In an interview following his presentation at the ISSA International Conference in Nashville, Tenn., Professor Glenn Harlan Reynolds, the Beauchamp Brogan Distinguished Professor of Law at the University of Tennessee's College of Law, sat down with SearchCIO editorial director Christina Torode to explain the benefits of whistleblower protection and how an "army of Davids" is changing the security profession.
You gave a talk this morning titled 'Don't Fear the Leakers.' In that talk, your point was that leaks can be a good thing for security and for security professionals. Can you explain that to me?
Glenn Reynolds: The point of my talk is that leaks build trust, in a way. The federal government is so big that everybody accepts that the president can't really keep track of everything that's going on. The elected officials can't keep track of everything that's going on in the federal government. The only people who know what's going on in the federal government all the time are the people who are doing whatever is going on in the federal government.
We assume that there can't be anything too bad going on, because if there were, it would leak out. That's only true if it's possible for people to leak things and if they know when to blow the whistle on bad things and when not to. My suggestion is you actually build trust in the system by allowing for people to blow the whistle on bad things. When you build trust in the system, you ultimately make the system more secure.
Do corporations have a culture that encourages whistleblowing and whistleblower protection? How can you start to develop that kind of culture?
Reynolds: I think there is an issue within corporations, because while corporations aren't as big as the federal government, some of them are awfully large, so you have the same problem. Sometimes the whistleblowing may not be to the public, but to superiors within the corporation or the people who are in charge of compliance, or it may be to people outside the corporation. I think you need a culture where people know the difference between right and wrong and when that should transcend the natural team loyalty that you feel within any organization.
Do you think that there should be legal protection for whistleblowers?
Reynolds: I do. There is something called the Whistleblower Protection Act from 1989, and it was recently amended to give it a little more strength, but it really doesn't do very much. It only applies to federal whistleblowers anyway. I think that it ought to be something people can claim as a defense when they're charged with crimes for blowing the whistle and things like that. I think that we want a situation in which people who really have something serious to blow the whistle on don't fear that their life is going to be ruined as a result of doing the right thing.
What about accountability? I was reading an article recently where, in it, you talk about how in government it often comes down to 'we didn't do that' or 'that was you who did that,' so it's hard to figure out who was in charge of something if something does go wrong. How can you build transparency and accountability into it?
Reynolds: That's another problem -- a separate problem, but it's a real problem. Large organizations have the problem that nobody is really in charge. They sometimes break down into something kind of like feudalism, where you have a lot of fiefdoms within the corporation or within the government agency. The good thing about feudalism is at least you always know who's in charge.
More from the ISSA conference
More information security focus predicted for 2014
ISSA conference attendees talk whistleblowing, cybersecurity trends
A lot of times you get what Hannah Arendt called the 'bureaucratic diffusion of responsibility,' where nobody really is to blame for anything that happens. That is something we need to work on. I think we need clearer lines of accountability and transparency to deal with that. That's true inside or outside of the government.
What about your book, An Army of Davids? Can you talk about the book and how technology is empowering everyday people?
Reynolds: Well, I think we're living it now. Here I am having my [video] interview being done. Not that long ago, there would've been a gigantic camera and a whole crew around. Here, we have a microphone and a MacBook Air -- it's even a small MacBook Air. The video [camera] is actually an iPhone. ... All of this stuff that once would've been the resources of a major TV network, or at least a major local TV station, and now it's stuff that literally fits in a briefcase. That lets people do all kinds of things that formerly only big organizations can do.
You've seen it in news gathering, you see it in spontaneous organization that forms via social media around various topics or causes. You see it in a wide variety of areas, and I think the big theme of the 21st century is individuals sort of bypassing big organizations and doing things on their own or organizing each other sort of horizontally without any vertical structure at all.
Does that have any implications for security professionals?
Reynolds: Yes, security professionals are living this stuff all the time. You can be in charge of IT security for a big company, you could have tens of millions of dollars' worth of security equipment and personnel, and you're being jerked around by some guy with a $500 laptop in China. They're living it all the time and, you know, not all the Davids are good.