Comments on: When Planes Fell From the Sky http://emergentchaos.com/archives/2007/01/when-planes-fell-from-the-sky.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Allan Friedman http://emergentchaos.com/archives/2007/01/when-planes-fell-from-the-sky.html/comment-page-1#comment-3029 Allan Friedman Thu, 04 Jan 2007 09:21:05 +0000 http://emergentchaos.com/?p=2147#comment-3029 CSIA puts out some interesting stuff, but one should always take a few grains of salt with research that comes from an industry group with clear benefits from certain findings. Re: 2006. No hard data, but I would be surprised if none of the sponsors of any of the recent ID Theft bills (no matter how poorly thought out or ineffective) mentioned their efforts while campaigning. If you were looking for hard evidence, start with the Congressional Register and work backwards through campaign literature. CSIA puts out some interesting stuff, but one should always take a few grains of salt with research that comes from an industry group with clear benefits from certain findings.
Re: 2006. No hard data, but I would be surprised if none of the sponsors of any of the recent ID Theft bills (no matter how poorly thought out or ineffective) mentioned their efforts while campaigning. If you were looking for hard evidence, start with the Congressional Register and work backwards through campaign literature.

]]> By: David Molnar http://emergentchaos.com/archives/2007/01/when-planes-fell-from-the-sky.html/comment-page-1#comment-3028 David Molnar Wed, 03 Jan 2007 21:38:57 +0000 http://emergentchaos.com/?p=2147#comment-3028 Adam: I thought you might have been, but wasn't sure. I'm still curious as to know whether breach laws were in fact an issue in any November 2006 campaign. Google news isn't much help as far as I can tell. Adam:
I thought you might have been, but wasn’t sure. I’m still curious as to know whether breach laws were in fact an issue in any November 2006 campaign. Google news isn’t much help as far as I can tell.

]]> By: Adam http://emergentchaos.com/archives/2007/01/when-planes-fell-from-the-sky.html/comment-page-1#comment-3027 Adam Wed, 03 Jan 2007 10:54:51 +0000 http://emergentchaos.com/?p=2147#comment-3027 David, I was being sarcastic about our lack of progress. Thanks for the second article; that's fascinating and I'd missed it. David,
I was being sarcastic about our lack of progress. Thanks for the second article; that’s fascinating and I’d missed it.

]]> By: Chris http://emergentchaos.com/archives/2007/01/when-planes-fell-from-the-sky.html/comment-page-1#comment-3026 Chris Tue, 02 Jan 2007 21:25:30 +0000 http://emergentchaos.com/?p=2147#comment-3026 @Allan: As some of these outfits might have thought of it "The loss of your privacy is the cost of my doing business". :^) On the typology --> control points idea, it seems somewhat clear even at this early stage that encryption of data at rest outside the perimeter, and more thoughtful consideration of what to store in the first place would put a decent-sized dent in the problem. That is probably too technical a solution, where you are thinking more from a regulatory standpoint. This is one where the techies, regulators, and politicians need to work together. All would benefit from better data. In particular, I am frustrated by the seeming inability (or at least, difficulty) to tie real ID theft likelihoods to breaches. What could be done to get the data needed for this, while maintaining confidentiality and privacy for those whose records are involved, I wonder? @Allan:
As some of these outfits might have thought of it “The loss of your privacy is the cost of my doing business”. :^)
On the typology –> control points idea, it seems somewhat clear even at this early stage that encryption of data at rest outside the perimeter, and more thoughtful consideration of what to store in the first place would put a decent-sized dent in the problem. That is probably too technical a solution, where you are thinking more from a regulatory standpoint. This is one where the techies, regulators, and politicians need to work together. All would benefit from better data. In particular, I am frustrated by the seeming inability (or at least, difficulty) to tie real ID theft likelihoods to breaches. What could be done to get the data needed for this, while maintaining confidentiality and privacy for those whose records are involved, I wonder?

]]> By: David Molnar http://emergentchaos.com/archives/2007/01/when-planes-fell-from-the-sky.html/comment-page-1#comment-3025 David Molnar Tue, 02 Jan 2007 20:22:15 +0000 http://emergentchaos.com/?p=2147#comment-3025 Oh, I just noticed this. The Cyber Security Industry Alliance ran a survey in 2006 on public perception of computer security issues. <a href="https://www.csialliance.org/publications/surveys_and_polls/dci_survey_May2006/print/" rel="nofollow">https://www.csialliance.org/publications/surveys_and_polls/dci_survey_May2006/print/</a> Here's the interesting part: <blockquote> "The key circumstance arises from the fact that strong interests are lining up on both sides of the issue – corporations afraid of burdensome disclosure requirements on one side and consumer activists on the other. The survey shows that the electorate is ready to take sides as well. Americans choose California-strength disclosure even when presented with the caveats that they will be bombarded with worthless notices and that prices will rise as companies pass along the cost of compliance. Seventy-one percent of respondents agree that Congress should pass a law like California’s compared to only 21 percent who think that California’s is too strict. While Democrats are the most likely to support stronger data security (78 percent), 68 percent of Republicans favor a law like California’s while only 25 percent think it’s too strict. Voters who support stronger data security are prepared to hold candidates accountable. Among those likely to vote in the 2006 elections, 46 percent say that a candidate’s opposition to a law like California’s would give them serious doubts. While this does not rise to the level of the silver bullet a challenger would use to take out an incumbent, it is nonetheless a number that suggests that the issue will get more than a passing mention on the campaign trail. If a Member of Congress votes against a strong data security bill this session, the survey suggests that the Member’s opponents will bring up the issue in the fall campaign." </blockquote> Anyone know if a campaign in 2006 actually did have someone raise breach bills as an issue? Oh, I just noticed this. The Cyber Security Industry Alliance ran a survey in 2006 on public perception of computer security issues.
https://www.csialliance.org/publications/surveys_and_polls/dci_survey_May2006/print/
Here’s the interesting part:

“The key circumstance arises from the fact that strong interests are lining up on both sides of the issue – corporations afraid of burdensome disclosure requirements on one side and consumer activists on the other. The survey shows that the electorate is ready to take sides as well. Americans choose California-strength disclosure even when presented with the caveats that they will be bombarded with worthless notices and that prices will rise as companies pass along the cost of compliance. Seventy-one percent of respondents agree that Congress should pass a law like California’s compared to only 21 percent who think that California’s is too strict.
While Democrats are the most likely to support stronger data security (78 percent), 68 percent of Republicans favor a law like California’s while only 25 percent think it’s too strict. Voters who support stronger data security are prepared to hold candidates accountable.
Among those likely to vote in the 2006 elections, 46 percent say that a candidate’s opposition to a law like California’s would give them serious doubts.
While this does not rise to the level of the silver bullet a challenger would use to take out an incumbent, it is nonetheless a number that suggests that the issue will get more than a passing mention on the campaign trail. If a Member of Congress votes against a strong data security bill this session, the survey suggests that the Member’s opponents will bring up the issue in the fall campaign.”

Anyone know if a campaign in 2006 actually did have someone raise breach bills as an issue?

]]> By: David Molnar http://emergentchaos.com/archives/2007/01/when-planes-fell-from-the-sky.html/comment-page-1#comment-3024 David Molnar Tue, 02 Jan 2007 20:15:03 +0000 http://emergentchaos.com/?p=2147#comment-3024 <i>Some people wanted to 'save the organization from embarrassment.' I'm so glad we in information security are past that, and are learning lessons from each other's mistakes.</i> "Past that" might be too strong. Yes, we do now have breach laws in some states, most notably California's SB 1386. Yes, this has changed the landscape. There are still people out there who want to 'save the organization from embarassment,' and the federal story has not yet been written. It might be worth keeping an eye on the new Congress to see what happens. Some people wanted to ‘save the organization from embarrassment.’ I’m so glad we in information security are past that, and are learning lessons from each other’s mistakes.
“Past that” might be too strong. Yes, we do now have breach laws in some states, most notably California’s SB 1386. Yes, this has changed the landscape. There are still people out there who want to ‘save the organization from embarassment,’ and the federal story has not yet been written. It might be worth keeping an eye on the new Congress to see what happens.

]]> By: Allan Friedman http://emergentchaos.com/archives/2007/01/when-planes-fell-from-the-sky.html/comment-page-1#comment-3023 Allan Friedman Tue, 02 Jan 2007 18:43:06 +0000 http://emergentchaos.com/?p=2147#comment-3023 Adam, this is an excellent point. Strong, sustained attention to problems often produces a good solution to things that were just accepted as a "cost of business." Other examples might include automobile safety (back when Nader was seen as a good guy) and early credit card liability issues. One interesting thing to consider is the type of solution to the techno-social problems. Is the solution purely technical? Is there a difference between the source of the solution and the implementation of that solution (i.e. a new liability standard might be set by a single decision, but then implemented by myriad players). The fun thing about these wide-spread lingering problems is that they span so many different levels of technology, economic incentives, organizational dynamics, etc. It would be a fun project to put together a set of them and build a typology to suggest where corrective change is easier or harder, and what policy options would be better in different situations. Adam, this is an excellent point. Strong, sustained attention to problems often produces a good solution to things that were just accepted as a “cost of business.” Other examples might include automobile safety (back when Nader was seen as a good guy) and early credit card liability issues.
One interesting thing to consider is the type of solution to the techno-social problems. Is the solution purely technical? Is there a difference between the source of the solution and the implementation of that solution (i.e. a new liability standard might be set by a single decision, but then implemented by myriad players).
The fun thing about these wide-spread lingering problems is that they span so many different levels of technology, economic incentives, organizational dynamics, etc. It would be a fun project to put together a set of them and build a typology to suggest where corrective change is easier or harder, and what policy options would be better in different situations.

]]>