Why data security regulation is bad

January 17, 2012

The first government knee-jerk reaction to a data breach is to create more privacy compliance regulation. This is analogous to shooting yourself in the foot while holding the loaded weapon in one hand and applying band-aids with the other.
Democracies like Israel, the US and the UK have "a tendency to extremism tempered by having to compromise" (courtesy of D.M. Thomas in his NY Times book review of Philip Roth's "Operation Shylock").
In my previous post "Insecurity by compliance", I considered the connection between being a free-market democracy like the US, Israel or the UK and having a serious privacy and credit card data security breach problem, and my essay "The Israeli credit card breach" delved into the root causes of why Israeli organizations have poor data security.
Following yesterday's attacks on the web sites of El Al Israel Airlines Ltd and the Tel Aviv Stock Exchange, Israel Discount Bank and First International Bank of Israel announced that they have blocked access to their websites from outside Israel.
I am not surprised that IDB and FIBI are resorting to primitive methods like blocking by IP address. If you have ever dealt with one, you know that the security management strategy of a banking institution is often driven by internal politics and relies on outsourcing information security operations to security consultants, who naturally want to reduce their own exposure rather than the bank's total value at risk.
Shutting down access to a web site based on the geographic source of an IP address is a weak countermeasure against a determined attacker, since it is simple to mount the attack from a server, or from a network of compromised Windows PCs, located in Israel with Israeli IP addresses. At best it raises the cost for opportunistic scanners; it does nothing against an attacker who has already chosen the target.
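To make the point concrete, here is an added example (my own illustration, not code from the original post or from either bank) of a country allowlist applied to incoming web requests. The prefixes are RFC 5737 documentation ranges standing in for "Israeli" address space, and the sample requests and header values are constructed for the example. It shows the two ways the control fails: a request relayed through an in-country host is indistinguishable from a real customer, and if the filter geolocates the client-supplied X-Forwarded-For header instead of the TCP peer address, the attacker does not even need a relay.

```python
import ipaddress

# Constructed allowlist for the example: RFC 5737 documentation prefixes,
# NOT real Israeli allocations. A real deployment would load a GeoIP
# database or the RIR delegation files instead.
IN_COUNTRY_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_in_country(ip_text):
    """True if the address falls inside one of the allowed prefixes.
    Unparseable addresses fail closed (treated as out of country)."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(addr in net for net in IN_COUNTRY_PREFIXES)


def decide(request, trust_forwarded_for=False):
    """Return "allow" or "block" for one request.

    The address worth geolocating is the TCP peer (remote_addr).
    trust_forwarded_for=True reproduces a common mistake: geolocating the
    client-supplied X-Forwarded-For header, which the attacker controls."""
    ip = request["remote_addr"]
    xff = request["headers"].get("x-forwarded-for")
    if trust_forwarded_for and xff:
        ip = xff.split(",")[0]  # left-most hop is whatever the client sent
    return "allow" if is_in_country(ip) else "block"


def run_filter(requests, trust_forwarded_for=False):
    """Apply decide() to every request and return the list of decisions."""
    return [decide(r, trust_forwarded_for) for r in requests]


# Constructed sample traffic (hypothetical addresses and headers).
SAMPLE_REQUESTS = [
    # 1. ordinary domestic customer
    {"remote_addr": "192.0.2.10", "headers": {}},
    # 2. foreign scanner hitting the site directly
    {"remote_addr": "203.0.113.7", "headers": {}},
    # 3. foreign attacker who merely claims a domestic address in a header
    {"remote_addr": "203.0.113.9",
     "headers": {"x-forwarded-for": "192.0.2.77"}},
    # 4. foreign attacker relaying through a domestic host (the case the
    #    post describes): the TCP peer is in-country, so it looks like #1
    {"remote_addr": "198.51.100.44", "headers": {}},
]


if __name__ == "__main__":
    for label, trust in (("peer address", False), ("X-Forwarded-For", True)):
        print(f"geolocating {label}: {run_filter(SAMPLE_REQUESTS, trust)}")
```

Run stand-alone it prints the decisions for both configurations. Geolocating the peer address blocks the direct foreign requests but passes the relayed one; geolocating X-Forwarded-For passes the header-spoofing request as well, which is why a filter of this kind must only ever use the peer address or a header set by a proxy the site itself operates.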
From the government end, there are cries for more Web site security compliance regulation.
I will give the Israeli Ministry of Justice credit for having done nothing for over 20 years on updating the Israeli privacy law. There is really nothing basically wrong with the law; it just needs to be enforced. For that, you need police officers who know how to read English; see my earlier post on that problem.
Even now, I suspect that the Ministry of Justice is just treading water and reacting to the recent spate of credit card and web site breaches by the so-called Saudi hacker.
Security by compliance does not improve data security. A standard publishes the minimum a company must do, and an attacker can read that minimum as a map of what the company has probably not done and look there for holes in its defense.
