Archive for the 'government' Category

Krebs on Cyber vs Physical Crooks

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

I can’t help but notice one other important distinction between these two types of bank crimes: The federal government sure publishes a lot more information about physical bank robberies than it makes available about online stick-ups.

Go read “Cyber Crooks Leave Traditional Bank Robbers in the Dust” by Brian Krebs. Then ask why we sweep these crimes under the rug.

Everybody complains about lack of information security research, but nobody does anything about it

For some years, I’ve been following the world of academic and industrial research on information security, especially interdisciplinary research. There is wide-spread agreement on what needs to be done:

But no one seems to be able to mobilize any significant research into solutions. It’s been very frustrating to see so much talk and so little action.

This reminds me of the quote by Mark Twain, shown at left, which is the inspiration for the title of this post.

The latest iteration of this was a panel at RSA: “The role of research in industry and government”. SC Magazine summarized the discussion this way:

A disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals.

(read on for a diagnosis and two proposed solutions…)


‘Don’t Ask, Don’t Tell in Davos’ — Act 3 in the Google-China affair

Taboos are willful ignorance, socially-enforced.  They are so not New School.  We have to deal with them, but we don’t have to be happy about it.

The Great Family Shame of incest between Oedipus and Jocasta

The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis is here, more details here). It’s unfolding almost like a Greek tragedy.

Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success).  Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.

Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats” (or “Advanced Persistent Adversaries”, a term I prefer).

Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland. While they discussed almost every other topic and idea, they avoided Operation Aurora as if it were the Great Family Shame, as highlighted here:

“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]

The Business Week article is here.  (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)

While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors where no international politics are involved. While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.

An Open Letter to the New Cyber-Security Czar

Dear Howard,

Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but you know better than most how hard it will be to make a difference without a budget or authority. You know about many of the issues you’ll need to work through, and I’d like to suggest a few less traditional things which you can accomplish that will help transform cyber-security.

There are important things which you can achieve which are aligned with President Obama’s agenda and orientation that aren’t in the current strategy to secure cyberspace. They’re opportunities which have arisen in the last few years to increase transparency and accelerate new research that’s focused on security outcomes, rather than process.

Over the last 5 years, in the wake of California’s 1386 and ChoicePoint’s big breach, we’ve learned about thousands of security breaches. We’ve discovered that most of our fears don’t come to pass. Companies don’t go bust, and customers don’t flee. It’s time to embrace transparency, and admit that we all have security failures. Only by studying what goes wrong can we really expect to improve. So the first step is to de-stigmatize failure. That’s not to say we should accept failure; rather, we should disclose failures, discuss them, and focus on what we can improve. You can set the right tone from your bully pulpit.

Next, as the nation’s cyber-security advisor, you’re in a position to push the heads of the federal agencies to open up about what they’re doing and how it’s working out. The data is already being collected by US-CERT; it’s a matter of transparency. Of course, some subset of the data will need to be appropriately redacted, but let’s embrace a need to share in information security. The President has committed to getting our data online, so let’s make sure security data is included on Data.gov. (I’ve already sent a request for this to data.gov.) As you work to expand public-private partnerships, why not start by sharing the data that the government has? It could reset the tone of the conversation. You can also support the non-profit Open Security Foundation’s work on DatalossDB.org. The value they deliver on a volunteer basis is amazing, and the amount that would be required to take that to the next level by making it their day jobs would be a rounding error for any of the folks you’ll be working with daily.

Finally, I’d urge you to evolve our nation’s security research agenda. There are many smart, dedicated people working in information security. Many have been promoting approaches which have yet to take hold. You must bring new voices and perspectives to research. Emergent fields like “economics and security,” usable privacy and security, and security and human behavior bring important new perspectives of security as a human-centered discipline.

Each of these steps can be taken with your budget and authorities. Together, they’ll transform cyber security into an empirical, effective and outcome-centered discipline, and that would be an amazing legacy for any leader.

What should the new czar do? (Tanji’s Security Survey)

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t _force_ anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

My three:

  • De-stigmatize failure. Today, we see the same failures we saw yesterday because we don’t talk about what went wrong. We laugh and point fingers. We need to admit that everyone gets hacked, get over it, and start talking about how it happened and what we can do to learn from it. (This isn’t the same as accepting failure, it’s saying that we understand it happens, and starting to distinguish between what failures might be in our control, and how to expound that set.)
  • Gather data. This is a mirror to the de-stigmatization of failure. The czar should gather as much data as they can on a need-to-share basis, starting with federal systems. What happened? How did the failure manifest? Were there controls in place? Were they credible? Were they managed and monitored?
  • Shoo the mathematicians. No, not shoot, shoo. Send them off the pedestal for a while. Security is a social value, and as a social value, we need to study the human aspects of it like we did at the workshop on security and human behavior. [Update: What I really want is not to eliminate math, but to move to a diverse set of analytic tools. Of course we need math to analyze data, but I think we've gone too far with mathematical models, proven security, and need more engineering rigor. Engineering rigor is obviously based on math, but not done by mathematicians.]

These three goals are possible from a bully pulpit. They don’t require a lot of budget. (Heck, the datalossdb.org guys do it on a volunteer basis.) They’ll be transformational in the way we approach security.

Bonus fourth task: fine anyone $20 each time they say “best practices.”

What’s your take? What should the czar be trying to accomplish?

[Update: Pete Lindstrom takes up the challenge in “If I were a Czar.” Who else wants to take a whack at it?]