You arrive at dinner a little early. The waiter seats you as you wait for your friend.
A few minutes later, your friend approaches with a wave and a horrific dress shirt. It’s the kind of shirt that offends all and delights no one.
Do you tell him? Now or later? Do you want to hurt his feelings? Or will letting him continue to wear the shirt be worse?
Our lives are made up of choices like this, and cybersecurity experts have to make similar types of choices every day. Their choices are inspired by their tools, their knowledge, and something more nebulous: their ethics.
Ethics and Disclosure
Ethics are always complicated, and interrogating them in the digital world isn’t any simpler. Although it doesn’t sound controversial on its face, one of the most contested cybersecurity issues is disclosure.
Disclosure refers to how and when a company divulges a security breach or security problem. There are two types of disclosure: Responsible disclosure and full disclosure. One of them clearly has better branding than the other, but they’re both worth examining.
Full disclosure is when a company reports a security issue or breach right away, possibly even before engineers have crafted a solution. It gives users of an online service as much knowledge as possible on the breach. Moreover, it should improve security long-term because the public’s scrutiny could force companies to strengthen their cybersecurity measures. Unfortunately, full disclosure could also give hackers a head-start on getting into the vulnerable system before engineers have a chance to create a patch.
Responsible disclosure is when an organization doesn’t tell the public about the breach or vulnerability until a fix is available. This means that by the time would-be hackers learn about the vulnerability, it’s too late for them to exploit that particular weakness. An example of responsible disclosure would be the way that Microsoft responded to a recent WiFi exploit – that is, by telling customers about the vulnerability and the patch.
Most companies opt for responsible disclosure in the event of a breach. This is to fix the vulnerability before hackers can exploit it, and also because users already have a tendency not to update their devices. In fact, about half of all hacking incidents involve vulnerabilities that are two or more years old. If people aren’t updating their devices, full disclosure could give hackers a menu of methods for exploiting outdated systems.
Responsible disclosure doesn’t necessarily inspire as much urgency because there isn’t public pressure to make the proper security fixes. Additionally, companies (mistakenly) believe that consumers care more about a great product than the security surrounding it. Malcolm Harkins, a security expert who spent 24 years at IBM, said that companies need to make privacy as much of a priority as their products.
It won’t be a priority unless consumers demand it, and this is where full disclosure offers long-term benefits. Theoretically, if consumers are aware of vulnerabilities, security issues will feel more pressing to them. That, in turn, will compel them to ask more of companies in terms of security.
Even if full disclosure were the default for companies, would consumers change their behavior? The idea that two-year-old vulnerabilities are the source of almost half of hacking incidents is troubling, as is the practice of using public WiFi despite the well-documented security risks.
This behavior suggests that the majority of consumers prioritize convenience over security. It’s wishful thinking to imagine that this type of consumer will be banging down the doors of a company’s IT department asking for more robust security measures.
That puts security professionals in a difficult position. Full disclosure should help engineers collaborate on solutions to security vulnerabilities and keep the pressure on companies to take security seriously. That’s not the reality. As a result, responsible disclosure is the default because it feels like the best of both worlds.
Follow the Hackers
Part of the argument against full disclosure is that it gives hackers too much knowledge. But a hacker’s best tool is understanding. To break into a system, you have to understand its strengths and weaknesses. You need to grasp why it works.
Consumers need more knowledge and they need understanding – they won’t protect themselves or act in their best interest if they’re clueless about the products they use every day. One method of disclosure may offer more information to consumers than the other, but it means nothing if consumers don’t understand the information. It means even less if they don’t understand the dangers.