ChoicePoint (Roundups from Adam: today, 25th, 24th) is to receive help from Bank of America, which has just revealed that "a small number of computer data tapes were lost during shipment to a backup data center. The missing tapes contained U.S. federal government charge card program customer and account information."
This might seem like a silly way to run the privacy of a nation, but there is more to this than meets the eye. I've been writing a draft paper on security, and one relevant observation is that we have to get over this finger pointing: the incentive for companies like ChoicePoint to hide and fudge their security is driven by the bad exposure, not by the incentives related directly to the data.
A paper by Schechter and Smith at FC2003 raised the possibility that if companies openly share their threat and breach data, they can reduce the overall risk [1]. They show this from the point of view of the attacker, who has to see his costs rise because of the reduction in openings.
Yet I see their suggestion more in terms of game theory or prisoner's dilemma results, since standing up and revealing weaknesses raises the possibility of punishment. The industry as a whole has no great understanding of the risks and threats, and the major cost it has to deal with is adverse exposure. Hence finger pointing becomes the norm, and avoiding the blame becomes the commercial imperative. (I develop this much more in the paper.)
In order to share the information, and raise the knowledge of what's important and what's not, we may have to get over the finger pointing. That may mean we have to go through several ChoicePoints, if only so that it can become routine and not scandalous. Bank of America is thus timely and expected, although I don't think anyone else is likely to see it that way.
[1] Stuart E. Schechter and Michael D. Smith, "How Much Security is Enough to Stop a Thief?", Financial Cryptography 2003, LNCS, Springer-Verlag.
One key element in firms' reluctance to share incident information is that they fear negative impacts on their reputations, yes. Another element is that they are fearful of giving information away to adversaries (both black hats and competitors). Of course, at least in the US, there also is concern that too much sharing exposes them to accusations of anti-competitive behavior.
On the theoretical side, Kannan and Telang presented a paper at WEIS03 which analyzes vulnerability (not incident, but I don't think it matters to your point) disclosure. Their results suggest that a "federally-funded social planner" will outperform a competitive market from a social welfare standpoint.
While the paper I mention considers no empirical data, it is nonetheless germane to the current discussion in that the solution it suggests (based on an infomediary) would seem to eliminate the reputational and competitive advantage risks which currently suppress (in my opinion) so much potentially valuable information sharing.
Of course, giving away info - to the attacker so as to benefit others - is a prisoner's dilemma. It's still a better payoff, and the challenge is to move in that direction.
Giving away info to competitors - that bemuses me! I don't think I've ever come across a security breach where it gave any advantage to a competitor, and I've seen dozens of really embarrassing breaks. If anything, it puts the competitor in a conflict of interest, as they have to keep mum about it. So when people talk about that, I generally assume they are using competitive secrecy as an excuse to hide from their own fears. Same with NDAs.
Anti-competitive behaviour - I suppose in theory one could make a case. But in practice, explain it and go ahead. I'd call that one a risk you have to take.
For various reasons - I drift into that in that draft I mentioned - a regulated approach such as Kannan and Telang suggest may overcome the sharing disincentives on paper, but it brings in another big drawback, herding. I doubt that will ever improve security, and I suspect it will lower security over time.
Posted by: Iang at February 26, 2005 08:59 PM
I had to refresh my memory on the "Prisoner's Dilemma" problem so thought I'd pass on the link to others: http://en.wikipedia.org/wiki/Prisoner's_dilemma
Posted by: Wren at February 27, 2005 08:37 AM