Friday, March 18, 2011

EMC and Google Lawyers Walked Into A Bar.

The first thing that a company does when it's compelled to report a significant breach of security is try to mitigate the impact. When Google's Chief Legal Officer David Drummond reported that the company had been the victim of a "sophisticated and highly targeted" attack, he claimed that it only affected two Gmail accounts belonging to Chinese human rights advocates. Take careful note of how Drummond opened his now famous post: "Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis."

Fast forward from January 12, 2010 to March 17, 2011 and the opening sentence from EMC's "Open Letter to RSA Customers" regarding the attack against RSA's SecurID products: "Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day."

The opening sentence is so similar that you'd almost think RSA's lawyers met with Google's lawyers for strategy advice on how to draft their public statement. For the rest of us non-lawyers, the first sentence basically says "This is not our fault".

The balance of EMC's letter asks readers to believe a common conundrum: that the attackers were skillful enough to breach RSA's best security protocols but weren't smart enough to take the crown jewels. Google tried that same tactic a year earlier by referring to its own breach as a highly sophisticated attack which only succeeded in cracking a couple of Chinese dissidents' email accounts. Again, for us non-lawyers, let me break that down for you: "A Mossad hit squad found the Munich terrorists but let them live after giving them a firm talking-to." Sure they did.

I didn't believe Google then and I don't believe RSA now. I do believe, however, that there's a punch line to this joke that we haven't heard yet. And that it's just a matter of time before we do.


