At what point does negligence constitute having to be responsible?
Just the other day another CA (Certificate Authority) was “hacked.”  Gemnet, a subsidiary of KPN-Telecom to be exact.  This is kind of a big deal, and is the latest in a group of CA hacks.  But this one, unlike some of the others, was quite trivial and thus gets quote marks around “hacked.”  It isn’t as if toads will fall from the sky, locusts will eat all our crops, or one-half-dozen-minus-two horsemen will race across the plains.  But given that I have to trust a CA to ensure that the X.509 certificate for the SSL connection I am using to my bank is real, and thus that I am actually connected to my bank, it is a bit important to me.  Same goes for any site really.

Over the last decade we have seen a lot of regulatory acts put into place to force companies to secure their servers and their data.  Take SOX, PCI, and HIPAA for example.  But is it the fault of the bank if the CA they used to sign the certificate for their online banking gets hacked?!  E.g. should there be a due diligence requirement for the bank/vendor to now audit the security posture of the CA/security vendor?  Where are the regulations from ICANN, governments, etc. forcing such critical security roots to be, well – secure?  Does a CA that has proven it can’t secure itself deserve to tell others what should or should not be trusted?

And while I am asking questions: At what point do we consider gross negligence to be grounds for criminal / civil action against a company?  Being a CA should be a big deal.  After all, you are the root of the trust relationship I am relying upon to validate the identity of my online bank, the online store I am using, etc.  If you publish your open source database admin tool on your public-facing web server and then go on to not bother setting a password, shouldn’t someone somewhere be fined or possibly go to jail?  If we had licenses to be systems admins, perhaps this would be grounds to lose your license or have it suspended, but we don’t, so it isn’t.

Does a company that has had a breach owe its customers a refund, damages, etc.?  If you, as a business owner, used that CA, and during the time of the compromise your customers were told your certificate didn’t match the root, do you sue the CA for damaging your brand name and customer loyalty / trust?

I am also not the biggest fan of compliance being used as a synonym for being secure.  Because, well, it isn’t, no matter how you squint your eyes and look at it.  But it is a good place to start and a nice carrot to use when getting internal funding, resources, or attention to address a potential problem.  What we need is enforcement of regulations and standards.  There need to be consequences for failing in your fiduciary responsibility to the consumer and your customer.  For that matter, why isn’t the CA hiring some small security boutique to at least run a pen test?