A Short Rant about Computer Security and Ethics

Let’s suppose, hypothetically, that I was in charge of computer security for a large company with 50 independently run divisions. And let’s suppose, hypothetically, that I discovered evidence that 39 of these divisions had experienced break-in attempts at a critical time in our operations. And further, that in at least half a dozen of those cases, hackers got so far as to come in contact with sensitive data.

And let’s also suppose that many of those 50 independently managed groups did such a bad job that log files were often incomplete or missing entirely.

Here is what I would tell the press. This is based on both what my employers would require of me, and what my current understanding of ethics would require of me:

…although we have experienced significant attacks, we have no evidence that there was any substantive effect on operations at all…

And this is exactly what we hear about the election hacks. However, this answer has been widely misconstrued as “security experts say election results were not altered”.

NO. Security experts DID NOT say that.

To understand fully what I’m getting at, let’s look at my hypothetical example, and what I would tell my boss, and how I would approach my job. Because my professional ethics on the internal response would be decidedly different than the public one. My internal response would basically be this:

ARE YOU FREAKING KIDDING ME??? We had 39 separate attacks (at least), and the logging is so bad I honestly have no idea what happened. We probably had more than 39 attacks. If our attackers had the resources to hit 39 of our divisions, why would they stop there? And it’s almost inconceivable that these hackers hit 39 divisions and had zero successes. We know our security is a mess, and we know that it’s not standardized between divisions. The only responsible course of action for us moving forward is to assume that some of these attacks were completely successful.

This is what has been widely misunderstood: that “no evidence” and “no effect” are in any way the same thing. You have to assume they are not. This assumption is the basis for security professionals’ approach to their jobs. The media should understand this assumption when they interact with security professionals and interpret what they are saying.

Am I saying I know they successfully altered our elections? Of course not, I don’t know that. I’m saying that if it were my 50 divisions, and you asked me publicly about it, I would have to say “no evidence” because that’s the only thing I can realistically and honestly disclose. It’s the only ethical public statement to make. But it would be the height of incompetence to execute my duties based on the assumption that these attacks were not successful. Assuming that at least 39 attempts were made and all were unsuccessful, without clear evidence, is the definition of irresponsible.

As U.S. citizens we are all responsible for our democracy. And as such, though we have no evidence of altered election results, it should be a base assumption moving forward that the raw numbers in the elections were affected by these hacking attempts. Any other assumption is irresponsible. This assumption doesn’t mean we’ll ever know if Trump really won, and it doesn’t mean we have sufficient evidence to do anything at all about the past election, but it means that moving forward we have to make substantive changes in our security practices, and if we don’t make those changes, we are not fulfilling our ethical responsibilities.

And it means we should not make unsupportable claims about the accuracy of our last election, when the reality is that we don’t know that, and may never know.

The author is a systems administrator who has been personally and professionally involved in computer security since 1988.
