"I don't care if the government listens to me, I don't have anything to hide. If you don't have anything to hide, what are you worried about?"
-- US citizen comment I read in response to Snowden revelations
Are there standards and regulations that organizations should meet? Who enforces them? What are the penalties if they don't?
If they don't follow the standards should there be additional sanctions? Who decides?
"JPMorgan Chase Hacking Affects 76 Million Households"
Announcement of breach delayed months, only revealed due to SEC filing--Jessica Silver-Greenberg, Matthew Goldstein and Nicole Perlroth
What are the requirements for reporting to people when private information is revealed? Who sets these requirements and who enforces them? Do the agencies suffer from regulatory capture? Do they have a budget or was it slashed so "the market" can decide?
Yesterday on Virtually Speaking, Jay Ackroyd and I talked about cybersecurity, cyberterrorism and end-to-end encryption. I touched on some of these questions, but I think the Ashley Madison breach might get more people to pay attention to this issue. Here are two reasons why, plus an attitude to notice.
1) Salacious! Schadenfreude!
2) Famous people having sex.
Moral superiority ("It serves them right, those cheating bastards!")
The news media will cover all the juicy details because it's fun, but, like some 1st Amendment fights, privacy protection should extend to unsavory characters, such as lying cheaters, who DO have something to hide.
There are criteria on privacy that need to be discussed. It's easier to say some people don't deserve it, especially when it's an activity you don't approve of. But think about the activities that happen between consenting adults in the bedroom that recently became approved of in many states.
My favorite response to the US Citizen comment is from Glenn Greenwald following the Snowden revelations:
Jay and I discussed the massive Office of Personnel Management breach quite a bit but not much about privacy. Part of that was because of a question Jay posed:
"What will it take for people to take this computer security and cyberterrorism seriously?"
My first response was, "An effective attack on the power grid by a non-state actor in which important people die."
I quoted from Shane Harris' book @War (pages 52-53). What most people don't know is that our power grid has been hit twice (that we know of), in 2003 and 2008. But because the entity that appears to be behind it was a State Actor (China), the cases were covered up.
If people die, and those attacks get pointed to ISIS as the entity behind it, that would give certain groups a "Cyber 9/11!" power that they want. But it has to be pointed at a group or individuals that aren't a huge trading partner.
Today I realized that my answer was incomplete. There need to be multiple attacks on the right kind of infrastructures, in the right regions, and from the right sources. So, for example, power grids in media-dense areas. There need to be TV visuals. Innocent and powerful people or children need to be hurt. The source needs to be an individual or an entity without state backing.
Also, the reasons need to be the right ones. As we might be seeing in the Ashley Madison case, WHY someone starts an attack is important. It's NOT always about the money. Sometimes it's revenge. Other times it's scores to settle. "Senseless" reasons, like the kind that do not pay off in cash, are harder for the media to understand.
It's all about the Leverage.
The other big issue I mention on the show is leverage. If you are an entity that has personal information on government employees and their relatives from one hack and you also have information on their financial status from another hack, together you have a perfect tool kit for a Spymaster.
Spymasters don't sell their info on the open market. They save it. And use it when they need something bigger to happen, like a "Trade" deal.
Maybe I'm like Richard Clarke running around with my hair on fire, telling people to do something on this issue and they can't see the fire.
Vulcans love to be right on things and have nobody listen to them. Just like dirty hippies loved to be right about the war in Iraq and have nobody listen to them then or now.
As Jay pointed out, there ARE things that can be done, both personally, corporately and federally. But the policies of "small government" and weak regulation that conservatives always push are harming our economy and jeopardizing people's lives.
But I guess they need to wait until a cyber attack or computer breach leads to physical deaths to do some deeper investigations into failures and make changes to secure our systems and people's private data.
I don't want to assume that mostly conservatives are on the Ashley Madison list; it's none of my business if they aren't breaking the law with consenting adults. But if they dodge a bullet this time, maybe they will consider the importance of privacy for everyone. And do it soon, before more lives are ruined. After all, as the people at Ashley Madison say, life is short.