In Memoriam Barnaby Jack.(1)
When it’s an indictment, a settlement or an ethical hack. It is interesting to note the difference between a breach notification press release (these are required by law, for example, for breaches of health care data affecting over 500 individuals) and the subsequent coverage and reports of indictments, settlements and ethical hacks.
Let’s consider the recent breaking news that 4 individuals were indicted for stealing over 160 million credit card numbers over the past 7 years or so.
Computer security experts said the scheme was notable for how long it lasted, how well coordinated it was and how it carefully singled out specific systems in the financial companies’ servers to steal from so many personal credit and debit card accounts.
As I’ve pointed out elsewhere, a breach notification needs to do certain things to be accepted by the public:
- Come clean that there was a breach
- Describe the extent of the breach (what was breached and what did “they get”)
- Describe how you are going to minimize the risk this will recur and what is being done for the victims of the breach (if there are any)
Likewise, press coverage should be an objective account of the facts. If the organization states that they are sincerely working to strengthen their security, that needs to be in quotation marks unless the reporter has investigated that claim. The event, the breach, has the victims as its focus and making things better for them going forward.
The coverage of these indictments are NOT breach notifications. In fact, some of the breaches mentioned such as Hannaford Supermarkets and Payment Systems got plenty of press coverage when they happened. Consumers got letters, some received credit protection, and the coverage was about the extent of the breach. In contrast, the reports of this indictment are more similar to reporting on suits brought against BP as a result of the Gulf Oil Spill than they are to breach coverage. Or follow-up articles on bridge collapses in Minnesota or Washington state.
The coverage also mirrors other follow-up stories around breaches as this one which announced a settlement between BlueCross BlueShield of Tennessee and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
What you notice is that the “victims” in each of these articles are a number and the remediations, fines and penalties, if any, feature in the story only if they are new.
And reporting on ethical hacks? The late Barnaby Jack was arguably the most widely reported on ethical hacker ever. In interviews with him, it came out clearly that his interest was in influencing industries to improve the security they built into their products. Did he enjoy the “mischief” he made? Undoubtedly. But when you watch interviews where he describes how he could wirelessly connect to an insulin pump and turn a life saving device into a remotely controlled potential weapon, he never smiles. He understood the stakes and knew the difference between getting an ATM machine to spit out hundreds of twenty dollar bills and a pump to give a diabetic hundreds of doses of insulin. Ethical hacking is different from indictments in that the ethical hacker is not finding a vulnerability in a technology and trying to single out those who exploit that vulnerability and “bring them to justice”. The ethical hacker is not looking for criminals. They are looking to make security better.
So, what ties the coverage of indictments, settlement and ethical hacking together? They are NOT about an initial privacy breach, even if millions of identities were originally involved. They are not about the hack, even if the hacker is wicked clever. They are about the risk of our dependence on technology and attempts by law enforcement, regulators and ethical hackers to prevent that technology being used against us.