Privacy

Jarrett Kolthoff | May 20th, 2020


The four individuals who were identified and indicted by the Trump Administration in relation to the Equifax breach from 2017 are yet another example of the overt collection efforts by the Chinese government to steal Americans’ sensitive personal information and privacy. The openness of the U.S. government to share these examples should help bring the reality of cyber threats to the forefront in corporate boardrooms and research universities. I would like to highlight that these particular attacks were conducted for a different goal – espionage.

Silent War on Privacy

As a former Special Agent in U.S. Army Counterintelligence, I understand there are profound and far-reaching implications of these carefully coordinated and expertly executed cyberattacks. It’s a known fact that nation-state bad actors aren’t just exploiting American companies for their own financial gain; the attackers are digging for information that they will almost certainly use to put lives at risk.

The DOJ announcement publicly cited what we in the industry have known for a long time: China has carried out successful, elaborate and potentially ongoing cyberattacks against American citizens for some time. The compromised information was never specifically seen on the Dark Web or sold by known cybercriminals. That points to a nation-state, both because of the sophistication and secrecy of the attack and because the attackers’ motive was not financial gain.

The scale of this incident is a terrifying reminder that American companies and organizations cannot passively sit back and assume their liability is limited to their bottom line. A foreign government now has the personal information of nearly 150 million Americans. This includes known habits, medical records, complete financial history and facial recognition that would allow the Chinese government to monitor the location and activity of an American visiting that country, or any online activity via social media. This information can be extremely useful in influencing campaigns and elections – and the policy implications thereafter.

Private datasets continue to contain more invasive information on individuals. In most cases, this data is collected without explicit authorization. It’s particularly troubling that companies like Clearview AI are collecting and selling similar types of data to dozens, if not hundreds, of American corporations, law enforcement agencies and foreign governments. A breach or disclosure to a hostile government of this kind of information doesn’t represent a minor inconvenience for victims, as might be the case with a credit card number. Access to these comprehensive datasets can result in a severe breach of consumer privacy, making it impossible for an individual to remain anonymous. If companies and organizations accept such potentially invasive data, they must also accept their position as being on the front lines in the battle for data security and keeping Americans’ private lives private.

The combined compromised datasets of the Anthem, Marriott and Equifax breaches, along with others, greatly assist nation-states in identifying vulnerable individuals who are likely targets within American organizations. These could be employees with high debt, with a hidden past, and/or who can gain physical access to your internal network – people the agent handlers can recruit through pressure tactics, putting even more information and people at risk. This is the cyber equivalent of “spotting and assessing” for source-targeting and for identifying U.S. personnel operating overseas.

When cyber espionage becomes part of the conversation – as I know from my time as a counterintelligence agent and now working with corporate America – the issue becomes one of national security that can endanger America’s competitive advantage. American corporations, alongside U.S. intelligence agencies, are primarily responsible for protecting and defending our most critical national assets.

The Department of Justice absolutely did the right thing in taking a more aggressive posture against a nation-state for its attack on our national security and in unmasking the individuals and governments behind it. My hope is this is just the first of many steps the U.S. will take to protect American lives and corporate intellectual property from this active cyber warfare activity by adversarial nation-states.

The Equifax breach, and numerous others, were terrible events. Now that the stakes of this issue are becoming clearer to more Americans, we can use these as a cornerstone to reinforce a commitment to privacy and data security and ensure American companies and universities take the right steps to protect their information at all costs. This is a “clarion call” for Board Members and Chief Executives to demand more to protect the information for which they are responsible. It is a matter of national security.


Frequently Asked Questions

What specific measures can individuals take to protect their privacy in the face of increasing surveillance by U.S. corporations?

Individuals can take several measures to protect their privacy, such as using a virtual private network (VPN) to encrypt their internet traffic, adjusting privacy settings on social media accounts, using privacy-focused search engines, and being cautious of what personal information they share online.

How do U.S. corporations justify the collection and use of personal data without explicit consent from individuals?

U.S. corporations often justify the collection and use of personal data without explicit consent by claiming that they have legitimate business interests or that individuals have implicitly consented by using their products or services. They also argue that collecting data allows them to improve their products and services, provide targeted advertising, and prevent fraud.

Are there any regulations or legal frameworks in place to hold U.S. corporations accountable for violating individuals' privacy rights?

Yes, there are several regulations and legal frameworks in place to hold U.S. corporations accountable for violating individuals' privacy rights. These include the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Federal Trade Commission (FTC) Act, which prohibits unfair and deceptive practices. However, enforcement of these regulations can vary and may not always result in significant penalties or consequences for corporations.
