When a 24-year-old U.S. citizen living in Turkey can infiltrate not one but two of America’s largest communication networks while the rest of the world sleeps, something in the world of data security is amiss.

The latest AT&T hack involved the theft of calls and texts of over 100 million AT&T customers. Although the stolen files contained no personal data or text content, the hacker demonstrated how a reverse-lookup program could easily connect the call and text message metadata to the names of family members, colleagues, and, in some cases, a user’s general location and movements. Stopping short of issuing an apology, AT&T simply acknowledged regret for the incident and casually slipped in the fact that disclosure of the data breach was delayed for two months by the FBI and Department of Justice.

AT&T is one of many organizations that tout “cyber resilience” — a buzzword strategy that shows how well a company or government agency can anticipate, withstand, recover from, and adapt to cyber-attacks. With cyber-attacks rising dramatically in the past year — as the AT&T debacle illustrates — the term is now synonymous with embarrassing system vulnerabilities.

Some experts are resigned to the current landscape of perpetual data breaches, suggesting that cyberattacks are inevitable and that a prevention mindset should be dumped in favor of one focused on cyber resilience. This passive approach ensures that organizations stay alive and profitable, but it does little, if anything, to address the most critical issue — protecting the valuable personal information of American citizens.

America needs to rethink data security from the ground up. Although having the resources and contingency plans in place to recover from a hack or digital meltdown is important, an entirely different approach — one focused on decentralizing data ownership and control from the outset — should also be implemented. This approach — known as data sovereignty or, more broadly, digital sovereignty — refers to an individual’s right to control, maintain, and monetize their digital footprint.

Americans should care about data sovereignty for two pressing reasons. First, taking back control over one’s data assets could provide individuals with the opportunity to monetize their own data. Reclaiming this economic self-determination would shift power away from the small number of “data monarchs” who control much of the world’s information and reshape the “asymmetrical marketplace” where individuals know very little about how much their data is worth and how it is used compared to the companies that leech and profit from that data.

Artificial intelligence (AI) has exacerbated this asymmetry. The quest to ingest as much information as possible — without permission from or compensation for technology users — has skewed this opaque marketplace further in favor of those few data monarchs. One case in point: social media platform Reddit is planning to sell user comments to Google and other companies to the tune of more than $200 million to feed AI projects. Reddit users will not receive a cent, nor do they have the option to sell, broker, or license their commentary data. But they should.

A Reddit user on noted in January that Reddit was selling user data to Google — shortly after it stopped allowing users to opt out of data sharing. Source: Reddit

The second reason why Americans should care about data sovereignty is privacy, which could have an outsized impact on the 2024 presidential election. If the 2018 Cambridge Analytica scandal taught us anything, it was how the powerful trifecta of data, analytics, and political persuasion can influence American electoral politics. In that incident, Facebook micro-targeted its users to influence their voting preferences, and while social media users technically gave consent to Facebook, that consent was obtained through a type of contract of adhesion where no opportunity was given to users to negotiate the terms of data usage.

Self-sovereignty over data could add a layer of protection to shield individuals from shrouded political manipulation and protect American society from unethical practices that influence democratic processes. On the other hand, if American citizens or politicians want to compete for influenceability, then it should literally be on their own terms.

Data sovereignty and indigenous data sovereignty defined by the National Library of Medicine. Source: The National Library of Medicine

Data sovereignty — which is inherently decentralized — is also a commonsense solution to vulnerable cyber resilience strategies. Instead of storing information in the cloud or in a centralized database, data control could be managed at the individual level and secured by post-quantum blockchain encryption. If the AT&T data breach wasn’t enough proof, another example that underscores the need to shift towards decentralized data governance is the recent CrowdStrike software update, which not only caused global systems to crash, but also revealed how interconnected and homogenized data security software offerings have become.

Americans can have their data and eat it too. How? For starters, cybersecurity experts and policymakers should consider studying instances where data sovereignty is thriving. For example, the self-sovereign mindset has seen considerable uptake by Indigenous groups, who are staunchly advocating for control over their census, health, social services, and environmental data. Studying how the Indigenous world is practicing data sovereignty and governing the use of their own personal information would be an informative case study and potential new technology or regulatory sandbox opportunity for digital economic zones.

Additionally, legislators should reboot efforts to compel tech companies to disclose the value of their users’ data and advocate for new legislation that curtails organizations’ ability to offer data use contracts that extinguish the negotiating power of users. The DASHBOARD Act, which tackled the data valuation issue, was a bipartisan legislative effort introduced in 2019 that has since stalled. Nevertheless, state privacy laws are gaining traction: 18 states have enacted privacy statutes tailored to a more user-centric approach. These efforts are clearly heading in the right direction, as some state laws, like the California Consumer Privacy Act (CCPA), give residents the right to opt out of the sale or sharing of their personal information.

Finally, entrepreneurs should continue experimenting with the design of blockchain-enabled data sovereignty platforms, products, and services and the creation of post-quantum-secured, distributed international data spaces that are designed for individuals, not corporations.

Ultimately, America needs a new approach to data security — one that favors decentralization and self-determination and that disfavors complacency and resignation to the power of the few.

Agnes Gambill West is an affiliate senior research fellow with the Mercatus Center at George Mason University. She's the co-chair of the North Carolina Blockchain Initiative, an appointee to the North Carolina Innovation Council, and serves on the Business and Consumer Payments Advisory Council for the Federal Reserve Bank of Richmond. She has experience working as a proprietary trader and is the co-founder of an Ethereum-based blockchain payments company. She received a JD from University of North Carolina School of Law, an LLM from Duke University School of Law, and an MSc from Oxford University.