TENS OF MILLIONS of Americans have been affected by the theft of their personal information in the digital age. In a recent major data breach at Target stores, numbers and names were taken from about 40 million customers, and many millions more suffered compromises of other personal information such as e-mail addresses or phone numbers. The victims trusted their retail stores, their credit- and debit-card issuers, their banks, and such security measures as four-digit personal identification numbers to protect their information.
At least the credit- and debit-card system was somewhat understood by those who suffered in the Target scam, which siphoned data from the store card-swiping machines. Who understands the vulnerability of OpenSSL? This is a small piece of incredibly important software that is largely hidden from users. It protects encrypted data on Web sites and is in use around the world. Remember that little padlock you saw when you typed in a credit card number or personal information when making a purchase online? It meant “secure,” or safe, right? Wrong.
Last week, it was discovered that a bug had crept into OpenSSL that could allow intruders to read encrypted data contained in memory, such as passwords or credit-card numbers. The bug has been called “Heartbleed” and could allow attackers to eavesdrop on communications, steal data and even impersonate users and Web services. Computer security expert Bruce Schneier called it “catastrophic” and said that on a scale of one to 10, “this is an 11.” News about the bug has sent people racing once again to protect themselves and change their passwords to avoid further damage or loss.
We’re tempted to say this ought to be a wake-up call, but we have already had so many wake-up calls. To put it bluntly: As a country and as a society, we have come to depend on a vast, interconnected system; if one small part fails, the impact is widespread. As noted in a forthcoming Atlantic Council report, the Internet was created to be based on trust, not security. Finances, news and social media, medical systems, universities, science, transportation, energy flows, national defense and almost anything else you can think of depend on it. Yet we continue to discover that it is vulnerable to theft, intrusion and disruption on an appalling scale.
If a tiny piece of malware could steal millions of credit card numbers at Target, or if a bug could undermine the encryption offered by OpenSSL, then what should we think about whether it is safe or wise to control the electric grid via the Internet? We are living in an age of growing danger but reacting with complacency. The administration unveiled a useful initiative on Thursday, promising that sharing cyberthreat information among companies would not bring on antitrust liability. But this, and President Obama’s other measures, including his voluntary cybersecurity framework, represent only what is doable given a continued lack of consensus in Congress and a failure in the private sector to take all threats more seriously. They are timid measures in the face of an epic heartburn that will be costly for us all.