Slashdot Mirror


Cybersecurity and the Tylenol Murders

HughPickens.com writes: Cindy Cohn writes at EFF that when a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. Congress ultimately passed an anti-tampering law, but the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.

According to Cohn the story of the Tylenol murders comes to mind as Congress considers the latest cybersecurity and data breach bills. To folks who understand computer security and networks, it's plain that the key problems are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson's supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and "poison" our information. The way forward is clear: We need better incentives for companies that store our data to keep it secure. "Yet none of the proposals now in Congress are aimed at actually increasing the safety of our data. Instead, the focus is on 'information sharing,' a euphemism for more surveillance of users and networks," writes Cohn. "These bills are not only wrongheaded, they seem to be a cynical ploy to use the very real problems of cybersecurity to advance a surveillance agenda, rather than to actually take steps to make people safer." Congress could step in and encourage real security for users by creating incentives for greater security, a greater downside for companies that fail to provide it, and rewards for those companies that make the effort to develop stronger security. "It's as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to 'share' its customer lists with the government and with the folks over at Bayer aspirin," concludes Cohn. "We wouldn't have stood for such a wrongheaded response in 1982, and we shouldn't do so now."

2 of 74 comments

  1. what did you expect? by samantha · Score: 5, Insightful

    The same people who say it is OK that the NSA weakens security paradigms, who take seriously government demands for backdoors in all crypto systems, and who OK spying on everyone are not about to do a complete 180 and actually do anything to build up security. The corporations can do little for better security while the government is busy weakening and limiting all security tools. So simply making more demands on companies is useless.

  2. Inexact Comparisons by Fire_Wraith · Score: 5, Insightful

    There are definitely some important points to be made in the comparison here, but some of them are a bit off. For one, it makes the comparison to sharing customer lists for Tylenol/Bayer Aspirin/etc., but that's a bit off.

    There is a value in 'information sharing', it just depends on the information being shared. Sharing the sorts of data associated with an intrusion, so that others can check their networks for similar activity or vulnerabilities? That's a good thing. The comparison here would be having Tylenol's makers share the information on how their supply chain was possibly compromised in the first place, so that we don't wind up having them fix the problem, only for other companies to get hit with the same thing because the details were kept secret.

    That's what's important - the information about the vulnerabilities and exploits, not the customer data. This is why we have to be especially wary about nebulous proposals that hand over truckloads of unnecessary data, since there are certainly agencies in the government that would love to have free access to it in order to do entirely unrelated things like go on witch-hunts.

    At the same time, we have to keep in mind that most companies won't share information about attacks unless they're required to do so. Imagine if Tylenol had just ignored clear signs of a break-in at their plant, ignored the possibility that thousands or millions of capsules could have been poisoned, and decided to just pretend nothing ever happened, only for it to come to light years later, because that is roughly what has happened in many past instances of major retailers getting hacked.
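The distinction comment 2 draws, between sharing the technical indicators of an intrusion and sharing customer data, is easy to state and easy to get wrong in practice. The script below is an added example, not code from the Slashdot story, from EFF, or from either commenter. It builds a share-safe indicator bundle from a constructed incident record using an allow-list of fields (so any PII field that is later added to the record is dropped by default, and the victim's own internal pivot addresses are stripped as well), then shows how a second organisation would check its own constructed log lines against the shared indicators. Every field name, address, hash, domain and log line is made up for the example.

```python
"""Added example, not code from the Slashdot story or its comments.

Share the indicators of an intrusion, not the customer data: build an
allow-listed bundle from a constructed incident record, then let a peer
check constructed log lines against it. All data here is made up.
"""
import ipaddress
import re

# Constructed incident record, as a victim might assemble it internally.
INCIDENT_RECORD = {
    "attacker_ips": ["203.0.113.7", "192.168.1.20", "198.51.100.23"],
    "c2_domains": ["update-check.example"],
    "malware_sha256": [
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    ],
    "technique": "memory-scraping malware on POS terminals",
    # The fields below must never leave the organisation.
    "customer_records": [{"name": "J. Doe", "card": "4111111111111111"}],
    "employee_emails": ["alice@victim.example"],
}

# Allow-list: anything not named here is dropped, so a PII field added to
# the record later cannot leak by accident.
SHAREABLE_FIELDS = {"attacker_ips", "c2_domains", "malware_sha256", "technique"}

# RFC 1918 and loopback space: internal pivot hosts describe the victim's
# own topology, not an indicator a peer can act on.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_shared_bundle(record):
    """Keep only allow-listed indicator fields and strip internal addresses."""
    bundle = {k: v for k, v in record.items() if k in SHAREABLE_FIELDS}
    bundle["attacker_ips"] = [ip for ip in bundle.get("attacker_ips", []) if not is_internal(ip)]
    bundle["malware_sha256"] = [h.lower() for h in bundle.get("malware_sha256", [])]
    return bundle


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def find_matches(bundle, log_lines):
    """Return (kind, indicator, line) for every log line that hits a shared indicator."""
    ips = set(bundle.get("attacker_ips", []))
    hashes = set(bundle.get("malware_sha256", []))
    # Match domains as whole names, so "xupdate-check.example" is not a hit.
    domain_res = [
        re.compile(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])", re.IGNORECASE)
        for d in bundle.get("c2_domains", [])
    ]
    hits = []
    for line in log_lines:
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append(("ip", ip, line))
        for h in SHA256_RE.findall(line.lower()):
            if h in hashes:
                hits.append(("hash", h, line))
        for dre in domain_res:
            m = dre.search(line)
            if m:
                hits.append(("domain", m.group(0), line))
    return hits


# Constructed firewall/proxy/EDR lines from a *different* organisation.
PEER_LOGS = [
    "2015-04-10T03:12:44Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2015-04-10T03:12:50Z proxy GET http://update-check.example/p.php client=10.0.0.5",
    "2015-04-10T03:13:01Z edr sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 path=C:\\Temp\\svc.exe",
    "2015-04-10T03:14:07Z fw allow src=10.0.0.9 dst=93.184.216.34 dport=80",
]

if __name__ == "__main__":
    shared = build_shared_bundle(INCIDENT_RECORD)
    print("shared fields:", sorted(shared))
    for kind, indicator, line in find_matches(shared, PEER_LOGS):
        print(f"{kind:6} {indicator}  <-  {line}")
```

The allow-list is the point: a deny-list of "sensitive" fields fails open the first time someone adds a new column to the incident record, while an allow-list fails closed. The peer side shows what the shared data is actually good for, namely a quick sweep of its own logs for the same infrastructure and the same binary, which is the part of the comparison the comment argues Tylenol's competitors would have wanted.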