Following the revelation that the EFF has filed a lawsuit against the NSA and the Office of the Director of National Intelligence, Toyin Adelakun, VP at Sestus, has provided the following comment in which he explains what the possible implications of the EFF winning the lawsuit would be for the public, as well as for business and security professionals.
“The utility of any information obtained as a result of the EFF’s Freedom of Information Act (FOIA) lawsuit is debatable, from at least a philosophical standpoint. Strictly speaking, the ethics of the matter are less important than the pragmatics. It is better, from a pragmatic standpoint, to presume that an arbitrarily large number of “opponents” may have knowledge of your systems’ vulnerabilities, and therefore to adopt a security posture that prioritises multi-layered security and segregation of duties. That way, compromise of a single given security measure or product — SSL, say, or database encryption — will not be sufficient for an opponent or attacker to gain unauthorised access to your sensitive information. That principle indeed is behind measures such as multi-factor authentication.
Were the EFF’s lawsuit to succeed, the NSA and other agencies might be compelled to divulge their decision-making processes in respect of zero-day disclosures to vendors and the public — in other words, to explain the workings of the Vulnerabilities Equities Process. And then what? Let us assume that the public can, crudely speaking, be classed into three groups: those who believe the government and its agencies constitute a bunch of malevolent connivers; those who believe the government and its agencies are benevolent strivers for the common good; and those who have no strong beliefs on the matter (i.e. are apathetic, ignorant and/or neutral). Disclosure of the decision-making process might shift some “neutrals” into the “government-is-malevolent” end of the spectrum, and will obviously entrench in their beliefs those already in that area — but may also shift some opinions in the other direction.
To businesses and security professionals who start with the presumption that an arbitrarily large number of opponents — be such opponents’ hackers or government agencies — may have knowledge of their systems’ vulnerabilities, disclosure of the workings of the Vulnerabilities Equities Process will change little.”
By Toyin Adelakun, VP at Sestus
About Sestus
Sestus is an online security company offering a suite of ground-breaking security products used to satisfy multi-factor authentication requirements (FFIEC, CJIS, PCA, HIPAA). Sestus’ products are used by both regulated and non-regulated companies who wish to improve their online security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.