Yesterday, Estonia was shaken by the news that the personal data of 700,000 Estonians was stolen from the customer database of one of the country’s largest corporations. While such incidents have occurred in the past and are likely to happen again, there are critical issues that demand attention.
Firstly, the Estonian Data Protection Agency has stated that, from a GDPR perspective, the company complied adequately, adhering to the data protection measures outlined in the law. However, this raises a fundamental concern. The GDPR (General Data Protection Regulation), though well-intentioned, reflects the mindset of analog thinkers. They fail to grasp that written regulations have limited efficacy in the realm of written code. It’s imperative to recognize that the digital landscape cannot be effectively governed using analog tools like regulations. Presently, users are burdened with the necessity of consenting to cookies with an extra click every time they visit a website, while data continues to be collected surreptitiously. In this scenario, nobody emerges victorious. Users are being annoyed, in addition to be screwed.
True data protection begins with data architecture which relies on strong specification. Similar to constructing a house, the process must commence with a technical blueprint once the concept is conceived. When designing a bank, considerations must include the placement and security measures of the main vault location, door, access control, and the selection of appropriate locks. However, any security measure loses its efficacy if the safe can be stolen by simply pulling it out through the back wall.
Secondly, reports from Thales and McKinsey & Company highlight a concerning trend: eCrime is on the rise, with criminals “harvesting” data, even if encrypted, for decryption at a later time when desired computational power becomes available. This poses a significant threat to the approximately 80% of global cybersecurity solutions reliant on RSA cryptography. However, even in the case of the recent Estonian data breach, the stolen data was not encrypted. This is deeply troubling. Many of us have entrusted our data to numerous platforms, internet banks, and online stores, only to discover that they may not be adequately safeguarding our information. While they may be technically compliant, compliance with regulations offers no assurance of genuine security.
It’s time to awaken from the illusion of cyber safety and prepare for a stark reality where AI swiftly identifies vulnerabilities in firewalls soon after their discovery elsewhere. Establishing robust data architecture and implementing modular cryptography capable of evolving over time while monitoring attack vectors is the only viable path toward achieving the cyber-secure digital world we all aspire to inhabit.