Forbes has a story today that came from London. It seems King's College London has published a report saying it might be better to shame companies that don't protect their data very well. That approach is hardly noticeable in the report, and I wonder why any reasonable person would have picked out that part of it. I picked out this part:
"The first is that ACD in its initial iteration has only been used to protect the public sector. NCSC has described this as an ‘eat your own dog food’ attitude, ‘using government as a guinea pig’.40 The presumption here is that government will not ask anyone to implement cybersecurity solutions that it has not tested on itself."
I think this part of the report is right to the point of having anyone test commercial businesses to find out if their security is adequate. The testers are just as likely to be full of holes in their own systems until they do something about it. The governments of the world are awful at security and are the main reason why so much data is stolen every year. Our tax service (the IRS) has been hacked multiple times without much improvement being made to correct those problems. I don't even want to go into the whole list of Federal agencies that have been hacked, but it is long. Get those in order before starting to shame anyone into doing better security.
Second, in my experience, the shaming method does not work very well. Introduce liability instead. It is subtle, but briefing the Board of a company on its vulnerabilities is more effective. The Board members then know, as they are required to know, what they are doing that makes them vulnerable. That is harder to ignore. Public shaming, which causes more trouble and gets people fired who may not be the real problem, is a panic-inducing approach that ruins careers. Getting the Board's attention is usually effective. Where it isn't, there might be a need for more than public shaming.
Third, who gets to decide if a company is secure or not? What this report is describing is having an intelligence service set the criteria and test commercial establishments against those criteria. I don't think very many countries would be willing to follow that approach.
Fourth, cyber security is much more complicated than this part of the solution suggests. There are issues with liability, testing results, sharing of testing results, public knowledge of tested vulnerabilities, and hackers who will use this data to attack the weak. Even testing teams have to have extraordinary knowledge of multiple systems that few people have, and I wonder about having government members on those teams. China would hack those teams, and so would lots of others.