Political Cost of Data Leaks: Data Security in the Crosshairs
Domestic and international politics have invaded the field of data security, and the COVID-19 pandemic has only added to this invasion. Shane O’Donnell a partner & Chief Audit Executive at The Mako Group and Sean Griffin, a member at Dykema explains how security leaders can safeguard their crucial IT infrastructure in this new era of data security and navigate foreign and domestic politically motivated leaks.
Like it or not, domestic and international politics have invaded the field of data security. Of course, COVID-19 has assisted this invasion, but other political factors from the upcoming US election to this summer’s Black Lives Matter protests have played a part. Data security professionals must therefore keep an eye not only on their IT infrastructure but the practical consequences of recent political actions.
Foreign and Domestic Politically Motivated Leaks
From abroad, we must address dangers posed by Advanced Persistent Threats (APTs)— state-sponsored hackers that attack US companies in the hopes of sowing political, technological, or financial disruption. APTs have been fairly indiscriminate in their targeting, but healthcare companies were a favorite APT target, as foreign governments sought to extract data relating to healthcare research; security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses.
Domestic political concerns also bring data security implications. Recently, a New York law firm suffered a ransomware attack wherein the attackers promised to leak information from the firm’s servers pertaining to President Trump if their demands were not met. In 2017, the Chinese government allegedly hacked a law firm’s server and published personal information belonging to the firm’s client, a dissident; a court recently denied the law firm’s motion to dismiss the dissident’s suit against it.
Law enforcement officials have contributed to data insecurity. This summer, the New York Police Department’s union tweeted a picture of a computer screen showing personally identifiable information of New York mayor Bill de Blasio’s daughter, Chiara, after she was arrested during a Black Lives Matter protest. Shortly thereafter, police officers in Norman, Oklahoma posted a city council member’s address after she proposed a police budget cut; days later, the member’s neighbor was assaulted by an assailant who allegedly made a political threat.
Also, an arsonist reportedly firebombed the Maricopa County Democratic Party headquarters in Phoenix, Arizona on or about June 24. Democratic County Chairman Steven Slugocki was quoted as saying, “Our computers, our phones, our tablets, our printers, everything to get out the vote was destroyed in the fire last night. . . It’s a devastating loss for us.” This incident shows not only the political nature of data security incidents but also the need to take physical security and technological measures into account.
These leaks and breaches come at a cost to government activities. Currently, governments are asking their citizens to trust them with more of their personal information, including their location data, to combat COVID-19 and other ills. In part to shore up public trust, various states have imposed limits on law enforcement agencies’ use of personal information, and the federal government may follow suit. The police union’s privacy leak represents the sort of disclosure that could undermine the public trust necessary for governmental contact tracing to work.
In light of the foregoing, we can expect two things. First, we can expect the trend of politically motivated leaks to continue, as they have for years. Second, in light of governments’ and government-affiliated entities’ accidental and/or intentional disclosures of public information, we can expect lawmakers to focus on data security for government entities going forward.