Shostack + Friends Blog Archive


Transparency Is Good for the Soul (of Our Profession)

In “Legislating Virtue,” Phill takes me to task for being unclear in “So, this, ummm, friend of mine, umm has a problem with security.” That’s fair. I’ve been saying similar things a lot, and I forget that I need to back up and frame it from time to time.

Phill spends a lot of his post arguing that there’s nothing a consumer can effectively do today. I agree, and think that disclosure will prime the market, and allow new companies to spring up and actually help with the immediate response.

Consumers aren’t my main point. Companies are. I want to try to be clearer in response to two of Phill’s points, conveniently marshalled into one paragraph:

The legislators certainly could have required disclosure of every imaginable security breach but that would only serve to embarrass the companies involved, it would not achieve the legislator’s purpose of encouraging adoption of better security practices and stopping the disclosures taking place.

First, the embarrassment. When we are seeing many of these per month, the shock and embarrassment are lessened. It will take time, but many of the disclosures that today seem to just happen will become normalized.

That’s not the whole story. Some of these disclosures won’t be normal, because companies will respond to the things that cause typical problems. We as professionals will be able to examine the security incident reports, and take lessons based on evidence. Is “wardriving” a big deal, or is it a sexy term that the press picks up on? Today, I have my opinion, you have yours, and neither of us has any data. If we had data, we could have better discussions. And if companies are required to reveal breaches, then we will have data. Getting that data is worth a little temporary embarrassment.

Really, what matters to me is that we have a flow of information coming from real incidents, and that’s something that’s new and important in the world of information security. Today, we simply don’t have data to drive decision making, and so we make decisions as best we can. I’d like for that to improve, and I think that mandatory disclosure of problems can help us improve.

I hope that clears up what I’m saying. A few more smaller points after the break.
(Photo: “Xray Metacarpal” of, posted by emptyset)

Central registries vs customer notices: Some people are suggesting that a central registry is cheaper, more effective, and less damaging to company reputations. While these are all true, I want the raw data. Access to raw data is powerful, and the redaction of that data to enhance company privacy will inevitably reduce its utility.

SarBox 1/2:

In practice it means that every corporate pen pusher at every company listed on the US markets has suddenly discovered that they give their request for the most trivial information the force of federal law by stating ‘this is a Sarbanes-Oxley requirement’.

Precisely. SarBox is what we get when we have no data with which to push back. If I can show that companies that have 12+ character passwords changed monthly suffer more breaches than companies with 9 character passwords changed quarterly, I can tell the accountant to stuff it. Today, we write down our passwords, and have weakly authenticated help desks that get social engineered into letting me back into my account after I’m locked out.

SarBox 2/2:
If companies who are attesting to the effectiveness of their controls are still having to report information leaks, what does that say about the process as a whole? (And can companies use that to push back on the ineffectiveness of the regulations, and their implementation by the audit firms?)

The FTC:
FTC statements about deceptive trade practices may make all of this moot. The FTC ‘case law’ is leaning towards the idea that if you claim to be secure, and you know you’re not, then your statement is deceptive. I’m not sure how to reconcile this with “we lost customer data, but don’t think anyone will exploit it.” It seems to me that your claims are still deceptive, but you rely on the kindness of strangers to protect your customers.

2 comments on "Transparency Is Good for the Soul (of Our Profession)"

  • Iang says:

    > The FTC ‘case law’ is leaning towards the idea that if you claim to be secure, and you know you’re not, then your statement is deceptive.
    The statement isn’t so much deceptive, as ignorant. In practice, companies take on risks and manage those, for themselves and on behalf of the customers. They are not ‘secure’ because ‘secure’ implies either an absolute standard (doesn’t exist) or a self-defined standard which is risk-based.
    Companies that say they are secure should simply replace the security consultants with risk managers and replace the claims. I’m sure the FTC will understand the more enlightened approach of risk management if it was explained to them, and realise the futility of suing companies for ignorance.
    (Arguably, if the FTC approach was to say “if you do not meet your own risk management policy, then you are at fault” then there would be more mileage. But that’s much more difficult to show.)

  • Iang (FC) says:

    > SarBox is what we get when we have no data with which to push back.
    Answer on the blog! Manual trackback:
