I had a chance recently to talk with reporters from the Associated Press and the Hill about the recent Anthem data breach and what that means for online security and privacy for healthcare and what people need to know about it.
Ten years ago yesterday, Bill Gates sent out his Trustworthy Computing memo that marked a significant change in the culture at Microsoft and put security, privacy and reliability at the center of the company as ideals.
I was at Microsoft as part of the Microsoft Security Response Center when that came out. And until I left Microsoft in December 2010, I was involved in security and privacy. So I have a former insider’s long-term view of what that was all like.
As my former colleagues are marking the occasion I’m sharing my own thoughts on what it meant then and what it means for the future.
Here are my comments in Robert X. Cringly’s article “PC security: We’ve come a long way, baby“. And a longer write-up by me over at Betanews “10 years after Bill Gates’ Trustworthy Computing memo: What it meant for Microsoft and why every tech company needs one“.
It was something to be a part of, but the world is different today. Part of my take on it is how this is still relevant in this different world.
That’s increasingly the reality around communications and online security/privacy incidents. If you don’t lead in providing information then others will do it for you. And that can mean your company could be out of business in just a few days. Google, Microsoft, Mozilla and the Dutch government have all made this point very clear over the course of the past few days in regards to the DigiNotar compromise.
You can get full details in Gregg Keizer’s story but the important facts are that DigiNotar is a Dutch company that issues digital certificates used for secure web browsing. Around August 29, 2011 Google discovered a forged DigiNotar certificate was being used on the Internet. In real terms, this means that someone could use this certificate to watch what you’re doing on the Internet when you’re using a secure channel without you knowing it. Google, Microsoft, and Mozilla all responded by making the forged certificate unusable in their browsers but keeping the rest of DigiNotar’s certificates usable. This is a standard response when situations like this have happened in the past.
But over the next four days, it emerged that DigiNotar had been aware of this attack since mid-July, that it was broader than a single certificate and had said nothing. In response to that lack of transparency and communication Google, Microsoft, Mozilla, and the Dutch government, now involved because they used DigiNotar for sensitive government websites, took an unprecedented step in response. They revoked all certificates that DigiNotar has issued or will ever issue, basically putting them out of business. It would be like United States Government declaring that a state’s driver’s license issuing procedures were so weak that none of their licenses will be accepted as valid IDs ever again.
If you need any proof that the lack of transparency and communication was the chief driver of this decision, Johnathan Nightingale who is Director of Firefox Engineering over at Mozilla cites the lack of notification as the first reason behind their decision. He goes on to talk about how “Incidents like this one demonstrate the need for active, immediate and comprehensive communication”. While his comments are to this specific incident, they apply to any online security/privacy incident.
DigiNotar had two chances to take the lead in this situation. First, when it was discovered in mid-July, and then when it first broke publicly in late August. If they had made a point to be the source of authoritative information at either of these junctures, they may have been able to keep control of the situation and keep from being shunted to the sides and shuttered by the other affected parties. As it is, though, they’ve become a cautionary tale of how fast things move in Internet time and how quickly one poorly handled incident can close down a business.