Monday, January 26, 2009

The Heartland call to action doesn't go far enough

Heartland Payment Systems is doing the old “lemons into lemonade” trick by trying to turn news of their recent massive data breach into a Public Relations asset. For the next few weeks at least, anything that Heartland has to say on the topic will be news. It’s their fifteen minutes of fame, and it looks like they are trying to use it well.

To the credit of Heartland’s marketing department, Heartland President Robert O. Carr is doing the rounds talking to industry and government about stronger controls, more regulation, and greater information sharing. He points out the increasing success and frequency of cyber attacks and the need for more information sharing to prevent them in the future. And of course he talks about how Heartland is mostly secure and about the things that weren’t stolen, not the things that were.

He’s right about some things. He’s right that attacks are on the rise, and he’s right that they are becoming more successful. And he’s also right that information sharing will help—but that’s not nearly enough, and anyone who knows the problem knows that it’s not enough.

Do the analysis. Either the attack came from the outside through tainted software that slipped through the inevitable holes in firewalls (we know about that—no information sharing needed), or—the current leading theory—it was an inside job (we know about that, likewise).

We also know that firewalls, intrusion detection systems, virus scanning software and security lockdowns don’t stop the top tier hackers and only slow the second tier hacker for a while. Top hackers make some of their money by directly attacking supposedly secure systems like Heartland’s and make the rest by selling their technology to the next tier once they’ve packaged and productized it. Criminal hacking is an industry, now.

We know that there is one and only one way to prevent insider attacks and that’s not by better background checks or internal security policies. It’s by having a provably secure architecture made from provably secure components that cannot be compromised, no matter how skilled the attacker. Until that day comes the Heartland Payment Systems of the world will be attacked, breached, and their CEOs will go on the road recommending inadequate remedial measures.