Thinking a lot about what the BA and Marriott fines mean in a very near future where India, Indonesia, Brazil, Canada, etc.. and 30 US states all have similar penalties.

The current terribleness of information security needs to improve, but not sure that the instant corporate death penalty for getting, e.g. magecarted or breached by a state intel service is the right incentive structure.

RIP my mentions, of course, for everyone cheerleading for this as a deserved outcome for FB and Google.

But as a practitioner for many years, I don't think there's much evidence that anyone is ready for this, or really knows how to get ready. Or that anyone can play defense against states.

It's going to cause many companies to do a lot of data minimization; a good thing - but that's only viable to a certain point.

Hotels, airlines, logistics companies, telecom - are foundational components of the global economy and need customer data to do their business, or are required by other laws to gather and maintain it.

Who suffered what harm, and how much, from the BA breach?

BA has 50k employees and carries 125k passengers a day around the world.

What's the collateral harm of vaporizing it over that breach? Or Maersk? Or FedEx? Or AT&T?

What are the competitive incentives? Even my high school Shadowrun games weren't this ruthless. Would e.g. Boeing, or a hedge fund with a big position in Boeing, secretly spend a million $ to hack Airbus in a way that was sure to result in a billion $ fine?

Are basically all acquisitions of companies with any customer data dead? How could you possibly do enough diligence to discover from the outside a breach from years ago that the insiders haven't found yet?

And for those rooting for G or FB to get mega-fined for the next breach...once that happens - it probably will - how does any other org with a lower budget and less sophisticated infosec program (which is ~everybody) defend the reasonableness of their efforts?

I chose not to work for a crypto exchange years ago because small failures having infinite and irrevocable consequences felt too stressful and perfection unattainable. Seems every business is in that boat now, and just protecting private keys is super chill in comparison.

And if the next few years on the non-Chinese side of the Internet are about massive state confiscation, disruption and destruction of businesses, and a bunker mentality among survivors...

Probably good for my job prospects as a security pro, but how far ahead does Chinese tech pull in that time and how much more attractive does their model look to align with for Africa and the rest of Asia?

Probably the best career bet is to be an international bankruptcy lawyer specializing in how to liquidate and distribute assets among 50+ global sovereign government claimants trying to pick the carcass of something like a Hilton or UPS after a breach.