Former Yahoo CEO: Stronger Defense Couldn't Stop BreachesMarissa Mayer Testifies on the Challenges of Halting State-Backed Persistent Attacks
The former CEO of Yahoo, which had 3 billion records exposed in a 2013 data breach and another 500,000 in a separate 2014 breach, testified at a Senate hearing that it's tough for any corporation to defend against cyberattacks backed by nation-states.
See Also: Dynamic Detection for Dynamic Threats
"Even robust defenses and prosecutors aren't sufficient to protect against the state-sponsored attack, especially when they're extremely sophisticated and persistent," Marissa Mayer testified.
Last month, Yahoo reported its entire user base of 3 billion accounts was compromised in an August 2013 data breach. While the breach had been previously disclosed, the count of victims is triple Yahoo's December 2016 estimate that 1 billion accounts were compromised (see Yahoo: 3 Billion Accounts Breached in 2013).
Meyer stepped down as CEO of Yahoo earlier this year when Verizon Communications bought the social media company in June for $4.5 billion.
In response to Mayer's comment, Sen. Bill Nelson, the Florida Democrat and ranking member of the Senate Commerce, Science and Transportation Committee, which held the hearing, said: "That's an admission you are not protected against state actors," prompting the senator to ask what Yahoo is doing about it.
A top executive at Yahoo's new owner, Verizon Communications Chief Privacy Officer Karen Zacharia, said that companies such as hers must adopt technologies and processes to improve security as the threat rapidly evolves. She also said business and government must work together to tackle this problem, including working to enact a national data breach notification law.
Zacharia's answer didn't quite satisfy Nelson. "That's a good intention, but it's going to take more," Nelson said. "It's going to take an attitude change among companies such as yours that we've got to go to extreme limits to protect our customers' privacy."
A few minutes later, Sen. Roger Wicker, R-Miss., asked all of those testifying, including the interim and former CEOs of Equifax, Paulino de Rego Barros Jr. and Richard Smith, as well as Entrust Datacard CEO Todd Wilkinson, if they took issue with Nelson's contention that a "mere company" cannot withstand persistent attacks from state-backed hackers without the help of the National Security Agency. The executives remained mute.
Mayer was a reluctant witness. After reportedly declining a request to testify, the panel issued a subpoena to compel her to appear (see Life After Yahoo: Mayer Forced to Testify Before Senate).
Mayer told the committee that Yahoo learned of a state-sponsored attack on its system in late 2014, and promptly reported it to law enforcement and notified users who were impacted by the hack.
"We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo's systems," she said, based on the March 15 indictment charging four individuals in connection with the 2014 hack (see Russian Spies, Two Others, Indicted in Yahoo Hack). So far, no nation-state connection to the much larger 2013 breach has been revealed.
Mayer told the committee that Yahoo fell victim to the breaches despite devoting substantial resources to security in an attempt to stay ahead of sophisticated and constantly evolving threats.
During her tenure as CEO, she said, Yahoo roughly doubled its internal security staff and made significant investments in its leadership and team. Among those hired, she said: security specialists focused on threat investigations, e-crimes, product security, risk management and offensive engineering. The company adopted a comprehensive information security program designed to enhance its policies, procedures and controls based on the National Institute of Standards and Technology's cybersecurity framework, she said.
Shrouded in Mystery
Those remarks prompted Committee Chairman John Thune, R-S.D., to ask Mayer why, despite these investments, Yahoo failed to detect the massive 2013 breach for three years. Mayer answered that such attacks are complex and persistent and the understanding of the facts behind them evolve over time. Indeed, the former CEO said, much of the facts behind the breaches remain shrouded in mystery.
To this day, she said, security experts have been unable to identify the specific intrusions that led to the breaches: "We don't exactly understand how the act was perpetrated."