Responsibility and responsible disclosure


Earlier this month a story went round that the GCHQ (responsible for Britain’s SIGINT activities) wants to monitor Britain’s most vital private networks for unusual network traffic. Prime Minister David Cameron invited a number of large companies at Downing Street to discuss these plans.
A somewhat disturbing thought at first: wiretapping with permission? And what about the permission of the owners of the data being carried, since this initiative would also involve companies that move third-party data?

But a more recent event may tip the scale. Three days ago, the executive chairman of RSA published an open letter warning customers about a successful hack (an APT intrusion) that targeted RSA’s flagship SecurID product. SecurID is one of the most widely used products for strong, token-based authentication.

At first glance, this open letter looks like a responsible disclosure. But with statements like “..we are confident that the information extracted does not enable a successful direct attack..” you can see the wording has been chosen carefully. There is very little detail about the true consequences for the integrity of SecurID and customers’ installations, which of course leads to speculation. Although third parties are doing their best to assess the risk, RSA has released further advice directly to customers only. From what has leaked, this advice mostly states the obvious.

So where does this leave us? Should vital organisations allow governments to actively monitor their communications? And what if these organisations don’t agree, whose interests prevail? Can we expect organisations to protect our interests themselves, given the recent news on RSA? Food for thought on a Sunday morning.
