I've often heard techies say they wish politics could stay out of IT, but it looks like IT has found its way into politics this year. Hotels owned by Donald Trump, the Republican candidate currently polling No. 2 in a field of 14 GOPers, have reportedly been hit by a payment card-seeking cyberattack. This development could prompt political attacks along the lines of "How can Trump protect the U.S. from cyberattacks when he can't protect his own hotels?"
The initial report, from KrebsOnSecurity, identified the Trump Hotel Collection as the common point of purchase for quite a few bogus payment card charges. "Sources at several banks traced a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels," the report said. "Sources in the financial industry say they have little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — are dealing with a card breach that appears to extend back to at least February 2015." Trump issued a statement to KrebsOnSecurity that said that Trump's hotel staff "have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation."
This could simply prove to be just another in a laundry list of data breaches that are routinely hitting American companies. But given that Trump has campaigned on business acumen, this could lead to a very high-profile exploration of how little a company can do to prevent being breached.
Being PCI-compliant, installing and managing the latest security software and devices, diligently reviewing all logs and chasing down anomalies — these things are all great moves, but none will make a company invulnerable. I am personally deluged with news releases from companies claiming that some security tactic will deliver perfect security. Just on Wednesday, this claim hit my inbox (from a company that shall, for the moment, remain unidentified): "This means you can store HIPAA, PCI, PFI, PHI, PII and other sensitive data requiring compliance that may evolve over time, while always being certain the data is safe."
This is a security company, trying to convince prospects that it is sophisticated in the ways of protecting data, and it makes a statement that screams, "I know nothing about security or I am willing to blatantly lie in the hope that you know nothing about security."
I'm trying to remain objective, but I am admittedly a bit sick of large IT departments at retailers getting attacked because they were breached — as though that fact alone is proof of incompetence. And Visa hasn't exactly helped, with its periodic claim that no breached retailer was ever found to be PCI-compliant — implying that had they been compliant, the thieves would have failed. (Note: A more honest statement from the card brand would have been that most of the victim chains had indeed been PCI-compliant, courtesy of a QSA report approved by their processor and others, but that the compliance was yanked away after the breach when a second assessment managed to find something — anything — to allow the compliance to be retroactively yanked away.)
The point is that perfect security doesn’t exist and it's entirely possible that a company is doing everything that is reasonable to do and still be breached. And let's not play down the words "everything that is reasonable." What percentage of the IT budget can possibly be spent on security? Global cyberthieves may have close to unlimited budgets — and if they are being backed by government agents, you need not say "close to" — but the IT staff for a retailer, car company or hotel chain does not.
When security logs find thousands of breach attempts a day, how many is it reasonable to chase down? Although it is very awkward to be the CIO who has to explain to the board why the digital footprint of the successful attack hadn't been chased, it is far more awkward — and career-ending — why 42 IT people were chasing down phantom attackers, while the launch of a major revenue-intensive product was delayed because some IT staff was available.
But let's get back to Trump. If the (for the moment) No. 2 candidate is forced to defend these attacks either on the campaign trail or in the debates, it could lead to a meaningful discussion. It's easy for candidates to say that companies need to protect themselves against attacks, as though that is as simple as opening another factory. But when one of their own is victimized, it might generate a discussion that these attacks are not always possible to block.
It's often been said that, on the terrorism front, the U.S. gets minimal credit for the huge number of attacks halted or disrupted, but will be blamed for the one that gets through. There's something unfair about that.
Then again, political primary arguments rarely embrace nuance and reasonableness. And if anyone is going to change that, Donald Trump is probably the least likely candidate.
This article is published as part of the IDG Contributor Network. Want to Join?