Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report as a significant underestimate of the number of breaches that actually occurred because not only are we not hearing from 9% of entities, but many authorities that did report probably did not detect or learn of all of the breaches they actually experienced. BBC notes, “For example, it does seem surprising that in 263 local authorities, not even a single mobile phone or memory stick was lost.” “Surprising” is a very diplomatic word. (“What They Didn’t Know: Big Brother Watch report on breaches highlights why we need mandatory disclosure“)

Under these circumstances, then, it becomes more likely that the charges are indeed weak (or false) ones made to seem as though they are strong. Conversely, if there were no political motivation, then the merits of the charges would be more closely related to authorities’ zealousness in pursing them, and we could take them more at face value.

Alex,

Just imagine (or try at your own risk) this –

Step 1. Carry out risk assessment
Step 2. In your organisation, boycott all COBiT recommendations / requirements for 3-6 months
Step 3. Carry out risk assessment again

Do you see increase in risk? If Yes, then you will agree that adoption of Cobit has reduced the risk for you so far.

You might argue that its ‘a Control’ that ultimately reduces risk & not Cobit.. however I sincerely feel that ‘effectiveness’ of the control can be greatly improved by adopting cobit governance framework & Improvement of controls can be translated into reduced risk.

I can go on writting about how cobit also governs your risk universe, but I am sure you are experienced enough to understand these overlapping concepts without getting much confused.

Nice try, Sid!  However, remember my beef is that Information Risk Management isn’t mature enough.  Thus I’ve asked for “valid scales” (i.e. not multiplication or division using ordinal values) and publicly available models (because the state of our public models best mirrors the maturity of the overall population of risk analysts).

And that’s my point, even if I *give* you the fact that we can make proper point predictions for a complex adaptive system (which I would argue we can’t, thus nullifying every IT risk approach I’ve ever seen), there isn’t a publicly available model that can do Steps One and Three in a defensible manner.  Yet ISACA seems hell-bent on pushing forth some sort of certification (money talks?).  This despite the inability of our industry to even use the correct numerical scales in risk assessment, more or less actually performing risk assessment in a means that can be even used to govern on a strategic level, or even showing an ability to identify key determinants in a population.

Seriously, if you can’t put two analysts with the same information in two separate rooms and have them arrive at the same conclusions given the same data – how can you possibly “certify” anything other than “this person is smart enough to know there isn’t an answer”?

LET’S TALK COBIT

I want to make one thing clear.  My beef isn’t with ISACA, it’s not with COBIT, it’s not with audit.  I think all three of these things are awesome to some degree for some reasons.  And especially, Sid, my beef isn’t COBIT – I’m a big process weenie these days because the data we do have (See Visible Ops for Security) suggests that maturity is  a risk reducing determinant.  However, this is like a doctor telling a fat person that they should exercise based on vague association with a published study of some bias.  How much, what kind, and absolute effectiveness compared to existing lifestyle is (and esp. how to change lifestyle if that is a cause) is still very much a guess.  It’s an expert (if I can call myself an expert) opinion, not a scientific fact.

In the same way your assertion about COBIT fails reasoned scrutiny.  First, there is the element of “luck”.  In what data we do have, we know that while there is a pretty even spread in frequency of representation in data breaches between determined and random attackers.  That latter aspect means that it’s entirely likely that we could dump COBIT and NOT see an increase in outcomes (whether this is an increase in risk is another philosophical argument for another day).

Second, maybe it’s my “lack of experience” but I will admit that I am very confused these days as to a proper definition of IT Security Governance.  Here’s why; there are many definitions (formal, informal) I’ve read about what ITSec G is.  If you argue that it is simply the assignment of responsibility, that’s fine.  If you want to call it a means to mature an organization to reduce risk (as you do above), then we have to apply proper scrutiny towards maturity models, and how the outcomes of those models influence risk assessment outcomes (the wonderful part of your comment there is the absolute recognition of this).  If you want to call it a means to maturity or if ITSec G is an enumeration of the actual processes that “must” be done, then we get to ask “why”.  And once that happens, well, I’m from Missouri – you have to show me.  And then we’re back into risk modeling, which, of course, we’re simply very immature at.

Any way I look at it, Sid, I can’t see how we’re ready for a certification around Information Risk Management.

Side Note: My problem with IT Security Governance is this: If at any point there needs to be some measuring and modeling done to create justification of codified IT Security Governance, then the Governance documentation is really just a model that says “here’s how the world should work” and as a model requires measuring, falsification, and comparative analytics. In other words, it’s just management.  In this case, the management of IT risk, which sounds like a nice way of saying “risk management”.

But you can find them all through Google using this search string because they put “NOI” into every file name:

NOI site:http://www.nist.gov/itl/upload/

You’ll see official submissions from Microsoft, IBM, Google, Verisgn, Cisco, TechAmerica, US Chamber of Commerce, plus a few submissions from crazy individuals like me.

INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 children a year, according to the National Safety Council.

…

Janette Fennell is the founder and president of KidsAndCars.org, a safety advocacy group based in Leawood, Kan., that focuses on issues involving children and automobiles. In a telephone interview, Ms. Fennell made her view clear, saying she believed that carmakers must develop reminder devices to warn drivers if a child is left behind.

Second, “The Hard Sell on Salt:”

High blood pressure is rising among adults and children. Government health experts estimate that deep cuts in salt consumption could save 150,000 lives a year.

Bets on which problem is “addressed” first are encouraged in the comments.

Date:            May 19, 2010, 1:30-5:00pm PDT

Location:       Claremont Hotel, 41 Tunnel Road, Berkeley, CA 94705

NITRD representatives from NSF, DHS, and other agencies will present Federal cybersecurity R&D themes. This event will take place at the Claremont Hotel in Berkeley, California, and follows immediately after the IEEE Symposium on Security and Privacy. The themes will guide future Federal research activities and are components of the framework for cybersecurity R&D called for in the President’s Cyberspace Policy Review. This event will be the first discussion of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities.

Registration: http://www.nitrd.gov/CSThemes.aspx.  This event is free of charge.

Webcast:       http://www.nitrd.gov/CSThemes.aspx 

This is a follow-up to the National Cyber Leap Year process that I have previously critiqued.  Of their original five themes, they have down-selected to three (described here), including:

Cyber economic incentives — foundations for cyber security markets, to establish meaningful metrics, and to promote economically sound secure practices.  [emphasis added]

I’m thrilled that this made the cut and I’m also thrilled that it has been recast to focus on incentive systems and metrics.  I will attend this event and be listening for information about how this “theme” will be turned into tangible reality.

As for his priorities, Schmidt says education, information sharing and better defense systems rank high.

That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side.

“One thing we are looking at is how do make sure that the private sector has the information it needs from the government,” Schmidt said, referring to what he called “some of the unique visibility the government has from the attacks on our systems.”

An excellent idea, if I do say so myself.

Recommendation 14.9: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a process led by the White House Cybersecurity Coordinator.

This is a pretty clear step forward. It will be a much bigger step forward if the data shared includes evidence of effectiveness of defensive steps. Without such evidence, budget and authority are unlikely to flow, therefore, actionability requires such evidence.

Also interesting is section 14.10:

Due to the diffuse nature of cyberattacks, sharing of information is critical when responding to, mounting sufficient defenses against and remediating attacks. However, businesses are often reluctant to share information, either with other private sector entities or the government, due to worries about the potential disclosure of such an attack and related concerns about corporate liability, despite the fact that the resources necessary to successfully respond often exceed those of individual private sector organizations…To ensure that this occurs, protocols and incentives should be developed for the sharing of cybersecurity information, threats and incidents in a non-attributable manner. [Emphasis added]

I think this is a pretty big win in a couple of ways. 14.10 is most interesting because we’ve moved from need to share to discussions of what the blockers are. The use of the term “non-attributable” is a move forward from the typical “anonymous.” I’d prefer to see a strategy that called for protocols and incentives to overcome the problems and concerns, giving us more room for innovation and experimentation.

Is the strategy a silver bullet for information security? No, obviously not. On the other hand, these elements are (as far as I know) new in Federal strategies or plans.

Thanks to Brent Rowe for the pointer.

In a keynote speech at RSA 2010 (full text), Microsoft’s Scott Charney proposed proactive solutions to systemic problems like botnets.  Drawing analogies with  public health and environmental protection, he said it might make sense for ISPs quarantine infected consumer PCs. Then he said:

And then there’s a question of who would pay for that. Well, maybe markets will make it work, but if not, there are other models: use taxes for those who use the Internet. We pay a fee to put phone service in rural areas, we pay a tax on our airline ticket for security. You could say it’s a public safety issue and do it with general taxation. [emphasis added]

In other words, some collective action might be beneficial and either markets might pay for it, or taxes might be necessary.  Two days later, a Microsoft spokesperson clarified:

“Scott Charney did not suggest a new Internet tax to fund cybersecurity programs. As part of his keynote at RSA he recommended that the industry and government look at developing the equivalent of the World Health Organization to combat malware on the Internet,” the spokesperson said. “Within this context he mentioned the need to explore how to develop a sustainable funding model for this initiative, not suggesting that any particular funding model is best.”

To be even more clear, he definitely didn’t say that Microsoft should get the proceeds or play any part in how it is spent.   

In the following days, industry analysts, executives, and bloggers weighed in and their judgment was mostly negative.  A prime example is the Computerworld article with a headline that called it  ”a horrible idea”, quoting John Pescatore of Gartner Group.   Here are more ‘expert’ reactions quoted in the same article:

• Pescatore: ” ‘Why not a tax on all retail goods for a standard antishoplifting service all merchants would have to use?’ A business, he said, can now select what it thinks is the best anti-malware solution, but that choice would presumably vanish if funding for battling the bad guys went national.”
• Pescatore: “A general tax would reduce the services to the lowest common denominator”
• Wolfgang Kandek, CTO of Qualys:  ”I have a hard time seeing [a tax] work. The Internet is an international body; you can’t regulate it, and you cannot levy a tax. ISPs might have to up their fees to pay for something like this, I can see that, but a tax that brings government into play — I can’t see that.”
• Randy Abrams, Director of Technical Education at ESET Security: “A tax may be a bad idea, but people will pay for it one way or another.”
• Andrew Storms, Director of Security Operations at nCircle Network Security: “I don’t have a problem with charging a fee and giving it to good works for the whole.  The problem is that one, you have to find a big, smart and trustworthy organization to handle this. And most people will agree that’s not the government, and that’s not Microsoft.”
• Storms: “More likely is that an ISP will take the plunge, charge its users a little extra to keep their machines clean, and prove that it’s possible.  Then I could see a consortium of ISPs getting together to do that.”

Here are some of the negative reactions from bloggers:

• Adrian Kingsley-Hughes shouts, “No!”:

“Let’s also not forget that Microsoft has gone out of its way to create a monoculture where one OS dominates, through legal and illegal methods. So the idea that we should now all pay to solve a problem that Microsoft not only wanted to create, but made billions of dollars in the process is frankly … ridiculous.”

• Don Tennant is equally scathing:

“Microsoft’s “Trustworthy Computing” shtick has gone so far over the oxymoronic top that it’s just no longer possible to give the company the benefit of the doubt. … Really, Scott? … Did you really think we’d all look at each other with nods of agreement, impressed by the brilliance of your epiphany? Didn’t you realize that revelation might just backfire on you?
…
It’s unfathomable that a company with Microsoft’s resources can be so clueless and out of touch. … If Microsoft expects to be taken seriously as an enabler of “trustworthy computing,” it needs to do a lot more than this to demonstrate trustworthiness. Taxing users who find the software they bought is non-secure is like taxing Toyota owners for finding they have faulty gas pedals.”

• Marc Handelman called it “Blatant Stupidity“.
• Dr. Roy Schestowitz: Microsoft’s Government Insider Wants Mac Users and GNU/Linux Users to Pay Microsoft for Its Incompetence

This is where I step in an call “BOGUS!”

Q:  How many of these ‘experts’ know any thing about information economics and public policy responses to negative externalities?  A: Zero.

Even more basic Q: How many of them bothered to find out what Charney was really proposing – rather just reacting to the headline version: “Net tax to clean computers” or the fact that someone from Microsoft said it?  A: Of the articles and blog posts I saw, only two bothered to dig into the speech and seek to understand or clarify Charney’s comments: BetaNews and yinhuan.net.  Conversely, the comments by Pescatore and Kandeck lead me to believe that they didn’t really understand the proposed idea.  Others used this opportunity to throw rocks at Microsoft rather than deal with the substance of the ideas. 

Regarding the idea itself, I think the comment by Randy Abrams is on the mark: “… people will pay for it one way or another.”    Right now, we pay for it through the cost of security breaches and through the cost of inefficient security spending.

The idea of taxes as a way to counteract or pay for mitigation of negative externalities has been thoroughly researched in economics, especially environmental economics.  Here are some links if you want to learn more:

• Also known as Pigovian tax
• Short Tutorial
• Longer Tutorial in the context of environmental economics
• “Green taxes” — public policy analysis from UK
• Economic analysis of negative externalities and possible solutions (PPT)

Myself, I’m more in favor of market-based funding methods (e.g. insurance, etc.): Incentive-based Cyber Trust.  But mandated insurance or other mandates can be seen as a form of “tax”, so the main question is what form of incentives and funding is most effective and most efficient.

This is just one small case in the on-going public policy discussions regarding economics of information security, but given the reaction of the ‘experts’, this was a step backward.

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

I can’t help but notice one other important distinction between these two types of bank crimes: The federal government sure publishes a lot more information about physical bank robberies that it makes available about online stick-ups.

Go read “Cyber Crooks Leave Traditional Bank Robbers in the Dust” by Brian Krebs. Then ask why we sweep these crimes under the rug.