- While the US Justice Department has concluded that the Chinese military hacked into the credit-reporting service Equifax, it was the broken US political system that made such a hack possible.
- A combination of lobbying and ideological inflexibility has made it impossible for Congress to pass good federal privacy and cybersecurity legislation.
- Americans are electing politicians who let other countries steal our stuff. And some people seem fine with that.
- This is an opinion column. The thoughts expressed are those of the author.
- Visit Business Insider's homepage for more stories.
Sure, according to the Department of Justice, Chinese military hackers broke into the credit-reporting service Equifax in 2017, stealing the personal data of millions of Americans in one of the worst security breaches ever. According to the DOJ's complaint, they did this by exploiting a weakness in the dispute-resolution website within Equifax's system.
That alone, of course, is troubling. But what's even worse is that it was American corruption that made the whole thing easy.
You better believe China is trying to steal your stuff
China doesn't just use its military to steal trade secrets. It also uses it to steal anything that could be used to put pressure on a US citizen. It's accused, for example, of stealing personal information belonging to millions of government workers back in 2015. Chinese authorities put a lot of stock in surveillance, as evidenced by the massive surveillance state they've set up in their own country. They believe data is power.
This is why it is so upsetting that the US government has been so feckless when it comes to protecting our data. For years tech companies have been lobbying against privacy and cybersecurity legislation on a federal level. And that - combined with a Republican Party captured by a near-religious anti-regulatory mania - basically left a key under the mat for the Chinese military to walk right in and loot an American company.
What's more, corporate carelessness in data-breach situations basically goes unpunished, so there's no deterrent for stupid behavior. Equifax's stock took a hit after it announced the hacking (two months after it happened, I might add), but it has since fully recovered and then some. The breach was a blip.
The stock and the company also powered through a $575 million settlement with the Federal Trade Commission last July. And in the quarter following the announcement of the breach, Equifax reported quarterly revenue of $875.7 million, up 5% from the year before. The company made more money in 2018 than it did in 2017, and it made more in 2017 than it did in 2016.
No harm, no foul, no incentive for corporations to review their behavior when it comes to security.
The same thing happened when Facebook paid a $5 billion fine for its privacy violations. The quarter before the fine was announced Facebook made $15 billion in revenue and had already set aside $3 billion for the fine. If the government wants companies to change their behavior, maybe it should mete out some punishments that actually matter.
So it goes
Privacy and cybersecurity laws in this country are a mess, and that makes it easier for companies to be careless with our data. States have a range of laws requiring companies to report security breaches at a certain time, require the implementation of data-security measures, and allow state attorneys general to seek damages and monetary remedies.
And when those laws get tough, like the California Consumer Privacy Act, tech companies - and yes, Equifax will tell you it's a tech company - go into hyperdrive trying to weaken them. They do this, in part, by narrowing what qualifies as personal information, thus restricting when and for what consumers can invoke their rights to retribution or legal protection.
On the federal level cybersecurity and privacy regulations have been beaten back because of a one-two punch of lobbying and ideological intransigence. Take, for instance, the case of GOP Sen. Ron Johnson of Wisconsin, now head of the Senate Homeland Security and Governmental Affairs Committee. As Politico reported, Johnson has repeatedly blocked efforts to better protect our data.
In 2012, Johnson basically torpedoed bipartisan privacy and cybersecurity legislation on the basis that it was a regulatory overreach and bad for business.
He continues to make that argument in his committee, blocking legislation on everything from election security to the spread of encryption on personal devices. It doesn't matter what the question is; the answer is "no." Johnson and his ilk have spent so much time looking out for corporations that they've had little time to consider the implication for voters.
As Congress ties itself in knots trying to decide whether American tech companies need to be held accountable for undermining the public trust in everything from basic science to democracy (they should), the Chinese have already decided what they're going to do.
They're going to exploit the lack of consensus in Washington to build a database of information about every American. They will then figure out which ones are easy to exploit, aside from the obvious marks on Capitol Hill of course.
The lack of ideological or political flexibility that is preventing us from fighting back against this intrusion is an American problem. We can either vote for politicians with the ability to stand up to corporations and the willingness to cooperate and compromise, or we can let people like Johnson crack the door open and let the Chinese military walk in and steal our stuff.