just one guy. This is how Smith put it:
ARCHIVAL Richard Smith: The human error was the individual who was responsible for communicating in the organization to apply the patch… did not.
Needless to say Congress had a lot of questions about this particular individual.
ARCHIVAL Greg Walden: So does that mean that that individual knew that the software was there and it needed to be patched and did not communicate that to the team that does the patching?
ARCHIVAL Richard Smith: That is my understanding, sir.
ARCHIVAL Al Franken: I guess my question then is why is the security of 145 million Americans' personal information all in the hands of one guy? Why is it all up to Gus? How did you put it in the hands of one guy to screw up?
That's former Senator Al Franken of Minnesota asking that last question. And the name he made up on the spot for the guy — Gus — kinda really caught on.
ARCHIVAL Jeff Flake: What should they have found when Gus failed to…
ARCHIVAL Al Franken: Even if you have two guys behind Gus…
ARCHIVAL Expert witness: Putting a whole patch management system on an individual um…
ARCHIVAL Jeff Flake: The person's name is Gus, I think.
ARCHIVAL Expert witness: I, uh, yes. Yes. Poor Gus. Let's think of him….
Go ahead. Think of Gus. Because, coming up in a few moments, you'll join me in the room with Gus himself.
Graeme Payne: National television, I have just been labeled as the person who caused the breach. And that's, that was like, holy shit. [PAYNE LAUGHS]
You'll also learn how exactly these hackers made off with your social security number — or the one belonging to the person sitting next to you — in what was one of the biggest data heists ever...
Mårten Mickos: Just like a physical heist or a bank robbery or whatever it's all about the planning. Planning your attack vector.
You'll meet the squad of FBI cyber detectives who exposed the cyber thieves…
Chad Hunt: Like the old school Hollywood movies where you've got the corkboard with the thumbtacks and the red string, that's when we started to have some ‘aha’ moments.
And you'll find out how this hack may fit into a vast and colossally ambitious campaign of digital espionage against the citizens of the United States...
Graeme Payne: My guess is it's sitting in a big data lake and they're matching all that information together to play a long game.
And you’ll hear how this titanic data disaster might just be the tip of the iceberg.
Mårten Mickos: We know of, about, nearly 2000 breaches happening every year. There are also breaches we don't know about. We must be ready that they have other information that we are not aware of having been stolen.
I'm Peter Bergen, and this is In The Room.
[THEME MUSIC SURGES, THEN FADES]
You should start by understanding that, when it came to data security, Equifax in 2017 wasn’t exactly Fort Knox.
[PLAYFUL MUSIC PICKS UP]
After the breach, the U.S. Congress released a scathing, 96-page report that lambasted what it called a "culture of cybersecurity complacency" within the company.
The report says that one of the deepest reasons for this complacency was baked into the company's business model.
Credit bureaus like Equifax don't make money by keeping your private data secure. They make money by selling your data to whoever's buying. Often that somebody is a bank, wanting to know whether or not you're financially stable enough to borrow their money.
That's what those comedians were getting at with their chicken jokes:
ARCHIVAL Stephen Colbert: You aren't Equifax's customer, you're Equifax's product. We're all like factory farm chickens going: “I love the free bird seed here. This place has great customer service.”
Equifax grew its profits by hoovering up the data of more and more people and selling it to more and more third parties. During CEO Richard Smith's tenure, Equifax bought up a bunch of other similar companies, each with their own giant databases of payroll, human resources, or consumer debt information — and each with their own legacy computer systems.
Equifax's stock price soared during this time period, but the Congressional report suggested that more effort and more money could've gone toward tightening data security, or upgrading all those old computer systems. This last bit will become important later. But first, I need you to meet Gus.
[MUSIC DROPS]
Peter Bergen: What do you have for breakfast? This is what all sound recordists ask everybody…
Graeme Payne: What did you have for breakfast? You don't say 1, 2, 3, test anymore?
Peter Bergen: Well, you can do that as well, but if you wanna put a sentence together, you say, ‘what do you have for breakfast?’
Graeme Payne: I had a fruit bowl.
It's not gonna shock you to learn that Gus's name isn't actually Gus. In fact, his name is Graeme. Graeme Payne. He was born in New Zealand, eats fruit for breakfast, and by 2017, he was one of several Chief Information Officers in charge of IT teams that ran a bunch of critical computer systems for Equifax in Atlanta, Georgia.
Graeme Payne: Corporate functions, finance, HR, sales, and marketing, so on. I had a team that was managing all those systems, including the dispute portal, which was the system that got hacked in the 2017 data breach.
Peter Bergen: So the dispute portal did what?
Graeme Payne: Under the Fair Credit Reporting Act of 1970, consumers have the right to dispute a potentially erroneous entry on the credit report.
Now I get that delving too much into the abstract details of a credit agency's computer system is gonna make you kinda bored… But hang with me for a minute because there's one thing about the dispute portal that got hacked at Equifax — that's actually sort of funny. This particular system only existed because of ANOTHER moment when Equifax, and companies like it, pissed off lots of other people.
[1960s MUSIC BEGINS]
Back in the late 1960s, before credit was reported as a standardized numerical score, Equifax and companies like it created vast files of information about a consumer or job-seeker's finances.
ARCHIVAL 1960s Newscaster 1: Along with a lot of other information, how long he has worked, where he works, how often he has been fired, how much he drinks…
And the credit companies sold this information to lenders or other businesses willing to pay for it.
ARCHIVAL 1960s Newscaster 1: Sometimes this sort of information is abused. False facts get into the files and it is extremely hard to get them out.
Consumers had no choice about the information these companies gathered, no way to see it, and little recourse if errors in these secret files locked them out of getting a loan or getting hired.
[1960s MUSIC SOURS, FADES]
Consumer advocates complained, and the U.S. Congress listened, holding hearings in 1968.
ARCHIVAL 1960s Newscaster 2: The presence of private and unregulated dossiers on every man, woman, and child in the United States poses numerous and intrinsic threats to individual privacy.
And so the Fair Credit Reporting Act passed in 1970. It's the reason you can request a copy of your credit report and dispute any of the stuff that doesn’t seem accurate.
[MUSIC BRIEFLY INTENSIFIES]
Nowadays at Equifax, these disputes mostly get resolved over the phone or online, through a dispute portal — one of the many systems that Payne oversaw.
Graeme Payne: About a million different transactions were being lodged a month.
Peter Bergen: So, people basically saying, ‘Hey, you've got my credit score wrong,’ went to this dispute portal to file a complaint.
Graeme Payne: Correct, yeah, that's right.
[EERIE, PULSING MUSIC BEGINS]
And parts of this dispute portal system date back to the 1970s. This was the system the Equifax hackers attacked. You can think of it as a complaint department window, cut into the side of the house of Equifax.
And in March of 2017, Equifax got a message saying that a program that the portal used to talk to the Internet had a vulnerability — a vulnerability that attackers might use to stage a break-in. This message was a nationwide mass email alert sent out by the Department of Homeland Security. Essentially the message should have told Equifax that its complaint window had a broken lock.
Not long after getting this message, Equifax ran a scan to see if this vulnerable application was anywhere in its systems. Somehow this scan missed the dispute portal. This was the technical failure that the Equifax CEO told Congress about. And so the lock on that window... stayed broken.
Graeme Payne: The first thing you do as an attacker is, you wanna find that broken lock. Cuz this house has lots of different windows, lots of different locks. So you've gotta kind of scan the perimeter and look around and maybe you even try a few locks. So once you find that one, ‘Oh, this one's broken, got a way in.’ You can now use that, get inside and now you can start poking around.
Besides the hackers themselves, there aren't many people who have as personal an understanding of how this heist went down as Graeme Payne. He actually still talks about it a lot, as a case study, in his current job as a cybersecurity advisor.
Graeme Payne: In the Equifax case, now we go in and we tip toe our way in and we're gonna start looking around and we're looking for places where there'd be a lot of valuable information. And we may not know where all those exist right now, but we're gonna, sit there and we're gonna watch and listen and observe and that gives us indication where we need to focus next.
Once inside, the hackers observed that this dispute portal software, ancient by modern standards, had another big weakness. Current best practices for big corporate software environments keep applications and databases as separated from each other as possible.
But because it was so old and hadn't been properly updated — the dispute portal application didn't follow current best practices… and it allowed the hackers who got inside to easily connect to many, many more unrelated systems within Equifax. Back to the house analogy again, it was like stealing from one unlocked room after another.
Graeme Payne: So after a period of time of kind of watching and listening, they moved across rooms and they actually found a file which had some passwords on it. And then they were able to leverage that to get access to more systems. Go to that room where the most valuable thing is. Maybe it's the bedroom where all the jewels are, right? We go to the bedroom, we find all the jewels, and we grab those, we start taking those out, and we're gonna take a few at a time.
And as it turns out, smuggling the jewels out was pretty easy. That's because there was another hole in Equifax's security. A system that was supposed to monitor digital traffic coming in and out of the company’s systems … hadn’t been updated and stopped working.
Graeme Payne: The equivalent would be like, you have a, a camera focused on your front door, but it's not turned on.
Which meant that the hackers were able to stay inside Equifax's house for 76 days, unlocking rooms, boosting valuables, and hustling them out the front door, with nothing showing up on the surveillance system. Until somebody finally remembered to reactivate that monitoring system.
Graeme Payne: And the camera all of a sudden lit up and, we saw bad things happening. We saw a lot of data being extracted from the system, and that was a red flag.
Peter Bergen: At what point did people start freaking out?
Graeme Payne: Within about another 24 to 48 hours, we started to run some more scans and did some analysis and it looked like, you know, this had been going on for several months, and now we're just starting to get concerned.
Peter Bergen: When did you understand the scale of the breach? I mean, after all, this is nearly half of America's names, birthdates, social security numbers, et cetera, their credit history.
Graeme Payne: Yeah, I think by probably the second week, now I was like, ‘oh,’ um, now I kind of got the ‘oh, crap’ moment.
Peter Bergen: What was this like for you personally?
Graeme Payne: I mean, literally probably the busiest period of my professional life. So at this point, virtually no one knew. We were all sworn to secrecy. We had to sign NDAs. Weren't allowed to tell our families or anything.
Peter Bergen: When it went public, I mean, I think it was fair to say it was a giant shit storm, right?
Graeme Payne: It was, yeah. I had some, some of my team that was at a security conference in San Francisco and when the news came out, they were so worried they covered up their name tags cuz they didn't wanna see anyone, their association with Equifax…. At our downtown headquarters in Atlanta, people were in the streets spitting at employees walking in and out of the building.
Peter Bergen: Wow.
Graeme Payne: It was, yeah, it was pretty bad.
Amid all this blowback, several of Equifax's top executives, including the CEO Richard Smith, took the opportunity to retire. It was a comfortable landing for Smith, who left with a compensation package in excess of $90 million. And one day before Smith was set to testify in front of Congress, the shitstorm… blew back on Graeme Payne.
Graeme Payne: I got called into this office and lo and behold, the chief HR officer and another HR person were sitting there, which, you know, your heart takes a jump. If you’re meeting with two HR people, it's probably not a good thing. [PAYNE LAUGHS] They basically said, look, unfortunately we need to tell you that you’re being terminated effective immediately. And I said, ‘why?’ And they said, because of the investigation we've conducted into the breach. And I said, surely you can tell me more than that. And they said, well, we're not sure what we can tell you. And I said, come on, you owe me more than that. And then they said, well, it was because you didn't forward an email. And I go, what are you talking about? What do you mean? What email? And they said, we can't say anything more. And it all became pretty clear the next day when, um, Rick Smith, who had just retired as the CEO of the company, testified to Congress.
Peter Bergen: Were you listening to this testimony?
Graeme Payne: I watched it. I'd just been terminated, so I had plenty of time. [BOTH LAUGH] Um, I was, I was in my living room watching it on TV, on my couch. The testimony went on a little bit and then he started to get some questions. And so then one of the questions was, ‘so, why didn't the people that were supposed to patch the system, why didn't they patch it?’
Graeme Payne: And he said, well, because the person responsible for forwarding an email about the breach didn't forward the email. And that was when I was going, holy shit, [PAYNE LAUGHS] on national television, I have just been labeled as the person who didn't forward the email who caused the breach. It was mind blowing, [PAYNE LAUGHS] to be honest.
Peter Bergen: Why were you singled out?
Graeme Payne: Well, I was the CIO of the system that got attacked, but I think I was just a convenient scapegoat.
The Congressional report pointed out that the email containing the Department of Homeland Security's warning about the software vulnerability… landed in the inbox of 430 other people inside Equifax. And none of them got fired. The report described Payne's firing as a "gratuitous" “public relations move.”
Graeme Payne: It was a convenient excuse to be able to blame someone probably high enough in the organization to be able to say, we've dealt with that and action's been taken.
Peter Bergen: I had a great former boss who said, the day always begins with a search for who to blame. [BOTH LAUGH]
Peter Bergen: So, there was a Congressional report about the breach that concluded, quote “the data breach could have been prevented” and it blamed, quote “a culture of cybersecurity complacency at Equifax.” Was Equifax complacent?
Graeme Payne: You think about a credit reporting agency. We handled data on a lot of people. It's a lot of really rich data that is very attractive to criminals and others. We were getting attacked 10,000 times a week.
Peter Bergen: Wow.
Graeme Payne: One of the challenges you have as a company protecting your systems is you've gotta be right a hundred percent of the time, and the attacker only has to be right only 1% of the time and find that one hole, that loose latch on a window to be able to get into the house.
Peter Bergen: Yeah.
Graeme Payne: I do think there were areas where we probably put the pursuit of growth and new products and things like that ahead of maybe protecting data. And there were certainly areas where I felt we were underinvesting.
Peter Bergen: That seems a pretty damning assessment given the fact that the whole company is all about people's personal data. [PETER LAUGHS] Right?
Graeme Payne: Right.
Peter Bergen: It's not like, I dunno, I'm trying to, it's not like my neighborhood hardware store, which I mean they're not keeping data that is so personal that it would be a big deal if it was hacked.
Graeme Payne: Right, I mean, security should have been our number one priority. You could say they were complacent because, you know, it was important. It was probably in the top three to five priorities, but it wasn't the number one priority.
[MUSIC SHIFTS]
The people called to come in and solve the crime weren't really interested in who at the company left that digital window unlocked.
Chad Hunt: We're gonna do what we do and investigate the crime, regardless of whether or not you did what you could to protect your house.
That's Chad Hunt, he's in charge of a team of investigators in the FBI’s field office in Atlanta, known as the Cyber Squad.
Chad Hunt: So if you have fallen asleep on the couch and forgot to lock the door and left the windows unlocked, and somebody kinda looked and said, ‘Oh, Peter's asleep.’ And they tiptoed in and took his TV, took his laptop, and took everything out. He should not have fallen asleep and not locked the door. But if he did that, we're still going to come when he calls. Our job as law enforcement is to investigate crimes and find the people who did it.
The Cyber Squad gets called in to solve all kinds of digital crimes: data theft, ransomware attacks, busting online scammers or drug dealers. And — I know — names like Chad Hunt and the Cyber Squad sound like something straight out of a Marvel movie. But character-wise, if Hunt had a comic-book movie analogue, it could only be that really clean-cut federal agent, Phil Coulson, Marvel's most understated badass:
ARCHIVAL Iron Man 2:
Agent Coulson: If you attempt to leave, or play any games, I will taze you and watch Supernanny while you drool into the carpet. Ok?
Tony Stark: I think I got it, yeah.
With his close-cropped hair and button down shirt, I actually think Hunt even looks a little bit like Agent Coulson. But the idea that his squad solving this huge heist might make fodder for Hollywood or TV leaves him bemused.
Chad Hunt: [HUNT LAUGHS] I can't speak for everybody in the Cyber Squad, but a lot of us don't want to be in the spotlight. A lot of the folks like just to do their work, and make a huge impact and go about their lives. So my guess is a lot of them would not want the TV show, but it would certainly make a great episode on a TV show, if somebody else were to go to Hollywood with the story.
Peter Bergen: How did you find out about the Equifax data heist?
Chad Hunt: We spend a lot of time at the FBI and at FBI Atlanta building proactive relationships before something happens. And Equifax was no exception. We had an ongoing dialogue with them, so when it came time for them to notify us, they just called us directly and said, we've had an incident.
Peter Bergen: Did they understand how big the incident was?
Chad Hunt: I think at the time they were starting to get their arms around it.
Hunt said a breach this big was an immediate, top priority for his team.
Chad Hunt: They dropped what they were doing, uh, worked nights and weekends. We had a little mini war room where we had a whiteboard going with, okay, here's where the legal process is, who's responsible for what, here's some of the overlaps happening.
In some other cases, his squad has needed to run out and actually collar criminals as they tried to physically destroy computer evidence.
Chad Hunt: A guy literally threw his laptop out the window and it landed in a tree. There was another case that, again, is not related to this one, where the actors actually decided to burn the laptop.
But in this case, the attackers had worked hard to cover their tracks. There wasn't a name or physical location to stake out or, a guy with a burnt laptop to arrest.
Chad Hunt: They went through, in this case, a whole bunch of different computers, to hide where they were coming from. They don't always think or expect that law enforcement will go to the effort to take a look at what's on that computer. And then they definitely don't think that we'll take a look at the next computer behind that one and the next one behind that one.
Peter Bergen: It sounds like a sort of Agatha Christie, Sherlock Holmes kind of....
Chad Hunt: Oh, for sure. You start eliminating the possible and whatever is left over, however improbable, has to be it.
As the squad kept working away, one particularly improbable aspect of the mystery had everyone asking the same question… Why was none of the data from the breach showing up on the black market?
Chad Hunt: If you're thinking about what you would do with 145 million people's records, you know, their identities. If you had stolen them, my first gut is that this is a criminal act, right? That somebody's gonna steal these and use these for identity theft, they're gonna do a whole bunch of things criminals do with this. So we immediately started to look for this information being sold on the dark net marketplaces, fanned out to the cybercriminal underground to see if any, there was any chatter about this. We just weren't seeing anybody talking about it. We weren't seeing any of the data being sold out there, which is unusual.
Some aspects of this case are still on-going, so there was only so much Hunt could tell us. But he did tell us that to mask their location, the hackers had routed their attack through a sprawling series of servers owned by third parties located all over the world. The Cyber Squad painstakingly requested access to one computer after another in foreign countries and gradually began to connect the dots.
Chad Hunt: We started to see connections. Like the old school Hollywood movies where you've got the, uh, corkboard with the thumbtacks and the red string. Here's a, a computer address that's of interest, oh it showed up here and here and here. There were about 40 of them in about 20 different countries. We'll keep pulling, pulling the threads until we get to what we need to. So as more and more of those metaphorical like red strings started to attach to the thumbtacks, that's when we started to have some aha moments.
Peter Bergen: How did you solve the mystery?
Chad Hunt: We just kept pulling on threads that got us closer and closer to what ultimately ended up being the four, uh, PLA members that we indicted.
Peter Bergen: And what is the PLA?
Chad Hunt: The People's Liberation Army of China.
This discovery — that the Chinese military had done the hack — was a big enough deal that the U.S. Attorney General at the time, William Barr, announced the indictments on TV.
ARCHIVAL William Barr: This was one of the largest data breaches in history.
And Barr also noted that this wasn’t the first big hack from China.
ARCHIVAL William Barr: For years, we have witnessed China's voracious appetite for the personal data of Americans, including the theft of personnel records from the Office of Personnel management. The intrusion into Marriott hotels and Anthem health insurance companies, and now the wholesale theft of credit and other information from Equifax.
None of the hackers charged in the Equifax heist have been arrested yet. So it’s possible, likely even, that they and others are still out there, hard at work.
Chad Hunt: So you can take a look at the OPM breach, the Anthem breach, Marriott. And if you add to that, the data that comes from Equifax, that's a very interesting, rich, data set that you could explore for a variety of reasons.
Peter Bergen: I'm fascinated by the OPM, Office of Personnel Management. Most Americans have never heard of it, but that is the repository of more than 20 million current and former federal employees that the Chinese got access to. And then in combination with this, Equifax, with this very useful information about half the population. Why would the Chinese be interested in this?
Chad Hunt: You can put your hat on and think like a bad guy. Like what would you do if you wanted to recruit somebody? If you wanted to recruit somebody to work for your government? You can imagine looking at people's healthcare information, look at their credit history, look at where they may stay and travel to. If you found somebody who had not so good credit, who might be sick, you know, have a lot of debt. And if you found that, for example, they traveled to certain hotels you could arrange to meet a person there, you know, accidentally bump into them at the restaurant and say, ‘Hey, you look like you're not doing so well today.’ And have a conversation that leads to, like, ‘I bet you could use some money. How would you like to work for us?’ So you can imagine if you're trying to recruit a human to work for you as a foreign government, that kind of data would help you pinpoint some potential targets.
Remember how the Department of Homeland Security sent out that mass email trying to warn Equifax that the lock it was using was broken? The part of Homeland Security that's responsible for doing that now is called the Cybersecurity and Infrastructure Security Agency, or CISA.
Not too long ago CISA's director, Jen Easterly, was on the show. And she talked to me about what this new kind of espionage means for Americans. America’s rivals aren't just hacking the U.S. government, or its employees — they're also hacking private American companies and millions of American civilians. And Easterly says the humongous scale of China's recent hacks suggests they've stopped being subtle about it.
Jen Easterly: It's not a secret, right? They're going after data in our government, going after major corporations.
Peter Bergen: I mean, in a sense the Chinese were being pretty smart. Cause it's one thing to try and penetrate the Pentagon, but, uh, the Office of Personnel Management probably was not particularly well defended. I mean, they're looking for the weakest link at every time, right?
Jen Easterly: Yeah, of course. I mean that one it's a pretty lucrative target.
And Easterly says ultimately the solution is not going to come from just indicting Chinese spies or demanding their government change its ways. Instead, she says more of the burden for security needs to be shifted onto the institutions that actually store your digital valuables: the companies providing you access to stuff like credit, communications, transportation, or healthcare.
Jen Easterly: So the vast majority of all of that is not owned by the federal government. It's owned by the private sector. It's not gonna be sustainable to continue to try and bend the behavior of these actors or to try and arrest them or to get them to adhere to norms. So we have to take a different approach. The first is getting technology companies to build safer tech, to build technology that is secure by design when it comes off the manufacturing shelf. These features should be seamlessly baked in, in the same way that you get in your car and you have the seatbelt and you have the airbags, and you have the anti-lock brakes and the crumple zones.
The second is this idea of corporate cyber responsibility. Leaders need to recognize that they own cyber risk just as they own all types of other risks. We have to have leaders from the top who are embracing this as their responsibility because it's the safety of their clients, it's their reputation. And quite frankly, if you're a critical infrastructure owner or operator, it's national security.
Peter Bergen: And the way to do that is to make CEOs and board members more accountable. This should be front and center of what they're worried about and thinking about.
Jen Easterly: A hundred percent. Totally agree with that. We all have to play a role collectively in our defense.
Easterly's point is not that your private data is specifically vital to America's collective defense. Her point is that China seems to be doing something a bit like what Google Maps does when they take a picture of your house. Google Maps doesn't specifically care about your house. But Google built — and is still building — a map so vast and so detailed that any time anyone wants to find ANY house, there's a picture of it… waiting in the system.
China's giant data heists would allow it to build something like Google Maps… but for human beings, using stolen data about your travel habits, health history, and finances — along with that mother lode of identity data that Graeme Payne got blamed for losing at Equifax.
Graeme Payne: My guess is it's sitting in a big data lake in China, and they're matching all that information together to play a long game.
Your private data is only really a treasure to you. But a reservoir full of the whole country's private data… amounts to a national treasure. One with national security implications. So how do we get companies that are sitting on still more troves of digital valuables to start treating them less like stuff at a flea market and more like assets in a bank?
We spoke recently with somebody whose whole job is helping companies to do exactly that.
Mårten Mickos: I'm Mårten Mickos. I'm the CEO of HackerOne, and we are a company that brings together ethical hackers of the world to help companies find software vulnerabilities so they can be fixed.
Mickos was born in Finland, lives in the United States, and his company oversees a community of what's known as "white hat hackers."
Mårten Mickos: They have the same skill, to dig into systems and find the ways in, but then they act in an ethical manner.
And HackerOne connects these hackers with organizations that want to find out whether the locks on their digital windows are broken. The company often does this by setting up what's known as "bug bounties."
Mårten Mickos: It's an interesting model. We open up our software and invite people to test it, and if they find something that's wrong, we will reward them with money. And the amount of money is a function of how severe the vulnerability is, like what the effect would be if it were to be exploited by a criminal. So you can get a hundred dollars for a find, you can get a thousand dollars, and you can get a hundred thousand dollars for a single find if it is really, really serious to the business.
It’s a helpful enough arrangement that even Equifax has become a customer.
Mårten Mickos: We run a program for them to look for vulnerabilities and fix them quickly so that they cannot be exploited by criminals or any adversaries in the world.
So to people like Mickos, the title "hacker" isn't a bad one.
Mårten Mickos: Hackers are the ones who have a curiosity about how systems work, who are trying to figure out and outsmart systems and understand them. And that is why they are so well equipped to find the deficiencies of systems as well.
One fundamental deficiency that particularly irks Mickos is the peculiar American phenomenon of making Social Security numbers the key to identity.
Mårten Mickos: We have a weird situation in my mind, that we see the social security number as a secret code, like a password to your identity. And I think it was a mistake to let it become that. It should have been devised as just an identifier that anybody can share with anybody because it just tells who the person is, but it doesn't reveal anything about the person. Then at some point, government agencies and others started using it as a password. And it leads to a lot of side effects where it's expensive to protect it.
Expensive and — now — maybe pointless. After the Equifax breach, it’s probably safest to assume that your Social Security number is compromised. Which leads us to another fundamental cybersecurity deficiency Mickos wants to fix. He says private companies sitting on huge troves of your digital valuables simply don’t have enough incentive to keep your stuff safe.
Mårten Mickos: We have chosen a society of capitalism and we have companies that strive for the greatest profits and greatest growth. And that is what Equifax did. So in a way, you could say they were rational. They were looking to maximize profits and spending as little money as they could. Many now consider this situation where government needs to step in with mandates, and say, ‘you have to take good care of cybersecurity, otherwise you're not allowed to operate in this business.’ And this is how society has dealt with dangerous chemicals, with pharmaceuticals, with nuclear and other energy forms. In the world of software, it is so new, we are so new to it that society hasn't figured out how to govern it and regulate it in a proper way. I think we all can agree that consumers cannot carry that burden themselves.
You aren't expected to carry the burden of making sure that the bank holding your life savings is safe from thieves — there are laws for that. Mickos thinks similar regulations need to cover the keepers of your digital valuables too.
In the wake of what Wired magazine called the "worst corporate data breach ever," Equifax says it's gotten religion. It voluntarily spent $1.5 billion on improved security, brought more than 600 cybersecurity specialists on staff, and overhauled its management structure so that the chief information security officer reports directly to the CEO.
But Mickos is saying this kind of stuff shouldn't be voluntary. He also thinks the culture of data-rich companies needs updating. Mickos says there's a tendency in these companies to frame data breaches in terms of all the other attacks that they did repel. Remember how Graeme Payne of Equifax described it:
Graeme Payne: We were getting attacked 10,000 times a week.
... and that needs to become a thing of the past.
Mårten Mickos: I don't want to dismiss anybody who was on the defense team at Equifax. But let's remember that the nature of software is that whatever you do once, you can do a million times at the same time. So having a million attacks or a gazillion attacks isn't news in itself. Pilots need to stay in the air all the time until they land, and the plane has to come down because they're landing it and for no other reason. And that needs to happen their whole career, and for most it does. We know of nearly 2,000 breaches happening every year. There are also breaches we don't know about. Let's be clear. There could be a nation state that has infiltrated some database that we didn't realize. So we must be ready that they have other information that we are not aware of having been stolen.
Which is why Mårten Mickos thinks we should expect all major nations are doing something along the lines of what China’s doing.
Mårten Mickos: We must assume so. Whether it's true or not, we must still assume so. If somebody came to me and said, ‘Mårten, I can prove that there's no nation state actors in the whole world,’ I would say, ‘Okay, that would be great. I will still be prepared.’
Take it from a guy who, like everyone in Finland, knows plenty about preparing for the worst. The Russians have invaded Finland twice in the last century. Just like every adult man in Finland, Mickos was conscripted into a military that stands ever ready to defend against the next time.
Mårten Mickos: I'm an officer in the reserve of the Finnish navy. They made me a mine layer officer, which is something I had no particular interest in, but that's not the point.
The point is, in the physical world, doing the hard, boring work of preparing for existential threats has to be taken care of before you can go on with the rest of your life. Mickos says that we live in a world where cyber threats are no different. They’re existential.
Mårten Mickos: And when you face that reality, then you can do your military service or your cybersecurity service, and you know it's for a good purpose. And when a really bad breach happens, you are not taken by surprise. In order to have a calm and wonderful, peaceful life, you have to prepare for some really bad things.
###
If you’d like to learn more about the issues we discussed in this episode, we recommend Dark Territory: The Secret History of Cyber War by Fred Kaplan. It’s available on Audible.
And, I’ve got a favor to ask: if you enjoy listening to In the Room with Peter Bergen, please tell a friend. And take a moment to give us a nice rating — or maybe even write a kind review — on your favorite podcast app.
CREDITS:
IN THE ROOM WITH PETER BERGEN is an Audible Original.
Produced by Audible Studios and FRESH PRODUCE MEDIA
This episode was produced by Erik German, with help from Luke Cregan.
Our executive producer is Alison Craiglow.
Katie McMurran is our technical director.
Our staff also includes Alexandra Salomon, Laura Tillman, Holly DeMuth, Jamila Huxtable, and Sandy Melara.
Theme music is by Joel Pickard.
Our Executive Producers for Fresh Produce are Colin Moore, Jason Ross, and Joe Killian.
Our Head of Development is Julian Ambler.
Our Head of Production is Elena Bawiec.
Eliza Lambert is our Supervising Producer.
Maureen Traynor is our Head of Operations.
Our Production Manager is Herminio Ochoa.
Our Production Coordinator is Henry Koch.
And our Delivery Coordinator is Ana Paula-Martinez.
Head of Audible Studios: Zola Mashariki
Executive Vice President, Head of US Content: Rachel Ghiazza
Head of Content Acquisition & Development and Partnerships: Pat Shah
Special thanks to Marlon Calbi, Allison Weber, and Vanessa Harris
Copyright 2023 by Audible Originals, LLC
Sound recording copyright 2023 by Audible Originals, LLC