This story appeared on Network World at
http://www.networkworld.com/columnists/2011/032811bradner.html

Ensuring mistrust -- companies not coming clean on problems

'Net Insider
By Scott Bradner, Network World
March 28, 2011 03:19 PM ET
It has been quite a month for organizations mishandling bad situations. In all of these cases, delays in reporting the problem made it worse, and in one case the decision to not be forthcoming about the actual risk may cost a company most of its customers.

In early February an overhead light fixture fell in one of the Boston "Big Dig" tunnels, but it was more than a month before the public who drives through the tunnel was told. On March 15, a system at security company Comodo was used to create fake security certificates for a number of major U.S. companies, but Comodo did not tell the public for more than a week.

And, at some so-far-unknown point, RSA, the folks that bring you the SecurID tokens used by thousands of companies to protect their electronic assets, was hacked.

As of this writing, RSA has still not said just what happened.
The decision to not tell the public about the Big Dig lighting problem has already cost one highway administrator his job and has become a daily reminder of the expensive mess that was the whole Big Dig project.

When Comodo did come clean about the breach it published a detailed incident report and has posted some good blog entries on what happened and what it learned (click here and here for blog entries).

But the company has come under strong criticism for the delay, particularly because Comodo said it found and canceled the bogus certificates "within hours." At least one commentator said that lives of Iranian dissidents were put in danger by the delay. Mozilla, one of the companies involved in cleaning up after the breach, concluded that the delay was a mistake.
The RSA SecurID case is the most troubling and puzzling. RSA is a company whose very existence depends on trust, but the way it has responded to the breach is almost perfectly designed to destroy trust.

So far RSA has posted one very fuzzy "Open letter to RSA customers." The letter says nothing of any use to an RSA customer worried about the security of their SecurID-protected systems and information. An RSA-led conference call, during which company officials did not take questions, provided no additional information.

Because RSA is refusing to actually say what happened and what information was stolen, all RSA customers must assume that everything was compromised and that their assets are hanging out there for the picking. I expect it is not that bad, but RSA seems to be trying very hard to ensure the maximum level of mistrust in itself. Its excuse seems to be that customers would be at more risk if they knew how much risk they had -- this is an argument that makes little sense to me.
Unlike some of its competitors, RSA keeps a copy of the key information used to authenticate a SecurID user. Since RSA is not saying, we have to assume that this information was stolen. It is almost as if RSA's decisions were being made by a mole working for a competitor.
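To make concrete why a stolen copy of that per-token "key information" is what matters, here is an added example that is not from the column, from RSA, or from any SecurID implementation. SecurID's real algorithm is proprietary and is not reproduced here; the example uses the public HOTP construction from RFC 4226 as a generic stand-in for a seed-based token, because the property being illustrated is the same for any such token: the verifier's copy of the seed is sufficient to compute every code the token will ever display, so the seed store has to be protected like a password database and re-issued once its secrecy is in doubt. The `Verifier` class, the `token-0001` serial and the replacement seed are constructed for the illustration; the enrolment seed is the published RFC 4226 test-vector secret, not a real token's. The example goes slightly beyond the column by also showing the two server-side controls a defender relies on here: a look-ahead window with counter advancement (so an already-used code is rejected), and re-seeding (so codes derived from the old seed stop working).

```python
# Added example: HOTP (RFC 4226) standing in for a seed-based hardware token.
# SecurID's actual algorithm is proprietary and is NOT implemented here. The
# point is generic: whoever holds the verifier's copy of a token's seed can
# compute every code that token will ever show, so that record is as sensitive
# as the token itself, and re-seeding is the only way to invalidate a leaked copy.
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Verifier:
    """Server side of a counter-based token scheme: one seed plus a next-counter per token (constructed)."""

    def __init__(self, window: int = 5):
        self.window = window          # how many counters ahead of the stored one we will accept
        self.tokens = {}              # serial -> [seed, next_counter]

    def enroll(self, serial: str, seed: bytes) -> None:
        self.tokens[serial] = [seed, 0]

    def reissue(self, serial: str, new_seed: bytes) -> None:
        """Replace the seed after a suspected compromise of the seed record; old-seed codes stop working."""
        self.tokens[serial] = [new_seed, 0]

    def verify(self, serial: str, code: str) -> bool:
        """Accept a code matching any counter in [next, next + window) and move the counter past it."""
        entry = self.tokens.get(serial)
        if entry is None:
            return False
        seed, next_counter = entry
        for c in range(next_counter, next_counter + self.window):
            if hmac.compare_digest(hotp(seed, c), code):      # constant-time comparison
                entry[1] = c + 1                              # this and every earlier counter are now dead
                return True
        return False


# Published RFC 4226 Appendix D test-vector secret; not a real token's seed.
RFC4226_SEED = b"12345678901234567890"


def seed_escrow_demo() -> dict:
    """Show that a leaked copy of the verifier's seed yields valid codes until the token is re-seeded."""
    v = Verifier()
    v.enroll("token-0001", RFC4226_SEED)          # constructed serial
    leaked_copy = RFC4226_SEED                    # the same bytes, held by someone other than the token
    results = {}
    # A code computed from the leaked copy is indistinguishable from one the token would show.
    results["leaked_copy_accepted"] = v.verify("token-0001", hotp(leaked_copy, 0))
    # The counter has advanced, so presenting the same code again is rejected.
    results["replay_rejected"] = not v.verify("token-0001", hotp(leaked_copy, 0))
    # Re-seeding is the remediation: codes derived from the old seed no longer verify.
    v.reissue("token-0001", b"constructed-replacement-seed-2011")
    results["old_seed_rejected_after_reissue"] = not v.verify("token-0001", hotp(leaked_copy, 1))
    return results


if __name__ == "__main__":
    for name, outcome in seed_escrow_demo().items():
        print(f"{name}: {outcome}")
```

The first four HOTP values for the RFC seed are 755224, 287082, 359152 and 969429, which is how a reader can check the `hotp` routine against the standard. The design point for a defender is in `seed_escrow_demo`: nothing in the verification path can tell a code computed from an escrowed seed copy apart from one the physical token produced, which is exactly why the column says customers who are not told what was taken have to assume the seed records were.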
You should take the above examples into account if you are in the decision path at a company that has a problem of some sort that will impact your customers. Timely honesty may be painful, but the pain will likely be far less damaging to your company than the festering that comes from delay and dishonesty.
Disclaimer: The above is my own observation of the results of not being prompt and honest. Harvard will make up its own mind if it needs to do so.
All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com