More Serious Breach

Every big hack discovered will eventually prove to be more serious than first believed. That’s holding to be especially true with the recently disclosed hack of the federal Office of Personnel Management (OPM), the government’s human resources division. wired

The Wall Street Journal reported that the breach was actually discovered during a sales demonstration by a security company named CyTech Services, showing the OPM its forensic product.

Federal background checks are meant to suss out information that might be used by foreign enemies to blackmail a government staffer into turning over classified information. And that stolen information could now be used for exactly that extortion purpose.

There is concern that if the Chinese government got hold of lists containing the names of Chinese nationals who had been in touch with US government workers, this could be used to blackmail or punish them if they had been secretive about the contact.

.

Notice that the government collected an exceptionally large quantity of confidential information from employees and then failed to keep it confidential. What is it about computers that make this such a problem? Why hasn't this problem been solved.

I argue that it is a social problem, mostly one of priorities within organizations. Let's consider the steps required to make use of information:

1. it must be collected from many sources 2. it must be organized so as to be meaningful 3. it thus made valuable must be protected from misuse

All three of these tasks involve considerable effort but only 1 and 2 provide value to the organization doing the collecting. The value of 1 and 2 are tangible, predictable, often leading immediately to the "bottom line". The risks addressed in 3 are hypothetical, indirect, subject to the ingenuity of unknown others.

It doesn't help that 3 can be expensive and in some cases illegal. Although excellent cryptographic technology has existed since the '70s, the publication of these solutions were immediately blocked by our own intelligence services. Implementations were classed as "munitions". The mathematics involved could be expressed compactly. There was a t-shirt with the essential operations coded in four dense lines of Perl script. page

Number 3 above is expensive because of the specialized knowledge required to develop and test cryptographic algorithms. But even more so, it is expensive because of the sprawling bureaucracy required to sell the service of these technologists to other sprawling bureaucracies at a profit.

Economic theory says that free trade and the specialization it enables will optimize such production. But in this case, I think not so much. The root problem is again that the costs are not reflected in the right bottom line. There are similarities to industrial water pollution or any other externality.

See Passwords Bad but still popular for wrong reason.