Hacker News
by Someone1234 3912 days ago
But who would you prosecute for what? It is easy to start pushing people under the bus, but when you look at cases like this you often find that it is an organisational failure, not an individual one.

That's why I really like the NTSB's style of investigation (they're the people who investigate air crashes). Instead of going in and trying to pin it on one person, they look at procedures, organisational communications, chains of command, the whole works.

Most of their reports don't come out and say "engineer John Smith caused the accident by forgetting to tighten this bolt!" They say, we looked at John Smith, we found the mistake, then we looked at how John Smith's work is monitored, the procedures for this repair, the training given, what their manager did, their working conditions, etc.

Then finally they come up with some recommendations so it cannot happen again. These are normally procedural, training, and organisational changes, rather than simply saying "nobody should make mistakes ever again or jail!"

This is what we need for information security leaks like this. We need an NTSB-style org to come in, pull apart the organisation and how they operate, give everyone criminal immunity so they talk openly, and then generate concrete changes so this never happens again (and ideally send these changes to other departments).

... Or just jail everyone, whatever...