The lemming defense

I'd originally intended to write about something completely differentthis week, but the news headlines caught my eye on this sunny Sundaymorning. (Columnists work weekends, too.)

According to CNN et al, someone -- or several someones --managed to successfully compromise what appears to be registrationdata for the World Economic Forum in Davos, exposing personalinformation of attendees like Yasser Arafat and Bill Gates. It's notknown whether this was a network-based compromise, whether socialengineering was involved, or just how exactly the data went walkies.

By itself, this theft is already a pretty big deal. But what reallygot my attention was a quote attributed to one "Charles McLean, theWEF's director of communications," in which he is claimed to havesaid: "We at this point have no idea how this information got out. Ifthey could have a security breach at the Pentagon and they can have asecurity breach at the State Department, it is possible to have asecurity breach at the World Economic Forum."

To quote Yakko Warner, ex-squeeze me?!

As far as I know, "using the mistakes of others to justify your own"is not a recommended approach outlined in the Handbook of EffectiveSpin-Control. In fact, this particular rhetorical tactic is familiarto me by its concise name: the Lemming Defense.

What they got away with
The Swiss SonntagsZeitung broke the story over the weekend as a result of having received a CD full of information about past and present WEF attendees. An exhaustive list of what's on that CD can befound here (in German). It's a lot of stuff, and muchof it is quite sensitive, considering the individuals whose data theWEF did not adequately protect.

Given that SFr 5,000,000 (roughly US$ 3,000,000) appear to have beenspent on the physical security of the most recent WEF in Davos, onewonders how much it would've cost to hire some competent datasecurity talent before the breach (and subsequent majorembarrassment). Instead of spending money on a Flash intro animationfor its Web site, the WEF's money clearly would've been better spenton securing its systems.

Enforcement and audits
Predictably enough, after first downplaying its own culpability bybesmirching past victims of insufficient security, the WEF isengaging in loud saber-rattling and throwing the word "criminal"around, albeit not in the context of "negligence."

I certainly would not like to be the WEF's head of IT and having toexplain how this data got out. Mr McLean is even quoted in theSonntagsZeitung as asserting that the WEF's data security standardsare quite high. Evidently they are not high enough. The NetCraft data for the WEF's site doesn't revealmuch beyond that its uptime isn't anything to crow about.

Part of the problem is that there are no widely-recognized -- not tomention enforceable -- data protection standards out there. However,careless codification of data security can also be a Bad Thing, asBruce Schneier points out.

If, for example, a credit card company were to anoint one particulartechnology solution as its officially sanctioned standard, that wouldresult in potentially legitimate accusations of favoritism, but moredamagingly, it would very quickly create a monoculture where a singlevulnerability in the sanctioned system would affect all of merchantsusing that system for e-commerce.

Fortunately, any kind of product-specific recommendation has alreadyproven to be entirely unnecessary. The concept of "best practices" iswell understood in the world of business, as is "auditing." In fact,one of the reasons that OpenBSD is frequently touted as a benchmarkfor operating system security is precisely because its coresource-code has been audited heavily for weaknesses.

No more carrots: we need a large financial stick
A crucial missing piece in all this is financial culpability: untilthose whose insecure systems are breached have to pay for theirinattention, nothing will change. Look at the Egghead.com debacle. It cost the credit cardcompanies millions to deal with the fallout, but I doubt Eggheaditself had to pay anything. Expect the contracts between credit cardcompanies and their merchants to change shortly.

What's also infuriating is that all it would take for thelackadaisical attitude toward data protection to change is for thecredit card companies to slap a few miscreants with lawsuits torecoup the cost of dealing with the security failures. (Even moreinteresting to see would be if one of the EU governments took a fewcompanies to court for breach of data protection laws.)

While in the short term these sorts of actions might put a bit of adamper on the already strained e-commerce economy, since theparticipants would have to actually expend time and energy onsecuring their systems, in the long run everyone would benefit.

Shoot first, find out what really happened later
The WEF had received the data, and it was responsible for protectingit. But rather than do the honorable thing, or even just keep quietuntil it knew what really happened, the WEF only compounded thedamage by having its spokesman point fingers everywhere but atitself, regardless of how the act of data thievery was perpetrated.The WEF's credibility -- especially given its recent proclivity forinviting captains of information industry to their events -- hastaken a major hit and I would expect it to tarnish the organization'simage for some time to come.

If only that also held true for the many sites collecting personalinformation without securing it adequately.

ZDNet columnist Stephan Somogyi, a child of the Cold War,considers nationalism atavistic, but is far from convinced thateither the pro- or anti-WEF sides of the debate have got the right idea.