Wednesday, January 28, 2004

The RISKS of IT

http://catless.ncl.ac.uk/Risks/
This seems to be a web interface to a newsgroup on risks related to the use of IT (news://comp.risks, RISKS-LIST, "Forum on Risks to the Public in Computers and Related Systems"). I didn't know it so far, but it's really quite interesting reading. For example, a post from January 5, "Danish PM's private communications disclosed by MS Word" (I think no direct link is available), is about the New Year's speech of the Danish Prime Minister, which was distributed in MS Word format. As most (?) people, also outside the IT world, could know by now, it's very easy to have a peek into the editing history of these kinds of documents when the text is not pasted into a new document before distribution. Last year, the British government was embarrassed by the same practice. As far as I remember, it had to do with different people around Tony Blair editing a document about Iraq's WMD. A trail of who made which changes was easily found in the press release.

So, the thing that strikes me the most is that even in 2004 governments are still sending Word docs to the press. Are they thinking that now this Word feature is public knowledge, everyone will act securely and think twice about sending Word docs around without first copying all text into a new document? But then, following this line of reasoning, you could also remove all corporate virus scanners from employees' email clients. They know how to discern legitimate correspondence from viral content. They will absolutely not open attachments which they don't trust. Sound like reality? Of course not. People like to click on things; they like nice pictures, something to laugh about during the day. People need to be secured from all kinds of evil, which could be upon them every minute of every day. The problem is that you can never rely on everybody following the most secure practices, even if they are common knowledge. Then you can just wait for something like this to happen someday, or more often.
Instead, change your policy and distribute everything as PDF, or some other closed format.

This doesn't mean, however, that people shouldn't be instructed about safe behavior. This is indeed quite important. But protective measures need to be in place to prevent these accidental kinds of things from happening. Sending PDF by default instead of Word helps a great deal with that. My idea would be that users should act responsibly, but need to be protected against themselves.

Well, now the Danish government will change its practice, according to this post ('"We will in the future distribute speeches as PDF files so that such things will not happen," says ministry spokesman Michael Kristiansen'). But it's acting after the disaster, where a preventive measure could easily have been taken.
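One such protective measure, as an added example that is not from the post or from RISKS: a pre-publication check that refuses a document while tracked changes (with their authors and dates) are still inside it. It assumes the modern .docx (OOXML) container rather than the binary .doc of 2004, and builds its own constructed sample document inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Constructed word/document.xml: one tracked deletion and one tracked insertion
# left in a draft, standing in for the revised speech in the post.
SAMPLE_DOCUMENT_XML = """<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
 <w:body><w:p>
  <w:r><w:t>We will </w:t></w:r>
  <w:del w:id="1" w:author="Editor A" w:date="2004-01-01T10:00:00Z">
   <w:r><w:delText>probably </w:delText></w:r>
  </w:del>
  <w:ins w:id="2" w:author="Editor B" w:date="2004-01-01T11:00:00Z">
   <w:r><w:t>certainly </w:t></w:r>
  </w:ins>
  <w:r><w:t>reform the system.</w:t></w:r>
 </w:p></w:body>
</w:document>
"""

def build_docx(document_xml: str) -> bytes:
    # Pack the XML into a minimal .docx-style zip (test fixture, not a full OOXML package).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

def find_revisions(docx_bytes: bytes) -> list[dict]:
    # Every w:ins / w:del still in the body is revision history that ships with the file.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    findings = []
    for kind in ("ins", "del"):
        for el in root.iter(W + kind):
            text = "".join(t.text or "" for t in el.iter() if t.tag in (W + "t", W + "delText"))
            findings.append({"kind": kind, "author": el.get(W + "author"),
                             "date": el.get(W + "date"), "text": text})
    return findings

def safe_to_publish(docx_bytes: bytes) -> bool:
    # Release gate: refuse the file while any tracked change remains.
    return not find_revisions(docx_bytes)

if __name__ == "__main__":
    doc = build_docx(SAMPLE_DOCUMENT_XML)
    for f in find_revisions(doc):
        print(f"{f['kind']} by {f['author']} on {f['date']}: {f['text']!r}")
    print("safe to publish:", safe_to_publish(doc))
```

Comments (w:comment) and document properties (docProps/core.xml) leak in the same way and would be checked by the same gate in practice.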