posted by hubie on Tuesday November 12, @10:41AM

Arthur T Knackerbracket has processed the following story:

At the start of September, Transport for London was hit by a major cyber attack. TfL is the public body that moves many of London's human bodies to and from work and play in the capital, and as the attack didn't hit power, signaling, or communications systems, most of the effects went unnoticed by commuters. The organization downplayed the damage done to back office ticketing, billing, and other systems. Everything was in hand.

Not for long. TfL quickly rowed back on claims that no customer data had been exposed as evidence appeared to the contrary. Customers complained that various ticketing discount schemes and group privileges for students and retirees weren't accessible, and TfL made vague promises to perhaps compensate for this some time in the future if receipts were kept. The official line was, however, that things were basically fine.

Recent reports say otherwise, claiming that the scope of the problem is much wider and the situation more serious than previously understood. A vintage friend of The Register confirmed that he couldn't get his old age travel permit, while TfL's Oyster contactless ticketing system was putting erroneous entries on passenger accounts that could not easily be fixed.

[...] This is not unique to TfL. If you've read The Register for more than a week, you'll know how it goes. Nobody likes to broadcast bad news, and from the British Library to public health services to government organizations, the initial instinct to manage the information about a breach seems stronger than the instinct to manage the systems in the first place. Commercial entities have the same instincts, but can be quite the poster children for regulatory disgorgement. Public sector outfits have the institutional instinct to clam up and ride things out, which their political overseers understand all too well.

This is exactly wrong. There is a case to be made to exact more disclosure from companies that get hit by cybercrime, but also the argument that their responsibilities are limited to themselves, and their customers can leave or lawyer up depending on levels of horror and hurt. Public sector outfits not only have much broader responsibilities to citizens, not customers, but consume state resources that directly affect all our lives. A million spent rebuilding an IT system blown apart by bit burglars is a million not spent keeping people safe, healthy, and free.

In short, cybersecurity in the public sector is a critical matter to society. It should be treated as such. It is not. Unlike transport infrastructure, environment, food and health, it is not regulated. If an aircraft crashes or a novel infection breaks out, certain bodies have a legal duty to investigate and report.

[...] We need an accident investigator for cybersecurity, one with the power to keep senior execs awake at nights, one to whom nobody can say no. One that looks for reasons, not blame.

In the long term, it will save money and lives, make everything easier for everyone with responsibility to keep the wolves in the forest. In the medium term, it will shake up expectations and practices across the sector. And in the short term, it will be exceedingly entertaining. We own the public sector. We set the rules. Let's make it happen.


  • (Score: 3, Touché) by Thexalon on Tuesday November 12, @11:59AM

    by Thexalon (636) on Tuesday November 12, @11:59AM (#1381361)

    When something good happens, everybody wants credit for it and will try to claim that they are somehow responsible for it. When something bad happens, nobody wants to admit it because admitting it will involve taking some degree of responsibility for it. Therefore, all organizations regularly engage in collective self-delusion about how well everything is going.

    And since there are generally no real consequences whatsoever to organizations who have large amounts of data on other people stolen in a security breach, what generally happens is that they send out some PR flak to spout lies about how it really wasn't that bad, offer identity theft insurance to anybody who asks for it (which is a nice cheap sop to offer because most of their victims don't ask for it), and then go right back to doing what they were doing before. See, for instance, Equifax.

    --
    "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
  • (Score: 4, Insightful) by VLM on Tuesday November 12, @01:49PM (1 child)

    by VLM (445) on Tuesday November 12, @01:49PM (#1381378)

    There seems to be a push to make it a special cyber situation so there must be special cyber rules and special cyber laws and special cyber regulations.

    However:

    The official line was, however, that things were basically fine.

    So it's just plain old fashioned fraud, nothing special. We can agree to trade your money for our services but LOL you better keep your receipt because we're not going to do what we agreed upon before you sent in the money.

    "a material false statement made with an intent to deceive"

    You don't need special "cyber" laws to prosecute fraud.

    Disclaimer: This is in England; they don't have "rights" and are subjects, not citizens like in the USA. It's theoretically possible (I don't know one way or the other) that the govt is permitted/encouraged to commit fraud against its people. It does seem to in general, so I dunno.

    scope of the problem is much wider and the situation more serious than previously understood

    Possibly they're incompetent or unknowing of a developing situation which is a reasonable defense against fraud (it wasn't on purpose they have no idea what they're doing). Again no additional laws are required because if they're overwhelmed by the basics of providing minimal security, they will simply be more overwhelmed by demands to provide more elaborate disclosure. More likely they'll reassign money and resources into disclosure that should have been spent on prevention or mitigation, making the situation even worse for the victims.

    • (Score: 2) by choose another one on Tuesday November 12, @03:17PM

      by choose another one (515) on Tuesday November 12, @03:17PM (#1381386)

      There seems to be a push to make it a special cyber situation

      Well, maybe, but it's possibly more that it's a special public sector situation.

      In England/UK quite a few public sector organisations have their own police force and/or their own right to prosecute and/or the right (special status in law) to prosecute or fine you with surprisingly little (if any) due process. They are special in this way.

      That makes cyber attacks on their systems far more concerning in many ways. Just as one example, you can be fined (I think close to four figures when converted to US $) for failing to display a proper pass/permit to match your ticket (old age pass, young persons pass etc.), probably on the underground as well as the railways. Those passes/permits are now frequently digital, stored on the systems that they will testify were "basically fine" when you failed to access your account with your pass. Must be your error not a cyber attack on our systems, so you pay $$$$.

      You can still, just about, use the old fashioned pieces-of-paper systems that give you a fighting chance to prove your innocence later, but sometimes their systems fail and you cannot, for example, physically buy a ticket before boarding a train and they will then fine you for not buying a ticket at the point that they made it impossible to do so. Moreover the "court" process for finding you guilty is actually merely a rubber-stamp process where you cannot submit any evidence or have any representation.

      That is really why these institutions may be special.

  • (Score: 3, Interesting) by mcgrew on Tuesday November 12, @03:23PM (1 child)

    by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday November 12, @03:23PM (#1381387)

    First, I need a better link than The Register, which is only slightly less dishonest than Fox. They don't make shit up, but they do leave important facts out to make a story more sensational.

    Nobody likes to broadcast bad news

    ...says the man who has never read a newspaper! As mentioned above, ALL mainstream news media, including (especially) the Register, LOVE bad news. How often do you see good news in the news? Did George Santos write that nonsense?

    I do agree that "cybersecurity in the public sector is a critical matter to society." Good luck getting it legislated, especially on my side of the pond.

    --
    A Russian operative has infiltrated the highest level of our government. Where's Joe McCarthy when we need him?
    • (Score: 0) by Anonymous Coward on Tuesday November 12, @04:20PM

      by Anonymous Coward on Tuesday November 12, @04:20PM (#1381400)

      Good luck getting it legislated, especially on my side of the pond.

      Yeah well, can't complain too much, we just squandered another chance to fix that.