There Is No Genuine Information Without Security

Whether we like it or not, information really is king. This has been true for a while now, but it is even more clearly so now. In one way or another we now depend upon digital information for almost everything: to protect us, feed us, cloth us, entertain us and, most importantly, inform us. Erosion of trust in the integrity of the information that we mutually consume and produce effects us all in ways which may not be immediately harmful, but are none the less detrimental to us collectively. Information is king, but trust is paramount in such a world.

Over the recent July 4th Holiday weekend, we were all treated to another high profile information security breach. This time, Fox News’ Twitter account was compromised by a heretofore unknown hacker vigilante group known as the Script Kiddies. After taking over the Fox News account (@foxnewspolitics), the Script Kiddies proceeded to tweet a series of misleading messages claiming that President Obama had been shot and killed while campaigning in Iowa. The messages were removed by Fox approximately 10 hours later. By that time, of course, the tweets had been picked up by numerous others on Twitter and on other online reporting sites to the chagrin and embarrassment of Fox News. Some people reading the tweets were fooled; they believed, that is they trusted, what they were being told. Thankfully, most people did not.

So what lessons of value, if any, can we all derive from this latest episode of the information security breakdown chronicles? Does this incident reveal some new and serious vulnerability; a sophisticated method of attack; or a serious security misstep by Twitter? Likely not. While all of the circumstances are not yet known, what we do know does not indicate that we are moving in any of those directions. Twitter and its associated email accounts have been hacked before, and despite its best efforts it, to likely will be again in the future.

What this incident does makes clear, if it were not already so, is the extent to which we live in and depend upon a world dominated by information. While similar to the old style web site defacements, the Fox-Twitter case is a different class of information security offense. What occurred here is potentially much more sinister. It gives us a peek at the potential for undermining the integrity of our information sources. The Fox-Twitter incident, from an information security point of view, was an attack (whether or not intended as such) on the integrity of information itself, not merely an attack on Fox. While the attack on information integrity involved here was not very sophisticated and easily perceived, this may not always be true. It is easy to imagine more sophisticated scenarios with more serious and far reaching consequences for our trust in the information we have come to rely upon..

Until recently we have seen cyberattacks directed at various industries such as banking and financial services, health care, education, and retail services. However, at its heart, the Fox-Twitter attack and the WikiLeaks breach before it, represent two forms of a new kind of cybersecurity threat whose purpose is to question or undermine the credibility of information distributed to the public. In the usual “hacking” case, the harm involved relates to the responsibility owed by the custodian of the information to the owner of that information to prevent unauthorized access and or use of the information. Failure to safeguard the information could result in (1) a responsibility under the various data breach laws to at a minimum report a breach in security; and (2) potential civil liability in the nature of a class action or other type of lawsuit.

However, in the Fox-Twitter case the damage involved, which is both immediate and direct, is to the reputation of, and trust extended to, the news organization in custody of the information breached. While there is of course potential economic (indirect) damage ,which may flow from this kind of breach , (such as claims by individuals who assert that they have been defamed or that their privacy, reputation, or image has been harmed), the most significant damage to a news organization and to the public at large is in the loss of trust in that news organization. Though there is perhaps no legal redress for this form of loss, its consequences are much more serious. Moreover, it’s not difficult to imagine a slightly different version of the Fox-Twitter hack which could result in both a huge blow to a news organization’s reservoir of trust, and a basis for a third party claim for damages. Imagine a fake tweet which revealed the name and/or other information about a news organization’s sources.

As more and more organizations, including those who are repositories for and distributors of news, increase their utilization of social media and other cloud based technologies, the Fox-Twitter incident should serve as a strong reminder of the benefits and dangers of doing so. Information “in the cloud” is often not within the direct control of the business organization which placed it there. However, the lesson is not that information should be withheld from the cloud, or that the cloud is inherently more insecure than any other computing environment. It is rather, that news and other businesses operating in the cloud have a heightened reason to insure, through contractual and other legal and technical safeguards, that their information, “out in the cloud”, is at least as secure, if not more so than the information under their direct control, “down on the ground”.

The Fox-Twitter incident should help us realize in a world ruled by information, security is truly essential. If information is King, then information security is… well, Queen. The two (information and security) are an eternal, integral, duopoly. In a world in which information is king, information security establishes the essential traits (confidentiality, integrity, and availability) which allow us to trust the king The Fox-Twitter incident should make clear why the practice of good information security is no longer an option, or a nice thing to have, or a corporate step child. It is instead, more essential than ever to insuring that the information kingdom we are constructing remains trustworthy and thereby useful and valuable to us. Not the other way around. A world of trustworthy information is only achieved by each of us insisting upon and practicing good information security.