Information security?

An interesting few days in the world of information security. Last week we saw the UK Information Commissioner hand out two significant fines to two authorities for significant breaches of the Data Protection Act. This week, the spilling of the CIA's most secret secrets courtesy of WikiLeaks in what is becoming known as Cablegate.

The most interesting aspect of the IC's actions was how old-fashioned the sources of the infringements were. For A4e, a care provider, a £60k fine for the loss of a laptop containing unencrypted case data. For Hertfordshire County Council, it was a mis-sent fax (a device invented in the 1800s). Whilst it could be strongly argued that a modern, cloud-based data management system would have mitigated the risk of such breaches happening in the first place, it's often the Data Protection Act itself that prevents the move to such technologies. Simply put, the law is very outdated.

For me, the biggest issue today with the DPA is that, through extension via European directives, the physical location where data is held is given far greater significance than is justified in today's very virtualized world. This leads to greater dependence on on-premise databases, and by extension much greater duplication of that data resulting in greater risks of loss as seen in last week's cases.

Where data physically sits is much less important today, though, than where the person who is looking at it is… And even that is becoming increasingly tangential in our ever more globalised world.

So, we have a series of laws that are both very difficult to comply with and in some ways encourage practices that will become highly likely to lead to compliance issues in their own right.

And then the Cablegate event happens. Hundreds of thousands of highly confidential diplomatic cables leaked to the world. And at this point I wonder: if the combined might of the US Government can't keep its secrets secret, what hope for the rest of us? Of course there will be a gnashing of teeth about all of this, and calls for stronger security systems to be put in place. But the weak link will always be the people involved.

Not for any reason other than that it is just the way the world is going, it feels like we are entering a new world where very little can be kept secret. A world of complete transparency is not necessarily a good or bad place, but it will certainly be a very different place. But maybe the solution to addressing some of the security issues that we have seen in the last few days is to start both systems and legislation from a base position of assumed disclosure, rather than from assuming that we can choose what is disclosed.
