Security disclosure debate intensifies


The disclosure conflict at the heart of two major news events is shining a spotlight on an issue that has been nagging many cybersecurity professionals for years now.

Understandably, few organizations are anxious to share any information that might be used against them, whether by cybercriminals or by a regulatory authority that could impose a fine. The conflict arises when withholding that information could have an adverse impact on another entity.

For example, the former head of cybersecurity for Twitter has filed a whistleblower complaint with the Securities and Exchange Commission (SEC), on the grounds that investors have a right to know what level of risk is being assumed by a company whose shares they have bought on the stock exchange. Cybersecurity professionals have more insight into an organization's weaknesses than most, so the moral debate has always been to what degree they are obligated to share their concerns regardless of what senior management might prefer.

The disclosure issue is not confined to the rights of investors. A breach at LastPass, a provider of a widely used password management platform, has raised concerns about how any code that might have been stolen could affect organizations that have adopted the platform. There are calls for more details to be shared with a third party that could assure those organizations either that exploits capable of compromising the integrity of the company’s password manager could not be created from the stolen code, or that the code has since been changed in a way that renders any potential exploit harmless.

Like other providers of software that might be deemed critical infrastructure, LastPass is under no obligation to make any further disclosures. However, there are plenty of alternatives, so declining to make those disclosures is not going to inspire confidence in customers.

Obviously, it’s a difficult situation for all concerned. Most cybersecurity professionals are going to assume the worst and act accordingly. As a result, providers of critical infrastructure platforms are almost always going to be pressured, eventually, into disclosing a lot more than they might initially have thought desirable or even prudent.

In an ideal world, of course, there would be standard protocols in place for breach disclosures based on severity. Not every incident, for example, involves stolen code that can be reverse engineered to create an exploit. The victims of a breach, however, are not going to be the most impartial judges of any potential vulnerabilities in their code. An evaluation by a third party is the only thing that will quell lingering doubts. Even then, there will always be those who continue to wonder what exploits might be in the hands of cybercriminals acting on behalf of a nation-state with a lot of software engineering resources at its disposal.

Cybersecurity professionals know there will never be such a thing as perfect security. The best that can ever be attained is a level of reasonable risk. Each organization, naturally, needs to determine for itself what level of risk is acceptable. The one thing that is certain, meanwhile, is that there will be more breaches of core IT platforms. How the providers of those platforms handle those breaches will have as much to do with character as with any contract.
