Chinese Indictments in Equifax Breach Show Need for Secure Digital Infrastructure, not Onerous Privacy Regulations, Says ITIF

February 10, 2020

WASHINGTON—Following news that the U.S. government has indicted four members of the Chinese military on charges of hacking into Equifax Inc. to steal the company’s trade secrets and sensitive personal information such as Social Security numbers on close to 150 million Americans, the Information Technology and Innovation Foundation (ITIF), released the following statement from ITIF Vice President Daniel Castro:

Today’s indictment shows that the ongoing debate about consumer data privacy has been muddled and misguided from the outset—focusing the blame on corporate victims rather than on the perpetrators of state-directed cyber espionage.

Many advocates are calling for data-protection laws that focus too much on expensive, bureaucratically onerous compliance mechanisms in the name of protecting consumers. While the private sector has more work to do to improve its cybersecurity practices, this case underscores that when the adversary is a state-backed military, there is little chance for the average company to be adequately prepared. Instead of requiring companies to waste money on expensive and not-terribly-effective regulatory compliance, we should focus on building more secure digital infrastructure—such as replacing Social Security numbers with secure electronic IDs—and we should invest more in cybersecurity research and workforce training.

The Justice Department should vigorously investigate the case at hand, and other U.S. allies should help hold China accountable for these kinds of attacks on commercial systems. This warrants a serious response, not just a slap on the wrist.