At a Federal Trade Commission hearing on Wednesday, Malcolm Harkins, chief security and trust officer at Cylance, will pitch his pet idea: The government should hold companies that make security software — like his — accountable.

The big picture: Harkins is hoping the FTC will require companies to "disclose all of the controls that failed" during a breach — from the security flaws exploited by hackers to the security products that didn't capture them.

  • "Do what the FAA does. They report the primary cause of the problem, like a broken wheel, and all of the contributing factors that didn't stop it," Harkins told Codebook.

To be clear, this isn't the type of idea the FTC usually goes for. The FTC's regulatory powers are largely based on its mandate to fight unfair practices — in cybersecurity that means deceptive claims of privacy protection. It's not an IT advice shop.

  • "The FTC has historically been averse to specifying security measures or products that a company should employ," noted Julie O'Neill, former FTC staff attorney and current privacy and data security partner at Morrison & Foerster.
  • That doesn't make it any less interesting an idea for someone, somewhere to run with.

Why it matters: If Harkins' idea ever gets adopted, we'd know a lot more about blind spots in breach prevention.

  • Organizations typically use multiple security products designed to thwart breaches at different points in the process — one product may detect strange computers trying to log in, another might detect malicious code being run, and a third might detect data being stolen.
  • But when the public hears about breaches, while we might learn about the initial entryway into the network, we don't tend to hear about why none of those products halted the hackers' progress.
  • Harkins compared it to how the government intercedes when there's trouble with automobile parts. "Takata was crucified," he said of the airbag maker forced into a massive recall. "Why aren't we crucified?"

That doesn't mean breaches always result from problems with products. But a company whose product roster matches that of a breached competitor might want to know how that combination failed.

  • This would be a good way to identify less capable systems or show how to improve capable ones.
  • If companies have clear gaps in their security product systems, knowing their negligence would be exposed might motivate some action.

Security vendors would almost definitely push back against any such scheme, as has happened whenever Harkins has brought up his idea in the past.

  • Vendors argue that breaches that circumvent their products often happen thanks to factors beyond their control: misconfigured software, poorly trained IT staff, other user error.
  • Harkins has a different explanation for the resistance: "They're embarrassed about major breaches they didn't prevent. And they should be."

The bottom line: The security industry is not at a point where it's comfortable with the message that "even the best products staffed with the best people will occasionally fail" — nor is the public ready for that nuance.
