<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-13119048</id><updated>2012-01-23T05:41:00.728-08:00</updated><title type='text'>Information Security Law</title><subtitle type='html'>A look at information security issues from a legal perspective.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>22</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-13119048.post-403724546636241048</id><published>2011-05-15T14:04:00.001-07:00</published><updated>2011-05-15T14:04:07.734-07:00</updated><title type='text'>Multidisciplinary Practices the Only Way to Go</title><content type='html'>&lt;p&gt;I just made the following post yesterday to an American Bar Association message board about a DC firm implementing a sort of multidisciplinary practice.&amp;#160; I believe this is 
particularly relevant for those practicing information security law given its interdisciplinary nature.&lt;/p&gt;  &lt;p&gt;The current law firm model is an anachronism.&amp;#160; Nearly all other professions have embraced the needs of their customers/clients who want quality services at reasonable prices.&amp;#160; The law profession, particularly Big Law, has used legal and social barriers to drive up costs for their clients.&amp;#160; The hiring process is so skewed in favor of pedigree (what other profession cares about class rank 20 years after someone has been practicing?) that the labor pool for Big Law is artificially constrained and salaries and billing rates are inevitably driven up as a result.&amp;#160; Lawyers, knowing the law better than anyone, have managed to maintain rules barring MDP under the guise of ethics even though nearly every other profession uses MDPs and is frequently viewed as being more ethical than lawyers.&amp;#160; Let’s rid ourselves of notions that lawyers who report to non-lawyers can’t be ethical.&amp;#160; General counsel and many government lawyers do it every day.&amp;#160; Law firms do it when they say no to an important client who makes up the majority of their revenue.&lt;/p&gt;  &lt;p&gt;We need to stop pretending that we’re so different in order to justify the competitive restraints we’ve imposed on our clients.&amp;#160; The law profession in the United States is one huge anti-trust violation.&amp;#160; For the sake of our clients, who are frequently left making substandard decisions based on limited or no representation, we need to adopt MDP and move into the 21st century like everyone else. 
&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/403724546636241048/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=403724546636241048' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/403724546636241048'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/403724546636241048'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2011/05/multidisciplinary-practices-only-way-to.html' title='Multidisciplinary Practices the Only Way to Go'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-7301679843203657550</id><published>2010-06-15T17:44:00.001-07:00</published><updated>2010-06-15T17:44:07.533-07:00</updated><title type='text'>More Cybersecurity Bills, More of the Same</title><content type='html'>&lt;p&gt;With the amount of cybersecurity legislation being proposed these days, one would think that someone would come up with an innovative and fresh perspective on the issue.&amp;#160; Unfortunately, we’ve been largely subjected to more of the same attempts to give the issue more prominence by creating new bureaucracy and slightly more funding and offering largely symbolic mechanisms to respond to incidents.&amp;#160; As an 
example, the bill entitled “Protecting Cyberspace as a National Asset Act of 2010,” &lt;a href="http://hsgac.senate.gov/public/index.cfm?FuseAction=Press.MajorityNews&amp;amp;ContentRecord_id=227d9e1e-5056-8059-765f-2239d301fb7f"&gt;S. 348&lt;/a&gt;, offers great promise but falls short when examined more closely.&lt;/p&gt;  &lt;p&gt;Among other things, the bill would create “an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director.”&amp;#160; And while I like the fact that the newly created office will have the power to review cyber security budgets of federal agencies, it is only an advisory power, which presumably DHS could exercise right now if they wanted to.&amp;#160; Moreover, the enforcement power seems a little weak:&lt;/p&gt;  &lt;p&gt;&amp;quot;(4) if the policies or activities of a Federal agency are not in compliance with the responsibilities of the Federal agency under the National Strategy— (A) notify the Federal agency; (B) transmit a copy of each notification under subparagraph (A) to the President and the appropriate congressional committees; and (C) coordinate the efforts to bring the Federal agency into compliance;&amp;quot;&lt;/p&gt;  &lt;p&gt;We already have inspectors general that are supposed to perform this function, as well as GAO.&amp;#160; I'm not sure why adding another oversight body, which will presumably be underfunded anyway, will make much of a difference.&amp;#160; In the end, agencies will just end up punishing those who have been pleading for more funding when there are audit findings.&amp;#160; While we can hope that the Cyberspace Policy Office will be able to force more funding, I'm not optimistic given the current budget constraints.&amp;#160; Moreover, much of the language encourages CYA behavior of agencies that may just lead to the generation of more useless paperwork in response to endless audits.&amp;#160; Additionally, more extensive monitoring, which is generally a good thing, 
will likely lead to the discovery of more compromises that went unnoticed before, leading to more finger pointing, more audits, and less time spent trying to secure systems.&amp;#160; The better solution is more individual accountability, which is hard to achieve with CIOs and CISOs bouncing from one agency to another.&lt;/p&gt;  &lt;p&gt;On the private sector side, there is even less to be excited about.&amp;#160; Like most previous bills, the Lieberman bill tries to thread the needle by attempting to give the federal government more authority to act in an emergency without taking over private assets.&amp;#160; And according to &lt;a href="http://techdailydose.nationaljournal.com/2010/06/groups-wary-of-scope-of-latest.php"&gt;National Journal&lt;/a&gt;, the bill is not intended to provide a &amp;quot;kill switch&amp;quot; for Internet connections but instead provides other mechanisms.&amp;#160; &amp;quot;Such actions might include ordering a private sector operator not to accept incoming traffic from a particular source, Lieberman said.&amp;quot;&amp;#160; Of course, without a mechanism to force DHS and other agencies to declassify, de-SBU, or de-FOUO such information, one may wonder if private sector agencies will ever get the instructions needed to block the source.&amp;#160; Moreover, private sector organizations have been clamoring for such actionable information for some time.&amp;#160; Few of them would need to be forced to block such sources of attack.&amp;#160; That's already being done regularly through informal relationships between government and private sector entities facilitated by groups such as the Forum of Incident Response and Security Teams (FIRST).&amp;#160; What we don't see is any evidence of private sector agencies refusing to take a specific action based on government recommendations.&amp;#160; Instead, what is missing are specific recommendations from government based on threats occurring in real time.&amp;#160; This legislation does 
nothing to force that to happen.&amp;#160; Moreover, by the time the government has decided what action to take, the private sector organization would probably have already taken the needed action, or it will be too late.&lt;/p&gt;  &lt;p&gt;Finally, the language on liability protection seems a bit troubling.&amp;#160; According to &lt;a href="http://news.cnet.com/8301-13578_3-20007418-38.html?tag=topTechnologyNews;editorPicks"&gt;CNET&lt;/a&gt;, &amp;quot;If there's an ‘incident related to a cyber vulnerability’ after the president has declared an emergency and the affected company has followed federal standards, plaintiffs' lawyers cannot collect damages for economic harm. And if the harm is caused by an emergency order from the Feds, not only does the possibility of damages virtually disappear, but the US Treasury will even pick up the private company's tab.&amp;quot;&amp;#160; First of all, the government has little knowledge of the private sector's business processes, and while this defense falls within the common law principles of public necessity, this is hardly as simple as tearing down a house to keep the entire city from catching fire.&amp;#160; Private sector entities will likely use the emergency declaration as a fig leaf to imply that all their actions or failures to act were dictated by the emergency declaration and that the government's failure to prescribe other actions was intentional and precluded them from taking such actions.&amp;#160; Do we really want private sector, or even public sector, organizations blindly accepting an order from DHS and not being held accountable for not telling the government about the potential consequences?&amp;#160; For example, what happens if the government asks an oil pipeline operator to block a TCP port that the operator uses to monitor pressure in the pipeline and, as a result, the pipe bursts and millions of gallons of oil spill into an environmentally sensitive area?&amp;#160; Do we want the 
government to take all the heat for something like that when the pipeline operator knew about the potential consequences?&lt;/p&gt;  &lt;p&gt;I hate to pour cold water on all these seemingly genuine, but misguided, efforts to improve cybersecurity, but I've yet to see any evidence that the federal government is capable of doing more than providing intelligence and thought leadership to the private sector and funding research and development into new security technologies.&amp;#160; The only other thing is laws that demand accountability, but so far we don't seem to be very good at that either if the financial sector reforms are any guide.&amp;#160; Moreover, we can't even definitively say what controls and funding are needed for a given organization to prevent a compromise with any degree of actuarial reliability.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/7301679843203657550/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=7301679843203657550' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/7301679843203657550'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/7301679843203657550'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2010/06/more-cybersecurity-bills-more-of-same.html' title='More Cybersecurity Bills, More of the Same'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-8851480763905962908</id><published>2010-04-17T19:34:00.001-07:00</published><updated>2010-04-17T19:34:45.495-07:00</updated><title type='text'>Is Privacy Destroying Security?</title><content type='html'>&lt;p&gt;In reading a recent post entitled &lt;a href="http://granitekey.blogspot.com/2010/03/smart-grid-privacy-smoke-screen.html"&gt;“The Smart Grid Privacy Smoke Screen”&lt;/a&gt; describing how relatively low impact privacy concerns are masking some more significant security vulnerabilities, it got me thinking that this issue is broader than just the Smart Grid.&amp;#160; And it makes me question what Privacy’s role is today, some thirty years after the &lt;a href="http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html#part2"&gt;OECD Privacy Guidelines&lt;/a&gt; were first released.&amp;#160; Back then, security was just a single reference (Security Safeguards Principle) that simply noted that security was an important element to making privacy successful.&amp;#160; After all, the adage that you can have security without privacy but you can’t have privacy without security is as true as ever today.&amp;#160; Perhaps that’s why so many in the privacy community have been the champions of encryption at all costs even if they don’t completely understand how it works.&lt;/p&gt;  &lt;p&gt;The truth is that privacy’s purview is relatively narrow.&amp;#160; It really asks who should be given access and for what purpose.&amp;#160; Everything else is about security.&amp;#160; And not surprisingly, because the answer to that question can vary significantly depending upon the organization, the subject of the information, and the type of information, discussions in that area become somewhat unsatisfying.&amp;#160; Instead many become involved in somewhat high-level discussions of 
security issues.&amp;#160; As many security professionals will tell you, privacy professionals are often less technical, but because many are lawyers who have the ear of the CEO, such high-level technical guidance suddenly becomes the new mandate for the chief information security officer.&amp;#160; Moreover, the objectives of privacy are often somewhat squishy and personal.&amp;#160; People willingly give up their privacy on a daily basis in exchange for access to some information or to save money on what they buy.&amp;#160; That makes defining misuse of private information much more difficult.&amp;#160; We all agree that stealing one’s bank account information for the purpose of withdrawing funds is always a bad thing.&amp;#160; However, selling magazine subscription information to marketing firms that send out junk mail is just one of many consequences we’ve come to expect.&lt;/p&gt;  &lt;p&gt;Let’s not forget that compared with cyber attacks that put lives at risk or result in significant financial losses, the value of the dignitary right of privacy hardly holds a candle.&amp;#160; The message to the privacy professionals out there is to focus on the who and for what purpose, and leave the security to the real experts.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/8851480763905962908/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=8851480763905962908' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8851480763905962908'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/13119048/posts/default/8851480763905962908'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2010/04/is-privacy-destroying-security.html' title='Is Privacy Destroying Security?'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-7900402864354506234</id><published>2010-03-20T12:37:00.001-07:00</published><updated>2010-03-20T12:37:15.999-07:00</updated><title type='text'>Compliance in the Cloud?</title><content type='html'>&lt;p&gt;A few weeks ago, I was part of a panel at the RSA Security Conference called “Cloudy with a Chance of Litigation.”&amp;#160; This panel of lawyers and security practitioners tried to anticipate the kinds of legal issues that would arise in litigation, from liability of providers for security compromise to the dicey issues of e-discovery of something as amorphous as a cloud.&amp;#160; There was a general sense of trepidation about cyber security in the cloud that permeated this and other sessions.&amp;#160; While most admitted that the technology of today’s clouds isn’t much different than the time-share style computing mainframes have offered for 40 years, many have highlighted some possible pitfalls in moving quickly into technologies that require little upfront planning or expense and therefore often miss the radars of both cyber security professionals and legal counsel.&amp;#160; Moreover, seemingly innocuous uses of cloud computing can quickly evolve into “bet the business” style operations when the initial pilots seem to work without a hitch.&lt;/p&gt;  &lt;p&gt;But amidst all the confusion, hype, and understandable worry, we may 
find a bit of a silver lining.&amp;#160; And that is a somewhat standardized platform that security service providers and software developers can target.&amp;#160; Because one of the biggest problems for security professionals is often defining and maintaining secure configurations in a heterogeneous environment, the cloud, by necessity, offers some solutions.&amp;#160; While cloud providers do offer some flexibility in their software-as-a-service, platform-as-a-service, and infrastructure-as-a-service capabilities, service providers need to offer consistency and manageability in their packages to make money and stay competitive.&amp;#160; And so while storage, processors, and memory can vary, certain virtualization technologies and management tools may be the same across all customers.&amp;#160; That makes it easier for security service provider solutions like McAfee’s &lt;a href="http://newsroom.mcafee.com/article_display.cfm?article_id=3633"&gt;Cloud Secure Program&lt;/a&gt; to be effective.&amp;#160; By working closely with the cloud provider, Amazon in this case, McAfee can focus its energies on offering a secure and compliant service and less on addressing the interoperability and customization issues that plague far too many technology deployments.&amp;#160; Through economies of scale and competition, we have the possibility for innovative approaches that are relatively inexpensive and easy to deploy.&amp;#160; The best part is that it offers the best hope yet for automating compliance processes as well as simple security tasks, so security professionals can focus on evolving threats and issues that are more unique to their businesses.&amp;#160; If that can happen, maybe all this hype surrounding cloud won’t be so bad.&lt;/p&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/7900402864354506234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=7900402864354506234' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/7900402864354506234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/7900402864354506234'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2010/03/compliance-in-cloud.html' title='Compliance in the Cloud?'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-1730215191359589106</id><published>2010-03-19T19:43:00.001-07:00</published><updated>2010-03-19T19:43:57.734-07:00</updated><title type='text'>Does Privacy Matter with the Smart Grid?</title><content type='html'>&lt;p&gt;As we hear more stories about the Smart Grid and the media focuses attention on potential security risks, it is worth asking whether privacy has a role to play.&amp;#160; But first let me set the ground rules.&amp;#160; I do not subscribe to the notion that privacy is security for the legal/policy types who can’t talk techie at a detailed level.&amp;#160; All too often I’ve seen privacy articles and discussions devolve into discussions about password length or the need for encryption.&amp;#160; That’s not privacy; it’s security, and it pains me to see two perfectly good disciplines get pillaged by folks who run out of material and decide to veer into a different discussion.&amp;#160; That’s not 
to say that they both can’t be discussed at the same time, but people need to know the difference.&amp;#160; So for me, privacy is only about the process involved in determining who should get access to a piece of information and for what purpose.&amp;#160; In some senses privacy is what makes security useful, as security is concerned with deploying restrictions on access based on the criteria set by privacy.&lt;/p&gt;  &lt;p&gt;With that said, are we really facing privacy issues with the Smart Grid?&amp;#160; And I caveat that by saying that privacy here means how personally identifiable information about energy customers is used and shared.&amp;#160; In theory, privacy could cover trade secrets and other sensitive information, as in a sense that data is meant to stay private, but for purposes here, we’re just talking about the customer information.&amp;#160; In an excellent article entitled &lt;a href="http://www.ipc.on.ca/images/Resources/pbd-smartpriv-smartgrid.pdf"&gt;“Smart Privacy for the Smart Grid:&amp;#160; Embedding Privacy into the Design of Electricity Conservation”&lt;/a&gt; the authors go to great lengths in describing the various types of measurement that can be taken and how they could be used:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p align="left"&gt;&lt;font color="#000000" size="2"&gt;Whether individuals tend to cook microwavable meals or meals on the stove; whether they have breakfast; the time at which individuals are at home; whether a house has an alarm system and how often it is activated; when occupants usually shower; when the TV and/or computer is on; whether appliances are in good condition; the number of gadgets in the home; if the home has a washer and dryer and how often they are used; whether lights and appliances are used at odd hours, such as in the middle of the night; whether and how often exercise equipment such as a treadmill is used. Combined with other information, such as work location and hours, and whether one has children, one can see that assumptions may be derived from such information.&amp;#160; For example: the homeowner tends to arrive home shortly after the bars close; the individual is a restless sleeper and is sleep deprived; the occupant leaves late for work; the homeowner often leaves appliances on while at work; the occupant rarely washes his/her clothes; the person leaves their children home alone; the occupant exercises infrequently.&lt;/font&gt;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p align="left"&gt;Practically speaking, I suppose that exposing this information could be a bit embarrassing, but much of it serves little purpose to someone with malicious intent unless the person is a celebrity, as I’m sure Al Gore can attest to after his house legitimately became drawn into charges of hypocrisy.&amp;#160; However, for the average person, burglary would seem to be a more compelling motive even though there are probably &lt;a href="http://www.pleaserobme.com/"&gt;easier and more accurate ways to find out if someone isn’t home&lt;/a&gt;.&amp;#160; There, of course, is the dignitary right to privacy that can’t be easily tied to economic value.&amp;#160; We capitalist Americans tend to deride such sentiments as idle chatter standing in the way of progress.&amp;#160; Nonetheless, at some level, we all succumb to that luxury of privacy for privacy’s sake, whether it is out of embarrassment that a parent, spouse, co-worker, neighbor, or Greenpeace activist finds out that we like to crank up the AC on days with energy shortages or partake in that guilty pleasure of a 30 minute shower.&lt;/p&gt;  &lt;p align="left"&gt;But aside from those issues, survey after survey has shown that people will gladly give up some of their privacy for something in return.&amp;#160; That’s the dirty secret behind web news registrations, free samples, and loyalty cards.&amp;#160; While there are some die hard privacy proponents out there, most people are just trying to get the best deal for what they have to give up.&amp;#160; Hence, the lesson for utilities is to be responsible in how you protect information that you say you’re going to protect by putting in effective cyber security measures.&amp;#160; However, if you want to do some marketing with all that data you’re getting from your customers, make sure they know they’re getting a discount for all this personal information they’re supposedly giving up that never was available to sell before.&amp;#160; Isn’t capitalism wonderful?&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/1730215191359589106/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=1730215191359589106' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/1730215191359589106'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/1730215191359589106'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2010/03/does-privacy-matter-with-smart-grid.html' title='Does Privacy Matter with the Smart Grid?'/><author><name>Gib 
Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-7930862889906220305</id><published>2010-03-17T18:51:00.001-07:00</published><updated>2010-03-17T18:51:19.016-07:00</updated><title type='text'>Our Users aren’t as Dumb as We Think</title><content type='html'>&lt;p&gt;For system administrators and security professionals, one of the most common complaints is that end users don’t care, they don’t take the right precautions, or they don’t listen to what we tell them.&amp;#160; Well, all that may be true to some extent, but maybe we’re missing the obvious as well.&amp;#160; While complying with the law is not optional, the methods we use to secure our data often give us more flexibility when we think.&amp;#160; An alert reader on the &lt;a href="http://www.securitymetrics.org"&gt;Security Metrics&lt;/a&gt; list noted an article entitled &lt;a href="http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf"&gt;“So long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users,”&lt;/a&gt; which discusses the results work done by Microsoft Research.&amp;#160; The article abstract notes:&lt;/p&gt;  &lt;p&gt;“It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users' rejection of the security advice they receive is entirely rational   &lt;br /&gt;from an economic perspective. 
The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.&amp;#160; Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the    &lt;br /&gt;advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses.    &lt;br /&gt;Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. 
For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.”&lt;/p&gt;  &lt;p&gt;In our private lives, following these security and safety precautions can make sense because not all activities are measured in dollars and cents.&amp;#160; If someone derives some utility from washing his hands every fifteen minutes on the off chance that some invisible deadly germ might suddenly appear, who are we to argue?&amp;#160; There is an infinitesimally small chance that failing to wash at that frequency could lead to death, but few for-profit businesses could survive if they required their employees to follow that regimen.&amp;#160; People often misperceive risks, but many perceive risks correctly and still engage in abnormally risky or cautious behavior.&amp;#160; To them, it’s simply a matter of utility.&amp;#160; For example, the very small risk of dying in a plane crash can be enough for someone to forgo flying if the need or desire to fly is minimal.&amp;#160; However, driving down a highway at 10 mph for fear of car crashes would be inappropriate even if it only impeded other drivers and didn’t increase the risk of an accident, which very slow driving has been shown to do.&amp;#160; &lt;/p&gt;  &lt;p&gt;When our actions work in tandem with others, some happy medium is needed.&amp;#160; Hence the risk/reward tradeoff we find in business.&amp;#160; When one chooses to work for or do business with a company, one is necessarily accepting its risk model.&amp;#160; Consequently, a super secret intelligence agency may find it worth the cost to carefully read every URL to avoid phishing.&amp;#160; For the rest of us, it’s just not worth it.&amp;#160; And yet the tips keep coming, and organizations plug them into training materials without any thought to their risk profile (or bottom line).&amp;#160; We lock people out of their accounts after three unsuccessful complex password tries even though there’s not a scintilla of evidence to suggest that a higher number would be too risky.&amp;#160; We simply take what we receive from some official sounding source to be gospel and implement it, because making a risk-based decision would mean someone would have to be accountable.&amp;#160; Some day people will realize that deferring all decisions to some unknown entity who knows little about your environment or risk tolerance is not only economically silly, it may be riskier.&amp;#160; I relish the lawsuit where a company is successfully sued for having security policies so strict that any reasonable person in that environment would choose to ignore them.&amp;#160; Now, who was it that needed security training?&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-7930862889906220305?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/7930862889906220305/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=7930862889906220305' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/7930862889906220305'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/7930862889906220305'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2010/03/our-users-arent-as-dumb-as-we-think.html' title='Our Users aren’t as Dumb as We Think'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-4147646280628753146</id><published>2010-02-07T19:13:00.001-08:00</published><updated>2010-02-07T19:13:04.256-08:00</updated><title type='text'>Another Cybersecurity Bill; Yawn</title><content type='html'>&lt;p&gt;And so yet another &lt;a href="http://science.house.gov/legislation/leg_highlights_detail.aspx?NewsID=2674"&gt;cybersecurity bill&lt;/a&gt; is seeing the light of day as H.R. 4061 has just cleared the House.&amp;#160; Based on my reading, the bill authorizes, but doesn't appropriate, funds for cyber security research, an agency-by-agency review of cyber security skills, scholarships, and more NIST guidance efforts, including an effort to harmonize security standards internationally, which is what NIST has been working on for several years.&amp;#160; While more funding for cyber security is usually a good thing, that's about all it does.&amp;#160; Everything else is already being done.&amp;#160; In fact, I understand that the Senate is looking to wrap this into one of its appropriations bills.&amp;#160; The most telling sign of the bill's underwhelming nature is that it passed 422-5.&amp;#160; That ranks up there with the naming of post offices in terms of lacking any controversy. &lt;/p&gt;  &lt;p&gt;As a &lt;a href="http://thecaucus.blogs.nytimes.com/2010/02/04/house-passes-cybersecurity-bill/?ref=technology"&gt;New York Times article&lt;/a&gt; notes, the Obama budget actually cuts the cyber security division in DHS, where most cross-government cyber security efforts are spearheaded.&amp;#160; That doesn't bode well for a bill whose only distinguishing characteristic is more funding.
&lt;/p&gt;  &lt;p&gt;The suggestion that the government needs to hire 1000 more &amp;quot;cyber warriors&amp;quot; has been bandied about by various government officials with little idea of what those people would do or how they would be paid for.&amp;#160; As has been frequently pointed out, most of our critical infrastructure, and much of what hackers are interested in, is owned and operated by the private sector.&amp;#160; The parts of the government most at risk, mainly the military and intelligence communities, are much further along in both protecting their infrastructure and providing appropriate staffing.&amp;#160; However, even there, there is a mismatch. &lt;/p&gt;  &lt;p&gt;Most of the top technical skills they're looking for, such as malware analysis, exploit development, and penetration testing, are held by individuals who command salaries above the government GS scale and would not likely want to sit in windowless rooms all day examining network traffic they can't talk about.&amp;#160; Contractors will inevitably fill some of this void, but they're also having a hard time keeping talent while still fitting under the often rigid rate structures the government demands.&amp;#160; Right now the going rate for strong penetration testers with about 5 years of experience in IT/security exceeds $100K in many markets.
&lt;/p&gt;  &lt;p&gt;I do believe that we will be able to implement appropriate security controls for the federal government and that sufficient staff will eventually be hired, though many may simply need to grow into the needed skills on the job.&amp;#160; However, I do not believe the federal government will ever be able to provide operational cyber security support to the private sector.&amp;#160; Guidance on control frameworks and funding for research are useful endeavors.&amp;#160; But the government is simply not structured to advise the private sector on evolving threats in a timely manner.&amp;#160; Even if it had timely information, it would not be able to share it.&amp;#160; It's hard enough sharing information among federal agencies, as the December 25 Northwest bombing attempt demonstrated, and providing actionable information to the private sector is next to impossible.&amp;#160; Moreover, it is highly unlikely that private sector organizations will share the needed information on incidents that affect them.&amp;#160; The fear of fines and unwanted regulator attention has all but precluded those activities.&amp;#160; &lt;/p&gt;  &lt;p&gt;Unlike physical security, where jurisdiction is clear and techniques are well understood and slower to change, I don't believe the government will ever be able to protect us from cyber security threats, other than by making a few arrests in the more serious cases or where the hackers are idiots.&amp;#160; The FBI and Justice Department should be congratulated for the busts they have made.&amp;#160; However, things are only going to get harder.&amp;#160; The source for timely threat information and the development of defenses will need to reside predominantly in the private sector.&amp;#160; There simply is no other way in my opinion.
&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-4147646280628753146?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/4147646280628753146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=4147646280628753146' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/4147646280628753146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/4147646280628753146'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2010/02/another-cybersecurity-bill-yawn.html' title='Another Cybersecurity Bill; Yawn'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-4039547299615266027</id><published>2009-12-27T11:35:00.001-08:00</published><updated>2009-12-27T11:35:59.362-08:00</updated><title type='text'>“Just Encrypt Everything”</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;font face="Arial" color="#000080" size="2"&gt;&lt;span style="font-size: 10pt; color: navy; font-family: arial"&gt;Here’s Bruce Schneier’s well-argued retort to all those supposed security experts who assert that it would be trivial to encrypt the video streams coming out of those Predators that were &lt;a href="http://online.wsj.com/article/SB126102247889095011.html?mod=igoogle_wsj_gadgv1&amp;amp;"&gt;supposedly hacked by insurgents in 
Iraq&lt;/a&gt;.&amp;#160; As he notes, it’s trivial to encrypt, but it’s not so trivial for troops on the ground or our allies to obtain and deploy the right encryption/decryption keys.&amp;#160; Despite what the encrypt everything proponents say, encryption doesn’t solve security problems; it shifts them to key management.&amp;#160; In a traditional office environment that is self-contained and doesn’t involve granting access to outsiders, that can work well.&amp;#160; In ad hoc environments that are constantly changing and need the information quickly to save lives, we still don’t have the right solutions.&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;font face="Arial" size="2"&gt;&lt;span style="font-size: 10pt; color: navy; font-family: arial"&gt;&lt;a title="http://www.schneier.com/blog/archives/2009/12/intercepting_pr.html" href="http://www.schneier.com/blog/archives/2009/12/intercepting_pr.html"&gt;&lt;font color="#0000ff"&gt;http://www.schneier.com/blog/archives/2009/12/intercepting_pr.html&lt;/font&gt;&lt;/a&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;font face="Arial" color="#000080" size="2"&gt;&lt;span style="font-size: 10pt; color: navy; font-family: arial"&gt;“So the military is now committed to encrypting the video ... eventually. The next generation Predators, called Reapers -- Who names this stuff? Second-grade boys? -- will have the same weakness. Maybe we’ll have encrypted video by 2010, or 2014, but I don't think that's even remotely possible unless the NSA relaxes its key management and classification requirements and embraces a lightweight, less secure encryption solution for these sorts of situations. 
The real failure here is the failure of the Cold War security model to deal with today's threats.”&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-4039547299615266027?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/4039547299615266027/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=4039547299615266027' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/4039547299615266027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/4039547299615266027'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2009/12/just-encrypt-everything.html' title='“Just Encrypt Everything”'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-1903235995011108954</id><published>2009-12-16T18:27:00.001-08:00</published><updated>2009-12-16T18:27:16.510-08:00</updated><title type='text'>Is it really a security breach if it’s insured?</title><content type='html'>&lt;div&gt;&lt;font face="Times New Roman" size="3"&gt;A blog post at &lt;/font&gt;&lt;a title="http://www.courthousenews.com/2009/12/15/BJ_s_Bank_Not_Liable_for_Credit_Card_Fraud.htm" 
href="http://www.courthousenews.com/2009/12/15/BJ_s_Bank_Not_Liable_for_Credit_Card_Fraud.htm"&gt;&lt;font face="Times New Roman" color="#0000ff" size="3"&gt;http://www.courthousenews.com/2009/12/15/BJ_s_Bank_Not_Liable_for_Credit_Card_Fraud.htm&lt;/font&gt;&lt;/a&gt;&lt;font face="Times New Roman" size="3"&gt; notes the decision in Cumis Insurance Society, Inc., &amp;amp; others &lt;u&gt;vs&lt;/u&gt;. BJ's Wholesale Club, Inc., found at &lt;a title="http://www.courthousenews.com/AppellateOpinions/10400.doc" href="http://www.courthousenews.com/AppellateOpinions/10400.doc"&gt;&lt;font color="#0000ff"&gt;http://www.courthousenews.com/AppellateOpinions/10400.doc&lt;/font&gt;&lt;/a&gt;.&amp;#160; As a result of the breach, &amp;quot;[t]he credit unions wanted to be compensated for having to issue millions of new credit cards to replace the ones that were compromised.&amp;quot;&amp;#160; However, both the trial court and the Massachusetts Supreme Judicial Court sided with the defendants, granting summary judgment because the credit unions were not third-party beneficiaries of the agreements between the defendants and the card networks.&amp;#160; &amp;quot;The court also tossed fraud and negligence claims against BJ's and Fifth Third Bank, saying they never misled the credit unions and Cumis about their compliance with Visa and MasterCard regulations.&amp;quot;&lt;/font&gt;&lt;/div&gt;  &lt;div&gt;&lt;span style="font-size: 12pt; font-family: &amp;#39;Courier New&amp;#39;; mso-fareast-font-family: 
&amp;#39;Times New Roman&amp;#39;; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa"&gt;&lt;/span&gt;&lt;font face="Times New Roman" size="3"&gt;&amp;#160;&lt;/font&gt;&lt;/div&gt;  &lt;div&gt;&lt;span style="font-size: 12pt; font-family: &amp;#39;Courier New&amp;#39;; mso-fareast-font-family: &amp;#39;Times New Roman&amp;#39;; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa"&gt;&lt;font face="Times New Roman"&gt;To me, more interesting was the following statement at the end of the decision:&lt;/font&gt;&lt;/span&gt;&lt;/div&gt;  &lt;div&gt;&lt;span style="font-size: 12pt; font-family: &amp;#39;Courier New&amp;#39;; mso-fareast-font-family: &amp;#39;Times New Roman&amp;#39;; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa"&gt;&lt;/span&gt;&lt;font face="Times New Roman" size="3"&gt;&amp;#160;&lt;/font&gt;&lt;/div&gt;  &lt;div&gt;&lt;span style="font-size: 12pt; font-family: &amp;#39;Courier New&amp;#39;; mso-fareast-font-family: &amp;#39;Times New Roman&amp;#39;; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa"&gt;&lt;font face="Times New Roman"&gt;&amp;quot;&lt;span style="mso-bidi-font-family: &amp;#39;Courier New&amp;#39;"&gt;As the second judge determined, no rational jury could have found reasonable reliance on the regulations prohibiting storage of magnetic stripe data in the circumstances here&lt;a title="" style="mso-footnote-id: ftn1" href="wlmailhtml:{23C66A52-F243-4101-8C4D-08DD97991C79}mid://00000042/!x-usc:http://infoseclaw.blogspot.com/#_ftn1" name="_ftnref1"&gt;&lt;/a&gt;.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;First, as the judge observed, Visa and MasterCard compliance regulations explicitly provide for fines for breach of regulations such as storage of magnetic stripe data.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;This indicates that the system is designed with the expectation that 
breaches will occur.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;In addition, the plaintiff credit unions anticipated and insured themselves through plaintiff Cumis against fraudulent losses arising from such storage.&amp;quot;&lt;/span&gt;&lt;/font&gt;&lt;/span&gt;    &lt;div&gt;&lt;font face="Times New Roman"&gt;       &lt;br /&gt;&lt;/font&gt;&lt;/div&gt; &lt;/div&gt;  &lt;div&gt;&lt;span style="font-size: 12pt; font-family: &amp;#39;Courier New&amp;#39;; mso-fareast-font-family: &amp;#39;Times New Roman&amp;#39;; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa"&gt;&lt;font face="Times New Roman"&gt;The logical extension of that reasoning is that no one should be liable for anything, because our laws anticipate bad behavior by punishing it, and therefore it is to be expected.&amp;#160; And of course if you have insurance, what are you complaining about; you've been compensated.&amp;#160; That's a great argument unless you’re the insurance company or your policy doesn't cover all your damages.&lt;/font&gt;&lt;/span&gt;&lt;/div&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-1903235995011108954?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/1903235995011108954/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=1903235995011108954' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/1903235995011108954'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/1903235995011108954'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2009/12/is-it-really-security-breach-if-its.html' title='Is it really a security 
breach if it’s insured?'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-1390156756112520849</id><published>2009-10-28T18:54:00.001-07:00</published><updated>2009-10-28T18:54:51.716-07:00</updated><title type='text'>Compliance Conundrum Part 2</title><content type='html'>&lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font face="Times New Roman" color="#000000" size="3"&gt;It’s a bit ironic that a practice designed to keep organizations on the straight and narrow has instead become a symbol of ineffectiveness within the information security profession.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;But unfortunately, the very existence of compliance programs has been a sign of weakness rather than strength.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;As evidence piles up &lt;/font&gt;&lt;a href="http://datalossdb.org/latest_incidents"&gt;&lt;font face="Times New Roman" color="#0000ff" size="3"&gt;showing the ineffectiveness of enterprise security programs&lt;/font&gt;&lt;/a&gt;&lt;font face="Times New Roman" color="#000000" size="3"&gt;, the outcry for regulation grows louder.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;The sad fact is that it doesn’t have to be that way.&lt;/font&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;   &lt;p&gt;&lt;font face="Times New Roman" color="#000000" size="3"&gt;&amp;#160;&lt;/font&gt;&lt;/p&gt; &lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font size="3"&gt;&lt;font color="#000000"&gt;&lt;font face="Times New Roman"&gt;But first, let’s provide a little 
background.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;I teach a class called Legal and Ethical Principles in Information Security.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;One of the first things I tell my students is that they need to understand the difference between risk and ethics.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;Not every decision made about security is an ethical decision.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;For example, the decision to use an eight-character password rather than a nine-character password is a risk-based decision.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;While a policy may require the longer password, that requirement is rather arbitrary and doesn’t reflect a consensus that requiring a longer password is the “right thing to do.”&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;It’s a risk-based decision.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;Now here is where the twist comes in.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;A two-character password, if it’s used to secure someone else’s data, could be unethical, because ethics is really about taking on unreasonable risk that affects others without their consent.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;Of course what’s unreasonable is open to debate, but the consensus opinion often becomes the policies, regulations, standards, and laws we all need to follow, or, in other words, compliance.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;   &lt;p&gt;&lt;font face="Times New Roman" color="#000000" size="3"&gt;&amp;#160;&lt;/font&gt;&lt;/p&gt; &lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font 
face="Times New Roman" color="#000000" size="3"&gt;But let me be clear.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;I’m not saying that compliance isn’t a fact of life or even inevitable.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;Human beings tend to act in their own self-interest, often to the detriment of the whole.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;We’ll always need laws that regulate pollution, prohibit fraud, and protect consumers.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;However, what we’re seeing with information security goes beyond that.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;We’re now passing laws and regulations that are the equivalent of requiring banks to lock their money in vaults.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;It would be one thing if organizations were careless with other people’s data but careful with their own crown jewels.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;Instead, we have the &lt;/font&gt;&lt;a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml"&gt;&lt;font face="Times New Roman" color="#0000ff" size="3"&gt;Payment Card Industry (PCI) Data Security Standard (DSS)&lt;/font&gt;&lt;/a&gt;&lt;font face="Times New Roman" color="#000000" size="3"&gt; mandating firewalls and anti-virus software because organizations fail to implement even such rudimentary controls for any part of their enterprise.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;Simply put, when laws are needed to get us to protect what is valuable to us, we know we’ve failed.&lt;/font&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;   &lt;p&gt;&lt;font face="Times New Roman" color="#000000" size="3"&gt;&amp;#160;&lt;/font&gt;&lt;/p&gt; &lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font face="Times New Roman" color="#000000" 
size="3"&gt;When business processes and technologies aren’t implemented transparently and consistently enough to meet both regulatory and business requirements, auditors and compliance officers are needed to constantly look under the covers, note the irregularities, and correct them.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;And can we blame them for wanting to come back when they seem to find more problems each time they look?&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;Manufacturers have used process improvement methodologies like &lt;/font&gt;&lt;a href="http://www.motorola.com/content.jsp?globalObjectId=3088"&gt;&lt;font face="Times New Roman" color="#0000ff" size="3"&gt;Six Sigma&lt;/font&gt;&lt;/a&gt;&lt;font size="3"&gt;&lt;font color="#000000"&gt;&lt;font face="Times New Roman"&gt; to reduce the error rate for very complicated manufacturing processes to a few defects per million.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;Only in a dream world could software developers and system integrators hope to accomplish that.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;We can quibble about the differences between these two worlds.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;But by any measure, enterprise security has not done well by comparison.&lt;span style="mso-spacerun: yes"&gt;&amp;#160; &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;   &lt;p&gt;&lt;font face="Times New Roman" color="#000000" size="3"&gt;&amp;#160;&lt;/font&gt;&lt;/p&gt; &lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font face="Times New Roman" color="#000000" size="3"&gt;Like the optimistic police officer hoping to be so successful that his job will go away, I’m hoping we can make the compliance process more efficient and useful, so that some day we won’t need to talk about it.&lt;span style="mso-spacerun: 
yes"&gt;&amp;#160; &lt;/span&gt;Fortunately for this blog, the material is not going to run out anytime soon.&lt;/font&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-1390156756112520849?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/1390156756112520849/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=1390156756112520849' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/1390156756112520849'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/1390156756112520849'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2009/10/compliance-conundrum-part-2.html' title='Compliance Conundrum Part 2'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-8437135588136411021</id><published>2009-10-16T13:20:00.001-07:00</published><updated>2009-10-16T13:20:40.598-07:00</updated><title type='text'>Is Compliance Enough?</title><content type='html'>&lt;p&gt;In my first blog post three years ago entitled “&lt;a href="http://infoseclaw.blogspot.com/2006/12/we-don-need-no-stinking-compliance.html"&gt;We Don’t Need No Stinking Compliance&lt;/a&gt;,” I laid out the flaws of an information security program that focused on compliance rather than security.&amp;#160; Moreover, I noted that the most costly part 
of compliance is frequently not the cost of implementing and maintaining security controls that comply with a particular standard or regulation, but rather the cost of proving that compliance to regulators, auditors, customers, and anyone else who demands a C&amp;amp;A report, a SAS 70, or any of the dozen or so other compliance reports that take up the CISO team’s valuable time and pull it away from monitoring and responding to new threats.&lt;/p&gt;  &lt;p&gt;Now comes an article by Robbie Forkish of &lt;a href="http://www.cloud-compliance.com"&gt;Cloud Compliance, Inc.&lt;/a&gt; arguing in “&lt;a href="http://www.cloud-compliance.com/blog/bid/27935/Is-Compliance-the-New-Security-Standard"&gt;Is Compliance the New Security Standard&lt;/a&gt;?” that, given competitive realities and the demands of shareholders, compliance should be the bar, as preventing security breaches is too expensive, hard to justify from an ROI perspective, and ultimately impossible.&amp;#160; While it is certainly true that 100% security is a pipe dream, I take issue with Mr. 
Forkish’s contention that compliance protects a company from liability.&amp;#160; Unfortunately he is confusing compliance with a regulation, which is a statutory obligation, with compliance with a standard of care, which is the common law standard of negligence.&amp;#160; Anyone who has been involved in a personal injury lawsuit arising from a traffic accident knows that following all traffic laws doesn’t make one immune from liability, since the negligence standard, or duty, is based on what is known as the “reasonably prudent person” standard, a standard that no human being meets with any degree of consistency.&amp;#160; &lt;/p&gt;  &lt;p&gt;And while liability is often the motivator for implementing security measures, it is foolish to assume that meeting the letter of PCI, HIPAA, GLBA, Sarbanes-Oxley, or some other regulation or standard will absolve one from claims of liability.&amp;#160; The sponsors of the PCI Standard for protecting credit card data proudly claim that no system found to be compliant with the PCI Data Security Standard has ever experienced a compromise of credit card data.&amp;#160; What they don’t say is that the breach investigations interpret the PCI Standard in such a way that a breached system is almost by definition considered in violation of the Standard.&amp;#160; So far the FTC has yet to find a company investigated for experiencing a security breach that is willing to challenge the agency’s contention that the breach reflected an unfair or deceptive practice under Section 5 of the FTC Act.&amp;#160; While the FTC would likely dispute it, the conclusion seems to be that a major security breach involving customer information is automatically a violation of some law.&lt;/p&gt;  &lt;p&gt;So is being compliant with regulations and mandatory standards necessary?&amp;#160; Absolutely.&amp;#160; Companies that never get breached can still be fined or worse for not implementing the required controls.&amp;#160; However, suggesting that is enough to escape liability 
is silly.&amp;#160; If you want to avoid getting sued, then don’t get hacked.&amp;#160; Failing that, mere compliance with slow moving regulations is a good recipe for not only being sued after a breach.&amp;#160; It is a recipe for losing.&amp;#160; Cost benefit analysis that includes penalties, private lawsuits, and internal harms are essential when deciding on the appropriate controls, but compliance is only half the story.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-8437135588136411021?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/8437135588136411021/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=8437135588136411021' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8437135588136411021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8437135588136411021'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2009/10/is-compliance-enough.html' title='Is Compliance Enough?'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-5824492908416466143</id><published>2009-10-09T06:04:00.001-07:00</published><updated>2009-10-09T06:04:10.288-07:00</updated><title type='text'>Cloud Computing:  Yet Another Opportunity to Get It Right</title><content type='html'>&lt;p&gt;Pity the security 
practitioner. After each new technology is released, we hold out hope that it will finally make our jobs easier, that the promise of seamless and fully integrated security will finally be realized. However, our hopes are quickly dashed as bug reports pile up and end customers seek to one-up the product vendors in their efforts to obliterate any semblance of security during the implementation stage. That places us in the familiar role of corporate nannies who advise our wards to take their vitamins and, for heaven’s sake, don’t even think about having any fun.&lt;/p&gt;  &lt;p&gt;As the industry begins to embrace the concept of cloud computing, security professionals may be reflexively pulling out our whips and chains to deliver the first lashings to those presumably misguided souls seeking to thrust the company’s most sensitive data into some virtual grab bag in the sky. The reality is that cloud computing offers tremendous opportunities to companies awash in data with little ability to even find what they’re looking for, let alone manage or secure it. Cloud computing can offer standardization and consistency, traits that are part of a sound security practice as long as the standards have been vetted by qualified security professionals and are consistent in a good way. But before we break out the champagne, it’s important to understand whether we can deliver and what it will take to get there.&lt;/p&gt;  &lt;p&gt;The trade press has simultaneously dubbed cloud computing both the game-changing phenomenon that will revolutionize computing and a rehash of a bunch of old technologies, some going back more than thirty years to the days of time sharing and batch computing, that have been cobbled together and marketed as innovation. The reality is that it’s a little of both. In essence, cloud computing is a business model. 
Whether it’s offered by Amazon’s &lt;a href="http://aws.amazon.com/ec2/"&gt;Elastic Compute Cloud&lt;/a&gt; or done in-house as a sort of private cloud offered by the IT department, it is designed to commoditize and sell by the drink a variety of computing functions, including storage, processing time, software applications, network bandwidth, and other services. Existing options like Software-as-a-Service (SaaS), virtualization, and utility computing are routinely repurposed and leveraged to form a cloud.&lt;/p&gt;  &lt;p&gt;The question then remains why security professionals should be optimistic. The reason is that the business model for cloud computing requires business functions and their respective technological representations to be discretely defined and associated with a particular cloud computing service. If implemented correctly, it tends to eschew the notion of just being an all-purpose storage repository for miscellaneous stuff. It forces users to think about what business function they want performed and what data will be involved. And because it is being outsourced, business managers are more likely to be directly involved in those decisions because it is harder to assume that a cloud provider will know what they want, an assumption that is frequently and inappropriately placed on an organization’s IT department.&lt;/p&gt;  &lt;p&gt;In essence, cloud computing offers organizations a framework for defining a data governance model that incorporates notions of both risk and compliance. Through it, we can decide when the risks associated with cloud computing can be justified based on the data and business processes involved. If compliance requirements dictate where data is stored or how it is protected, we can select the cloud service that meets those requirements. 
Ultimately it offers a well-defined way to marry security requirements with service offerings, something IT departments have been loath to do for fear that talking about service levels with respect to security would be viewed with the same level of trepidation as a brain surgeon who offers silver, gold, and platinum packages to his patients.&lt;/p&gt;  &lt;p&gt;So once again we stand at the precipice waiting to see how the market will shake out. As security professionals, there is a lot to be hopeful about as we batten down the hatches and keep those whips and chains handy.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/5824492908416466143/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=5824492908416466143' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/5824492908416466143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/5824492908416466143'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2009/10/cloud-computing-yet-another-opportunity.html' title='Cloud Computing:  Yet Another Opportunity to Get It Right'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-575661932037461763</id><published>2009-01-02T06:22:00.001-08:00</published><updated>2009-01-02T06:22:11.026-08:00</updated><title type='text'>Total Information Awareness - British Style</title><content type='html'>&lt;p&gt;&lt;a href="http://yro.slashdot.org/article.pl?sid=09%2F01%2F02%2F0052201&amp;amp;from=rss"&gt;Slashdot&lt;/a&gt; pointed out an interesting article from &lt;a href="http://www.guardian.co.uk/uk/2008/dec/31/privacy-civil-liberties"&gt;The Guardian&lt;/a&gt; about a proposal in the UK to create a kind of master database &amp;quot;that will keep track of everyone's calls, emails, texts and Internet use.&amp;quot;&amp;#160; However, it won't store content, making it a sort of &lt;a href="http://en.wikipedia.org/wiki/Pen_register"&gt;pen register&lt;/a&gt; for Internet traffic.&amp;#160; The goal is to provide an easy reference for law enforcement to tie an IP address or e-mail to an actual person when a crime is suspected.&lt;/p&gt;  &lt;p&gt;This calls to mind programs like &lt;a href="Total Information Awareness "&gt;Total Information Awareness&lt;/a&gt;, proposed by former National Security Advisor John Poindexter a few years back, which envisioned a massive data mining effort to look for patterns in information that could be used to identify potential terrorists and learn about possible threats.&amp;#160; The program was killed in 2003 due in large part to the controversy it generated.&amp;#160; More recently, but on a smaller scale, the &lt;a href="http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf"&gt;Einstein program&lt;/a&gt; is focused on collection and analysis of the federal government's Internet traffic and is mainly intended to serve as a warning for network-based attacks.&amp;#160; However, such capabilities could 
be extended to monitoring outbound traffic, including encrypted traffic accessible via proxies, to ensure that sensitive data is not being sent out without authorization.&lt;/p&gt;  &lt;p&gt;Privacy advocates are quick to point out that collection and aggregation of massive amounts of information from diverse sources, even if the government already possesses it, raises serious concerns about potential abuse.&amp;#160; That, in essence, was the reason behind the &lt;a href="http://opm.gov/feddata/USC552a.txt"&gt;Privacy Act of 1974&lt;/a&gt;.&amp;#160; At the time, the Nixon Administration had been assembling data on US citizens in an effort to discredit individuals opposed to the Administration's policies.&amp;#160; The Privacy Act required that the federal government publish System of Records Notices (SORN) prior to collection of personal information, indicating the purpose of the collection, who would be given access to the data, and any other agencies that would make use of that data.&amp;#160; Later laws, including the &lt;a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&amp;amp;docid=f:publ347.107"&gt;E-Government Act of 2002&lt;/a&gt;, required additional privacy assessments to ensure that the terms of the SORN were being followed.&lt;/p&gt;  &lt;p&gt;But that raises a real practical issue with things like data mining.&amp;#160; The whole purpose of that activity is to identify relationships and infer new knowledge that you didn't know was there.&amp;#160; It's one thing to say I need Bob Smith's home address so I can send him his quarterly Social Security statement.&amp;#160; It's another thing to say I need Bob Smith's address, employment data, and international travel information so I can draw conclusions about potential terrorist activities.&amp;#160; Law enforcement officials can credibly say that they couldn't have identified someone as a suspect until correlations were made using massive amounts of data 
spanning multiple investigations and government databases.&amp;#160; The traditional approach was that police first identify someone as a suspect and then seek to gather information about him/her to prove their suspicions correct.&amp;#160; In the complex international drug and terrorist network, it's not that simple.&lt;/p&gt;  &lt;p&gt;The easy answer from a civil libertarian's point of view would be to say that police should just do their job like they've always done and get warrants based on probable cause.&amp;#160; The response is that that isn't what they've always done so much as what's been feasible.&amp;#160; Through Internet searches and public records databases, the average citizen already has access to an immense amount of personal information without even a subpoena.&amp;#160; Law enforcement should be expected to use these same resources.&amp;#160; It's a bit unrealistic to expect law enforcement and intelligence agencies not to search information already possessed by the federal government, with a few exceptions (e.g., Census data, grand jury information, etc.).&amp;#160; (Note:&amp;#160; Where the information is securely held by a third party, such as a telecommunications provider in the British example, the rules would necessarily be different.)&amp;#160; After that, the real issue should be one of oversight.&amp;#160; I don't want some overzealous cop snooping through my tax records any more than anyone else does.&amp;#160; But more than privacy concerns, my concern is one of productivity and governmental effectiveness.&amp;#160; Every minute someone spends peering at someone's personal information for entertainment or personal gain is a minute not spent tracking down a terrorist, rapist, or pedophile.&amp;#160; That's the real tragedy, and that's where oversight comes in.&amp;#160; The same technology that allows us to search across vast amounts of information also allows us to track the searches and the individuals doing the 
searches.&amp;#160; Spending some of the funds dedicated to identifying unusual network activity, suspicious financial transactions, and questionable international travel on identifying and reporting suspicious &amp;quot;investigations&amp;quot; would be money well spent.&amp;#160; As the saying goes:&amp;#160; &amp;quot;Sunlight is the best disinfectant.&amp;quot;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/575661932037461763/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=575661932037461763' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/575661932037461763'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/575661932037461763'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2009/01/total-information-awareness-british.html' title='Total Information Awareness - British Style'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-4072446729666304219</id><published>2008-12-29T09:33:00.001-08:00</published><updated>2008-12-29T09:33:46.166-08:00</updated><title type='text'>Rearranging Deck Chairs?</title><content type='html'>&lt;p&gt;One often gets the feeling when working in the information security field 
that a lot of efforts to improve security are like rearranging deck chairs on the Titanic.&amp;#160; Small tweaks here and there don't make a lot of difference on a sinking ship.&amp;#160; While the state of information security isn't that bad, the legislation created to address it often is.&amp;#160; Having worked on Capitol Hill for a while, I certainly sympathize with the urge to legislate solutions.&amp;#160; After all, that's what legislators do.&amp;#160; If they had the power to hunt down and capture hackers, they'd probably do that instead, but that's not their job.&amp;#160; In a &lt;a href="http://infoseclaw.blogspot.com/2008/12/cyber-security-czar-as-cheerleader.html"&gt;recent post&lt;/a&gt; I talked about the Center for Strategic and International Studies' &lt;a href="http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf"&gt;Securing Cyberspace for the 44th Presidency Report&lt;/a&gt;.&amp;#160; In a &lt;a href="http://www.chron.com/disp/story.mpl/editorial/outlook/6174987.html"&gt;recent column&lt;/a&gt;, the sponsors of the study, Representatives Jim Langevin (D-RI) and Michael McCaul (R-TX), focused on some actions to be taken by the federal government.&amp;#160; While laudable in their goals, they seem reminiscent of prior efforts to find all things bad.&amp;#160; While not declaring a war on hackers, it has a feel similar to the war on drugs, the war on terrorism, and the war on poverty.&amp;#160; What we've learned from all these adventures is that the devil is in the details.&amp;#160; Until you force someone through threat of fine or imprisonment or actually appropriate scarce resources, no one really pays attention.&amp;#160; So with that in mind, let's walk through some of the suggestions.&lt;/p&gt;  &lt;p&gt;&lt;em&gt;We would begin by announcing a national cyber doctrine, declaring the cyber infrastructure of the United States 
to be a national security and economic asset that requires protection using all instruments of national power &amp;#8212;diplomatic, economic, military, law enforcement and intelligence.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;This has the sound of Mom and apple pie.&amp;#160; However, until you start saying that it's more important than another program, you're not really saying much.&amp;#160; Everything is important, so nothing is important.&lt;/p&gt;  &lt;p&gt;&lt;em&gt;The Federal government must be reorganized to effectively implement our national doctrine. Today, many people and agencies are responsible for securing pieces of cyberspace, but nobody is in charge of the overall vision. We recommend creating a National Office for Cyberspace within the White House to provide oversight, clarify agency responsibilities, ensure accountability and increase transparency and collaboration for the many cybersecurity programs across multiple agencies.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;Where have we heard this before?&amp;#160; It seems like every solution has to start with some sort of reorganization.&amp;#160; It's a way of appearing to do something without really doing anything.&amp;#160; We created the Office of the Director of National Intelligence so that someone would be in charge of the intelligence community.&amp;#160; So far success has been limited because most of the budgets and operational capabilities exist in the individual agencies.&amp;#160; For years the Office of Management and Budget has sought to limit cost overruns in IT budgets and make agencies more secure.&amp;#160; These efforts have failed in part because the office had limited enforcement power and limited technical expertise.&amp;#160; The proposed Office of Cyberspace would create another island of influence that would presumably have very limited staff and budget to make the changes needed.&amp;#160; Ultimately what's needed is a real leader who is empowered to marshal resources to push forward real 
innovation while understanding the challenges faced by government agencies and private sector organizations.&amp;#160; Keeping that role within the Department of Homeland Security but giving the person more autonomy and budget may be the better option.&amp;#160; DHS is already starting to assemble a variety of cyber security programs for government and private industry that are getting some traction.&amp;#160; Placing strong leaders atop these efforts would seem to do the most good.&lt;/p&gt;  &lt;p&gt;&lt;em&gt;In order to secure and protect privately owned critical infrastructure from cyber attack, we must reinvent the partnership between government and private industry. We believe a new collaborative regulatory model that espouses sensible regulations, combined with incentives, will result in stronger cybersecurity throughout the private sector.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;The statement implies that there's one regulatory model in place.&amp;#160; The reality is that the model varies by industry.&amp;#160; In some cases that may make sense, but in most cases, it doesn't.&amp;#160; However, the real issue is enforcement.&amp;#160; Banking has made greater strides in information security due, in part, to tighter regulation of information security practices (I realize the irony of suggesting that banking has tight regulations given the recent financial crisis, but the regulations and their enforcement are more significant compared to other industries).&amp;#160; On the other hand, the enforcement of HIPAA in the healthcare industry is practically non-existent.&amp;#160; Therefore, those organizations don't put a lot of emphasis on information security.&amp;#160; That may be the right thing given cost factors and the greater importance of patient care.&amp;#160; Nonetheless, it demonstrates the challenge of accomplishing such goals through regulation if the enforcement structure is virtually non-existent.&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Finally, federal support for 
focused research and development is a critical component of any successful strategy. We must invest in longer term research and development designed to create a more secure ecosystem.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;No argument there, but the devil is in the details.&amp;#160; Any research needs to be focused on goals that are measurable and achievable and not simply done to show that something is being done.&lt;/p&gt;  &lt;p&gt;Notwithstanding my criticisms, I applaud the efforts to make a difference with this very difficult problem.&amp;#160; We just need to resist the temptation to keep reinventing the wheel.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/4072446729666304219/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=4072446729666304219' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/4072446729666304219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/4072446729666304219'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2008/12/rearranging-deck-chairs.html' title='Rearranging Deck Chairs?'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-8719818337399154800</id><published>2008-12-22T21:01:00.001-08:00</published><updated>2008-12-22T21:01:57.783-08:00</updated><title type='text'>A Farewell of Sorts</title><content type='html'>&lt;p&gt;In what amounted to his &lt;a href="http://www.dhs.gov/xnews/speeches/sp_1229714843263.shtm"&gt;farewell address on cyber security&lt;/a&gt;, DHS Secretary Michael Chertoff spoke at Cyber Strategy Inquiry 2008 on the state of cyber security.&amp;#160; While the current administration deserves its share of criticism on cyber security, Secretary Chertoff can probably be credited with being more cyber security savvy than other cabinet secretaries.&amp;#160; I recall his talk at the RSA Security Conference last April and have to give him credit for recognizing the information security community and its relevance to the well-being of our nation.&amp;#160; We are not simply a niche group.&amp;#160; Already the incoming Obama administration is trumpeting the importance of cyber security.&amp;#160; It seems that our government, and hopefully the public at large, recognize the importance of the issue and are willing to devote resources to addressing it.&amp;#160; With that said, we should always be wary of the kinds of policy prescriptions envisioned.&amp;#160; Initiatives that give us the tools to better understand the threat and defend against it are welcome.&amp;#160; Those that merely seek to punish offenders are nothing more than lip service.&amp;#160; Ultimately it comes down to risk and managing it appropriately.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://infoseclaw.blogspot.com/feeds/8719818337399154800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=8719818337399154800' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8719818337399154800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8719818337399154800'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2008/12/farewell-of-sorts.html' title='A Farewell of Sorts'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-172508310530796372</id><published>2008-12-21T14:15:00.001-08:00</published><updated>2008-12-21T14:15:04.146-08:00</updated><title type='text'>Cyber Security Czar as Cheerleader</title><content type='html'>&lt;p&gt;As we &lt;a href="http://www.forbes.com/technology/2008/12/18/cybersecurity-czar-obama-tech-security-cx_ag_1219cyberczar.html&amp;amp;cid=1281584077&amp;amp;ei=pKhLSePWEZnU9QTxwNiWDw&amp;amp;usg=AFQjCNHPPc2Sob-U4tlFHdnJr7Nt3iQnRg"&gt;anticipate the appointment of a cyber security czar&lt;/a&gt;, it feels a bit like d&amp;#233;j&amp;#224; vu.&amp;#160; After all, we continually seek out saviors to solve intractable problems that no one can really solve on his/her own, and then we are surprised when nothing happens.&amp;#160; When the Department of Homeland Security created the National Cyber Security Center and implied that its head would be the cyber security czar, people were right to complain that a position buried in the DHS bureaucracy 
had little chance of succeeding.&amp;#160; Not surprisingly, some of the best and brightest who have been appointed to that position have not stayed long.&amp;#160; Part of this may be a matter of unrealistic expectations.&amp;#160; After all, calling someone a czar, even informally, sort of implies that the position actually has some real power.&amp;#160; In government real power is usually defined by two things: having the authority to spend money and to impose rules that people have to follow (i.e., they'll be fined or go to jail if they don't do it).&amp;#160; Neither the current cyber security czar nor the one proposed seems to have either of these characteristics.&amp;#160; And that may not be all that bad.&lt;/p&gt;  &lt;p&gt;The Center for Strategic and International Studies' &lt;font face="Times New Roman"&gt;&lt;font face="Trebuchet MS"&gt;&lt;a href="http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf"&gt;Securing Cyberspace for the 44th Presidency Report&lt;/a&gt; covers familiar territory in effectively describing what the President and his czar would do.&amp;#160; Most of these ideas have been tried and failed, largely for two reasons: lack of money and lack of enforcement authority.&amp;#160; The government will never have enough money to fix cyber security, nor should it be spending money fixing what is largely a private sector problem.&amp;#160; Instead, the czar should really be more like a cheerleader, using his/her influence, expertise, and facilitation skills to accomplish the goals laid out.&amp;#160; The private sector wants secure systems, but it doesn't want prescriptive mandates that are narrowly tailored to address the most recent incident.&amp;#160; Developing consensus from the position of an honest broker who is more interested in securing cyberspace than in building an empire or favoring a particular vendor is the preferred approach.&amp;#160; I believe several of the individuals proposed for the position have that 
ability so long as they are unencumbered by a bureaucracy trying to score political points or win more appropriations.&amp;#160; That would be one argument for moving the position to the White House.&amp;#160; However, White House &amp;quot;czars&amp;quot; don't have a very good track record either.&amp;#160; Being disconnected from the day-to-day operations of government, where, like it or not, a growing cyber security capability is forming, is not such a good idea either.&amp;#160; Ultimately the position requires a true leader who has the respect of the cyber security community, the private sector, and government.&amp;#160; As Bismarck once said, &amp;quot;Those who enjoy good sausage and good laws should not see how either one is made.&amp;quot;&amp;#160; Real progress is possible, but it's going to be messy.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/172508310530796372/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=172508310530796372' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/172508310530796372'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/172508310530796372'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2008/12/cyber-security-czar-as-cheerleader.html' title='Cyber Security Czar as Cheerleader'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-8895062939578425837</id><published>2008-12-20T12:46:00.001-08:00</published><updated>2008-12-20T12:46:34.515-08:00</updated><title type='text'>Better Late Than Never</title><content type='html'>&lt;p&gt;It appears that the recording industry is now ending its &lt;a href="http://tech.yahoo.com/news/ap/20081220/ap_on_hi_te/music_downloading_lawsuits"&gt;campaign of intimidation&lt;/a&gt;, which had a sound legal basis but was always very questionable from an ethical and business perspective.&amp;#160; As seems to be proven time and again, if you don't have a good product, hire good lawyers.&amp;#160; Suing grandmothers and ten-year-olds is rarely an endearing quality.&amp;#160; While the RIAA president &lt;a href="http://news.cnet.com/8301-1023_3-10127454-93.html?tag=newsEditorsPicksArea.0"&gt;insists the lawsuits were necessary&lt;/a&gt;, common sense and economics might say otherwise.&amp;#160; The reality is that the business model was going to change regardless.&amp;#160; We all need to accept the fact that some people will go out of business as a result.&amp;#160; Intellectual property is extremely fungible.&amp;#160; Its value is determined by how much someone is willing to pay for it.&amp;#160; IP lawyers need to understand that not every infringement should be litigated.&amp;#160; What's fair and what's profitable are two different things.&lt;/p&gt;  &lt;p&gt;So much of what is produced today is intellectual property.&amp;#160; It's not just the traditional movies, music, magazines, and books.&amp;#160; This blog posting is intellectual property.&amp;#160; However, I'd be thrilled if you stole this posting and posted it on your web site as long as you listed me as the author (although I will gladly accept royalty checks :-) ).&amp;#160; The reason is that my 
reasons for writing this post are not just to be paid for it.&amp;#160; I want people to be convinced of my position.&amp;#160; I want to advance my career and my &amp;quot;brand.&amp;quot;&amp;#160; And eventually I'd like to create enough interest in what I write so that people will pay me to advertise their products and services along with what I write.&amp;#160; Do I ever expect someone to pay to read this post?&amp;#160; Absolutely not.&amp;#160; The costs have changed and so should the monetization model.&amp;#160; I don't have to pay for the printing and distribution of what I write.&amp;#160; Google is perfectly happy to give me this venue for free in exchange for advertising.&amp;#160; And they'll even give me a cut if I bring in enough eyeballs to the site.&amp;#160; Ultimately I could make a whole lot more money for doing a lot less work than I would have if I wanted people to pay per click.&amp;#160; Most recording artists make little or nothing on their album sales, but more than make up for it on concert revenue.&amp;#160; Recording companies produce value in their marketing and distribution engines.&amp;#160; The distribution part is all but gone now and viral marketing campaigns that cost virtually nothing but rely on giving away a fair amount of intellectual property have done wonders for some artists.&amp;#160; Now if the radio stations would just stand up to the recording industry, we could just circumvent it all and leave the RIAA with nothing to litigate, artists doing what they love and getting paid for it, and music lovers getting a wealth of choices at reasonable prices.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-8895062939578425837?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/8895062939578425837/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=8895062939578425837' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8895062939578425837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8895062939578425837'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2008/12/better-late-than-never.html' title='Better Late Than Never'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-2106626782479040478</id><published>2006-12-22T12:02:00.001-08:00</published><updated>2006-12-22T12:02:31.975-08:00</updated><title type='text'>We Don't Need No Stinking Compliance</title><content type='html'>&lt;p&gt;The Securities and Exchange Commission issued a &lt;a href="http://www.sec.gov/news/press/2006/2006-213.htm"&gt;recent statement&lt;/a&gt; expressing approval of the &lt;a href="http://www.pcaobus.org/"&gt;Public Company Accounting Oversight Board's (PCAOB)&lt;/a&gt; vote proposing a new auditing standard for section 404 of Sarbanes-Oxley that would make audits more risk-based, more targeted, and less exhaustive.&amp;nbsp; The hope is that it would make the process less onerous.&amp;nbsp; Such is the problem with many information security compliance efforts.&amp;nbsp; The hope is that they will ultimately result in lower risk to the organization.&amp;nbsp; However, many auditors, coming largely from the financial side, wouldn't know a security risk if it hit them in the face.&amp;nbsp; Instead, they resort to audit standards that are 
exhaustive, unwieldy, and petty.&amp;nbsp; The failure to post a system use notification may result in the same finding as a gaping hole that you could drive a truck through.&amp;nbsp; In an auditor's mindset, every finding needs to be addressed somehow by management.&amp;nbsp; And there lies the rub.&amp;nbsp; Financial audits have been around for a long time.&amp;nbsp; We've already determined, for the most part, which issues to worry about and which don't require action.&amp;nbsp; But with information security, auditors are often flying blind.&amp;nbsp; They rely on checklists that they didn't write and that were often written as suggested practices that may or may not work depending upon one's environment, which is, of course, the other problem.&amp;nbsp; It's just not feasible to implement all these controls in certain environments, nor should all environments start out with the same checklists.&amp;nbsp; In fairness, though, it's often the organizations themselves that fail to define the right controls.&amp;nbsp; If auditors were handed a set of controls that the organization feels it should be bound to, the organization would be in a better position to argue that the auditor's additional proposed controls are inappropriate.&amp;nbsp; What would you prefer:&amp;nbsp; the ability to write your own rules or have some outside entity write them for you?&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-2106626782479040478?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/2106626782479040478/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=2106626782479040478' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/13119048/posts/default/2106626782479040478'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/2106626782479040478'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2006/12/we-don-need-no-stinking-compliance.html' title='We Don&amp;#39;t Need No Stinking Compliance'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-8484287782608749399</id><published>2006-12-12T07:27:00.001-08:00</published><updated>2006-12-12T07:27:58.526-08:00</updated><title type='text'>FISMA Security Metrics and Gaming the System</title><content type='html'>Sometimes it can be mind-boggling why some agencies are getting A's and some are getting F's for their annual FISMA score. Last April, GCN &lt;a href="http://www.gcn.com/print/25_7/40277-1.html"&gt;questioned the validity of many FISMA scores&lt;/a&gt;. In a recent &lt;a href="http://www.joelonsoftware.com/items/2006/11/10b.html"&gt;post&lt;/a&gt;, Joel on Software discusses how trivial it is to game metrics in knowledge organizations. What we clearly need are ways to measure improvement that make gaming the system more difficult. Unfortunately, the FISMA scores are more likely to reflect management's attention to improving FISMA scores rather than improved security. For example, completing certifications and accreditations improves one's FISMA score regardless of how many findings turned up if the DAA accepts the risks and grants an ATO. In fact, the more findings there are, the more an agency can appear to be doing in its quarterly POA&amp;amp;M reporting. 
When your network is Swiss cheese, it's a lot easier to claim that you've plugged holes. Why should agencies get credit for having lots of low-hanging fruit?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-8484287782608749399?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/8484287782608749399/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=8484287782608749399' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8484287782608749399'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/8484287782608749399'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2006/12/fisma-security-metrics-and-gaming.html' title='FISMA Security Metrics and Gaming the System'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-116587449894280188</id><published>2006-12-11T14:01:00.000-08:00</published><updated>2006-12-11T14:01:38.980-08:00</updated><title type='text'>Compliance Conundrum</title><content type='html'>&lt;p&gt;Federal agencies trying to comply with FISMA requirements face a multi-pronged challenge.&amp;nbsp; They not only face the difficult task of correcting vulnerabilities, but they also need to define what those vulnerabilities are.&amp;nbsp; While NIST provides a useful starting point in its &lt;a 
href="http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf"&gt;800-53 Controls Framework&lt;/a&gt;, the details are often left up to the agency.&amp;nbsp; Unfortunately, most have not been up to the challenge.&amp;nbsp; Instead of defining detailed controls at an agency or system level, auditors are pointed to standard checklists, such as the &lt;a href="http://iase.disa.mil/stigs/checklist/index.html"&gt;DISA Security Checklists&lt;/a&gt; and the &lt;a href="http://www.cisecurity.org/"&gt;Center for Internet Security's checklists&lt;/a&gt;. While that is a useful starting point, usually the effort stops there, with the result being that an agency has adopted a standard it cannot hope to meet.&amp;nbsp; Consequently, auditors are left wondering which controls an agency meant to adopt.&amp;nbsp; Findings then become voluminous and repetitive for multiple systems and ultimately such requirements may be waived.&amp;nbsp; Nonetheless, substantial time and funds could be saved if realistic security configuration checklists were developed first.&amp;nbsp; That would also allow agencies to avoid the embarrassment of having to explain why they never intended to adopt controls that they were found to not have met.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-116587449894280188?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/116587449894280188/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=116587449894280188' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/116587449894280188'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/13119048/posts/default/116587449894280188'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2006/12/compliance-conundrum.html' title='Compliance Conundrum'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-112258289975937724</id><published>2005-07-28T12:57:00.000-07:00</published><updated>2005-07-28T13:34:59.773-07:00</updated><title type='text'>The trouble with information sharing</title><content type='html'>Call it the tragedy of the commons. Call it a problem with collective action. But whatever you call it, the problem ultimately is that vital information security event data is not shared within the private and public sectors. Gilman Louie, president and CEO of the CIA's In-Q-Tel venture capital firm, &lt;a href="http://www.gcn.com/vol1_no1/daily-updates/36512-1.html?CMP=OTC-RSS"&gt;weighed in on this issue&lt;/a&gt; while speaking at the Black Hat Briefings in Las Vegas.  "We fundamentally don't have it," Louie said. "We are crippled beyond your wildest imagination. We can't even get a simple thing like e-mail to work across agencies" because no one trusts anyone else, he lamented.  Such a lack of trust is echoed by the private sector, where members of Information Sharing and Analysis Centers (ISAC) frequently lament the lack of useful data that is shared among members. &lt;br /&gt;&lt;br /&gt;There are no doubt legitimate concerns that boil down to lack of trust, potential for embarrassment, and the competitive nature of the environment.  However, the issue ultimately boils down to the underlying incentive: what's in it for me?  
Many may simply opt to take the free-rider approach of taking without giving.  After all, there are plenty of non-profit and for-profit security companies that plaster their web sites with all kinds of threat data.  However, one can only guess at the size of their samples if no one is sharing information. &lt;br /&gt;&lt;br /&gt;The real question, however, is what it will take to share this information.  After all, it's taken acts of Congress, most recently the &lt;a href="http://www.aicpa.org/info/sarbanes_oxley_summary.htm"&gt;Sarbanes-Oxley Act of 2002&lt;/a&gt;, to prod public companies to give their shareholders an accurate view of a company's performance.  Will the same thing be necessary for information security, and if so, will it work?  &lt;a href="http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html"&gt;SB-1386&lt;/a&gt; served as the starting point when it came to a breach of consumer data.  However, it remains to be seen whether much useful information can be gleaned from these breach reports that will help others protect themselves.  For the government, the problem is deeper, as enforcing its own laws is more a matter of politics than law.  Getting agencies to play nice has been a fixation of reformers for decades.  Ultimately, it has to come down to self-interest.  
When an agency's or an individual's performance is measured more by what they share than what they hoard, then maybe we'll see some progress.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-112258289975937724?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/112258289975937724/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=112258289975937724' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/112258289975937724'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/112258289975937724'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2005/07/trouble-with-information-sharing.html' title='The trouble with information sharing'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13119048.post-111756687887492798</id><published>2005-05-31T12:10:00.000-07:00</published><updated>2005-07-29T13:39:43.823-07:00</updated><title type='text'>Information Security Liability</title><content type='html'>Over the last decade we have seen a tremendous growth in the use of computer networks, most notably the Internet, to serve nearly every need from commercial activities to very personal communications. As with so many other technologies, our burgeoning electronic world has spawned a less desirable element. 
Whether the perpetrators are out for an easy profit or simply choose to be malicious, computer-related crime has also grown significantly, causing billions of dollars in losses. As in the physical world, the strategy for mitigating these losses has been to implement management, operational, and technical controls to keep the bad guys out and to devise a series of civil and criminal penalties to punish and extract compensation from offenders and to deter others.&lt;br /&gt;&lt;br /&gt;Unfortunately, where substantial ill-gotten gains are possible with a small chance of apprehension, the incentive to commit computer crime will remain. That leaves us with trying to keep the bad guys out through improvements in information security. While technology companies are constantly offering new information security products and services, would-be buyers need to implement these controls and need sufficient incentive to spend limited resources on information security, a cost with dubious value to many. While some may choose to bolster information security controls based on the premise that they will prevent successful attacks, many need additional incentive. That incentive is frequently coming in the form of government regulation and contract obligations. However, the law has always offered protection to victims of intentional and unintentional wrongdoing through the common law provisions of tort law. Organizations and individuals have always faced potential accountability for their negligent behavior.&lt;br /&gt;&lt;br /&gt;Unfortunately, defining what constitutes negligent behavior and holding the right people and organizations responsible has presented challenges in the fast-changing world of information technology. Moreover, information security has the added challenge that damages from one’s negligence tend to arise only as a result of the intentional wrongdoing of a third party. 
It’s the equivalent of being hit over the head by a baseball bat and then suing Louisville Slugger for splinters. However, we all are responsible for our behavior and should be held accountable for our mistakes. In information security, that means that those who build, install, and maintain information systems should be held to the same standard of care as the people who build our cars or serve us lunch.&lt;br /&gt;&lt;br /&gt;Under common law tort principles, to obtain recovery for another’s negligent behavior, a plaintiff must show that the defendant had a duty to follow a standard of care, that the standard of care was breached, that the resulting harm was caused by the breach, and that actual damages resulted. Successfully demonstrating negligence in information security is difficult under each of these elements. As we see below, the difficulties arise from logistical challenges and unsettled legal theory.&lt;br /&gt;&lt;br /&gt;Duty&lt;br /&gt;[Disclaimers, foreseeability of harm, duty to whom?]&lt;br /&gt;&lt;br /&gt;Breach&lt;br /&gt;[Standard of care, Carroll Towing, T.J. 
Hooper, product liability standards for manufacturing and design defects]&lt;br /&gt;&lt;br /&gt;Causation&lt;br /&gt;[Multiple tortfeasors (e.g., hackers, ISP, software publishers, IT services vendor, end user, etc.)]&lt;br /&gt;&lt;br /&gt;Damages&lt;br /&gt;[Economic loss doctrine, applicability of consequential damages, tangible/intangible product]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13119048-111756687887492798?l=infoseclaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoseclaw.blogspot.com/feeds/111756687887492798/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13119048&amp;postID=111756687887492798' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/111756687887492798'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13119048/posts/default/111756687887492798'/><link rel='alternate' type='text/html' href='http://infoseclaw.blogspot.com/2005/05/information-security-liability.html' title='Information Security Liability'/><author><name>Gib Sorebo</name><uri>http://www.blogger.com/profile/12581197123106411805</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://3.bp.blogspot.com/_8lhhoz2dfeI/SLtgLQwcRcI/AAAAAAAAAVs/q8KJ6xcQUfU/S220/empPhoto.gs.jpg'/></author><thr:total>0</thr:total></entry></feed>
