Thursday, 18 February 2016

"We will investigate to learn from our mistakes..."

I'm starting to get physically ill when I read that hackneyed expression that is often churned out after people make mistakes - usually organisations. The NHS making mistakes so basic it is hard to understand them; companies losing data because it was not protected; the police allowing a criminal to escape; a politician excusing a poor policy (that everyone knew wouldn't work in the first place). They all tout the same poor justification, which looks something like this:

1) This is very serious
2) ...but it doesn't happen very often
3) We take it very seriously
4) We will carry out a full investigation
5) We will ensure it doesn't happen again.

Except, it's nonsense. Take password storage. Anyone who's anyone knows that you should always store passwords as hashes, you should never email them in plain text and you should use a recognized "slow" hash function to make it the most difficult for an attacker to crack the passwords. In fact, with a little extra effort, you could also hash and/or encrypt email addresses so an attacker could not easily match a cracked password to an email address.

So when someone gets hacked and the attacker steals a load of unencrypted passwords or passwords hashed with something like MD5, which is pathetically weak nowadays, "we will ensure it doesn't happen again" is unacceptable, because it has already happened to many other people and you did nothing proactively.

Even when this happens, punishment is rare and, to be fair, it should probably be an executive who is punished, not the company itself. It worries me that across the world, managers make decisions that can be criminally uninformed and by the time something bad happens, they are long gone and the company takes the hit (although that is probably the CEO's fault).

I have decided that the law in Britain needs to take a new modern form in lots of areas where it involves regulation of businesses and although I don't have a name for it, the idea is very simple.

1) The government implements a baseline, legally enforceable set of guidelines. Although the spirit is that you should not take them as a target, if you do adhere to them, you are by definition covered by law. These guidelines would be quite restrictive but would cover simple cases or small businesses and would provide a free and easy to use baseline.
2) If you are a larger company for whom the baseline is too restrictive, you can extend or modify the guidelines in your own documentation, specifying exactly what you are overriding and what you are using instead. You can choose to have these audited by an accredited auditor and if they are passed and adhered to, you will also be covered against negligence legislation.
3) If you simply cannot do either 1 or 2 above, you can choose your own method of process. Perhaps you are such a niche or specialized industry that you cannot get your processes audited. Fine, you do your own thing and if something happens, you will have a much higher burden of proof in court as to why the problem happened.

These default guidelines should be designed to be easily updatable, but this should be done at reasonable intervals so that people can keep up.

For instance, some basic data protection guidelines would mandate the use of bcrypt, scrypt, PBKDF2 or Argon2 as the minimum acceptable for password storage. By default you just do what you're told. A larger company has invented its own hash (for whatever reason), so it gets it audited and signed off as acceptably strong. A specialist company decides its process is too advanced and takes the risk that its own people have validated its strength.
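To make the password-storage point from the earlier paragraph and this one concrete, here is an added example (not code from the post) that puts the weak approach - an unsalted, fast MD5 digest - next to a baseline-compliant one using PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, the `$`-separated record format and the function names are my own assumptions; the only things taken from the post are the choice of MD5 as the "weak" case and PBKDF2 as one of the acceptable "slow" functions.

```python
import hashlib
import hmac
import os

# --- The weak scheme the post criticises: unsalted, fast MD5. ---
# Two users with the same password get the same digest, so one crack
# exposes both, and MD5 is cheap enough to brute-force at enormous rates.
def store_password_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# --- A baseline-style scheme: per-user random salt plus a slow KDF. ---
ITERATIONS = 600_000   # assumed work factor; tune so one hash costs ~100 ms on your hardware
SALT_BYTES = 16


def store_password_pbkdf2(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt, digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Storing the parameters alongside the digest lets the work factor be raised
    # later without guessing what an old record was created with.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False            # malformed record: never accept
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than the current baseline.

    Call this after a successful login and re-store the password if it returns True;
    that is how an updated guideline (higher iteration count) gets rolled out without
    ever needing the plaintext passwords in bulk."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice_md5, bob_md5 = store_password_md5("hunter2"), store_password_md5("hunter2")
    print("MD5 records identical:", alice_md5 == bob_md5)          # True: salt-less
    alice, bob = store_password_pbkdf2("hunter2"), store_password_pbkdf2("hunter2")
    print("PBKDF2 records identical:", alice == bob)               # False: random salt
    print("alice verifies:", verify_password_pbkdf2("hunter2", alice))
    print("wrong password:", verify_password_pbkdf2("Hunter2", alice))
```

The `iterations` parameter exists so the work factor can be raised as hardware gets faster, which is exactly the "updated at reasonable intervals" property the baseline guidelines need; `needs_rehash` is the hook that migrates old records on next login.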

In another industry, e.g. scaffolding, the baseline says that you always wear hard hats if you are erecting, disassembling or working underneath scaffolding. You wear hi-vis vests whenever moving plant is on the same site, and perhaps there are other requirements. A large company might decide that because they have a special walkway cage, hard hats are not required when using the walkway - they can extend the baseline and have it audited. Alternatively, they could decide that they are using advanced scaffolding that is all made of rubber and hard hats are not required - they decide not to wear them, but they take that at their own risk.

I think I will call it the Luke system but it's about time the government caught up and realised that regulation across the whole country (and most of the world no doubt), is completely not fit for purpose in the modern fast-moving, highly populated world.