In his keynote at Black Hat in Vegas this summer, Dan Geer presented on the issue of mandatory breach disclosure. He drew a comparison between the information security industry and the aviation sector, an analogy that I’d discussed only the day before over lunch with the great Jack Daniel and Trey Ford.
Analogies can often be over-used, clichéd or a little too far-stretched for my liking, but this one really struck a chord.
Ford, himself a trained pilot, pointed out that failures and near-failures in aviation have to be reported, documented and shared, ensuring the entire industry is safer as a result. An aviation failure is deliberately made extremely visible, and thus becomes scrutinized on the world stage.
In stark contrast, in information security, organizations have so far been able to get away with non-disclosure, because data breaches are largely invisible. Vulnerabilities in the sector are often hidden, buried and kept secret.
Dan Geer called for mandatory reporting, for organizations large and small. He recommended the model used by the US Centers for Disease Control and Prevention, where all disease outbreaks above a certain threshold must be reported to the public.
A mandatory reporting law would, of course, put everyone on a level playing field. As is the way with human nature, if everyone else is having to do something, it feels less painful being forced into it yourself.
Of course, reluctance to disclose a breach is driven by a desire to protect competitive advantage, reputation and, ultimately, revenue. Compulsory disclosure, much of the industry argues, would motivate organizations to better protect their data in order to save face. But with breaches becoming increasingly inevitable, regulatory bodies could find themselves buried under a deluge of breach notifications.
I recall the ICO telling Infosecurity in 2012 that it needs to be “selective to be effective” and that voluntary breach disclosure works better because companies know they’re less likely to be punished if they are honest about breaches. Legal practitioners have also historically voiced concerns in relation to the timescale in which breaches should be disclosed. There’s also the obvious but very relevant question of how this would be policed.
In truth, there is no clean way of doing incident reporting in information security. The industry is young, breach notification practices are even younger, and the sector is only halfway through writing its own song book. I think Jack Daniel got it right when he said “information security was a throwaway line which has now evolved into an industry.” Well, we’re here now, and we’re here to stay, so let’s get that song book written, and let’s write it well.
Data breach disclosure is not the only area where the effectiveness of the information security industry suffers at the expense of prioritizing commercial gain. Intelligence sharing is an area that has been talked about for some time in the industry. Everyone knows – and agrees – that we’re better together, and sharing intelligence between government, private sector, and academia makes our defense community stronger and more efficient.
Yet, perhaps understandably, vendors are reluctant to share the signatures, samples, blacklists and intelligence that gives them a competitive advantage. As the industry continues to mature, and writes more anthems and ballads for that all-important song book, I hope that bigger strides will be made to contribute to the combined advancement of the industry, and online security and data protection as a whole.
Just this week, McAfee, Symantec, Fortinet and Palo Alto Networks announced they have co-founded the Cyber Threat Alliance, a coordinated industry effort against cyber-adversaries based on the sharing of intelligence and indicators of compromise. So steps are being made, and duets – even orchestras – are being formed.
Returning to the aviation analogy, people know about – and are exposed to – the failures of the aviation industry, yet they still choose to fly, and are safe in the knowledge that the industry uses shared intelligence and experiences to get better and safer. That’s a tune we should take out of their (song) book.
Finally, if you haven’t yet checked out the brand new, and quite frankly amazing (if we may say so ourselves) infosecurity-Magazine.com website, please do. We’ve invested in a site that will give our readers what they want, when they want it. We’d love to hear your thoughts and feedback, so get in touch: press.infosecurity@reedexpo.co.uk
Take care,
Eleanor Dallaway, Editor