In 2019, an estimated 28 million Canadians were affected by at least one of the country’s 680 reported data breaches.[i] That’s over 70% of the Canadian population, and it is a major problem, particularly as the world becomes more digital.
Transparency and Changing Regulations
In late 2018, Canadian businesses became subject to a new regulation that required them to report the breach of any personal information they were holding. Previously, this had only been done on a voluntary basis. The new law also put stiff penalties in place for companies that failed to comply. As a result, the number of breaches reported went up 6 times in one year, from just over 100 breaches to 680.[ii] Clearly, organizations had been experiencing this issue for some time, but they were not reporting it until compelled to do so.
Centralized Information
Organizations stockpile information about all of us. They keep this information in central repositories and rely on it for every aspect of their business. The more they can integrate and centralize the information, the better they perform. Think of a customer service agent who has access to your transactions with the company and can provide you with a better experience, or a physician who has access to your entire medical history, enabling them to make better decisions.
But an inherent problem with centralization is that a single point of failure can cause personal information to be compromised on a massive scale. A person who has legitimate access can have it stolen or they can perpetrate the theft themselves. Centralized data also opens itself up to external threats that can focus efforts on hacking a single source.
Systems
The systems that currently house centralized information can be extremely complicated and are overseen by individuals who have varying levels of understanding of how they actually work and where they are vulnerable. People within the organization can easily make mistakes with systems and accidentally expose information, or they can act criminally and steal information undetected for extended periods of time.
Since each organization relies on information to function, each one collects and stores your information for future use. This introduces another problem: your information may be stored with hundreds of different organizations, all using different technologies and security measures and employing different people. As a result, an individual is vulnerable to the least secure organization they deal with.
There are also market incentives that push companies to build systems faster, often reducing time upfront for testing and security hardening.
Current Solutions
To stop breaches from happening today, organizations employ two broad methods: 1) prevention, and 2) detection & response. Prevention involves building stronger safeguards to prevent unauthorized access, while detection & response is about identifying issues more quickly to limit the impact.
Over the past several years, the prevailing sentiment from cybersecurity experts has been a recommended shift from prevention towards more detection & response. With research finding that most breaches are not preventable, an organization should focus its efforts on detecting the breach earlier.[iii]
Some organizations have been more progressive, such as Oracle introducing a next-generation cloud solution that relies on autonomy to remove user errors and malicious activity.[iv] However, storing information in a centralized cloud is a new technology for many companies, and a simple misconfiguration could cause massive data breaches. For example, Capital One, which hosted its information on the Amazon platform AWS, had information from over 100 million customers compromised after a “cloud misconfiguration”, including 1 million Canadian social insurance numbers.[v]
Artificial Intelligence is also entering the cybersecurity space, with algorithms that utilize machine learning to improve over time and better detect data breaches. These will definitely improve beyond any current methods of detection, but they won’t eliminate data breaches. Organizations will still need to decide on a permissible false-positive rate, should they choose to adopt the technology at all.
Overall, none of these methods offers a foolproof solution to the problem of securing our data.
The Decentralization Option
Something far more radical is needed: in order to stop all of our information from being stolen from centralized data repositories, we need to remove the centralized data repositories without degrading services.
This requires a new model that utilizes blockchain technology, a decentralized ledger that would remove the need and ability for an organization to store or have unlimited access to your information. Rather, you would control your own information: who can see it, what they are allowed to see, and when they can see it, all while the blockchain ensures the information is valid. Through public and private keys, access to your information can only be granted by you.
As a result, there would no longer be central repositories to be hacked. There is still a risk of an individual’s information being compromised if their private key were discovered, but the damage would be limited to that single person. There are no centralized keys that would give anyone access to all the information.
Blockchain technologies are also expanding with new capabilities and services. For example, public blockchains rely on the idea of a public ledger that allows anyone to see at least some basic information in order to confirm its validity. A concept called Zero-Knowledge Proofs eliminates the need to reveal any information about a transaction, other than that it is valid. One example is applying for a new credit card. Today, you need to provide significant personal information, including bank balances, credit scores, and personally identifiable information. With blockchain and zero-knowledge proofs, you can demonstrate that you meet the credit card company’s requirements without ever giving them any of this information.[vi]
Roadmap to Making This a Reality
This model introduces significant change and would face resistance from organizations that utilize their large data sets to remain competitive. A decentralized model of encrypted information could come about in a few different ways. First, if the number of citizens impacted by data breaches continues to overwhelm the country, it is feasible that regulation would be put in place forcing organizations to adopt security policies that require such a solution. Another possibility is that an organization devastated by a breach may seek this type of solution to restore credibility. To make this type of technology a widespread norm, a critical mass of public demand would be required.
In any case, the current model of each organization collecting and storing your information centrally will continue to experience data breaches until information is no longer centralized.
[i] https://globalnews.ca/news/6116444/canadians-affected-by-data-breach-privacy-commissioner/
[ii] https://www.priv.gc.ca/en/blog/20191031/
[iii] http://www.gartner.com/document/3183622
[iv] https://www.youtube.com/watch?v=lIgGrDQb2OQ
[v] https://threatpost.com/aws-arrest-data-breach-capital-one/146758/
[vi] https://www.ibm.com/blogs/blockchain/2019/01/privacy-in-blockchain-collaboration-with-zero-knowledge-proofs/