"Sophistication" and the downfall of security
Apparently, my call 18 months ago for more transparency and openness around security incidents largely has fallen on deaf ears.
At the time, I was writing to protest the firing of Bob Maley, the former CISO of the state of Pennsylvania, who received a pink slip after revealing details – too many, apparently, in the eyes of his bosses – about a compromise that affected a government agency in the Keystone State. I wrote:
In 2010, remaining mum, or too close to the vest, about incidents benefits nobody. Every organization in the country is being probed on a daily basis. Vulnerabilities are going to be there. Hacks are going to happen. Data is going to be exposed. The criminals are going to be one step ahead. Let's move on from this prevailing wisdom that any one organization is immune from attack.
But there's been little to no advancement on this front, at least from what I've seen and heard. If anything, we've taken steps backward.
Case in point: Harvard University. The college announced this week, in a brief statement, that its website was defaced by "sophisticated" attackers. Then it went into defense mode by, in essence, saying there was nothing it could do to stop the adversaries.
"Recent months have seen a rise in frequency and sophistication of these attacks, with hacking groups increasingly on the offensive and targeting news media, government and education websites," a Harvard statement said.
A university spokesman declined to offer details as to what made the attack or attackers sophisticated.
I can't claim to know the specifics, but I don't normally associate "sophisticated" with a site defacement, do you? (To put this incident into some context, it doesn't appear as if any data was stolen, and who wastes a zero-day vulnerability to scrawl some threats on Harvard's home page?)
I have to believe that Harvard, instead of accepting blame for lacking security measures that should have prevented such a seemingly simple attack, leaned on recent headlines to save face.
Harvard's decision to basically say, "There was nothing we could do. Sorry. Maybe next time," is not a particularly shortsighted PR move. After all, most people wouldn't know the difference between the skill level required to perform a defacement versus that needed to create the real deal.
But this PR tactic certainly has lasting ramifications for the security of the internet. Not only did Harvard not release any specifics about the attack – the bad guys share information, why can't we? – but it also attempted to exonerate itself by citing "sophistication."
Nothing will ever improve if organizations keep doing this every time they are breached. Security will continue to suffer, and lawmakers, who are just as susceptible to accepting myths of unstoppable attacks as any non-IT-savvy citizen is, may overreact, changing the internet as we know it.
Ultimately, though, I think I'd be satisfied if a CISO who experiences a breach came forward and simply said: "We messed up. We'll do better next time."
Apologies can go a long way, you know.