Tim Culpan

Cybersecurity Needs Its Own Sarbanes-Oxley

Two decades ago, a cascade of accounting scandals in the US led to one of the most comprehensive packages of financial rules of the past century. Now, it’s time for regulators to act on escalating cybersecurity breaches to offer similar protections to consumers and investors.

Within the span of just two years, the names Enron, Tyco and Worldcom became synonymous with fraud, greed, and corporate excess. Executives had doctored financial reports, stolen money, and conspired to keep shareholders in the dark, all the while receiving “almost embarrassingly big” pay packages.

By the time it all came to light, investors had lost billions of dollars and regulators had shed credibility. That’s when Congress stepped in, with Senator Paul Sarbanes and Representative Michael G. Oxley sponsoring the bill that would bear their names.

Sarbanes-Oxley, or SOX, is a long and extensive set of regulations covering areas including the independence of auditors, enhanced financial disclosures, and obstructing an investigation.

One of the most potent parts, Section 302, forces executives to personally attest to the accuracy of their financial disclosures on a quarterly basis. It does so by requiring that a company officer certify that they’ve actually reviewed the report, and that it doesn’t contain any falsehoods. In other words, it removes “plausible deniability” loopholes that could allow C-level executives to commit fraud, or reign over a company where such misdeeds are carried out, while subsequently claiming innocence.

Today, the need for such accountability extends to data. Lawmakers should enact regulation that holds executives personally responsible for information security at the companies they run.

Three recent cases highlight just how crucial that it is.

Last month, an Australian mobile network subsidiary of Singapore Telecommunications Ltd. called Optus was hacked and the records of almost 10 million people stolen. Among the data accessed were customer names, dates of birth, email addresses, passport and drivers license numbers. In Australia, that’s enough information to potentially conduct identify theft under a points system used in the country for identity verification.

Revelations from the breach unveil two particularly disturbing facts about how Optus manages data. First, much of the information appears to be stored as plain-text, meaning there’s no attempt to encrypt or hide it. If a hacker can access the database, then they can read all that information easily. At a minimum, data should be hashed. This is a process that converts information by using mathematical formulas that cannot be easily reversed. It’s useful because a computer system can check whether information provided by a user matches what’s stored while keeping that data hidden.

Even worse, the information was breached through an application programming interface (API) — a portal for sharing data with developers — with Australia’s Home Affairs Minister Clare O’Neil saying that Optus had “effectively left the window open.” In summary, Optus stored the data poorly and failed to protect it adequately. The company said it will “vigorously defend” against a legal complaint that it failed to protect the personal information of customers.

Then there are revelations from Twitter Inc. whistleblower Peiter Zatko, commonly known as Mudge, who was hired as Security Lead in November 2020.

Among highlights from Mudge’s 84-page complaint is the allegation that many people within the company had too much power to read and change sensitive data. Its violation of the well-established principle of least privilege — limiting access to the minimum required for their job — was a major contributing factor in a July 2020 breach. In that hack, a 17-year-old and his friends managed to take control of accounts owned by Barack Obama, Bill Gates, Joe Biden, Elon Musk and Jeff Bezos.

What’s particularly egregious in the Twitter case is that senior executives at the social media company were not only aware of its many security failings, but that Mudge himself was warned against reporting them to the board of the directors. The 51-year-old, who is among the world’s most-respected cybersecurity experts, was fired in January. Twitter Chief Executive Officer Parag Agarwal later described the claims “as riddled with inconsistencies and inaccuracies, and presented without important context.”

Finally, we have a guilty verdict handed down last week against Joe Sullivan, the former security chief at Uber Technologies Inc. A California court found that he obstructed a government investigation and concealed a 2016 hack that led to the theft of personal data of 50 million customers and 7 million drivers.

Many take the Uber case as an example of a chief information security officer (CISO) being thrown under the bus for a massive breach. But it wasn’t the hack, or even any poor information security practices, that got Sullivan in trouble. He worked “to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” a US attorney said after the trial.

Hacks and breaches happen. They’re an unfortunate reality in modern society. Yet there are countless cases, including last year’s Colonial Pipeline hack, where best practices weren’t followed and executives weren’t held to account until after the damage had been done. Laws at both the state and federal level require companies to report hacks, but regulation is weak when it comes to ensuring such breaches don’t happen in the first place.

Time has come for preventative compliance to be prescribed and enforced.

Just as the US has Generally Accepted Accounting Principles — with SOX setting up the Public Company Accounting Oversight Board to help with compliance — the government should coordinate security standards and hold executives accountable. And since many CISOs are not taken seriously, or even ignored, the principal officers required to sign off need to include not just the security chief but the CEO too. The threat of jail will be a strong incentive to pay attention to how customer data are handled.

Although academics and industry professionals debate the most secure and cost-effective ways to protect data, there are best practices that most can agree on. The National Institute of Standards and Technology, for example, lists methods of hashing and encrypting data that have been tested and verified. Frameworks also exist for how to determine and allocate information-access privileges, maintain software, keep and store network logs, and delete data.

Even with an abundance of accepted practices already established, executives are neither required nor incentivized to ensure they’re applied.

Perhaps the threat of criminal prosecution will finally get corporate leaders to take information security seriously.