Shostack + Friends Blog Archive
Response to Ken Belva on Transparency & Breaches

Over at bloginfosec, Ken Belva takes issue with my claim that “security breaches are good for you,” in the aptly titled “Why security breaches are still bad for you….”

His summary and response are well thought out, and I’d like to respond to a few of his points. This is a long post because I think these issues deserve more than a flip response.

Some of this breach information, while important, may not be best suited for direct public disclosure. Shostack’s best counter argument is point one: if breaches really do not create much of an impact, what’s the harm of disclosing the details of the breach? Well, my reply is that it’s generally bad business practice to disclose the details of one’s operations: one should not engage in practices which may diminish one’s source of competitive advantage.

On the specifics of disclosure in information security, I agree there are times when secrecy can be a useful part of a process. I usually follow Swire on this: the value of secrecy depends on the risk an attacker runs in piercing that secrecy, and that value is often mis-estimated, as I discussed in “Friday Star Wars: Open Design.”

To the broader point of discussing competitive advantage, I look to Honda’s discussion of their manufacturing techniques, or WalMart’s discussion of their lean operations. These companies talk regularly about the source of their competitive advantages. Talking about operations doesn’t generally impact competitive advantage.

Most importantly, I’m unaware of anyone getting sustainable competitive advantage from information security operations. I know companies who are getting operational efficiency, which, all else equal, leads to advantage. You can borrow money more cheaply, you can price your products better, and you can derive advantage from these things. That’s not the same as a sustainable competitive advantage.

Rather than direct and inconsistent corporate/government breach disclosures, a more apt way to do it is as follows: by law, a breached organization must report the breaches to a centralized authorized repository which will collect specific details of the breach in order to begin to amass worthwhile breach statistics for both public and private use. The specifics of what must be reported are universal standards required by all breach filers.

Up to here, I mostly agree; I do appreciate the competition to create good reporting standards.

Most specifics are kept confidential, but the relevant information about each particular breach is publicly disclosed depending upon the nature (category of severity) of the breach. An additional independent body (which could already exist) should have oversight of this centralized breach repository. The repository should be audited by an additional third party to ensure accuracy of information. The aggregated information should be tabulated, scrubbed of any organizational specifics and released publicly so that all organizations and individuals may benefit.

I don’t agree here. This is quite similar to Schwartz and Janger’s model 4 from their Michigan Law Review paper, “Notification of Data Security Breaches.” My issue with that model is the need for innovative research. We are at the inception of a new field, with a great deal of exciting work being done. I know of no better way to stifle new research than to hand control of the data to a government agency. We are seeing great research (and some not so great). We are seeing people apply legal, economic, media, and security perspectives to the data, and new things keep emerging from that. To hand exclusive access to a central agency, absent real harms from the data being widely available, seems unjustified.

Worse, I fear regulatory capture, where a few very interested parties work closely with the central repository to set rules for access that will slow the research and emergence of better analysis.

Freely available data, with low transactional barriers to acquisition, will lead to more research, more competition to do great research, and more competition to perform actionable research.

Yes, this is a change, and change can be hard on those of us who have been working under a set of known rules. We can do better, and owe it to our employers and our profession to do so.