Georgia Provides an Object Lesson on Why Governments Are the Problem and Solution to Managing Privacy Threats

The Peach State is our home.  Headquartered here in the Atlanta Metro Area, Privacy Bee is proudly leading the charge when it comes to protecting the privacy of all Americans.  Since, as the old proverb teaches us, “charity begins at home”, Privacy Bee for Business is taking this opportunity to examine several recent data breaches perpetrated against the State of Georgia and by extension all citizens of the state.  The purpose of the examination is not to assign blame, or to direct scorn at our state government for its failures in managing privacy threats.  Rather, it is to help improve our home state by illustrating how what’s been happening here in the Peach State is a parable for what is happening, not just in the 49 other US states, but in nations around the world. It is the intention of this document to illuminate the path we all must follow to ensure all citizens of the world – individually and as organizations – are protected from the burgeoning threats of unsecured external data exploitation.

The ensuing paper shall work to its conclusion in three steps. Step one focuses on the nuts and bolts of the attacks against Georgia governmental information systems over the past five years and explains how these attacks were able to succeed. Step two examines how governmental postures – here in Georgia and across the rest of the US and the globe – contribute to the insecurity we all face as the risks continue to mount. Step three defines how governments (and corporate governance) can act authoritatively to address and mitigate privacy threats.

Managing Privacy Threats – A Discipline in its Infancy

While it may seem as though the internet has been with us for a very long time now – especially for Gen Z professionals and many Millennials who never lived in the pre-internet age – in reality, globally networked computing is still very much in its infancy.  The wholesale migration of nearly all commerce and government from the brick-and-mortar world into the digital/cyber world occurred at lightning speed compared to most other advancements throughout human history.  As a result, the aggregation of personal data on the majority of the world’s nine billion inhabitants is breathtaking and unprecedented.  This vast pooling of sensitive personal data now enables a global wave of criminal activity sprawling in size, scope and variety.

According to A Brief History of the Internet published by the University System of Georgia, the modern internet began in the 1960s with the US Department of Defense’s first system of networked computers known as ARPANET (Advanced Research Projects Agency Network).  However, it wasn’t until January of 1983 and the invention of a standard way for disparate computer networks to communicate with one another – Transfer Control Protocol/Internetwork Protocol (TCP/IP) – that the internet as we know it today was born. 

Since that time, the volume of data housed in global networks has grown by orders of magnitude. Between the years of 2008 and 2020 alone, the volume of data grew from 1 zettabyte to almost 45 zettabytes. For reference, a zettabyte is equal to one trillion gigabytes! The following illustration comes from a conference paper written by Khalid Adam Ismail Hammad of the Faculty of Computer System and Software Engineering at University of Malaysia and presented to the International Conference on Operations Excellence and Service Engineering in Orlando, Florida.

While not all that data is personally identifiable information, the speed at which data collection continues to grow ensures that there are literal zettabytes of PII data stored across hundreds of thousands of systems.  It is not folly to surmise that all this private and sensitive data is not being well-protected by all or even most of the organizations that hold it. 

Add to this private data – collected during every interaction an individual has while navigating the internet for business or personal purposes – all the contextually significant information billions of people share across social media on a daily basis. 

The following graphic, included in Professor Hammad’s paper, underscores the mind-boggling volume of social media data produced every sixty seconds. And these numbers were derived nearly ten years ago. Consider how much personally identifiable information humanity has revealed to the internet in the decade since these numbers were derived.

As governmental and private organizations alike maintain individual pools of private data on their customers and/or constituencies, a wide range of security measures have been applied in attempts to protect the privacy of these people’s personal data as well as sensitive operational data. The quality and completeness of these security measures vary widely from very strong to very weak. Since there is no industry or regulatory standard in place to ensure basic, minimum privacy policies are observed and enforced, threat actors are able to exploit any target organization for whatever reasons they may have.

Whether their goals are to steal sensitive trade secrets, extort ransoms from deep pocketed corporations, advance a political/partisan agenda, exact revenge on governments or specific industries, steal identities to sell or exploit, or simply to engage in malicious mischief, different threat actors have differing motivations for exploiting unsecured, private data.  What’s clear is that in spite of the best cybersecurity efforts of the largest governments and corporations in the world, the problem of unsecured external data continues to persist.  Catastrophic data breaches continue to occur on a daily basis with wide ranging, negative consequences for individuals, businesses, governments and society at large. 

Let’s turn attention now to the object lesson to be derived from the State of Georgia.

Georgia’s Inadequate Record of Managing Privacy Threats

First, let’s make clear, Georgia is not an outlier when it comes to how well any governmental body addresses privacy concerns. In fact, sadly, it is typical of how most US states address the challenge. As is often the case when it comes to emerging technologies of any kind, the pace of innovation and the frequency of significant advancements tend to be far quicker than the pace of legal and regulatory oversight.

Some states, most notably California, have begun adopting and enforcing muscular data privacy regulations like the Golden State’s California Consumer Privacy Act or CCPA and California Privacy Rights Act or CPRA.  These forward-thinking laws rightly identify data privacy as the gap in contemporary cyber security tactics and methodologies.  While currently, a dozen other states have followed California in adopting consumer data privacy laws – Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, and Delaware – the majority, including Georgia, have yet to do so.

So, it was not surprising that back in March of 2018, like so many other states, municipalities, and businesses large and small, the City of Atlanta was the victim of a crippling ransomware attack. The attack made national headlines as Atlanta’s role as an economic and transportation hub in the US was hobbled. The extent and duration of the service outages resulting from the attack virtually shuttered governmental services and programs affecting millions of ATL metro constituents, bringing utility, parking, court services and other critical governmental systems to a standstill.

It perhaps shouldn’t have come as a surprise to authorities who had been criticized in the days and months leading up to the attack.  Atlanta’s government had been made aware of its vulnerability by a January 2018 audit which uncovered 1,500 to 2,000 vulnerabilities in the city’s systems and suggested that the number of vulnerabilities had grown so large that workers grew complacent.  And while this particular attack, ultimately determined to be the work of Iranian hackers, was not the result of the phishing strategy now making up the majority of such systems breaches in the US, it was nevertheless regarded as the largest successful breach of security for a major American city by a threat actor. It affected more than six million people. 

By June 2018, four months after discovery, it was estimated that a full third of the software systems used by the city remained compromised and either fully or partially disabled.  The City of Atlanta allocated $2.7 million to IT services contractors to work on full restoration of their crippled information systems.  But that number was later revised as it was determined the city would need at least $9.5 million to regain normal operations.

As is the case with so many organizations victimized by information systems attacks and data breaches, the City of Atlanta went to significant expense to restore and then to further harden their cyber defenses.  Yet, the ability to prevent subsequent attacks remained an elusive goal to be pursued. 

Predictably, Georgia has again been victimized by a pair of cyber breaches of its data systems. In February of 2024 (within two weeks of the writing of this paper), the suburban Atlanta Fulton County Schools district was breached. This interrupted school email and communications systems, locking students out of online learning tools, emails and other important systems. At around the same time, also in Fulton County, a Fulton County Government spokesperson reported a “cybersecurity incident” which impacted an array of government services. That spokesperson confirmed that County Government systems were on a completely separate network from the school district’s.

Investigations have yet to fully determine the details of how this occurred. It is suspected that the Fulton School District breach was perpetrated by a student or group of students. Fulton County Manager Dick Anderson told the Atlanta Journal-Constitution that the County Government breach was the suspected result of a ransomware attack by a different threat actor.

The venue for both these fresh attacks is of particular import for reasons to be explored in the next section of this document.

The Broader Failure of Governments in Managing Privacy Threats

As stated, step two of this exercise involves understanding how government inaction – and the incomplete patchwork of data privacy laws in the US – renders not only governmental institutions, but all of enterprise commerce vulnerable to a multiplying list of data breaches and threats of violence.

It is surely worth noting that the two brand-new attacks in Georgia occurred specifically in Fulton County.  While it has not yet been determined who is behind the February 2024 attacks, Fulton County itself is especially vulnerable to violent attack by threat actors with partisan motivations.  The national news is saturated with daily stories about the prosecution of former President Trump over his alleged election interference following the 2020 presidential election.  Fani Willis, the Fulton County prosecutor is heading this high-profile case after securing a grand jury indictment of the former president and 18 of his allies and staffers.  Defendants Sidney Powell and Kenneth Chesebro have already pled guilty and been sentenced.

Regardless of the veracity of the charges or where one falls on the ideological spectrum, it cannot be denied that there have been significant threats of violence issued by the most extreme members of the far right against Prosecutor Willis, her staff and the judges hearing these cases.  For example, Arthur Ray Hanson of Alabama was indicted for “transmitting interstate threats to injure Fulton County District Attorney Fani Willis and Fulton County Sheriff Patrick Labat because of their connections to the Fulton County, Georgia, investigation of former President Donald Trump” according to a US Justice Department release.  

Other Trump prosecutions in New York, Florida and Washington DC have all resulted in similar spikes in threats of physical violence against federal judges and other judiciary personnel. In the current, highly polarized political environment, such threats are becoming all too commonplace.

Threats abound against workers in numerous fields where controversy serves to inflame political partisanship.  Threats against abortion providers, threats against firearms manufacturers, threats against healthcare researchers and workers over vaccines are just some of the elements comprising the rising tide of violence. 

The chart and data from CNN below illustrate the alarming rise of legitimate threats aimed at federal judges and prosecutors just in the last six years.  The explosive growth rate is astonishing.

CNN reviewed more than 500 federally prosecuted threats. Here’s what they found:

  • At least 41% of all the cases across the decade were politically motivated.
  • Nearly 95% of people prosecuted for making threats to public officials are male; the median age is 37.
  • Politically motivated threats to public officials increased 178% during Trump’s presidency.
  • Threats related to hot political topics like abortion or police brutality also skyrocketed during the Trump years, increasing by more than 300% from Obama’s second term.
  • As the party in power, 16 Democrats received threats during Obama’s second term. This increased 169% with 43 GOP lawmakers threatened under Trump.

At the epicenter of a modern political controversy, Fulton County should expect to be a target for hackers, partisans and other threat actors.   It is also worth noting that not every threat actor will be compelled to visit violent harm on governmental agents.  Rather, they may focus their ire more diffusely on governmental agencies seeking to disrupt operations and strike a blow against their perceived enemies by proxy.

In any event, Georgia’s government is not alone in representing a target. And not all threats are driven by domestic political motivations. Hostile foreign governments like Iran, North Korea and Russia, for example, routinely probe and breach US government data systems to steal sensitive military secrets as well as to foment chaos such as election meddling and disruption of energy or telecommunications systems. These types of attacks are routinely experienced by governmental agencies, utility companies and other strategic targets in what must rightfully be regarded as “cyber warfare”.

The fundamental shortcomings in our government and corporate security regimes are twofold.  First, as is the case with all cyber and information security practices, most organizations do not yet embrace the mission-critical role played by unsecured external data in the perpetration of these crimes.  Yet, it is beyond dispute that the top vector for data breaches within all cases continues to be Social Engineering.  Threat actors using context clues either purchased or simply scraped from free sources abundant on the internet, are crafting phishing attacks, doxxing attacks and other highly successful Social Engineering attacks. 

The reason for the proliferation of these types of attacks is precisely because they virtually sidestep traditional cyber security practices like firewalls, encryption layers, endpoint protection, 2FA and others.  Why chip away at the walls of the keep when one can simply smooth talk the gatekeeper, spoofing their way to the inside?  Unless or until all info sec professionals – both in public and private sector – arrive at this epiphany, the breaches and violence will continue no matter how much budget is allocated to traditional cyber security processes.

This leads to the second fundamental shortcoming – the lack of consistency in regulatory and legislative action.  While AI promises to amplify the already unmitigated flow of Social Engineering attacks, governmental agencies and lawmakers are failing to meet the need for comprehensive guidelines, metrics, and enforcement mechanisms to ensure compliance with best practices for managing privacy threats.  As noted, some regulations have occurred at the state level beginning with California, and other states have borrowed California’s template to hastily deploy their own reasonable facsimiles.   With the majority of US states still operating in the absence of any regulatory structure, the effects of those states doing the work are diluted.  We’re at an existential tipping point as regards the need for a unified, organized, federal standard for data privacy to be applied to all organizations public and private.

The last legislation at the Federal level regarding personal data privacy was the Privacy Act of 1974, signed into law before the internet age. It was followed in 1996 by the HIPAA law, which enunciated standards for how healthcare providers can use a patient’s personal health data – a very narrow slice of all the personal data possessed by any citizen. Few other federal privacy laws have been ratified since. Visit Forbes for a list of the few, and wholly inadequate, regulations issued at the Federal level.

All this leads to the question of what can be done by our government to ensure private and public sector organizations apply and adhere to real, effective and achievable goals pertaining to shrinking the Social Engineering Attack Surface. Doing so would certainly ensure a dramatic reduction in risks and threats surrounding unsecured external data.

Learn more in a Privacy Bee white paper about the Social Engineering Attack Surface to improve understanding of the challenges it poses and how to address actionable solutions while waiting for government to catch up to the threat.    

How Government (and Corporate Governance) can Address, Mitigate and Manage Privacy Threats

The third and final step offered by this document is the revelation of actions that can and must be taken to successfully manage privacy threats. As the wheels of government can move painfully slowly, particularly in today’s polarized and dysfunctional political environment, this is one of the times when corporations and the private sector can step out ahead of our political leaders and effectuate sorely needed change. The private sector obviously has a compelling profit motive for doing so. At the same time, the relative quickness with which the private sector can act compels it to lead the way, and hopefully our legislators and regulators will be astute enough to follow its lead and build a unified template to apply in the protection of our political systems’ integrity and our national security.

Understanding the Threat and Developing a Privacy Management Practice

Privacy Bee for Business published an exhaustive paper on Data Privacy Management Metrics & Key Performance Indicators which can be accessed here. The document articulates a detailed framework for developing a full-throated strategy and deployment plan for a 21st Century external data privacy management edifice, one that can be formalized as part of a large enterprise’s Governance, Risk and Compliance (GRC) documents.

The plan provides guidance on how to define the correct audiences within a large organization to include as key stakeholders, and on how to arrive at the relevant metrics and reporting structures to inform these stakeholders sufficiently to manage privacy threats as a routine business function. Then it elaborates on ways to define common metrics for external data privacy management – providing the insight external data privacy stakeholders and champions need to ask the right questions, arriving at the right metrics to succeed in the endeavor.

Understanding the Cost of Inaction and the Benefit & ROI of Acting Decisively

One commonality between the public and private sector when it comes to taking action on any challenge is a singular focus on the costs of engaging and the return on investment in any activities undertaken. For the acute challenges of managing privacy threats, the stakes couldn’t possibly be higher. Vast sums of money are vulnerable to loss via theft and the costs of mitigation after breaches/attacks have occurred. More importantly, lives are at stake when it comes to protecting national security and preventing disruptions that take down power grids or hobble critical public services, utilities and infrastructure.

Privacy Bee for Business has invested significantly in research supporting the positive cost benefit of applying an umbrella of data privacy management atop the entire cybersecurity ecosystem.  In a white paper titled, Cost Benefit Analysis Proves the Necessity of Business Privacy Management, Privacy Bee provides sturdy business cases illustrating the vast imbalance between the cost of implementing a solution to manage privacy threats and the costs associated with ignoring the threat and falling prey to breaches and other attacks.  When viewed side by side, it becomes exceedingly clear that avoiding managing privacy threats when the means to do so are affordable and effective amounts to fiscal malfeasance.

For the largest enterprise organizations as well as for governments with vast fiscal resources and responsibilities, the issue of return on investment is of paramount importance.  Global organizations, Fortune 100 companies and NGOs can move quickly to deploy this missing, mission critical piece of their information security apparatus, secure in the knowledge that the return will be significant on what represents a comparatively meager investment.   

In a tour-de-force white paper, Privacy Bee uses actionable data from actual, real-world organizations to build a fanatically detailed ROI calculation and business case. With the average cost of a data breach in the US at $8.64 million in 2023 (Gartner), the paper, titled “Calculating the ROI into External Data Privacy Management Solutions”, delivers ROI figures the Federal Government and the world’s largest commercial enterprises can use to develop actionable plans for effective privacy management regulations. The paper even breaks down the ROI by threat type, including identity theft, physical threats of violence/doxxing, social engineering data breaches using phishing and other strategies, even HR poaching and other productivity-sapping threats enabled by the lack of external data privacy management.

Conclusions

The object lesson provided by Georgia’s inability to protect itself from privacy-driven breaches and threats is a powerful one.  The dynamics at play in the Peach State are mirrored across all US states and even foreign governments.  The myopic posture and lack of emphasis on truly addressing the underlying causes of today’s most popular attack vector left Georgia vulnerable to repeated breaches – even after the first incident should have laid bare their shortcomings.  Our national government is suffering from this myopia writ large.  And we all stand to suffer truly damaging consequences – economic and geopolitical – if we continue to whistle past the privacy graveyard.  Let this document issue a clarion call for reform and for the application of a unified regulatory framework for the proper management and mitigation of privacy threats now and into the future.
