Canadian Cyber Security Journal
Filed under: TechTalk

How not to spend the new $2.5 billion cybersecurity budget

As the Biden administration’s first year in office moves into the rearview mirror, the political headwinds facing spending plans are mounting. However, while much of the spending inside the “Build Back Better” legislative framework is proving to be politically divisive, one area which gets rare bipartisan support is the need to bolster our nation’s cybersecurity efforts. Based on the commitments outlined within the infrastructure bill and aspects of the Build Back Better Act, federal security spending will see a boost of almost $2.5 billion going forward.

With our nation’s federal agencies facing an increasingly existential threat from cyberattacks, this is fantastic news for Americans, but it does come with an important caveat. More spending does not necessarily equal better security. As they work to secure our nation’s digital infrastructure better, federal organizations must not waste billions of taxpayer dollars on reactive cybersecurity solutions that, in the private sector, have left many organizations with less security and more complex tools to manage.

Instead, spending needs to go towards proactive security measures that stop attacks from happening in the first place. One element of this more challenging but ultimately vital goal involves fighting personalized security threats by securing personally identifiable information belonging to federal agency staff and contractors.

PII is already driving the majority of cyberattacks. The practice of customizing phishing emails to specific individuals using PII, such as their names, job titles, and personal contact details (aka “spear-phishing”), is behind at least 70% of government breaches and upwards of 90% of all cyber attacks. It is also the likely cause of some of the recent past’s most notorious and nationally disruptive attacks, including the Colonial Pipeline hack.

While it is widely known that an immense quantity of private information is flowing into the hands of a small number of tech companies, the fact that a similar volume of equally personal information ends up in the hands of third parties, including cybercriminals, through data brokers, is less well recognized. Although there is a groundswell of legislation protecting individuals in some states and jurisdictions, federally speaking, PII receives scant protection. As a result, a multibillion-dollar industry has sprung up, known as data brokerage, to exploit the easy accessibility of Americans’ PII.

Data brokers do not necessarily intend to increase the risk of organizations falling victim to cybercrime. But they do so nonetheless, thanks to the way that their business model works. Data broker firms, namely companies like Experian, Equifax, Acxiom and Epsilon, scrape PII data from sources such as social media pages, voter records databases and other public registries. This information, which typically includes people’s names, marital status, home addresses and work emails, is then collated into profiles that are offered for sale to third parties. Acxiom alone holds information on more than 500 million individuals and conducts more than 50 trillion “transactions” per year.

A data broker’s ideal customer is any organization looking to better target offers to customers, but unfortunately, brokers rarely vet or audit how the information they provide is used. As a result, nothing stops this information from being weaponized within social engineering scams or matched to information obtained on the dark web to crack passwords and gain direct malicious network access.

In response, federal organizations need to bolster data privacy among their staff and contractors, making PII security a priority through training and equipping staff with tools to reduce their PII exposure automatically.

An urgent issue

With Americans inadvertently placing more of their information online than ever, stopping the compounding phishing risk this creates for federal agencies is an urgent task. Between 2019 and 2021, DeleteMe noted that the amount of client PII available on data broker websites grew by 150%. As a result, before federal agencies spend billions of dollars bringing their cybersecurity defenses up to speed, they need to assess whether their staff and contractor PII is putting them at risk.

Enjoy this article? Don’t forget to share.