
Seems strange to not mention the ransomers as having culpability.

I'm 100% in favor of better systems/processes/technology to prevent exploits, but I'm also 100% in favor of blaming the perpetrators of the ransom also.

In the real world we don't accept the argument that the victim is primarily at fault.

  * leaving your car unlocked doesn't mean that it is OK for someone to steal it and demand a ransom for its return

  * leaving your house/apartment unlocked doesn't mean that it is OK for someone to swap out the locks and demand ransom for the new keys

And it really isn't about being locked/unlocked. Doors and locks can generally be easily broken or bypassed, doesn't mean that everyone should have to purchase industrial strength doors and locking systems (and windows, and...).


You're confusing ethics with legal liability. Nobody is saying IT is ethically responsible, they're saying they are legally responsible since the entire reason they get a paycheck is to prevent these sorts of things. Reduce it to a contractual matter if that assuages your conscience.

If you hire a bodyguard and still get shot while the bodyguard is on his phone both the perpetrator goes to jail and the bodyguard gets fired/pays restitution. Not that unheard of. It's not like one person gets all of the legal and ethical blame and everyone else is entirely absolved.


I'm not confusing things. I'm saying that public discussion seems to migrate towards prevention/mitigation and de-emphasizes the criminality. I'm arguing that we not forget that and pointing out that it was missing from the post I responded to.

In your bodyguard example I don't think in that type of a situation that people fixate on the quality of the security detail. They rightly demand that the shooter be tracked down.


People talk about it that way because locking your doors is more pragmatic than eliminating every criminal in the world for all time? Because the purpose of conversation about preventable injuries should be constructive, rather than idle? Because whether someone should do bad things should be a discussion between people who do bad things, but people who are victims should be discussing how not to be victims? Because when someone trusts you to protect something, there's 1) an assumption that that thing could be damaged, or else no reason to have hired you to protect it, and 2) a moral responsibility as the person entrusted with guarding it to do a good job, or else your taking money is wasteful and your promise made in order to get it is fraud?

Any number of reasons all boiling down to the same reason: what does calling bad people bad accomplish? Best for people who want to be good to talk about how to be good.


We have the same likelihood of bringing the criminals to justice as someone who left a laptop on a bench at an international airport for several days and then went back to look for it.

We can blame the criminals, but we will always have criminals when the crime is easy.

Those who are really responsible here are the ones who allowed themselves to become dependent on an ancient and insecure operating system.

To me, the buck should stop with the head of the hospitals.


What's the point of discussing criminality? The criminal justice system is centralized and functions independent of public interest in getting results from it. (And, in fact, functions better when the public is mostly unaware of crime, re: jury selection.)

The civic justice system, on the other hand, is completely driven by public interest—nothing gets done to change things unless somebody (or some class) bothers to sue.


> What's the point of discussing criminality?

Well, for one thing, we could try to think of ways how to catch these criminals, how to help law enforcement.


Leaving your car or house unlocked means that you're negligent, not that the attack is your fault.


Exactly, and if you had someone's important confidential information sitting on the seat (or even on an un-encrypted laptop), you would be liable for that loss.


The thief would still be held accountable if caught. That is what g is saying, that we just gloss over the thief in this case.


Of course the ransomware authors/controllers should be (and are) culpable.

But when financially lucrative attacks can be carried out with very little risk of being caught, and the results are so bad, organizations who don't take security very seriously are at fault for not recognizing the threat landscape, and government is at fault for not recognizing that the market isn't solving this problem, stepping in and requiring higher quality assurance or liability for software.


> In the real world we don't accept the argument that the victim is primarily at fault.

If you're worried about X, and Y promises to prevent X for a cost, you seek recourse against Y.

X: I can't miss this flight. Y: Pay this surcharge to reserve a seat. Overbooking ensues. I'm blaming Y and not the other passengers.

X: Really don't want this disease to kill me. Y: Take these pills to not die. Death ensues. I'm (well somebody else is) blaming Y and not the disease.

In life we can't always control the cause so we aim to minimize the effect. Thus, while the ransomers are culpable for the blast, IT security are accountable for the size of the blast radius.


You are downgrading and equating intentional criminal acts to normal day-to-day unpredictability.


They're not the same but when you can't control the cause what's the difference?

Due to the nature of the web, unless you unplug from the Internet, the risk is persistent. So although a cybercrime-free world would be swell, until that day arrives we must control the effects.


> unless you unplug from the Internet

I'm not convinced this isn't the answer. What are we gaining by putting hospital networks on the Internet? Are those gains worth the cost in increased vulnerability?


The only thing I think we gain is we're able to track patients better.


How we talk about these situations and the expectations we have are very important. If we collectively signal that extortion is OK and just something everyone needs to get used to then you are de-stigmatizing criminal behavior. I don't think that is a good idea.


I agree, extortion is not OK. Simply saying that this could have been mitigated and if there's someone's job to mitigate things like this, it's on them.


You don't have to look hard to find criminal activity referred to as an epidemic.

Which is to say, that public health countermeasures and similar modes of risk-mitigation apply.


In both those situations whilst it isn't the victim's fault, it will invalidate their insurance and any loss is theirs to sort out. So when buying IT services you need to include in the contract the security of it too, a Ransomware attack such as this (and not just because one user infects one machine) would be the fault of the IT provider.


Very few people would argue that it's "OK" to commit crimes that you are capable of getting away with. It's the victim's "fault" as it is the fault of a person who doesn't wear a seatbelt and dies a preventable death in a car accident that they died i.e. not a moral failure, just a failure.


Of course they're culpable, but crime is an environmental problem you have to deal with, just like bad weather. No amount of shaking your fist at the clouds is going to mitigate the problem of a leaky roof.


I am explicitly rejecting that analogy. Human behavior is not like weather at all. The expectations that we set for our community/society are important.

Bad weather is indifferent to the shaking fists. It won't get worse or more frequent if people fail to shake their fist. But human behavior is very much responsive to feedback from other humans. I'm arguing that we should all be shaking our fists when we see extortionists at work as well as tracking them down and punishing them. And we should also take care to protect ourselves from them. It isn't a binary choice.


The first words I wrote were 'of course they're culpable.' Human behavior is very much like the weather in that our actions today shape the environment of tomorrow, albeit by long and often obscure causal chains.

Nowhere did I assert that it's a binary choice, and that interpretation of my words only makes sense if you ignore chunks of what I'm saying. Over the near term, you're not going to eliminate crime by moral suasion so it's important to have a strategy to mitigate its predictable incidence while we also work on the problem of how to reduce crime through deterrence, reducing incentives, and so on.


You can explicitly reject the analogy.

That doesn't make you correct.

https://www.ncbi.nlm.nih.gov/pubmed/9532958

Crime is a public health issue. It shares common causes with ill health, particularly poverty, and fear of violent crime is itself a major cause of anxiety. Community development in pre-school education, parental education, and among ethnic minorities, both reduces crime and promotes better health, for example in reducing the effects of alcohol and illicit drugs. Health workers should contribute in full to community development.

I note that I'm standing with my earlier characterisation of a public health domain rather than weather, but both carry very strong similarities, including a risk / forecast / mitigations approach.


There is no international community which regulates acceptable behavior for international criminal organizations.


Well said.

+2 for that ;)



