None of which will change those three points practically.
For any bit of information, they may not apply, but if you assume they’re true you’ll:
1) not record information that is truly damaging in a damaging way (which is really good practice in general if you’ve got something to lose!)
2) have practical operational practices which do not rely on these being false - which is a really good idea if that actually matters (you have actual enemies somewhere).
3) you’ll focus on safety and building value in areas which are not mere information at rest, which is a good modern practice.
Osama Bin Laden already knew all this, which is why it took so long to find him. A decade or so. I guarantee you the CIA has been learning this with all their leaks. The FBI learned this after COINTELPRO.
What is not written down can’t show up as a grainy photocopy in the New York Times, or a viral video from Wikileaks, or whatever.
What you’re talking about is a hammer to use to punish someone after a leak. But by then it’s far too late for anything actually valuable.
Necessary and important for ‘day to day’ stuff like bank account balances I guess, as long as you assume that they’ll be violated with little practical recourse if you have anything actually valuable in it.
Government regulation is what created and propped up Solar Winds.
I have to believe it's possible, but I have never seen any reasonable proposal for government regulation of infosec. Even disclosure requirements become bullshit and only harm everyone faster than they can get published.
While it's true that the best way to keep a secret is to keep it off the internet, regulation could absolutely improve the prospects of keeping secrets by requiring encryption in every context, imposing heavy penalties on companies that fail to properly secure sensitive data (much heavier than what we currently see, up to the corporate death penalty), and enshrining in law the people's right to strong encryption.
The best way to keep a secret is to never write it down, period. Or tell anyone.
If you do have to write it down (for practical reasons), it’s best to assume it will be leaked eventually and write it down with that in mind.
Even better, in your operational assumptions, assume it will then be leaked shortly afterwards and build in ways to work around that.
So for instance - key material should have easy ways to be revoked, rotated, etc.
Operational rules should be easy to update/push new versions, etc.
Authentication shouldn’t rely on parroting a well known value (SSN, a plaintext shared secret, a biometric, etc.), and should be easily changeable/rotatable.
Most of these we’ve been steadily baking into our day to day lives anyway.
What you’re talking about is necessary, but insufficient for anyone who has a secret they actually need to keep. At least in the modern world. None of those penalties are ever likely to actually occur either, because no one wants to pay them. And they know they will end up paying them at some point, because anything else is just not how the world works.
For classified top secret information all those rules apply in some form, yet we’ve had numerous high profile leaks of TS information for years. The intelligence apparatus has done everything they can to destroy said leakers, but with limited success - and those secrets are still out there.
And that is without financial incentive!
That’s all. Most folks won’t have those kinds of secrets thankfully! And when they do, they usually just don’t tell anyone.
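The "assume it leaks, so make it revocable and never parrot a static value" design from the comment above, as an added illustration (not code from any commenter): a keyring where secrets are addressed by a version id so they can be rotated and revoked, and an HMAC challenge-response check in place of sending the secret itself. All names (KeyRing, respond, verify, demo) are hypothetical.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field

@dataclass
class KeyRing:
    """Server-side keys, addressed by a version id so rotation needs no downtime."""
    keys: dict = field(default_factory=dict)   # kid -> 32-byte secret
    revoked: set = field(default_factory=set)  # kids that must never verify again
    current: str = ""                          # kid handed to clients for new sessions

    def rotate(self) -> str:
        kid = f"k{len(self.keys) + 1}"
        self.keys[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid

    def revoke(self, kid: str) -> None:
        self.revoked.add(kid)
        if self.current == kid:      # a suspected leak of the live key forces a rotation
            self.rotate()

def new_challenge() -> bytes:
    return secrets.token_bytes(16)  # fresh per attempt, so a captured answer is single-use

def respond(secret: bytes, kid: str, challenge: bytes) -> tuple:
    # Client proves possession of the secret without transmitting it.
    tag = hmac.new(secret, kid.encode() + challenge, hashlib.sha256).hexdigest()
    return kid, tag

def verify(ring: KeyRing, challenge: bytes, kid: str, tag: str) -> bool:
    if kid in ring.revoked or kid not in ring.keys:
        return False
    expected = hmac.new(ring.keys[kid], kid.encode() + challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time compare

def demo() -> dict:
    ring = KeyRing()
    k1 = ring.rotate()
    client_secret = ring.keys[k1]             # provisioned to the client out of band
    c1 = new_challenge()
    kid, tag = respond(client_secret, k1, c1)
    ok = verify(ring, c1, kid, tag)
    # Replay: an eavesdropper holding (kid, tag) faces a different challenge next time.
    replayed = verify(ring, new_challenge(), kid, tag)
    # Leak handling: revoke k1; even a correct answer under the old secret is refused.
    ring.revoke(k1)
    c3 = new_challenge()
    after_revoke = verify(ring, c3, *respond(client_secret, k1, c3))
    k2 = ring.current                         # rotation already produced a replacement
    rotated_ok = verify(ring, c3, *respond(ring.keys[k2], k2, c3))
    return {"ok": ok, "replayed": replayed, "after_revoke": after_revoke, "rotated_ok": rotated_ok}
```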
Streisand effect, etc.