The Importance of Protecting Cybersecurity Whistleblowers

Interesting essay arguing that we need better legislation to protect cybersecurity whistleblowers.

Congress should act to protect cybersecurity whistleblowers because information security has never been so important, or so challenging. In the wake of a barrage of shocking revelations about data breaches and companies mishandling of customer data, a bipartisan consensus has emerged in support of legislation to give consumers more control over their personal information, require companies to disclose how they collect and use consumer data, and impose penalties for data breaches and misuse of consumer data. The Federal Trade Commission ("FTC") has been held out as the best agency to implement this new regulation. But for any such legislation to be effective, it must protect the courageous whistleblowers who risk their careers to expose data breaches and unauthorized use of consumers' private data.

Whistleblowers strengthen regulatory regimes, and cybersecurity regulation would be no exception. Republican and Democratic leaders from the executive and legislative branches have extolled the virtues of whistleblowers. High-profile cases abound. Recently, Christopher Wylie exposed Cambridge Analytica's misuse of Facebook user data to manipulate voters, including its apparent theft of data from 50 million Facebook users as part of a psychological profiling campaign. Though additional research is needed, the existing empirical data reinforces the consensus that whistleblowers help prevent, detect, and remedy misconduct. Therefore it is reasonable to conclude that protecting and incentivizing whistleblowers could help the government address the many complex challenges facing our nation's information systems.

Posted on June 3, 2019 at 6:30 AM • 16 Comments

Comments

MeJune 3, 2019 12:53 PM

Perhaps some sort of "whistle-blower insurance" similar to unemployment insurance?

The difference being that if a whistle-blower is let go due to their whistling, they get paid 100% wages/salary until they land a new job?

MeJune 3, 2019 1:13 PM

Yes, you always ned truthtelling whistleblowers in society, it is a vital defensive check, and offensive tool of restoration.

But you DO NOT need more "laws".
You know that does not work, ever, in all of history.
You don't need "Con Gress" to do anything for you, do it yourselves.
So stop kidding yourself, and trying to convince others of it.
What you need is a lot less laws, and a whole lot more actual freedom, love, respect for human community and endeavour.
That's not from "laws", but a state of mind, a persistant way of life defending all who do nothing to you, instead of trying to enslave them to your own ridiculous will.

https://youtube.com/channel/UC8ewiXhsWfnBENJQLCIxRIQ/videos
https://youtube.com/user/larkenrose/videos
https://youtube.com/user/whatonearth93/videos

Petre Peter June 3, 2019 1:35 PM

We need more whistleblowers. Protecting them with documentaries (Oliver Stone's Snowden) might be another way to boost their courage.

Gerard van VoorenJune 3, 2019 3:59 PM

@Bruce,

You can say whatever you want but Edward Snowden is still in Russia AFAIK. And as long as that he is, this entire discussion is moot.

JackJune 3, 2019 8:58 PM

There had been wars about ideology but the establishment had pretty much done away with zero knowledge disclosures. We can argue this all day long but we're looking at this "problem" from a wrong angle.

JackJune 3, 2019 9:28 PM

@Me wrote, "Yes, you always ned truthtelling whistleblowers in society, it is a vital defensive check, and offensive tool of restoration."

The only "benefit" for making a law out of this that I can think of is to sandbox the act of whistle blowing into a panel-reviewed process, thus applying a review on "selectively" outing smuggled information.

Wikileaks had been providng somewhat raw and "uncut" versions of whistle blown materials (some will argue this is the correct way to do it). With the Assange arrest, the wikileaks pipelines will likely go into shambles. This vacuum will be replaced by a new "unbiased" handler.

If whistle blowing cannot be ideologically prevented, a lower bound must be installed to minimize damage. By enacting a due process, a selective filter of information is made possible thereby reducing whisle blowing exposure.

name.withheld.for.obvious.reasonsJune 4, 2019 1:45 AM

In the past I've made the observation that Wikileaks is called "Wiki"-"Leaks", not "Wiki"-"Blowers". Wikileaks primary objective is to make public that which is done in secret--more often then not--at a detriment to others (pissing off those not wanting to be exposed). For the most part, it is the powerful using their own purvey, influence, position, and manufactured justifications, their witness, as they see it...using their "facts" to carryout various actions. Wikileaks has demonstrated time and time again, much is done under the guise of governance, law, righteousness, and for "your own damn good"--it is not.

Journalists, I argue that Assange is, have the first amendment to the U.S. Constitution and through "Principal Law" cannot be subverted--but here we are. If you believe that U.S. law is extra-territorial, that Assange can be charged by Federal statute, than Principal Law applies. You cannot have it both ways. Ecuadorian President Moreno failed his country and made chattel of his people claiming that sovereign citizenship isn't worth anything. Furthermore, under the Vienna Convention, refugees seeking asylum can be subject to the abuse for the reasons that asylum is sought. The UK courts and law enforcement have proven that their subjective enforcement and sentencing is uncivil and reprehensible. Assange is held in a super max for skipping bail on an uncharged offense. Sweden has yet to file charges in court nor have a court order pending. This is a pure pre-trial law enforcement action.

It has to be obvious to anyone following the facts of this case, the application or ignorance of laws (national and international) are strained beyond belief. The fundamental tenets of governance, law, jurist prudence, and fairness are all laying bare on the operating table and is about to be served up.

As to legislation regarding whistle blowers, at this point it is the cart before the horse. We are at a crossroads geopolitically; when monarchs call soldiers to arms, ignore their courts, and thumb their noses at the senate--Rome is burning.


Get your forks, cuz ya aint goin to need no spoon.

EvanJune 4, 2019 2:41 AM

I remember seeing a cartoon from somewhere on Facebook shortly after the Snowden documents started coming out that said simply "If we don't protect whistleblowers, Russia will." Pretty much says it all, I think.

IsmarJune 4, 2019 2:49 AM

What is the point in whistling when most of the society is deaf or has noise canceling headphones plugged in 24/7?

MeTooJune 4, 2019 8:29 AM

@name.withheld... Again with the "Assange in supermax" nonsense. What makes you think Assange is in super max, is it coz Pamela Anderson told you he is? Belmarsh is NOT some kind of super-maximum security institution, there IS a max security wing at Belmarsh but Assange is not housed there.

Clive RobinsonJune 4, 2019 6:00 PM

@ MeToo, All,

Belmarsh is NOT some kind of super-maximum security institution, there IS a max security wing at Belmarsh but Assange is not housed there.

That is where your argument starts to fall appart.

Security is designed like the layers of an onion is the usuall analogy given. But that kind of misses the point, if you slice across an onion the "rings" that you see for the most part are the same thickness. These days security architectur tends not to be layered that way, a closer analogy might be "the cork oak". Which has a thick soft bark on the outside and close in hard packed rings within as this tends to maximize land utilisation.

Thus the security level a modern UK prison has starts in the surounding streets and is clearly in place as you enter the gate and remains at that level more or less through out, with only certain limited exceptions that get "hard cased" or "celled". Thus a medical area that requires free movment of staff and patients in it's operational area would be "hard cased" that is built like a cage or cell with heavily controled minimal access points.

In the UK the highest catagory of prisoner is "Catagory A" HMP Belmarsh is Catagory A throughout. It also has high security courts built in and a number of other "plus" features.

It was built in the 1980's to fulfill a design requirment from earlier decades, becoming operational in early 1991.

You have to understand what that primary design requirment was all about to understand HMP Belmarsh how it was built, how it is used and it's place in penal abuse in England.

It is a men's catagory A prison for the purpose of keeping the "politically inconvenient" out of sight as can be seen by it's long list of "Newsworthy Prisoners". Which includes those detained illegaly not just under UK legislation but European and other International treaty legislation the UK has been signitory to in the past. Which amongst other things erned it the title of "British Git-Mo", and the UK Government to be legaly sanctioned.

The staff at HMP Belmarsh appear to be specially selected or trained to mentally break prisoners judging by the number of serious complaints made and the little action taken on the complaints. I've known a prison officer refer to it as "The bad boys Club" when talking not about the prisoners but the prison officers. Because of this it has a "suicide watch" system that was and probably still is unique in the UK (difficult to find out for sure because many things about the prison are "Secret").

The reason such a prison was required was from "Political Embarrassment". If you look up escaping prisoners in the UK you will find "Traitors/Spys", "Terrorists" and a few others have escaped and caused the political wallflower class to suffer the angst of the embarrassment not just from the UK MSM but international MSM and importantly the likes of the "Special Relationship" partners[1].

Part of the design process that gave rise to HMP Belmarsh came from lessons learned in the notorious "H Blocks"[2] holding suspected and convicted Irish mainly Catholic Terrorists from the "Troubles" --as it was so delicately put-- for a third of a century.

Belmarsh at one point had approaching 6% "terrorists" as part of it's inmate population. Which is way way off the curve when you consider not just other UK inmate populations but National Population. It also gives a likely indicator of it's future use. There are stories going around in certain circles that HMP Belmarsh is to have it's current inmate population reduced for "upgrades" such that it can be used for the indefinate holding of returning jihadist soldiers. Similar stories come and go about how "Jihadi Brides" and any children they might bring with them are to be dealt with. This became rather more public with the death of such a child and the UK Home Office telling the UK familly illegaly that their daughters citizenship had be revoked.

So when you take a little time to look at it HMP Belmarsh is way way more than just a "Catagory A" prison throughout, and anyone who thinks otherwise has either not looked or has been partaking of that brand of "Cool-Aid" others call "Government Propaganda", handed out by the somewhat complient UK MSM.

[1] https://www.bbc.co.uk/news/uk-18643024

[2] Originally RAF Long Kesh, it became the Long Kesh Detention Center when the "nissen huts" were repurposed to hold people swept up of the streets by the likes of the Royal Ulsta Constabulary (RUC) from the early 1970's. Situated near "Maze" it became Her Majesty's Prison (HMP) Maze and the nissen huts got replaced with "H-Block" buildings a style prevelent in UK High Security thinking. Thus colloquially it becsme "Maze Prison", "The Maze", "Long Kesh", or more simply the "H Block(s)",

https://belfastchildis.com/tag/h-blocks/

Darren BindertJune 5, 2019 7:38 AM

Interesting post, i think now more than ever before, the way we interact with our corporate IT systems is evolving at a relentless pace. Widespread adoption of the Internet of Things, Bring your own Device, ‘App’ and 24/7 culture is significantly altering the security landscape, exposing business systems to an increasing number of cyber threats.

These threats warrant an urgent rethink of corporate Firewall security to ensure the network and our data is protected from these ever more sophisticated and malicious hacker, malware and criminal risks.

reassigned_variablesJune 6, 2019 9:19 AM

Thanks for this decent topic.

I read some of the Inspector Generals referral/protocol webpages and they look somewhat menacing.
Also, for those who simply want to report evidence or impending problems, the US's current system discourages that. The tips pathways are lately geared only for the totally obvious types of things which are probably already effects not causes to be prevented.

Even if a person tries to report or contribute info in person or via postal mail, there are troublesome blockades. Sometimes messages get through just fine. Other times, there are specific hecklers, sideliners, and stonewallers there to specifically waste our time or to send us to our doom. I know this from experience.

Conventional communications and resolution pathways are currently snafu-ed. Make other plans if you need external help.

All I can say is that if difficult/cruel/stupid/indifferent people continue to make it increasingly difficult to do good or even wonderful things, the pre-existing ease to do bad or even astonishingly horrible things will become so profound that widespread unilateral devastation will be more than guaranteed for several decades to come.

This isn't a plan, it's a description. Future historians of our already bygone era will hold their heads heavy and wonder how this all came to be--unless this trend is halted in it's tracks ASAP.

That's why I keep saying things like "Don't wait for permission to take the appropriate actions."

You might think this is all just empty commentary, but it's not.
There's a psychological component to hestitation. And hesitation and inaction rather than problem-solving and problem-blocking are security/safety topics amongst those who comprehend.

Some don't want to comprehend. I'm not one of those people.
Cause and effect are important to me. I don't rationalise the destruction of the future with the complacency of the present.

VRKJune 6, 2019 12:41 PM

PURE MAGIC if regulations are ever enforced against themselves (assuming regs materialize). Especially when legislators are a chief SOURCE of attacks AGAINST cybersecurity, it seems.

Ask why we even need this standard: https laws-lois.justice.gc.ca/eng/acts/R-10/page-7.html#h-421430

Or for example, one keyword for this watchdog is "on-duty" conduct. A typical dodge, in my estimation: https www.crcc-ccetp.gc.ca/en/ In addition, current and recent legislation seems driven to provide ways to off-load culpability.

"Words convey truthful conviction when tasted on the tongues of discerning minds", as I see it. That's all the earthly "protection" you should hope for.

A Nonny BunnyAugust 3, 2019 2:50 PM

@Me

But you DO NOT need more "laws".
You know that does not work, ever, in all of history.
Actually, history shows that laws are a terrific invention that has improved lives immensely.
Sure, overlegislation is a bad thing (as is overdoing most things), but living in a lawful nation is empirically a lot better than in a lawless/law-ignoring one.

What you need is a lot less laws, and a whole lot more actual freedom, love, respect for human community and endeavour.
Yes, well, good luck with trying to instill more love and respect for human community and endeavor. But failing that I'd still like to be able to fall back on the law. If people were perfect we wouldn't need laws. But people are people.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.