…in the incident last September, somewhat similar to recent problems at the Veterans Affairs Department, senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said.
“That’s hogwash,” Rep. Joe Barton, chairman of the Energy and Commerce Committee, told Brooks. “You report directly to the secretary. You meet with him or the deputy every day. … You had a major breach of your own security and yet you didn’t inform the secretary.” (From Associated Press, “DOE computers hacked; info on 1,500 taken.”)
It used to be that security breaches were closely held secrets. Thanks to new laws, that’s no longer possible. We have some visibility into how bad the state of computer security is. We have some visibility into the consequences of those problems. For the first time, there’s evidence that I can point to to explain why I tremble with fear at phrases like “we use industry-standard practices to protect data about you.”
The new laws are not yet well understood. They’re not well understood by computer security professionals. They’re certainly not the basis for a set of case law that establishes the meaning of some key terms, like encryption. (I expect that juries will frown on using rot-13 to encrypt secrets, even if it might be within the letter of the law.) The only place where they’re understood is by the public, who expects to hear when they’re at risk.
The change in expectations will have exceptionally beneficial long term effects. We will get data that we can use to measure aspects of computer security. What a set of real attack vectors look like. (We may not learn about insiders or super-hackers.) With that data, we can focus our efforts on putting better security measures in place.
Requiring companies to own up to problems will drive them to ask their vendors for better software. They will ask the experts how to distinguish good software from bad. This may have the effects that some experts hope liability would bring about.
There will be a lot of short-term pain as we discover the shape of the new normal. The transition is well worth it.
The image is X Ray 4, by Chris Harve, on StockXpert.