In August, personal information belonging to fifty million prospective, current, and former T-Mobile customers was stolen, marking the mobile carrier’s third customer data breach in two years.
T-Mobile isn’t unique: dozens of well-known brands, as well as hundreds of lesser-known companies, have experienced data breaches in recent years. Although these breaches are embarrassing, T-Mobile and its peers appear to consider them little more than a cost of doing business.
However, the consequences of leaving data vulnerable are more serious than most companies realize. In addition to exposing consumers to potential fraud and identity theft, data breaches are deeply injurious to national security.
Matthew Pottinger, former Deputy U.S. National Security Advisor, warned in August that China is now able to compile a “dossier” on every American adult. In 2015, China hacked health insurance provider Anthem, exfiltrating data belonging to almost eighty million people. China also accessed the Office of Personal Management databases, seizing sensitive data including the security clearance forms belonging to current and former federal employees. About 150 million records were stolen when China hacked Equifax in 2017, and an additional 500 million records were compromised following a Marriot hack in 2018. China has since made a habit of obtaining increasingly personal data, such as DNA information, from healthcare providers, biotechnology firms, and pharmaceutical companies. Intelligence officials have estimated that 80 percent of Americans have had all their personal data stolen—perhaps an exaggeration, but likely not far from the truth.
The potential uses for the stolen consumer data extend far beyond counterintelligence and research purposes. The stolen data could be (or, more likely, already has been) used to inform spearphishing attacks, aid the coercion of intelligence personnel, or help identify potential spies. Such sinister use cases aren’t without precedent. Foreign Policy reported last year that, almost a decade ago, Chinese intelligence used its vast collection of stolen datasets to identify undercover American operatives entering Europe and Africa.
China’s cyber capabilities have strengthened significantly over the last decade. The Chinese government has spent years and billions of dollars developing some of the most advanced data synthesis and analysis technologies and methodologies in the world to surveil its own citizens. These techniques are useful not only for evaluating data gathered domestically, but also data stolen from the United States. When geopolitical adversaries have both large amounts of personal data and sophisticated analysis tools, the impact on national security can be particularly acute. This month, The New York Times suggested that artificial intelligence and facial recognition are partially responsible for the recent loss of dozens of C.I.A. informants.
In the United States, by contrast, data is held by private entities such as Google, Amazon, Facebook, and other major consumer-facing companies. The U.S. government, constrained by strong civil liberties protections provided by the Constitution, has engaged less often in the kind of wholesale acquisition of personal data that is common in authoritarian countries.
These asymmetries, combined with the U.S. government’s history of patchy and often inconsistent cyber strategy, and exacerbated by the frequent intelligence community leadership and policy changes that accompany each new presidential administration, mean that America is giving adversaries a significant economic and military advantage. As data science continues to advance, this disparity will only become more prominent.
So, how can the national security risks of consumer data exposures be mitigated? Unfortunately, the gatekeepers of consumer data—companies—have little incentive to increase investments in their own resiliency. It is not clear that falling victim to a breach is meaningfully more expensive than paying for the additional cybersecurity that would have prevented it. Thus, there’s an argument to be made that fines for cyber breaches should be more consequential to companies’ bottom line. Greater fines, though, not only encourage companies to be less forthcoming about data breaches but are also fruitless if reporting and disclosure requirements remain weak.
At the national level, there is an evolving and confusing patchwork of disclosure laws, as states adopt different standards. This lack of coherence not only disadvantages consumers, who are confused and exhausted by often vague and unhelpful breach notifications, but also constitutes a key weakness in U.S. cybersecurity strategy.
There is also currently no federal cybersecurity breach disclosure law, meaning that the United States struggles to identify the scope, frequency, and severity of data breaches. A bill that would require disclosure of cyber incidents at federal agencies, government contractors, and critical infrastructure owners (like T-Mobile), the Cyber Incident Notification Act of 2021, was introduced earlier this year. Related provisions passed recently by the House as part of the National Defense Authorization Act would have similar consequences. While these bills would be a good first step, many of the companies that hold vast troves of consumer data would be outside the scope of either law, and therefore continue to have no federally-imposed obligation to disclose data breaches.
U.S. cyber policy continues to focus on critical infrastructure and other traditional sectors with obvious cyber vulnerabilities, while overlooking breaches with the greatest potential for consumer data theft. Although important, such a narrow focus is insufficient. National cyber policy needs to reflect the reality that intrusions can be damaging no matter where they happen.
Maya Villasenor is a computer science student at Columbia University and a former intern in the Digital and Cyberspace Policy program.