Shostack + Friends Blog Archive


There Outta be a Law

schoolhouse-rock.jpgA reader wrote in to ask why I’m not more forcefully advocating new laws around information security. After all, we report on hundreds of failures with deeply unfortunate consequences for people. Those people have little say in how their data is stored, so shouldn’t we have a law to protect them?

We probably should, and I have advocated for a law that puts strict privacy requirements around data issued by or validated by the government. I think that’s a more reasonable tradeoff between free speech and privacy than a more general privacy law.

At the same time, I’m hesitant to create a general purpose data security law, because I don’t know what it should say. The very broad and general provisions of Sarbanes Oxley are quite challenging to interpret. [Spelling corrected, thanks Ian!] A more specific law creates lock-in for solutions that will be sub-optimal because we don’t yet know what the best things to do are. (I had a conversation about this with S.L.–his company needs to get a lot of products certified under the “Common Criteria,” but they don’t think they get a lot of value from the process.) Changing the CC process is hard and slow. Since we don’t yet have a good picture of how breaches occur, its too early to be writing laws that require more than disclosure, and a probably a right to recover damages for privacy violations, even if they’re not fiscally damaging.

[Update: Don’t miss Alex Hutton’s great comment on the effects of regulation on the regulated.]

4 comments on "There Outta be a Law"

  • What, if anything, do you think of the European Unions privacy regulations?

  • Alex Hutton says:

    Not to sound too libertarian, but another very good reason not to write laws or involve the government is competency. Have you ever tried to deal with government exmaniers/auditors/regulators?
    Think of failed guidances of the past. A new technology, say, IDS comes out. The government gives “guidance” that suggests that (financial institutions) should “have controls in place that detect intrusions (I’m quoting from memory so forgive me, but the specific guidance I’m thinking of pretty much spells out that you will have IDS).
    How many successful IDS deployments have you seen in banks, credit unions or insurance companies? I find that either the amount of data is so great that IDS becomes solely a tool for forensic analysis after the fact, or, if the organization is small, IDS becomes a pretty good waste of $500 per month to line the pockets of some MSSP. Not to rant on IDS – my point is that if the government gets too specific – budgets tend to be spent on meeting the minimum requirements rather than implementing processes or other controls that may have an actual impact!
    Furthermore, government auditors are generally under-educated. State auditors have been known to run around demanding that mid-sized financials have “Risk Assessments” performed. What ends up happening? Two guys with CISSPs and a laptop run a Nessus scan and the Financial presents the raw, unverified output as a Risk Assessment – and the state accepts that! Their incapability to use the proper nomenclature (don’t get me started on the auditors use of terms like “threat”, “vulnerability” and “risk” – either incorrectly or interchangeably) or understanding of the benefits behind their own demands is aggravating. “We’ll demand that you run through this hoop, but we won’t ask you of what benefit it was to your organization.”

  • Adam says:

    What you say is deeply motivating when I say things like “a law that puts strict privacy requirements around data issued by or validated by the government.”
    This allows businesses to choose if they’re going to be affected by privacy law or not. If not, you can use whatever name you want, and the privacy impact is up to you. If they do rely on government, they have to take the red tape with the ID card.

  • Alex Hutton says:

    If you’ve written about it before, forgive me for not seeing it, but I think I’d need you to elaborate further on “data issued or validated”.
    By data issued, I suppose you are primarly alluding to SS#?
    By “data validated” I’m not sure I follow you. Are you concerned with data validation or the validation of risk analysis/controls capabilities?

Comments are closed.