When Planes Fell From the Sky
The excellent ‘Notes from the Technology Underground’ has some personal recollections of “when planes fell from the sky:”
In the 1950s, planes crashed with alarming frequency into city neighborhoods near the Minneapolis-St. Paul airport. At least one devoured a house near where I now live, in Southwest Minneapolis. I heard from older neighbors about the time an airplane crashed in my neighborhood. It set me to thinking. Here’s my story on it…
While his story seems like one of incredible bad luck and improbability, it really isn’t so. In fact, my research shows that in the years 1950 through 1956, planes fell from the sky on south Minneapolis with astounding frequency — dramatic enough to make news, but not so unusual to be considered really exotic.
What Bill Gurstelle doesn’t talk about is how the airline industry stepped up and fixed the problems. It was an aggressive and purposeful embrace of transparency. Accidents got investigated, written up and talked about. Lessons were analyzed and taught. And air travel got safer. It reminds me of the bad old days of hiding vulnerability information and breach reports. We didn’t talk about buffer overflows, and from 1973 to 1996 there was no fix for them as a class of bugs. It was the same thing with breaches. Some people wanted to ‘save the organization from embarrassment.’ I’m so glad we in information security are past that, and are learning lessons from each other’s mistakes.
Photo from Washington State Historylink.
Adam, this is an excellent point. Strong, sustained attention to problems often produces a good solution to things that were just accepted as a “cost of business.” Other examples might include automobile safety (back when Nader was seen as a good guy) and early credit card liability issues.
One interesting thing to consider is the type of solution to the techno-social problems. Is the solution purely technical? Is there a difference between the source of the solution and the implementation of that solution (i.e. a new liability standard might be set by a single decision, but then implemented by myriad players)?
The fun thing about these widespread lingering problems is that they span so many different levels of technology, economic incentives, organizational dynamics, etc. It would be a fun project to put together a set of them and build a typology to suggest where corrective change is easier or harder, and what policy options would be better in different situations.
Some people wanted to ‘save the organization from embarrassment.’ I’m so glad we in information security are past that, and are learning lessons from each other’s mistakes.
“Past that” might be too strong. Yes, we do now have breach laws in some states, most notably California’s SB 1386. Yes, this has changed the landscape. There are still people out there who want to ‘save the organization from embarrassment,’ and the federal story has not yet been written. It might be worth keeping an eye on the new Congress to see what happens.
Oh, I just noticed this. The Cyber Security Industry Alliance ran a survey in 2006 on public perception of computer security issues.
https://www.csialliance.org/publications/surveys_and_polls/dci_survey_May2006/print/
Here’s the interesting part:
Anyone know if a campaign in 2006 actually did have someone raise breach bills as an issue?
@Allan:
As some of these outfits might have thought of it, “The loss of your privacy is the cost of my doing business.” :^)
On the typology -> control points idea, it seems somewhat clear even at this early stage that encryption of data at rest outside the perimeter, and more thoughtful consideration of what to store in the first place, would put a decent-sized dent in the problem. That is probably too technical a solution, where you are thinking more from a regulatory standpoint. This is one where the techies, regulators, and politicians need to work together. All would benefit from better data. In particular, I am frustrated by the seeming inability (or at least, difficulty) to tie real ID theft likelihoods to breaches. What could be done to get the data needed for this, while maintaining confidentiality and privacy for those whose records are involved, I wonder?
David,
I was being sarcastic about our lack of progress. Thanks for the second article; that’s fascinating and I’d missed it.
Adam:
I thought you might have been, but wasn’t sure. I’m still curious to know whether breach laws were in fact an issue in any November 2006 campaign. Google News isn’t much help as far as I can tell.
CSIA puts out some interesting stuff, but one should always take a few grains of salt with research that comes from an industry group with clear benefits from certain findings.
Re: 2006. No hard data, but I would be surprised if none of the sponsors of any of the recent ID Theft bills (no matter how poorly thought out or ineffective) mentioned their efforts while campaigning. If you were looking for hard evidence, start with the Congressional Register and work backwards through campaign literature.