About a third of US citizens had their private data and medical records stolen in early 2024 in a ransomware attack on United Healthcare -- yes, the same company whose CEO was recently murdered. Big important people are outraged.
How could this happen? The headline of the WSJ article is
Shun This Basic Cybersecurity Tactic and Become a Target for Hackers
A lack of multifactor authentication opened the door to cyberattacks at UnitedHealth Group and others
The Chair of the Senate Finance Committee, Ron Wyden, is demanding that various agency bureaucrats impose more security regulations on healthcare companies, particularly MFA. “In 2022, health care organizations reported over 600 breaches affecting nearly 42 million Americans.” Apparently, the pattern of well over a breach a day on healthcare organizations wasn’t enough to get Sen. Wyden to act.
None of these esteemed people seem to know that organizations that “use multi-factor authentication (MFA) and other cybersecurity best practices,” as Senator Wyden demands, don’t enjoy better cybersecurity. Even organizations like the NSA that set security standards can’t keep their own data secure! History clearly demonstrates that imposing yet more regulations and overhead on organizations will NOT make them more secure.
So what can be done? It’s simple: understand the real problem and solve it!
Cybersecurity
Cybersecurity is war. It’s like there are good guys in a castle who want to keep everything in the castle safe. There are bad guys wandering around outside the castle who want to get inside, figure out what’s valuable, and escape the castle with as many stolen goods as possible. Naturally, the good guys want to build the walls high and thick, with carefully guarded doors. The guards at the doors examine the documents of each person who wants to enter and only let good guys in. Anyone without proper documentation is turned away. That’s what cybersecurity is, except that the castle is a bunch of computers.
The people who think this way seem not to be aware that the bad guys figured out how to crack the castle’s defenses literally thousands of years ago. Ever hear of the Trojan Horse? You may want to look up an old Greek named Homer who wrote some good stuff about it.
The fact is, bad guys will find a way to get into the castle. They’re really good at tricking the castle’s employees. Maybe they’ll pay off one of them who needs some money. You can be sure that the highly motivated bad guys wandering around in the woods are thinking new thoughts about how to get in while the lawyers in charge of the castle security regulations are arguing about the right way to write about the new defensive technique the national bureau of castle bureaucrats voted in favor of at their last annual convention.
Let’s start with an assumption that none of the high-and-mighty security bureaucrats is willing to consider: bad guys will get into the castle; what can we do to stop them from doing bad things?
This thought, just by itself, is revolutionary to cybersecurity bureaucrats – and Senators, CEOs, business school professors and the rest.
However novel the thought may be to all these grand people … it’s business as usual to exotic people like the ones who run high-end retail stores. And libraries! Even better, those places experience far fewer losses than the grand corporations and government organizations. The Tiffany store on New York’s Fifth Avenue is wonderful. It is chock-full of beautiful, expensive jewelry. Anyone can walk in and admire it; no MFA required! Go in there sometime and pay attention to the observant security guards and the ubiquitous cameras. While you are admiring the beautiful gemstones, the guards and cameras are admiring (in their own way) you. No one has ever gotten away with a grab-and-go attack; it may never have been tried. Why bother, when you know you’re going to get caught?
Can this be done in computer systems? Yes. It’s not only possible, it’s even been done. I personally know of companies that implement security this way, and products have even been developed to help. For such a thing to be widely used, thousands of august experts of cybersecurity would have to drastically change course, while mountains of useless regulations would need to be discarded. It’s not that hard! In Daniel Ellsberg’s case, all that would have been needed was for the guard at the door to check his briefcase before he walked out. For Edward Snowden or Chelsea Manning, it would have been easier: have systems monitoring the data access of employees and contractors, and flag when anything out of the ordinary happens, particularly when more data than usual is accessed, or data of a different kind. The flag would have been raised very early in their misadventures, and the theft would have been prevented.
With a ransomware attack of the kind that hit United Health, the principle is the same, except that it’s a computer program doing the accessing. The checking system shouldn’t care – by the time an access is requested, it’s electronic no matter whether it was initiated by a human or a program. Similarly with the ransomware itself – ignoring the ridiculous experts, there are simple methods for recovering quickly from the lock-down implemented by the software.
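One way to implement the monitoring described above, as an added example (not the author’s code, nor any product’s): a per-principal baseline built from a constructed access log, flagging a day whose volume far exceeds that principal’s history or that touches a kind of record the principal has never accessed before. The same rule is applied to a human account and a service account, since the checker only sees access requests.

```python
import statistics
from collections import defaultdict

# Constructed sample access log: (day, principal, record kind, records read).
# The last day contains a volume spike and a new record kind for both principals.
SAMPLE_LOG = [
    ("2024-02-01", "alice", "claims", 40),
    ("2024-02-02", "alice", "claims", 38),
    ("2024-02-03", "alice", "claims", 45),
    ("2024-02-04", "alice", "claims", 42),
    ("2024-02-05", "alice", "claims", 400),
    ("2024-02-05", "alice", "billing", 5),
    ("2024-02-01", "svc-backup", "claims", 1000),
    ("2024-02-02", "svc-backup", "claims", 1000),
    ("2024-02-03", "svc-backup", "claims", 1000),
    ("2024-02-04", "svc-backup", "claims", 1000),
    ("2024-02-05", "svc-backup", "claims", 1020),
    ("2024-02-05", "svc-backup", "patient_pii", 9000),
]

def build_baseline(log, before_day):
    """Per principal: daily record totals and the set of kinds seen before before_day."""
    totals = defaultdict(lambda: defaultdict(int))
    kinds = defaultdict(set)
    for day, who, kind, n in log:
        if day < before_day:
            totals[who][day] += n
            kinds[who].add(kind)
    return totals, kinds

def detect(log, day, volume_factor=3.0):
    """Return (principal, reason) alerts for `day` against each principal's own history."""
    totals, kinds = build_baseline(log, day)
    today = defaultdict(int)
    today_kinds = defaultdict(set)
    for d, who, kind, n in log:
        if d == day:
            today[who] += n
            today_kinds[who].add(kind)
    alerts = []
    for who in set(today) | set(totals):
        history = list(totals[who].values())
        if not history:                      # activity with no history at all
            alerts.append((who, "no baseline"))
            continue
        mean = statistics.fmean(history)
        if today[who] > volume_factor * mean:  # more data than usual
            alerts.append((who, f"volume {today[who]} vs baseline {mean:.0f}"))
        for kind in sorted(today_kinds[who] - kinds[who]):  # data of a different kind
            alerts.append((who, f"new data kind {kind}"))
    return sorted(alerts)
```

Calling `detect(SAMPLE_LOG, "2024-02-05")` raises four alerts (volume and new kind for each principal), while the quiet day before raises none.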
Conclusion
MFA is a fashion-driven, ineffective response to data thefts.
No more evidence than the mania for MFA is needed to conclusively demonstrate that Computer Science is not a science. It’s roughly the same kind of thing as blood-letting was in medicine: always hurt, never cured and sometimes killed the patient.
The near-universal response to the largest theft of data in history by authorities and experts is to write more regulations and add yet more overhead to the ordinary use of computers … which, as history has shown, won’t make a dent in the problem, much less solve it.