Paying Bug Bounties Is Good, Right?

I keep getting this feeling when I read what most politicians say about issues that involve algorithms, data, and the internet: it’s not that their policies are necessarily bad, it’s that they sound like they have no idea what they’re talking about.

Case in point: US Senator Dick Blumenthal (D-CT), taking Uber to task last week at a Commerce Committee hearing. Blumenthal, who I believe once reported to his constituents and the public that he had served in Vietnam, when in fact he hadn’t, was livid that Uber had not reported a security vulnerability to its users.

The vulnerability in question was hardly an Equifax-level data breach. In 2016, a group of hackers contacted Uber. Apparently, the company had left certain critical login credentials lying around on GitHub, giving the hackers access to personal data on 25 million riders and drivers. Uber paid the hackers $100,000, fixed the vulnerability, and that was that.

At the hearing, Blumenthal put on a clinic in livid sanctimony. Paying off the “blackmailers,” he declared, was “morally wrong and reprehensible.”

Bear with me here, because at this point I’ve only read one and a half books about cybersecurity. But isn’t paying off “blackmailers” like this the best way to encourage hackers to use their craft for legitimate ends?

Every major software system has Death Star-level vulnerabilities that its makers don’t know about. Smart companies pay handsome sums to hackers who inform them of these vulnerabilities, so that they can be fixed before the bad guys discover them. From what I understand, many people make a living this way. Characterizing them as “blackmailers” seems like accusing airplane safety inspectors of sabotage.

I should say that I haven’t had time to investigate this much on my own. Maybe the hackers who reported the breach to Uber really were bad guys who held the data for ransom. But if they were, I think they would have asked for a lot more than $100,000. And it seems a lot more likely that Blumenthal has a dangerously antiquated perspective on cybersecurity.

After all, in the past, many companies were so aghast at having imperfections in their software pointed out that they would threaten to sue the hackers who found them. Many others had no bounty programs, or if they did, paid out very little in rewards. People with hacking skills had no financial incentive to devote their craft to legitimate ends.

Maybe Uber technically should have disclosed the incident, and maybe one of you can tell me why. But maybe they didn’t do it because it wasn’t nearly the dramatic, morally fraught episode that Blumenthal’s alarmist language makes it seem.

Hauling Uber in for a talking-to seems like punishing the system for working exactly as it should, given how insecure all of the software and hardware we use really is. Somebody who has more than one and a half books’ worth of knowledge about cybersecurity, please weigh in.