Imagine if you were living in a neighborhood where there’d been some burglaries, a few cars had radios smashed, and people were justifiably upset over this. Imagine then that the head of the neighborhood association was dead set against going to the police or the city because that is too inconvenient, having to fill out all that paperwork, and you know, it just doesn’t look good for property values if it gets out that there’s been crime in the neighborhood.
Then imagine that the head of the association gets burgled. And you find out that not only were they burgled, but there were squatters in their basement who had been there for the last six months and were using it as the hideout for their gang, the very one robbing the neighborhood. I know what I’d think — I’d think we need a new head of the association to start with.
Well, that is where the US Chamber of Commerce is right now. They’ve been hacked, and the hackers (presumably Chinese) have been on their systems, stealing information for six months. They’re part of the problem. We need unified breach disclosure laws in the US. There is a patchwork of thirty-some states all with slightly different laws about this, and it would be nice to have a national standard. Well, guess what, Chamber of Commerce, you get to now comply with all those states and their different notification requirements. The US government has been wanting to help industry get better security, and the Chamber has led the charge of saying that no, it isn’t needed. Sure, sure, the Feds often don’t have the right idea of what we in industry need, but how’s going it on your own working out for you?
Some of my fellow security experts have criticized this as being hypocritical. I have to disagree. It would be hypocritical if they said one thing and did another. Their actions line up with their beliefs. They’re merely stupid. As in too stupid to deserve to have customers. I’m not a member of the Chamber, and that’s both a relief and a disappointment. It’s a relief because I rest easy at not having had the Chinese spend six months stealing information that I had trusted the Chamber with. It’s a disappointment because since I’m not a member, I can’t resign in outrage. All I can say is that if you’re outraged that they got hacked so badly and you are a member, think about whether you want them representing you. Think about that head of the homeowner association who had a gang in their basement. And just do what you think is appropriate.