Responsibility and responsible disclosure


Earlier this month a story went round that GCHQ (responsible for Britain’s SIGINT activities) wants to monitor Britain’s most vital private networks for unusual network traffic. Prime Minister David Cameron invited a number of large companies to Downing Street to discuss these plans.
A somewhat disturbing thought at first: wiretapping with permission? And what about the permission of the owners of the data passing through, given that this initiative would also cover companies that carry third-party data?

But a more recent event may tip the scale. Three days ago, the executive chairman of RSA published an open letter warning customers about a successful attack (an APT) that targeted RSA’s flagship SecurID product. SecurID is one of the most widely used products for strong, token-based authentication.

At first, this open letter looks like a responsible disclosure. But with statements like “..we are confident that the information extracted does not enable a successful direct attack..” you can see the wording has been chosen carefully. There is very little detail about the true consequences for the integrity of SecurID and for customers’ installations, which of course leads to speculation. Although third parties do their best to assess the risk, RSA has released further advice to customers only. From what has leaked, this advice mostly states the obvious.

So where does this leave us? Should vital organisations allow governments to actively monitor their communications? And if these organisations don’t agree, whose interests prevail? Can we expect organisations to protect our interests themselves, given the recent news about RSA? Food for thought on a Sunday morning.
