Cybersecurity is the most complicated and high-stakes problem in IT today, and the good guys look flummoxed. When companies from Sony to RSA to Epsilon to Lockheed Martin struggle with the best public response to an attack, it sends the message that businesses don't have a good handle on how to react to an IT security crisis.
And when businesses are seen as not dealing with a major problem effectively, the next step is predictable: Send in the regulators.
RSA, as one of the most respected companies in IT security, had a chance to write the playbook for reacting to a breach, after it was hacked in March. As documented by my colleague Kelly Jackson Higgins at Dark Reading, RSA was tight-lipped about the attack, working behind the scenes with customers on remediation but offering scant public information. No doubt RSA had the best intentions in disclosing very little in chairman Art Coviello's initial public letter about the breach. The token technology crooks targeted is used by companies to protect data, so it was likely wary of giving information that attackers could use.
Once Lockheed Martin revealed in June it had been (unsuccessfully) attacked, in part using RSA token data compromised in the March breach, RSA offered a few more glimpses. RSA had considered the threat limited to companies using tokens to protect intellectual property, Coviello said, so it prioritized efforts around defense contractors and government agencies. It then offered to replace tokens for certain groups of customers. Perhaps, given the risks, RSA felt in March like a need-to-know approach was its only option. Still, it feels like an opportunity missed, as other companies won't learn much from this security expert's experience.
I'm not an information security expert, and that's part of my point. Looking from the outside, it feels like every data breach is an ad hoc exercise. Every company must learn its lessons from scratch, and the public doesn't know what information it should expect.
Paul Ducklin, head of technology in Asia-Pacific for security software firm Sophos, suggests four things every company should explain when disclosing a breach:
>> How the problem arose.
>> What holes the breach introduced (and what it did not).
>> How those holes can be closed.
>> What is being done to prevent breaches from happening again.
It's a no-nonsense starting point for a public discussion on disclosure. For companies to have any hope of avoiding onerous regulations on handling personal data, they must show they're serious. (President Obama has proposed national standards for breach notification.)
More important than avoiding onerous regulations is maintaining public confidence.
Data security isn't one industry, though. It's an equal opportunity disaster--who would've put Sony among the highest-risk targets? A drugmaker or automaker knows at some point it will have a recall or safety problem, so those industries have developed some norms and expectations for dealing with and disclosing problems. Companies need a similar common road map for data, and those with the most at stake--banks, security firms, the Web data giants, big federal agencies--should lead the discussion. This will never be easy. There will always be judgment calls. But companies need to create a better playbook than they have today. If they don't, they can count on getting a bigger rulebook from lawmakers.