The exposure surface

Clients handed over, in the course of normal security operations: administrative access to their systems; network topology and traffic patterns; internal communication infrastructure; details of their own security posture including known gaps; and operational data sufficient to reconstruct their business activity over time.

Each of these was a reasonable thing to share with a trusted security provider. Each is now in the hands of a party the clients have never met, never consented to, and in most cases never heard of.

The item the MCLU finds most troubling is the security posture assessment. Clients disclosed their vulnerabilities in good faith, expecting that information to be used in their defence. The undisclosed recipient now holds a candid catalogue of each client’s weaknesses, produced by the clients themselves. The MCLU invites reflection on how this came to seem like a reasonable outcome for anyone.

Who is most exposed

The clients who engaged most thoroughly. The ones who completed every phase, ran every exercise, and integrated the provider into their infrastructure planning because that is what good security practice looks like.

The exposure surface scales directly with the depth of trust. The more a client did everything right, the more comprehensively they are observed. The MCLU notes, for the record, that this is not how security relationships are supposed to work.