I’ve written extensively here and elsewhere (especially) about how we need to use legal rules to hold individuals and entities liable for not taking reasonable efforts to secure their computer systems. The goal, I argue, is to alter our current culture, to create a climate in which we – the individual end-users and the entity intermediate-, originating-, whatever-users – take security seriously and take it as our individual and collective responsibility.
I’ve just had an object lesson in how far we have to go to achieve that . . . a lesson in humility, maybe . . . or maybe just a good, solid dose of early twenty-first century reality.
I’m a professor at a law school, which is part of a university. Like all law schools, ours is a separate operational unit for most purposes, including internal technology. We do, though, rely on the university’s technical staff for certain things, some of which implicate computer security. That’s about all I’m going to say about organizational responsibilities because my purpose here is not to get anyone into trouble – it is, as I said earlier, simply to recount my recent encounter with reality.
At home, I have my own laptop, my own software, my own security arrangements, etc. At the law school, I use a law school-provided laptop which runs law school-provided software (via university arrangements) and I access the Internet via the law school’s wired connection, which has firewalls (sometimes very annoying firewalls and filters, I might add) and other security measures. My laptop has antivirus software provided by a major, reputable company, which I will not identify because what happened is not the fault of their product – it is, as is so often true, attributable to human factors.
My laptop antivirus software updates itself, and I routinely run a virus scan on the laptop at least once a week (more, depending on how often and how long I’m there). I ran a virus scan on Monday and came back to find that it had found a Trojan horse program but was unable to do anything with it – couldn’t delete it, couldn’t quarantine it, nada. I found that peculiar, so I went to the tech staff.
They responded promptly, ran the laptop in safe mode, ran the antivirus software, found the Trojan, deleted it. All was good, till the next day, Tuesday, when the Trojan showed up again, same message, same futile efforts by the antivirus software. So, back I go to the tech staff. They weren’t sure what to do, researched the matter, and decided the problem was that running the antivirus software in safe mode didn’t clear the Trojan from the registry (though now that I think about it, why would running the program in safe mode let it do what it could not do in regular mode?), so a very nice tech person did that while I was out teaching a class.
I come in yesterday, and run into the nice tech person in the hall. I’ve really begun to wonder why the antivirus software had such a hard time with the Trojan, so after he tells me they cleaned the registry, the Trojan is really gone and all is good, I ask about that.
I’m told that the program the law school uses (via the university) has had two upgrades in the last year, neither of which made it to my laptop. The effects of the first upgrade were apparently not that dramatic, so we’ll let that one go.
The second upgrade, which was implemented some months (4? 5? 6?) ago, left the software on my laptop incapable of updating itself . . . so for some months I have been running a laptop from my office whose antivirus software was increasingly out of date. Neither the notice that there was an upgrade nor the upgrade itself ever percolated down to me . . . which makes me wonder how many other law school users it missed. (Note: This is not intended as an invitation to would-be law school hackers.)
Again, my point here is not to cause trouble for the good people who work in computer security at my law school and at my university.
My point is simply anecdotal . . . simply a personal experience with how completely out of whack our culture is with the need to secure systems . . . and KEEP them secure.
In a completely different context, someone said our grand jury system is “alchemical” in its function . . . by which they meant that we put together a group (12, 16, 23) of people, wave a set of proposed charges (an indictment) at them, which they almost instantaneously approve and we have a criminal case. The point was that nothing really happens, in terms of having the grand jurors actually assess the merits of the indictment – that the process is almost purely symbolic.
I’m beginning to wonder if a lot of the exercise about computer security isn’t alchemical, in the same sense. Effort happens, and that’s supposed to count, somehow.
This is one of those days when, if I were a gambler, I’d definitely be putting my money on the cybercriminals.