According to CNN et al, someone -- or several someones -- managed to successfully compromise what appears to be registration data for the World Economic Forum in Davos, exposing personal information of attendees like Yasser Arafat and Bill Gates. It's not known whether this was a network-based compromise, whether social engineering was involved, or just how exactly the data went walkies.
By itself, this theft is already a pretty big deal. But what really got my attention was a quote attributed to one "Charles McLean, the WEF's director of communications," in which he is claimed to have said: "We at this point have no idea how this information got out. If they could have a security breach at the Pentagon and they can have a security breach at the State Department, it is possible to have a security breach at the World Economic Forum."
To quote Yakko Warner, ex-squeeze me?!
As far as I know, "using the mistakes of others to justify your own" is not a recommended approach outlined in the Handbook of Effective Spin-Control. In fact, this particular rhetorical tactic is familiar to me by its concise name: the Lemming Defense.
What they got away with
The Swiss SonntagsZeitung broke the story over the weekend as a result of having received a CD full of information about past and present WEF attendees. An exhaustive list of what's on that CD can be found here (in German). It's a lot of stuff, and much of it is quite sensitive, considering the individuals whose data the WEF did not adequately protect.
Given that SFr 5,000,000 (roughly US$ 3,000,000) appear to have been spent on the physical security of the most recent WEF in Davos, one wonders how much it would've cost to hire some competent data security talent before the breach (and subsequent major embarrassment). Instead of spending money on a Flash intro animation for its Web site, the WEF's money clearly would've been better spent on securing its systems.
Enforcement and audits
Predictably enough, after first downplaying its own culpability by besmirching past victims of insufficient security, the WEF is engaging in loud saber-rattling and throwing the word "criminal" around, albeit not in the context of "negligence."
I certainly would not like to be the WEF's head of IT and have to explain how this data got out. Mr McLean is even quoted in the SonntagsZeitung as asserting that the WEF's data security standards are quite high. Evidently they are not high enough. The NetCraft data for the WEF's site doesn't reveal much beyond that its uptime isn't anything to crow about.
Part of the problem is that there are no widely-recognized -- not to mention enforceable -- data protection standards out there. However, careless codification of data security can also be a Bad Thing, as Bruce Schneier points out.
If, for example, a credit card company were to anoint one particular technology solution as its officially sanctioned standard, that would result in potentially legitimate accusations of favoritism, but more damagingly, it would very quickly create a monoculture where a single vulnerability in the sanctioned system would affect all of the merchants using that system for e-commerce.
Fortunately, any kind of product-specific recommendation has already proven to be entirely unnecessary. The concept of "best practices" is well understood in the world of business, as is "auditing." In fact, one of the reasons that OpenBSD is frequently touted as a benchmark for operating system security is precisely because its core source-code has been audited heavily for weaknesses.
No more carrots: we need a large financial stick
A crucial missing piece in all this is financial culpability: until those whose insecure systems are breached have to pay for their inattention, nothing will change. Look at the Egghead.com debacle. It cost the credit card companies millions to deal with the fallout, but I doubt Egghead itself had to pay anything. Expect the contracts between credit card companies and their merchants to change shortly.
What's also infuriating is that all it would take for the lackadaisical attitude toward data protection to change is for the credit card companies to slap a few miscreants with lawsuits to recoup the cost of dealing with the security failures. (Even more interesting to see would be if one of the EU governments took a few companies to court for breach of data protection laws.)
While in the short term these sorts of actions might put a bit of a damper on the already strained e-commerce economy, since the participants would have to actually expend time and energy on securing their systems, in the long run everyone would benefit.
Shoot first, find out what really happened later
The WEF had received the data, and it was responsible for protecting it. But rather than do the honorable thing, or even just keep quiet until it knew what really happened, the WEF only compounded the damage by having its spokesman point fingers everywhere but at itself, regardless of how the act of data thievery was perpetrated.
The WEF's credibility -- especially given its recent proclivity for inviting captains of the information industry to its events -- has taken a major hit, and I would expect it to tarnish the organization's image for some time to come.
If only that also held true for the many sites collecting personal information without securing it adequately.
ZDNet columnist Stephan Somogyi, a child of the Cold War, considers nationalism atavistic, but is far from convinced that either the pro- or anti-WEF sides of the debate have got the right idea.