Friday, June 05, 2015

Cybersecurity and the Tylenol Murders

When a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. The company focused on fixing weak points in their supply chain so that users could be sure that no one had interfered with the product before they purchased it.

This story is taught in business schools as an example of how a company chose to be proactive to protect its users. The FDA also passed regulations requiring increased security and Congress ultimately passed an anti-tampering law. But the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.

This story springs to mind today as Congress considers the latest cybersecurity and data breach bills. To folks who understand computer security and networks, it's plain that the key problem are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson’s supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and “poison” our information.

The way forward is clear: We need better incentives for companies who store our data to keep it secure.

Yet none of the proposals now in Congress are aimed at actually increasing the safety of our data. Instead, the focus is on “information sharing,” a euphemism for more surveillance of users and networks. These bills are not only wrongheaded, they seem to be a cynical ploy to use the very real problems of cybersecurity to advance a surveillance agenda, rather than to actually take steps to make people safer. EFF has long opposed these bills and we will continue to do so.

Congress could step in on any one of these topic to encourage real security for users—by creating incentives for greater security, a greater downside for companies that fail to do so and by rewarding those companies who make the effort to develop stronger security. It can also shine a light on security failures by requiring public reporting for big companies.

Yet none of these options are even part of the legislative debate; they often aren't even mentioned. Instead the proposed laws go the other way—giving companies immunity if they create more risk with your data by “sharing” it with the government, where it could still be hacked. "Information sharing" is focused on forensics—finding who did it and how after the fact—rather than on protecting computer users in the first place.

It's as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to "share" its customer lists with the government and with the folks over at Bayer aspirin. We wouldn't have stood for such a wrongheaded response in 1982, and we shouldn't do so now."
- Cindy Cohn at EFF (lightly abbreviated)

No comments: