Can we learn anything from the past few years of leaked secrets? Sure, we can learn that some big-shot executives and elected officials are lazy and feckless. We can learn that software is brittle and needs diligent patching. We can learn that a determined person trying to exfiltrate data has a HUGE advantage over the people trying to protect it.
But we already know this stuff.
The leaks are often due to particular people’s gross incompetence. But, seriously, finger-pointing and indignation have run their course as useful ways to deal with this crisis.
We need a new assumption. It is this: Secrets WILL leak. Not even state actors with unlimited resources can prevent their secrets from leaking.
We need to make the legal assumption that any cache of secrets is, inherently, a hazard. The bigger the cache, the bigger the hazard. We need the holders of caches of secrets to take responsibility for the hazards they create.
In common law, this is called “strict liability.” A farmer who keeps a bull in a field is strictly liable for damage his bull causes if it escapes. It doesn’t matter why the bull escapes. It doesn’t matter whether the farmer was drunk or sober, awake or asleep, or letting his goofy nephew play toreador. If the bull gets into the village and busts up the china shop, the farmer owes full restitution to the shopkeeper. Negligence is not a factor in deciding whether the farmer is liable. The only factor is that the farmer had a dangerous animal.
Farmers cope with this liability using defense in depth. They don’t keep more bulls than they need. (Steers — castrated bulls — ouch — are much less dangerous than bulls.) They keep them far from villages. They keep them in fields with extra fencing. They keep them close to their farmhouses so they can keep an eye on them.
People and orgs who keep caches of secrets need to be held to the same standard of strict liability. Having a vast cache of secrets in one place has to be recognized as astoundingly, business-threateningly, dangerous. (In the case of state actors, nation-threatening.)
Secret-holders need to have big incentives to reduce the sizes of their caches, to make the secrets they hold less damaging to the public, and to protect those secrets.
Companies like Equifax should be pummelling the government to get rid of the stupid nine-digit taxpayer ID, for example. Credit card processors should cut off merchants who don’t convert to chip-and-PIN. Companies like TurboTax (Intuit) should be doing similar things. Most online companies should be scrambling to erase caches of secrets they don’t need. State actors should work on making their caches of secrets smaller. (Why does the US federal government need a centralized HR system?)
If the NSA keeps a cache of software exploits rather than disclosing them responsibly, and that cache leaks, and the health service of another nation is damaged by somebody using that cache, then the NSA is responsible for helping clean up the mess.
Congressional hearings to humiliate big-shot executives are some kind of fun. But they aren’t solving the problem. In fact, they may be obscuring it.