There's a significant difference between cybersec and other sectors: most other sectors don't have groups of extremely well-funded, malicious attackers trying to circumvent everything you do. We send people to jail for failing to do things that are entirely in their control (a train conductor falling asleep, a CFO falsifying records, etc). But in situations where there are malicious outside forces, we don't punish the victims.
For civil engineers, sure, they are legally liable for not building something up to established codes or if they knowingly defraud inspectors, etc., but if a terrorist blows up a bridge, we don't send the bridge's engineer to prison (nor do we send the director of the FBI to prison for failing to prevent the bombing). If a burglar is able to sneak past the security guard at the mall, maybe the guard gets fired, but we certainly don't send him or his boss to prison, either.
> I would like to hear of instances where this has ever happened, and at any rate it would be an absolute-minimum penalty in a Target/Equifax/Marriott context.
During my career of cybersec consulting I saw it often enough for it to easily be considered status quo. Security at most companies is basically like playing a game of hot potato: everyone knows it's just a matter of time until the next breach is discovered. This is especially the case in most companies that are actively looking for a CISO: the reason you're probably looking for a new CISO in the first place is because your last one was fired/"retired"/left, or you didn't have one in the first place.
So now a new CISO joins, and they're responsible for reforming what is most likely a steaming pile of shit. Unfortunately, it can take years to move the needle even a little bit in terms of security maturity. So the new CISO might be 9 months into revamping the security program, but hackers just breached the network using an exploit that was left there by the last guy and that the CISO just hasn't gotten anywhere near being able to remediate yet. Or maybe the hackers used a 0-day against the company that literally nobody even knew about until today. There was nothing the CISO could realistically do, but the C-suite is pissed, stockholders are pissed, customers are pissed, and someone's head needs to roll. So who gets fired (or is forced to "retire")? The CISO, of course. (Incidentally, this means a new CISO has to be hired, which is going to significantly delay any security remediation efforts, which just means the company is exposed even longer.)
I've personally seen this happen at multiple companies, and I've heard countless other similar stories from my colleagues. At my (very large) consulting firm, almost everyone I worked with who had >10 years' experience had been offered a CISO position at one of our clients, but almost all refused it, because, like I said, it's pretty much an inevitability that taking that job will just result in them being used as the sacrificial lamb in 12-24 months when they get hacked by something that's hardly even their fault. CISO is, based on what I've seen after years in the industry, not a coveted position whatsoever.
It's also funny that you mentioned the Target hack specifically, as the Target breach wasn't caused by anything I'd consider even remotely close to "incompetence". At the time, Target was actually known (at least among my colleagues) for having one of the best cybersec teams in corporate America. They did everything by the book, and the breach wasn't caused by any unpatched vulnerabilities or misconfigured systems. It was caused by something that nobody at the time even knew to watch out for. It was pretty much as close to "they really did do their best, but unfortunately their best wasn't good enough" as can be. And if you start jailing people for doing their best, or even firing them for it, pretty soon we just won't have anyone working in cybersec at all.
> I don't understand the scare quotes, but like I said (or tried to imply), bad things happening on someone's watch where best practices are established and not followed are criminally punished often enough to mention.
The "scare quotes" are specifically around the word "incompetence" because of what it implies. If you consider every CISO who didn't achieve absolute 100% breach prevention "incompetent", then that would be nearly every single CISO in the country. In the cybersec industry, there's a famous quote by the director of the FBI: "there are two types of companies: those that have been hacked, and those that just don't know yet that they've been hacked". (Again, it's a game of hot potato.) If that's not what you mean by "incompetence", okay, fine, but who does get to decide the definition of incompetence? Who gets to draw the line between "incompetent" and "competent but just unlucky"? The public? A jury? A judge? Cybersecurity is hardly an area that even the most educated judges and juries understand. Nobody with half a head on their shoulders is going to take the risk of jail time just because an 80-year-old technophobe judge couldn't wrap their head around who was truly at fault for a 0-day breach.