Responsibility and responsible disclosure


Earlier this month a story went round that the GCHQ (responsible for Britain’s SIGINT activities) wants to monitor Britain’s most vital private networks for unusual network traffic. Prime Minister David Cameron invited a number of large companies at Downing Street to discuss these plans.
A somewhat disturbing thought at first: wiretapping with permission? And what about the permission of the owner of the data passing, as this initiative would also involve companies moving third party data?

But a more recent event may tip the scales. Three days ago, the executive chairman of RSA published an open letter warning customers about a successful hack (APT) that targeted RSA's flagship SecurID product. SecurID is one of the most widely used products for strong, token-based authentication.

At first, this open letter looks like a responsible disclosure. But with statements like "..we are confident that the information extracted does not enable a successful direct attack.." you can see the wording has been chosen carefully. There is very little detail about the true consequences for the integrity of SecurID and customers' installations, which of course leads to speculation. Although third parties do their best at assessing the risk, RSA has released further advice only directly to customers. From what has leaked, this advice mostly states the obvious.

So where does this leave us? Should vital organisations allow governments to actively monitor their communications? And what if these organisations don’t agree, whose interests prevail? Can we expect organisations to protect our interests themselves, given the recent news on RSA? Food for thought on a Sunday morning.
