Wednesday, January 21, 2015

Layoffs at eBay - The Indirect Economic Impact of Heartbleed and Other Cybersecurity Issues

???

It sometimes takes a lot longer than it should for society to fully grasp the impact of cybersecurity issues on real human lives, and just how far it extends.  In fact, nobody can claim to know just how serious cybersecurity issues can be from the standpoint of a societal impact, but once it hits home, we pause for a moment and say "Wow!  I get it."

Soon after we discovered the Heartbleed bug, I got a few requests (perhaps demands) from websites I frequent to change my password, and one of them was eBay, who, while they claimed they were not affected by Heartbleed, suffered a major breach of their password database due to attackers gaining access to employee login credentials.

It is perhaps only coincidental that this happened so close to the Heartbleed discovery, but what got me thinking about this, and a potential connection, was the breach of Community Health Systems 6 months after our discovery of Heathbleed, where millions of patient records were stolen.  According to a story that came out later, the breach was caused by an attacker who decrypted some traffic on an affected OpenSSL connection with an unpatched router, and then used discovered passwords and login information to access other systems. 

Again, the eBay situation may be a coincidence, but keep in mind that attackers are very clever, and it does not take an enormous amount of effort to find out who works at eBay, then simply cyberstalk the person who may very well use login credentials on other sites, which may indeed be affected by Heartbleed, to access systems at eBay.  We all know that, while we have all (hopefully) gotten better at choosing longer passwords with numbers, letters, symbols, and such, that we still end up reusing passwords on multiple systems.  That is why password-based attacks are so scalable.  You break it once, and you break it just about everywhere.

Yes, this is all theory, but certainly a reasonable hypothesis.  Regardless of the verity of this, however, eBay has announced that they will layoff 2,400 employees (7 percent of its global workforce), and, in part (quoting the CEO, John Donahoe) "The core auction site eBay runs has not recovered from the negative effects of asking all users to reset their passwords last May...eBay's loyal customers are back, but our more occasional customers have not returned, Donahoe admitted."

That really sucks big time for eBay, and the employees.  Granted, they will find new jobs in a bustling technological economy, but what is striking is that a company that is quite well established is clearly affected...as in losing significant numbers of customers affected...by cybersecurity issues.  Ultimately, a growing concerned citizenry, many of whom are just beginning to emerge from under the covers because the big bad boogie man they have feared in an Internet fraught with cybersecurity challenges has caused them to panic at the mere mention of stolen financial information, are now reconsidering their emergence from the cozy comfort of their luddite-yet-secure existence.

I am reminded of some discussions I have had with friends who have worked in airline safety for many years, who spoke of the value of the FAA forcing safety requirements down aircraft manufacturers throats so early on in the growth of air travel.  In the earliest days, soon after the Wright Brothers faithful first flight at Kitty Hawk, people emerged from all sorts of places with crazy ideas of how airplanes should be built...and, died trying to convince the world of their ill-conceived airborne deathtraps.  If the aircraft industry had not been reigned in and forced to build safe and effective air machines, it is not likely that air travel would have become a reality.  The same can be said for the nuclear industry, automotive industry, pharmaceutical industry...and many more.  Safe and effective was (and is) the key to growth and adoption.

We are now at a very significant crossroad in the information age.  We now rely on it for our everyday existence, and the emergence of rich applications and experiences as the Internet of Things continues to grow means that we will continue to see lots of growth...but it also means that we will have lots of choices when it comes to what we choose to include in our technologically dependent lives...and competition is good...no doubt.  What the eBay layoff is now telling me (us) is that, despite being a longtime player in the world of online commerce, users will indeed drop you like a hot potato if they perceive cybersecurity risks being too high...and there are indeed plenty of choices out there...and perhaps those choices that do not have cybersecurity issues associated with them may be more enticing.

The bottom line is this: businesses cannot afford the risk of not being secure anymore.  It's time to take this a lot more seriously, and perhaps it will ultimately take regulatory and legislative pressure to force businesses to get in line...and especially if it starts affecting economic matters.  That is ultimately what had to happen for the airline, nuclear, automotive, pharmaceutical, and several other industries.  While many try to argue that regulation stifles growth, I really have not seen any empirical evidence supporting that claim, and all of the industries I mentioned have managed to not only grow, but grow very quickly and make lots of money doing so.

I am sorry about the layoffs at eBay.  Perhaps this may be the first of many hard economic lessons regarding cybersecurity.