Posts Tagged “hack”

In the matter of a class action lawsuit against Ameritrade, U.S. District Judge Vaughn Walker has declined to approve a proposed settlement. He is concerned about whether the deal would provide any real benefit to Ameritrade’s customers, according to Wired Magazine.

But even if this settlement did provide a benefit to the customers, would it provide a benefit to the public? The deal apparently involves a one-year subscription to spam blocking software as well as an agreement that Ameritrade “monitor for cracks in its online security.” Apparently this deal does not include any money for the actual victims (but plaintiff’s counsel is apparently looking for $1.8 M in legal fees).

Ameritrade contends that this is a good settlement because there is “no evidence of identity theft.” Herein lies the problem. We know that customer records were compromised. We know that hackers had access to customer names, phone numbers, email accounts, and home addresses, but apparently there is “no evidence” that this compromise resulted in the release of social security or account numbers. Apparently unless the customers actually fell victim to identity theft, then “no harm no foul”.

Now, I’m not a lawyer, but I can see the legal argument supporting the argument that Ameritrade’s customers didn’t experience any loss as a result of this breach. Perhaps I should restate that – I can understand the logic of the argument, not that I personally agree with it.

What may be morally wrong is not necessarily legally wrong. What we as information security professionals need is actual case law surrounding data breaches. We have legislation but no actual examples of the law holding up in a court of law. If this case goes to settlement, then we will have to wait until another high-profile breach goes to court and hope that that too doesn’t settle.


The recent statements from Congressmen claiming to have been hacked by the Chinese really aren’t a surprise. In case you missed it, here is a brief review: Officials have indicated that the intrusions began in August 2006, although I would think that it has been taking place for much longer than that. Anyway, the extent is currently unknown, but Rep. Frank Wolf (R – VA) and Rep. Christopher Smith (R – NJ) were named as being among the targets. Other targets included other members of Congress and at least one congressional committee. Rep. Wolf is quoted as saying “They got everything”. China of course has yet to comment on this incident.

They have, however, offered comment on the allegation that they copied the contents of a laptop left unattended during a visit to China by Commerce Secretary Carlos Gutierrez last December. Foreign Ministry spokesman Qin Gang is quoted as saying:

“These reports are totally groundless… These allegations are highly irresponsible…. China has made clear our principled position on many occasions: China is opposed to computer criminality including hackers.”

Of course this is the diplomatic response. It isn’t like they could openly admit that they did this. It isn’t like they haven’t openly published statements concerning their use of information warfare to achieve their objectives. Oh wait – they did. Check out Unrestricted Warfare by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999). The book advocates a multitude of means, both military and particularly non-military, to strike at the United States. This includes hacking into websites, targeting financial institutions, terrorism, using the media and conducting urban warfare. Targets also include private companies in a form of economic warfare conducted against our country and its interests.

From Unrestricted Warfare:

“The reality of information exchanges and intertwining interests is continually broadening the meaning of warfare. Also, any country which plays a decisive role has various capabilities to threaten other countries, and not just with military means. The use of means singly will produce less and less effect. The advantages of the combined use of various kinds of means will become more and more evident. This has opened the door wide for supra-means combinations, and for the employment of these sorts of combinations in warfare or quasi-war actions.”

Just in case China’s own words don’t ring home, here are some quotes about China and its capability over the years:

“With the advent of the 21st Century, not only is it likely that many of the conflicts facing the United States and her allies will be of an asymmetrical and devolving nature, but it is also likely that” … “low-intensity conflict will be accompanied or compounded by computer/infrastructure attacks that may cause damage to vital commercial, military, and government information and confront communications systems.”

- Journal of Counter-Terrorism and Security International

“The potential advances in Chinese IW doctrine and capabilities have direct implications for U.S. national security. The ability of China to conduct IW against the United States in peacetime, confrontation, or conflict could pose severe challenges to defense planners.”

- Strategic Studies Institute

“China, Russia, and other nations have begun to focus on US commercial computer networks’ vulnerability in preparation for any future conflict.”

- CIA Director George Tenet, Wired Magazine

“In addition to developing wartime applications for its robust information control and perception management capability, China is pursuing IO/IW development as part of its overall military modernization.”

- Department of Defense Annual Report to Congress

While the most recent events are nothing new, I do hope that their blatant targeting of Congress will result in something more than hot rhetoric. Perhaps a Congressional Investigation over China’s activities against the United States’ public and private interests will result? Well, if it results in public outrage and a change in how we as a culture view the protection of information, then I’m all for it.
