Thinking outside the box about the Equifax breach

Gus Hurwitz had a thoughtful post about the Equifax breach on the American Enterprise Institute blog.

(Full disclosure: Like most techies, I flirt with Libertarianism but basically don’t think much of it.  Living in Washington DC, which effectively has no government, has taught me a lot about the limitations of the philosophy)

Instead of piling on to Equifax, and pummeling them for not having had better security practices, he instead points out that breaches are quite mundane, and that the vectors whereby breaches occur are quite mundane.  In this case, it sounds as if yet another contractor allowed yet another intrusion because of yet another failure to apply known patches.

What Hurwitz points out, in essence is that the occurrence of these “outlying” events is almost certain in systems of enough size and complexity.  Your one server will almost never go down.  Your 10,000-server farm is certain to have numerous servers down at any point in time.

To put it another way, the attackers on a system like Equifax’ don’t have to coordinate.  They can all try at various times and in various ways, and eventually they will succeed.

The defenders, on the other hand, being a centralized group with a castle and a moat, have to be perfect in their defense or the enemy will get in.  Centralized systems have a very hard time fighting decentralized systems.

So Hurwitz asks an interesting question: how can we make the defense of a system like Equifax’ be more decentralized?

One answer is: notify a consumer when their credit data gets pinged, and require the consumer to affirm that the ping was genuine.

I just signed up, in the wake of the breach, for a service that does just that.  Unfortunately, the service is only alive for 90 days and doesn’t auto-renew.  So I have to remember to do so.  Yet another attack surface.  But better than nothing.

Why not have such a service be the default?