Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

New concepts in security, part I:  “Discreet Disclosure.”

This just in from the VERT Daily Post:

We’ve had a “responsible disclosure” debate in the vulnerability research community for a whole lot of years - the point is simply that, while disclosure forces everyone to be responsible, sometimes, you can have too much of a good thing.

The recent VA compromise is a great example. The analyst whose laptop was stolen obviously potentially compromised a large amount of personal data. However, the average domestic laptop theft isn’t a targeted act - the purpose isn’t to steal data, but to steal a laptop. However, with the amount of disclosure that happened in this case, it’s a safe bet that, if the thieves didn’t know what they had stolen (and the value of the data on the laptop), there’s no question that they do now.

We likely won’t ever know if the thieves stole the laptop for the sake of the laptop, or for the sake of the data. But, if the disclosure had been a little more discreet, it’s at least possible that they wouldn’t have known what they stole.

Come on, does anyone really believe this?  Any disclosure that involves sending out 26.5 million letters can in no way be discreet, any more than I can be a little bit pregnant.  (I can’t, not when I’m throwing up my toenails.)

The only way disclosure can be discreet (i.e. controlled) is in the case of a vulnerability that is being communicated by the one who found it to the one who wrote it and presumably can fix it.  And it’s discreet only because the disclosure doesn’t include any of the potential victims of the vulnerability, which is why there’s so much Sturm und Drang about “responsible disclosure.” To whom are you being responsible?

Even if you’re excluding those potentially affected by a vulnerability, the disclosure can still get out if you have to notify a lot of people just to address it.  Being responsible with disclosure means recognizing the fact that humans don’t keep secrets very well. Being responsible means taking this into account and making contingency plans.  It means mitigating as much risk as you can even while you’re disclosing. 

And it means acknowledging that there are just some vulnerabilities that are never going to be kept secret.  That our society doesn’t WANT to be kept secret.  Hence, the new disclosure laws.  We have decided that the potential victims of a certain kind of vulnerability are not better served by not being informed.  If there are ANY steps that they can take on their own to mitigate their personal risk, they deserve the chance to do so.

The response to a laptop data loss should always include a good faith disclosure and remediation plan.  If you have no control over the disclosure, then you need to work extra hard at repairing the breach of trust, and you’d better do it fast.  I believe that companies will, in the end, be judged more by their incident response than by their prevention. I’m not saying that’s right or fair; I’m just saying that’s the way it is.



Posted by shrdlu on Monday, June 19, 2006
