Crime and security

I’ve been following the story of Gary McKinnon, the chap who is facing extradition to the States as a result of his hacking into a US government computer system on the hunt for UFO evidence. I’m not sympathetic: his was a targeted attack against a restricted system. However, if the story is to be believed, there was no malicious intent and no motivation to steal for profit. Politics aside (and if you want the political side then browse on over to the Free Gary McKinnon blog), there seems to be a good deal of effort on the American side to see that justice is done and an example set for others who might have similar ideas, but one can’t help wondering if Mr McKinnon simply represents an easy target to use as that example.

This story is hot on the heels of another about the number of British businesses that actually report security breaches. Apparently only a third do so, and I was wondering where you draw the line between identifying suspicious entries in the logs and responding by making a report of a crime. Tony Neate, whom I know and respect, makes the point that “In order to be effective we need to know what the scale of the problem is, this can only be measured if we report incidents when they occur.” Fair enough, but I was chatting some time ago to the manager of a web hosting facility for a large and well-known portal, who was talking me through how much they spend on anti-DDoS measures as a result of being under almost continuous attack. Should each and every source IP be investigated? Chances are most would lead to some zombie’d home PC anyway.

So, should we only report incidents that result in some financial or data loss? Data disclosure laws in the USA make such reporting mandatory in many cases, while in the UK there is no such obligation. Should there be? There’s an interesting blog entry here where it’s stated:

There is a new legal and moral norm emerging: breaches should be disclosed…. The reason that breaches are so important is that they provide us with an objective and hard to manipulate data set which we can use to look at the world.

So, I find myself in agreement with Tony Neate and fast losing interest in Gary McKinnon. Ironically, both are attendees at InfoSec Europe (Gary was a speaker last year) but represent extreme ends of the scale: one side breaching security and now whinging about having to face justice in the country where he committed his crime, and the other side talking of the need to “be aware of the cost to society at large and the measures that need to be put in place to fight it.” Who wants to suggest that the two debate head-to-head? 🙂