Cyber Faculty

Professor Moore publishes research on suspicious Bitcoin trading activity

Tandy Assistant Professor of Computer Science Tyler Moore has collaborated with a group of cybersecurity specialists to publish research on suspicious Bitcoin trading activity and price manipulation in the Journal of Monetary Economics.

Read about the research on TechCrunch or CBS News. You can also read the complete paper, “Price Manipulation in the Bitcoin Ecosystem.”

Learn more about the Tandy School of Computer Science.

Professor Tyler Moore testifies at Equifax Senate hearing

Tyler Moore, Tandy Endowed Assistant Professor of Cyber Security and Information Assurance, testified Wednesday before U.S. senators in Washington, D.C., on the topic Equifax: Continuing to Monitor Data-Broker Cybersecurity.

Here is the prepared statement Moore presented Oct. 4, 2017, to the U.S. Senate Committee of the Judiciary’s Subcommittee on Privacy, Technology and the Law:

“Good afternoon. Chairman Flake, Ranking Member Franken, members of the committee: Thank you for the opportunity to speak with you today on this matter. I am the Tandy Assistant Professor of Cyber Security at The University of Tulsa. I have studied cybersecurity for nearly two decades, and my current research focuses on measuring cybercriminal activity and studying the economic incentives that affect cybersecurity decisions and outcomes.

The recent breach of 145.5 million American consumers’ personal information is deeply troubling. It stands out even among prior high-profile breaches not only for the number of Americans affected, but also for the data disclosed: Social Security numbers, addresses and credit histories.

I teach my students that a loss of confidentiality is so damaging because it is irreversible. There is no available countermeasure to make a cybercriminal “unsee” the stolen data. Consumers’ information has been compromised, now and forever. And unlike prior breaches where financial information such as credit card numbers have been compromised, it is simply not practical for 145.5 million Americans to be reissued new Social Security numbers, let alone change the home address for their mortgages.

In my brief remarks today, I will describe some of the opportunities for misuse of the breached data by malevolent actors. Then I will discuss who is impacted by the breach and what market failures are at play. Finally, I will conclude by outlining some policy options going forward.

The most straightforward potential harm emanating from this breach is new credit account fraud; cybercriminals could profit by taking out new credit cards, mortgages, etc. New account fraud is pernicious because people often don’t find out that they were victimized until they are denied credit due to a lowered credit score from the fraudulently opened accounts. This is only the tip of the iceberg. Social Security numbers and addresses also can be misused by filing fraudulent tax returns en masse. In recent years, the IRS has lost billions of dollars to criminals filing for fake tax refunds using only Social Security numbers and addresses. Expect attempted tax filing fraud to spike in the coming years. As a consequence of this latest data breach, healthcare and entitlement fraud also are susceptible to rise.

The potential for harm goes beyond frauds perpetrated by profit-motivated cybercriminals. Because the breached data includes current physical addresses, victims of stalking and harassment could be tracked down by assailants who previously were unable to identify their targets’ whereabouts. Lastly, there is a national security threat if the stolen data were obtained by hostile foreign governments. For instance, by connecting the breached data with the prior breach at the Office of Personnel Management, foreign powers could identify federal workers who may have financial problems uncovered by their credit reports, identify private residences, or more easily impersonate workers with security clearances.

Taking a step back from the myriad potential harms, it is useful to make some observations. First, many of the harms discussed affect people and organizations beyond Equifax. This includes not only the individuals whose data was compromised. It also includes other financial institutions and healthcare organizations that may experience increased fraud. It includes the U.S. government, whose national security may be weakened and whose tax fraud bill may be higher. These are examples of a market failure called a negative externality. When third parties are harmed by the security decisions taken by others, the incentive to invest in countermeasures is weakened. This, in turn, can lead to mismanagement of risk by organizations that are responsible for protecting data confidentiality.

Second, another lurking market failure is the information asymmetry that exists about the true extent and cost of harms. At this point, we know that Social Security numbers and credit reports have been breached. But we don’t know how much new fraud has occurred or will be enabled, how many consumers’ credit scores will be wrongly downgraded as a result of fraud, how much harassment takes place or how many national security secrets will be compromised. Without an accurate assessment of these costs and who is affected, it is difficult to devise a rational response that encourages more secure outcomes.

Third, we should be mindful of the indirect costs associated with this breach. If people reduce their online participation or their engagement with the financial system because of an erosion of trust, for example, the total drag on the economy could far exceed the direct costs from the harms just presented. In prior research measuring the costs of cybercrime, my colleagues and I found that cybercrimes often resemble copper thefts. Just as the sums spent to repair streetlights whose copper wiring has been stripped and resold often far exceed the criminals’ profits, so do the indirect costs associated with cybercrime dwarf the direct costs.

So, what should we do? Thus far, the main defense available to consumers is to freeze their credit. This is a good start, but it falls short in that most of the harms outlined above would not be stopped by placing a credit freeze.

In the near term, steps should be taken (1) to increase consumers’ control over how their data is used and (2) to promote transparency about realized harms. In terms of controlling access to credit reports, we need a comprehensive approach that changes from today’s practice of allowing access by default to the more secure approach of denying access by default. In a world where bad actors already know most everyone’s name, Social Security number and address, we cannot continue with a system where authentication is based solely on information that has been compromised.

To make a ‘default deny’ system workable, private industry should be challenged to innovate by creating ways to make the process of “unfreezing” as frictionless as possible. Eliminating or reducing fees for credit locks and unlocks is a start. Organizations who profit from collecting personal financial data should not be rewarded financially for failing to protect that data.

The current system of security freezes, while workable for motivated consumers with the financial means to pay, needs to be simplified if it is going to be adopted by everyone. The lightest touch policy intervention is to require that credit be frozen by default, thereby incentivizing credit bureaus and data brokers to design more secure and usable authentication procedures.

By promoting transparency about the true prevalence and cost of realized harms, we could correct the information asymmetry described above. Companies should be required to disclose breaches of confidentiality as well as the occurrence of fraud, complaints about unauthorized access and how other parties are affected. By gathering this information, firms would gain greater insight into the true costs of cyber insecurity, thereby encouraging more investment when necessary. And policy makers would get a better sense of the true magnitude of the negative externalities at play, which could inform subsequent policy interventions.

Over the longer term, we must move to a more secure way of authenticating people than Social Security numbers and what credit bureaus offer today. Now that all this data has been disclosed, there is no going back. Again, we should look to the private sector to take the lead in innovating new technologies. But there remains a significant coordinating role for government. The National Strategy for Trusted Identities in Cyberspace was a good start, and NIST’s Trusted Identities Group continues the push today for the private sector to develop stronger identification and authentication mechanisms. More effort should be devoted to developing robust procedures that respect privacy and can be used by all Americans.

Finally, we must also work to improve resilience to cyberattacks. Perfect security is not possible, but we can take steps to limit the damage attacks cause and to recover more quickly and completely from them. A system that relies on static, unchangeable information like Social Security numbers for authentication is inherently fragile. When breaches do occur, the affected organization should respond in a way that gives affected consumers transparent access to reliable information on how they are impacted and clearly lay out meaningful actions that can be taken to mitigate risks. A robust response can help prevent a damaging loss of consumer confidence.”

Professor Tyler Moore receives NSF CAREER Award

The University of Tulsa’s Tyler Moore, Tandy Assistant Professor of Cyber Security and Information Assurance, has received a 2017 National Science Foundation Faculty Early CAREER Award. The five-year NSF grant is one of the most prestigious awards in support of early-career faculty who are role models in research and education.

Moore is the principal investigator of the project Developing Robust Longitudinal Indicators and Early Warnings of Cybercrime. The research seeks to improve the process of cybercrime data collection and analysis to reduce harm. Moore and a team of student researchers will study the feasibility of devising and deploying a prototype early warning system that proactively alerts defenders to prevent spikes in cybercriminal activity. The project’s educational objective is to advance the science of cybersecurity by contributing public datasets of cybercriminal activity to be shared with other researchers and incorporated into curriculum modules.

Moore (BS ’04) is a cybersecurity and information assurance specialist who joined the Tandy School of Computer Science faculty in 2015. He is director of the Security Economics Lab at TU and StopBadware, a nonprofit anti-malware organization. Moore also is editor-in-chief of the Journal of Cybersecurity published by Oxford University Press.

Seven TU faculty have received NSF CAREER awards, including four in the Tandy School of Computer Science.

Student-faculty team investigates nuclear reactor cybersecurity

The University of Tulsa Tandy School of Computer Science is researching how to improve nuclear reactor cybersecurity. TU is partnering with Washington State University and Pacific Northwest National Lab to conduct the research with a grant from the U.S. Department of Energy — one of only three distributed at the national level. See the project summary.

Associate Professor of Computer Science Mauricio Papa and graduate students Zachary Hill (BS ’15, MS ’17) and Will Nichols (BS ’16) are designing a nuclear reactor model to study its operations and potential security threats. The design simulates WSU’s on-site nuclear reactor, which the faculty-student team visited in 2017.

(Left) Will Nichols and Zachary Hill

“Math, models and theoretical applications are used for simulation with distributed controllers and a network that allows messages to be sent back and forth,” Papa said.

TU’s nuclear reactor simulator in development is an inexpensive option for emulating a real network with the ability to test multiple scenarios. Papa said one of the biggest challenges of studying nuclear reactors is their age — the last nuclear reactor constructed in the United States went online in the 1970s, and most haven’t transitioned yet from analog to digital controls.

“Going digital would allow all controllers to be monitored on a network,” Papa said. “And since our simulator is already connected to a network, we can play with ‘what if’ scenarios and cyberattacks and see what kind of effect it’s going to have on the actual reactor.”

Nichols, an electrical and computer engineering master’s student, focuses on the theoretical cybersecurity analysis of the Nuclear Radiation Center at WSU through the use of hybrid Attack Graphs. He reviews a list of every possible cyber-physical element in the system to brainstorm how the reactor’s operations could be changed. The changes are coded as exploits and help identify unwanted activity with the reactor.

“It gives me an interesting edge into the cybersecurity industry,” Nichols said. “Looking at physical elements of a reactor for my research is pretty rare.”

Hill, a first-year computer science doctoral student, is responsible for designing the simulation and will soon integrate the Attack Graphs Nichols developed.

“I made the simulation, and now we are going to see how we can break it,” Hill said. “If someone were to get into the network, hopefully we can catch what they’re doing and not let them cause disruption to the reactor’s operation or in the most extreme case, actual damage to the reactor.”

Papa said students interested in applied cybersecurity are in high demand because of the skill level of specialization required and its application to other critical infrastructures such as energy and oil and gas.

Moore selected as Cybersecurity Fellow

University of Tulsa Assistant Professor Tyler Moore (BS ’04) has been named a Cybersecurity Fellow by the New America Cybersecurity Initiative. The distinction is a one-year, nonresident joint project between New America’s Open Technology Institute and International Security program. Fellows will participate in the Cybersecurity Initiative’s research or write a policy paper on current topics in the cybersecurity industry. Research areas include the cybersecurity workforce, cyberattack financial risk management and vulnerabilities markets.

Moore is the Tandy Assistant Professor of Cyber Security and Information Assurance in TU’s Tandy School of Computer Science. His research focuses on the economics of information security, cybercrime measurement and the development of policy for strengthening security. Moore directs the Security Economics Lab at TU and serves as director of StopBadware, a nonprofit anti-malware organization. He earned bachelor’s degrees in computer science and applied mathematics from TU as well as a doctorate from the University of Cambridge.