Integrity is the often understated and sometimes ignored third leg of the information security triad: confidentiality, integrity and availability.
Confidentiality gets lots of press attention as privacy breach stories make headlines. Availability needs no headlines to get attention since everyone immediately knows when their information isn’t accessible. Poor integrity, however, is like debating scientific consensus. It’s a step into Plato’s philosophical conundrum of shadows on a cave wall. What is right, what is real?
I’ve said for a decade or more now that we are in the age of integrity breaches. Moreover, I’ve said we have largely solved for confidentiality and availability…
With that in mind, the following story highlights once again how the security industry must immediately focus itself more on integrity solutions.
British Prime Minister Rishi Sunak has said he will introduce measures to reverse the convictions of more than 900 Post Office branch managers wrongly accused of theft or fraud because of a faulty computer system in what is considered one of the gravest injustices in the nation’s history.
The announcement Wednesday follows a TV docudrama on the wrongdoing that created a huge surge of public support for the former postmasters who have spent years trying to reclaim lives ruined by the scandal.
A TV show.
It was a TV show that forced top managers of a fraudulent and corrupt information system to admit their abuse of innocent users.
That’s a textbook definition of integrity being compromised. Integrity was hacked. And from all accounts this was an easy case to prove.
This case should also be seen as foreshadowing, given the NHS deal being inked with a notoriously immoral firm, Palantir. Expect even more lives to be ruined at a faster pace and in more ways.
The phrase Integrity Breach is what government regulators need to become comfortable with, and start to enforce ASAP with clear boundaries, as they have done with “privacy breaches” (e.g. California’s SB1386 in 2003) or “downtime”.
To put it another way, if computer engineering were even remotely disciplined like any other engineering skill, when someone grossly violated the duty to do no harm to society (e.g. when they built bridges that collapsed) there would be some accountability and far less fraud.