Americans learned last week that nearly 3 million credit card numbers are vulnerable through a data breach of Michaels Craft Stores.
This was happening around the same time as medical records were being compromised at a South Sound health care system after just a few well-meaning employees mistakenly clicked on a link in an email they thought was from their corporate offices.
And it was after about 40 million payment card records and 70 million customer information records were stolen from Target in one of the largest cyber-thefts yet.
“The most secure way to interact with the Internet is to stay off of it,” said Lars Harvey, CEO of Tacoma-based cybersecurity firm IID. “Large organizations are playing defense. When you’re playing defense, you have to be right every time. A bad guy has to be right only once.”
Harvey spoke with The News Tribune last week about the constant drumbeat of data breaches. His interview has been condensed and edited.
Q: Should we all just go back to paying our bills by mailing checks?
A: That slows everything down. Don’t you hate being behind that one person in the checkout line who is writing a check? Checks aren’t any safer. I’ve had checks stolen out of my mailbox.
Q: It’s almost impossible to avoid conducting financial business electronically. What are regular people supposed to do?
A: There’s a lot of “we just have to deal with it.” We’re changing the entire way we deal with money. We’re going from paper money that you hold in your hand to electronic debits and credits. Consumers have to understand we’re dealing with large systems. It’s a big economy. We get a lot of convenience, and there’s a cost to that convenience. You cannot make perfect software. We have to accept that’s the nature of the automated computer society. And that’s real life too — you can build all the fences you want around Fort Knox, but someone could still find a way to break in.
Q: Your business’s signature product is a tool to allow large organizations to share cyber-threat information. So far, there’s no convincing evidence that people working in large organizations even use the phone to share information.
A: Businesses are concerned about talking to each other because of antitrust issues. Regular trust issues are big, too. I’m going to tell you this information that I don’t want the world knowing. Can I trust you? And that trust is tightly tied to fear of liability.
Let’s say I tell you some server somewhere is bad, and I’m wrong. But you take aggressive moves against that server and it’s running a 911 system. And the trail leads back to me. Companies don’t want to be on the hook for that.
That’s where legislation in the U.S. would be helpful. “Safe harbor” is the legal term. You’re doing this with good intent. Those laws don’t exist anywhere in a clear manner for companies. Right now there are no defined rules, really. Business people who share are doing it out of the goodness of their heart. They’re taking a risk. And even a small risk can have impact on value.
Q: I would imagine there are proprietary concerns about sharing information about your company’s security systems as well. But if I see a robber breaking into my house, I can describe the robber without describing my lock.
A: There’s also a mechanical problem: If you call your neighbor, that’s one person. Can you tell all of Tacoma? How does everyone know? They don’t. It’s a problem of scale: who you’re reaching out to, and how much information to convey. What if I have 600 pages of information to convey?
Three names work on the phone. What if it’s a million addresses? Can’t do that on the phone. And a million-line spreadsheet won’t go through most email.
Q: When will there be a strong enough business case to share information?
A: There is one now. Now, the companies are absorbing the losses. My card was compromised at Target and the bank replaced it. They’ll try to get Target to pay them, but they’re insuring customers right now.
Facebook has done for personal information sharing what needs to happen for security information sharing. You still have to build relationships on Facebook — choosing friends. Sharing information in the security world is the same. People who manage security are people. Companies are made of people. There are lawyers and corporate interests holding people back, because you have to be careful who you’re connecting to, but it comes down to people.

Kathleen Cooper: 253-597-8546 email@example.com