This morning, friend shrdlu pointed out that RSA might indeed have entirely legitimate reasons for being so deliberate in avoiding a rush to disclose information about the breach of SecurID information:
“Guys, unless you’ve dealt with this from the executive seat before, you don’t know the other issues.”
She has a point. Like her, I too have sat in the security officer’s chair and, as she put it, “I’ve spent a lot of time in my career Not Being Able to Talk, so I know a little of what RSA is going through.” Before we wander too far into shark-jumping territory, then, let’s take a moment and consider some of the arguments both for and against disclosure sooner rather than later.
Disclosure of what was compromised would provide customers with the level of detail they need to determine an appropriate response to the incident based on factual data, not hearsay or assumptions. They need to formulate an informed response sooner rather than later, in order to mitigate known risks most effectively and avoid wasting resources due to a lack of actionable information.
Disclosure of how RSA was breached would inform others of the nature of the attack and raise awareness of exploitable gaps in security practices. To the extent these gaps can be remedied, they will help support better security. To the extent they cannot, they will stimulate greater awareness of risk based on actual incident data rather than uninformed discussion.
Given all that RSA has already recommended to customers about the need to reinforce other aspects of a multifactor authentication system in the wake of this breach, how much is really left to keep quiet that would cause customers to further conclude that SecurID is significantly compromised? Is it really necessary to quash the details of the incident in order to rush mitigation into place, if the circumstantial evidence is already known and captured data is already exploitable (even if an exploit may take some time to develop) by what RSA has suggested are skilled attackers?
That last paragraph suggests how disclosure would actually help RSA to enable its customers to recognize where the product has not been compromised. It would also help RSA mitigate further damage to its products and its brand, if the limits of exposure in any sense were known.
In the absence of data to the contrary, many SecurID customers are already operating under a “when in doubt, rule it out” assumption that SecurID is compromised regardless, as a practical matter if nothing else. Why, then, would RSA rush to disclose before a more considered response is ready?
Before this gets readers into sky-is-falling mode, remember: As I discussed on Monday, SecurID is a multifactor system that includes additional authentication factors such as PINs and passwords that further control access to IT. Where these other factors are in use, customers are not as exposed as they would be if a SecurID one-time password were the only mechanism – hence RSA’s guidance to focus on the security of these other aspects of the system as a whole.
Most importantly, however: RSA customers really may be placed in jeopardy by revealing too much information before a more considered response is put into play. There may be aspects to this incident that directly affect customers – and those who depend on them – beyond what has been speculated by anyone, myself included. This is not trivial, particularly for a large public company accountable not only to its shareholders, but to customers such as government or financial services organizations on which we all have some dependence for our own security – even if risks of SecurID compromise are mitigated by other factors.
This has implications, however, beyond just the safety of RSA customers and those who rely on their security. As shrdlu pointed out, disclosure places RSA at some risk that someone, justified or not, could file suit against RSA for disclosing information that a plaintiff could claim led to a compromise of their own security in some way. This is undoubtedly one of the biggest obstacles to disclosure generally, and even though it inhibits the sharing of information that could better inform security for everyone, it is a reality that companies – particularly those that are large, well-resourced and/or publicly traded – simply cannot avoid.
Other factors, such as explicit or implicit direction from authorities, may be keeping RSA from disclosing information even if it wanted to. Many of us understand the need for confidentiality when a law enforcement investigation is involved, so I’m not going to speculate on too much there – at least not yet.
In short, while disclosure would enable a more informed response and put the brakes on (some) speculation, there really are reasons why RSA (and its parent EMC) would consider a more deliberate response to this incident. I’m not saying that a company such as EMC/RSA wouldn’t use these reasons as cover for good old-fashioned, self-interested damage control – but make no mistake: RSA is aware of the risks it is taking with its approach. (I’m not quoting them out of school on this, here or elsewhere in this post. If you need to be told this, you’re the person who needs flight attendants to demonstrate how seat belts work.)
This is more than a major corporate incident. It is arguably the highest-profile breach to date not only of a leader in the IT security market, but of a product widely used to secure high-sensitivity resources. RSA is aware that, no matter how they respond, they will be setting an important precedent. They also realize that not everyone will agree with their approach, no matter what they do.
Really, the arguments both pro and con boil down to this: The interests of customers and the public trump those of RSA/EMC. Those that have merit on both sides of this dilemma make it all the more challenging for RSA to respond.
On Monday, I suggested that slow disclosure could burn through goodwill fairly quickly. I also added that I felt this would be the case “unless and until RSA can demonstrate that its actions were warranted in the best interests of its customers.”
That’s an aspect of this case we have yet to determine – and it could be frustratingly difficult for RSA to prove, if disclosure of meaningful evidence places the interests of customers or the public at real risk.