If there's one thing that the security community has never lacked, it is innovative and original research. From the earliest days of the industry, free thinkers at IBM, Bell Labs, MIT and at labs and universities around the world have been working out creative solutions to some of the tougher problems in computing.
If the papers presented at the Workshop on Economics in Information Security at Dartmouth College last week are any indication, that spirit of innovation and curiosity is alive and well. However, much of this research is being severely hampered by the lack of accurate, unbiased data from credible sources on attacks, data breaches and other incidents. Any study or research project, no matter how well thought out, is only as good as the data on which it's based. And right now, that data is not very good.
"We need better information on attacks and better data. What statistics are out there are very poor," says Tyler Moore of the University of Cambridge, who presented a paper entitled Security Economics and European Policy at the workshop. "People have a bias to over- or underreport, and some of the victims may not know the cause of their compromise," he said.
Moore and his co-authors focused on issues facing the European Union, but many of their recommendations would be just as welcome in the United States. Specifically, the time has come for Congress to set aside petty arguments and pass a comprehensive national data breach disclosure law. The vast majority of states have passed such laws in the last five years, and the result is a confusing patchwork of regulations with any number of different thresholds for disclosure, numerous exceptions and safe harbors for encrypted data, and dozens of definitions of what constitutes personal or confidential data. The state laws have served several purposes, most importantly in bringing the epidemic of data thefts to light. But they have sown plenty of confusion as well, and an overarching federal disclosure law could go a long way toward clearing up that confusion.
The debate over a federal law is sure to be loud and contentious, with plenty of misinformation and posturing from all sides. And, like many federal laws, it would likely end up being a watered-down measure that satisfies almost no one. But the scope of the problem demands attention on a national scale, and any national law must include strong sanctions for organizations that fail to report breaches. There are plenty of stories out there these days of companies that have found creative ways of interpreting the state disclosure laws in order to avoid public embarrassment. People will always find ways around rules they find inconvenient, but Congress should ensure that companies that choose this route will find a hefty fine, at minimum, at the end of the road.
To go along with a federal law, the next president should establish a central repository to collect and disseminate data on breaches, thefts and other relevant attacks. The Federal Trade Commission serves this purpose to a limited extent right now, by collecting and publishing numbers on identity theft, but that's just a small part of the picture. We need an independent authority to which all government agencies and independent businesses must report qualifying data breaches and other compromises of confidential information. And -- here's the kicker -- those reports must include specific details of the compromise, as best it can be worked out. Those reports can then be collected, analyzed, stripped of any identifying details and published.
What better way for companies to identify the weak points of their own strategies than to see what's working and what isn't for their peers? This was the original mission of the Information Sharing and Analysis Centers (ISAC), but the data generated by each ISAC is generally restricted to its members. We need a national, cross-industry center that can serve this purpose and provide anonymized data on attacks and thefts. Without it, we'll simply keep stumbling along the same path we're on now, without any sense of why we're heading in one direction instead of another.