I was pleased last Thursday (January 29) to participate in the Workshop on Accountability at MIT. The general idea with the event was to focus on the distinction in cyber-security between developing protections that prevent policy violations or attacks versus developing ways to hold parties accountable for these things. When we think of typical legal frameworks they focus heavily on defining rules, expecting people to follow them, and then punishing them if they do not. For cyber-security the focus is often instead on prevention. Perhaps this is not always the best path; perhaps accountability can be cheaper, simpler, and adequately effective. The general issue is well-articulated in this CACM Article from 2008.
There was an interesting group on hand to discuss the matter. Here is the web page for the meeting. In addition to academics like myself there were some folks speaking on accountability and compliance at organizations such as NSA (John DeLong) and Facebook (Maritza Johnson). For instance, Maritza urged us to have a look at the Ireland Data Commissioner Audit Review of Facebook, a document that provides interesting insight in to privacy policies at Facebook.
I spoke on the topic of audit controls at hospitals in a session with Brad Malin (Vanderbilt) and Maya Bernstein (HHS). Here are my slides, which focus on the Random Object Access Model (ROAM) and how it might be used to validate audit log analytic systems.
I came away from the meeting with at least a new joke I learned from John DeLong. Here’s a version I’ve edited a little (to make the engineer look good):
A compliance officer, a lawyer, and an engineer are meeting to review the compliance of a device required to fill a glass with water. They test the device and find that it only fills the glass halfway.
The compliance officer is deeply concerned and says “This is a bad thing. We should inform the regulating authority immediately and tell management we will need to pay fines.”
The lawyer responds “This is not a problem. Did the regulations specify that the glass needs to be filled `to the top’? We should report that we are complaint.”
The engineer enters the discussion and says “No, no, the two of you are missing the point. This is a good thing. We should tell management we can save money since the glasses we have been buying are apparently twice as large as they need to be.”
I think there is a good learning point here about the need to avoid compliance rules that create too much negative energy or are met with cynical disregard for their meaning or inspire unanticipated distortions in the regulated entity.