BreachExchange mailing list archives
Re: CEOs deserve jail for data breaches [LONG]
From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 9 Apr 2008 12:36:32 -0400
Sorry, too much coffee. On Wed, Apr 09, 2008 at 09:26:33AM -0400, Allan Friedman wrote:
The only reason to advocate this sort of measure is if we have concrete proof that the personal-punishment type laws are more effective than the other alternatives that have been discussed on this list, including *effective* liability models or a shared culture of openness and communication to prevent future breaches.
That's a really good point. Which I'm now about to disagree with. ;-) Well, in part at least. Let me give it my best shot. I'll argue that unless people are held *personally* accountable -- in both a civil and criminal sense -- there's no incentive for them to make any effort. Why should the executives of TJX (to re-use my favorite example) make the slightest effort to address security issues when they know, up front, that in the worst (likely) scenario, they can walk away -- with their bloated salaries, their obscene bonuses, their golden parachutes -- and start doing it again somewhere else? All they have to do is use the word processor macro that prints out "we take the privacy of our customers seriously", look suitably grave at the press conference, and quietly slink off. The people are the top of these companies are the ones who have accepted full personal responsibility for everything that happens in those companies on their watch. And we're letting them (mostly) off the hook, so we shouldn't be surprised that they repeat the behavior: it's very profitable. After all: it's not *their* data. Why should they care? (Let me note in passing that expecting Cxx level executives to take on this responsibility is expecting a lot. But that's the deal: anyone who's not up to that is free to decline such a position. But IF they accept it, and IF they accept the enormous rewards that typically go with it, then they have also -- whether they realize it or not -- accepted the responsibility. Nobody rides for free.) As I watch this list, and the "Pogo Was Right" web site, and all the other resources that we probably all watch, and I consider the impact that data protection legislation and enforcement has had to date, I'm reminded of a line from Marcus Ranum's brilliant "The Six Dumbest Ideas in Security": "If it was going to work, it would have worked by now." I submit that what we (the collective societal "we") are doing isn't working, and that it's probably not going to work. If you buy that assertion (and I'm sure some do, some don't), then the question arises: "okay, fine, let's do something different...what?" Which brings me back to: "Somebody's got to go to prison." Agent Sadusky, "National Treasure" which is starting to be my favorite quote of the month. I do recognize though, (to your point and that of others) that vigorous criminal prosecution will probably cause problems with disclosure. I'll counter that by saying we already have those problems: disclosures are delayed, minimized, obfuscated, wallpapered, and everything else possible to pretend they don't exist or don't have significant impact. And that laundry list just accounts for intentional actions: some disclosures don't happen because they don't know...or don't want to know. So I conclude that voluntary disclosure is at best a weak mechanism -- nice to have, but not one we should primarily rely on. So let me suggest a couple of possible approaches around this, approaches which I think address the problem that increased personal accountability could well decrease the inclination to be open. I'll begin by citing the Kulawiec Iceberg Principle: For every breach reported by an organization, there are ten more they're aware of. For every breach an organization's aware of, there are ten more they don't know about. (Hey, I thought it up, I'm sticking my name on it. Get your own. ;-) More seriously, if someone beat me to it, let me know and I'll pummeXXXXgive them appropriate credit.) I came up with that because it seems to match observations. The repeated pattern of disclosures which start at X, escalate to 2X, then 5X, then 10X, argues for the first part. The non-disclosures in cases where there are obviously severe problems argues for the second. A timely example: Flawed Security Lets Sprint Accounts Get Easily Hijacked http://consumerist.com/376845/flawed-security-lets-sprint-accounts-get-easily-hijacked followed up by (and thanks to Paul Ferguson for noting this): Flawed Sprint Security Worse Than We Thought http://consumerist.com/377617/flawed-sprint-security-worse-than-we-thought and both of which very likely related back to: Sprint Twiddles Thumbs While 12-Year Customers Get Scammed For $2,500 http://consumerist.com/374199/sprint-twiddles-thumbs-while-12+year-customers-get-scammed-for-2500 No disclosure yet from Sprint. But there's obviously a problem here, and I'd be really surprised if it *hadn't* been exploited. The fact that this is emerging from discussions on a consumer advocacy web site and not from Sprint corporate is telling. Either they know (in which case they're not being forthright) or they don't know (in which case they may not be very good at what they're doing). My point? My point in going through all this is that we need mechanisms which *do not* rely on voluntary disclosure, because it doesn't work very well. (This explains why I'm not very worried about a decrease in voluntary disclosure as a result of prosecutions.) I can think of three things that might have a fighting chance, so I'll propose them in order to let you all promptly shred them. ;-) 1. Not just increased safeguards for whistleblowers, but rewards. It's worth it to us as a society, and if we do it right, it won't cost us anything. If J. Random System Admin inside Foo Corp notes that data is being shipped on unencrypted CDs in violation of law and/or best practice, and JRSA drops a dime to tell someone, then when it's all sorted out, JRSA is compensated for due diligence. (Where does the money come from? Cxx executives. They have plenty to spare. Besides, if they're not doing their jobs correctly, why should they be well-paid?) We need a structure that actively encourages the people who have firsthand knowledge of this to rat out their bosses, preferably *before* breaches occur. To do that, we have to counter their company loyalty, their job security fears, etc.: hence the need for safeguards plus rewards. 2. We need markedly higher penalties for bonehead moves. These might include: - acquiring data that you really have no reason to have - storing data that you have shouldn't - storing data longer than you need it - throwing data in the dumpster out back - shipping data without encrypting it etc. What I mean here is that we all know there are a kazillion threats, and the really really clever ones are probably not on our radar...so it's hard to fault someone if they get nailed by one of those that nobody's ever seen before. But the easy ones? C'mon, there's no reason to let those happen. Even people who just skim the glossy pages of CSO magazine should know these by now. 3. We need a mechanism to correlate independent reports of data theft *symptoms*. Go back to the Sprint example above: those CAN'T be the only people affected by this problem. There must be others. But they may well think they're alone -- they may not realize that they're just another data point in a pattern. We need a way for victims of identity theft, credit card fraud, etc. to safely (and there's the catch!) pool information so that someone can step back and look at the mosaic and say "hmmm...that's odd..." I'll skip over how such a mechanism might work because I'll probably get it wrong anyway. (Some back-of-the-envelope scribbling suggests that this is a hard problem.) But I think we need it, because I think it will give us a chance to uncover the 9 of 10 that companies know about and aren't announcing, and the 9 of 10 that they haven't detected yet. It could do this because it doesn't rely on them -- and we shouldn't rely on them, because *they're the problem*. I can tell you that it shouldn't be run (a) by any government or (b) by any commercial institution. All of those already have way too much data and can't keep track of it, and besides, we already know they have miserable security. (The GAO keeps handing out F grades in security to US government agencies. I presume this is because there is no lower grade available.) So if they ran it, the most likely outcome would be that it made things worse. That said...who? I don't know. A non-profit with very very serious security and privacy clue? I'm sure that there are problems with all three of these. I'm equally sure that 4,5,6... are out there and may well be better. But I think this is worth debating because I don't think voluntary disclosure is working very well. ---Rsk _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
Current thread:
- CEOs deserve jail for data breaches security curmudgeon (Apr 09)
- Re: CEOs deserve jail for data breaches Jeff (Apr 09)
- Re: CEOs deserve jail for data breaches James Ritchie, CISA, QSA (Apr 09)
- Re: CEOs deserve jail for data breaches Allen (Jun 30)
- Re: CEOs deserve jail for data breaches Rich Kulawiec (Apr 09)
- Re: CEOs deserve jail for data breaches Ghercoias, Catalin (Apr 09)
- Re: CEOs deserve jail for data breaches Allan Friedman (Apr 09)
- Re: CEOs deserve jail for data breaches [LONG] Rich Kulawiec (Apr 09)
- Re: CEOs deserve jail for data breaches Ghercoias, Catalin (Apr 09)
- Re: CEOs deserve jail for data breaches Jeff (Apr 09)
- Re: CEOs deserve jail for data breaches Casey, Troy # Atlanta (Apr 09)
- Re: CEOs deserve jail for data breaches Eric Nelson (Apr 09)
- Re: CEOs deserve jail for data breaches James Childers (Apr 09)
- Re: CEOs deserve jail for data breaches Eric Nelson (Apr 09)
- Re: CEOs deserve jail for data breaches Mike Simon (Apr 09)
- Re: CEOs deserve jail for data breaches Adam Shostack (Apr 09)
- Re: CEOs deserve jail for data breaches Max Hozven (Apr 09)
- Re: CEOs deserve jail for data breaches Stefan Wahe (Apr 09)
- Re: CEOs deserve jail for data breaches Rich Kulawiec (Apr 09)
- Re: CEOs deserve jail for data breaches lyger (Apr 09)
- Re: CEOs deserve jail for data breaches Adam Shostack (Apr 09)
- <Possible follow-ups>
- Re: CEOs deserve jail for data breaches grexpectations (Apr 09)