Cyber Defense Review

Our Data is Not Secure

By CPT Blake Rhoades, MAJ Jim Twist | October 28, 2015

Our data is not secure. That is the attitude to take when interacting with providers online or handing over data at a point of sale. We must assume that important personal data will be compromised at some point, and we should therefore be prepared to execute a plan that limits the damage from its loss. According to the 2015 Verizon Data Breach Investigations Report, there were over 2,100 confirmed data breaches (p. 5). These attacks are conducted against the full range of providers we all interact with, including health insurers, financial institutions, educational institutions, and specialty services.

There is an underground economy that supports the theft and re-sale of records in bulk. In our view, data compromise is now pervasive, and we are collectively at increasing risk because the same individuals are exposed in several different breached data sets at once. Consider some of the higher-profile data breaches of the past two years: Snapchat, 4.5 million names and phone numbers; eBay, a database of 145 million users; Sony Pictures; OPM, databases containing 22 million detailed records; Excellus Blue Cross Blue Shield, 10 million records of PII; Scottrade, 4.5 million records; T-Mobile/Experian, 15 million records; UCLA Health, 4.5 million records; Army National Guard, 850,000 records. The list goes on. Think about all the business we do online, large and small. We do not even hear about all the breaches that happen on a continuous basis; the Identity Theft Resource Center (www.idtheftcenter.org) is just one source that compiles them. According to the Ponemon Institute, data breaches cost our economy $1.377 billion, with an average cost of $217 per US record.

While there is a strong economic incentive for the bad guys to steal large amounts of data and use it for fraud or for re-sale on the dark web, there are also strong trends working to our disadvantage in the IT security sector. Here are some of the trends identified by the security company Mandiant in its report M-Trends 2015: A View from the Front Lines. Organizations are reluctant to come forward with disclosure, because public attention compounds the business they lose, and most do not even detect the intrusion themselves: 69% of victims learned of the compromise from an external entity. The median time a malicious actor is present in a network before being discovered is 205 days. That lengthens the window in which we are vulnerable and delays any reaction to the breach. Compounding these issues is organizations' reluctance to upgrade their IT infrastructure appropriately. It is a business decision for them: if they can make more money using old technology, they are far more likely to apply stopgap measures than to modernize and secure their architecture. As the bad actors grow more sophisticated, stealing huge amounts of data becomes child's play, whether it is Personally Identifiable Information, credit card numbers, health records, or fingerprints.

Here are some sobering statistics from a prominent security provider. According to the Norton Cybercrime Report 2011 from Symantec, the direct cash cost of global cybercrime was $114 billion annually; adding the value of victims' lost time brings the total to $388 billion, significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion). The same report counted 431 million adult victims worldwide and found that more than two thirds of online adults (69 percent) had been a victim of cybercrime in their lifetime. Every second, 14 adults become victims of cybercrime, which adds up to more than one million victims every day.

Take the attitude that your data is not secure online. Be prepared to act when you become aware of a compromise, and know who to call before you need to. Use the resources available from identity protection providers, US-CERT, and others to limit your exposure and strengthen your online presence. Phishing remains the number one means of compromising organizations and personal systems. It's your data.
