Opinion - The Cambridge Cyber Summit

Here’s what went wrong for Equifax in those first 48 hours

John Carlin and David Newman
Key Points
  • The Equifax data breach was massive by any measure 143 million consumers were affected, which is nearly half of the U.S. population.
  • The breach included Social Security, driver's license and credit-card numbers.
  • There are a few key lessons here: Speed is of the utmost importance in responding and the response should never be part of the problem.
Here's what went wrong for Equifax in first 48 hours
Here's what went wrong for Equifax in first 48 hours

Once you got over the initial horror of Equifax's colossal data breach last week, the most surprising thing about the news was how unsurprising it really was.

While massive by any measure — the 143 million affected U.S. consumers represents nearly half the U.S. population — the Equifax breach, which included names, dates of birth, Social Security numbers, and (in some cases) driver's license and credit-card numbers, doesn't even rank among the three largest in recent years. Americans, unfortunately, are getting used to data breaches that involve populations equivalent to entire countries or even entire continents.

Homeland Security Advisor Tom Bossert and Palo Alto Networks CEO Mark McLaughlin headline the Cambridge Cyber Summit on Oct.4 in Boston. Click here for more information and tickets.

Equifax, though, seems to have made its own situation worse, spawning headlines such as "Equifax breach response turns dumpster fire." And that's where the most salient lesson for modern companies lies: Equifax learned the hard way that, in a data breach, there are always two potential scandals: the breach itself, and then the company's response.

The Equifax event offers pointers on both.

In a statement that was sure to be closely parsed, Equifax acknowledged the sheer scale of the breach and that the company had first discovered the breach on July 29, more than a month before going public. The company's stock is down 20 percent since the announcement.

It was hard to miss the irony, as many news reports pointed out, that the breach happened at a firm whose core business includes safeguarding sensitive personal information and selling credit monitoring services to customers whose data are exposed. That critical narrative was likely unavoidable—even as we still don't know exactly how the breach occurred, so it's hard to assess just how sophisticated the attack against Equifax was—but the reality is that, in today's threat environment, no business should consider itself immune from being hacked. That's why it's so important to have a well-considered response plan; and why companies in the future will learn from what Equifax did wrong.

The way this story played out in the first 48 hours offers important cautionary advice.

  • Lesson #1: The importance of speed. These types of major incidents require companies to sprint to a public response. Equifax is taking criticism for waiting six weeks to go public about the breach. It is too soon to know what considerations led to the delay. There are often sound reasons to get greater clarity about the incident, stop the intrusion, and mitigate the threat before going public—and six weeks may not actually be that long for an incident of this scale. But delaying notifications longer than necessary may expose customers to further harm and run afoul of a patchwork of breach notification laws across the U.S. and internationally. Waiting too long may also create additional risks and give rise to unanticipated headaches on new fronts. Consider the scrutiny being given to shares sold by Equifax executives in the time period after the date on which the breach was detected.
  • Lesson #2: The response should not add to the challenges. Equifax did a lot of things right in the wake of the incident, including offering credit monitoring services to every American and opening a dedicated call center to address concerns. But the company's initial offer to provide credit monitoring services drew immediate criticism from regulators and on social media because the process for signing up appeared to include a waiver on participation in a class action suit and consent to binding arbitration of any disputes related to the breach. (The company subsequently posted an FAQ that sought to reassure consumers that the language at issue would not be used to "limit [their] options" related to the breach.) The company also raised eyebrows because of security concerns regarding the site it created for consumers to learn if their information was affected. While too soon to assess the merits of these criticisms, it seems clear that the company was not expecting to have to issue a public defense of these actions and was caught flat-footed at the worst possible time.
  • Lesson #3: We need more secure identities online. There's also a lesson in the Equifax breach for our entire modern society: We need a better way to prove who we are online. Too often, the information exposed in the Equifax breach is all that is needed to unlock an account or to reset a password. We need to put an end to the days of relying on a limited universe of personal information to authenticate customer accounts. That information is simply not secure. In the near term, this will mean greater use of two-factor authentication (which is already offered by many major companies) so that even someone in possession of your personal information can't compromise your accounts without also gaining access to your phone or email account. But with sophisticated attackers already developing workarounds for two-factor authentication, we need to start shifting toward contextual approaches that validate access based on factors too diverse and subtle to be mimicked.
  • Lesson #4: Cybersecurity is a necessary investment. The Equifax breach shows—again—how central cybersecurity needs to be to any company that transacts business online. Nearly every week brings us another example of a company that has seen its core functionality undermined by a cyber attack; either a directed attack, which is apparently what happened to Equifax, or a scattershot incident, like the ransomware and malware that shut down parts of the operations of Maersk, the global shipping giant, for weeks and cost it upwards of $200 million. When it comes to cybersecurity, prevention is important—but so is resilience.

How can companies put themselves in position to move faster but also better? And how can they make sure that they take account of the latest developments in the field? It starts with developing a plan that is clear-eyed about weaknesses and vulnerabilities and informed by lessons learned from past incidents. From there, companies should test their plan regularly with the executives who will have to implement it and make it work. This preparation cannot be limited to taking the paper plan off the shelf and reading it over once year in a dimly lit conference room. Preparation must incorporate real-world exercises at which communications, legal, IT, and senior management executives are faced with the same kind of wrenching decisions and partial information that would be present in a real crisis and struggle with how to respond. And because government can help in these types of incidents, the preparation should also involve advance outreach to regulators and law enforcement who may be involved in an actual event. Companies should know who to call immediately if they suffer a breach, both inside and outside.

This may all sound like obvious advice, but a recent survey my firm conducted found that over 90 percent of companies do not consider themselves well prepared for a crisis, and even those that have a plan either lack key components or do not test those plans frequently enough to know whether they would actually work. Most businesses still don't invest in security at the level they should, given the risks they face. Even after years of increasingly high-profile—and even destructive—attacks on companies and governments across the world, too many organizations don't have a good plan for what happens if they become the target.

It should be clear by now — if it wasn't already — that there is no moat wide enough or wall high enough to prevent these incidents from happening. To acknowledge that, however, is not to say that there is nothing companies can do to mitigate the risk. Boards across the country saying "There but for the grace of God" should start asking questions now.

If they wait until the crisis hits, they won't like the answer.

Commentary by John P. Carlin and David Newman. Carlin was the assistant attorney general for the U.S. Department of Justice's National Security Division (NSD) and served as chief of staff and senior counsel to former FBI Director Robert S. Mueller, III, where he helped lead the FBI's evolution to meet growing and changing national security threats, including cyber threats. He currently chairs Morrison & Foerster's global risk and crisis management group and co-chairs its national security group. He is also the chair of the Aspen Institute's Cybersecurity & Technology Program and a CNBC contributor.

Newman is a former special assistant to the president, associate White House counsel, and director on the National Security Council staff. He is currently counsel at Morrison & Foerster LLP, where he represents clients in a wide variety of national security and global risk and crisis management issues.

For more insight from CNBC contributors, follow @CNBCopinion on Twitter.