My Review of White House Cybersecurity Strategy and Legislative Proposal

In the past couple of weeks we’ve seen two things come out in the forward progression of cybersecurity. The White House released its “International Strategy for Cyberspace” and the “Cybersecurity Legislative Proposal”. In reading over both of these I’ve been quite surprised in some aspects and disappointed in others. Since these documents are typically created by academia and policy makers, it’s my intent to provide a practitioner’s perspective on them.

To cover these two documents we first need to look at the issues that are driving them and some foundational issues. Over the past ten years corporations and government agencies have been under significant attack. As the years have progressed these attacks have become more significant and threatening. The past five years alone have resulted in an astronomical amount of data loss and crime. We must look at these attacks differently, as not all “attacks” are the same. Like a good number of others, I break these attacks into a couple of categories: Ecrime, Cyber Espionage, Cyber War and Evandalism. Evandalism is the result of individuals causing harm to a system for bragging rights or simple destruction. A good amount of historical malware and website defacements can be included in this category and can be considered a simple crime.

Ecrime is the attacking of systems for the purpose of gaining access to data, accounts, etc., for financial gain. This area has dramatically increased over the past seven years as organized groups have figured out how to steal money from ATMs, sell personal information, wire funds out of financial accounts, etc.

Cyber Espionage is the modern day version of legacy espionage.  A significant amount of this activity has gone on in the past eight years and has challenged government agencies as well as corporate ones.  There are two main areas of cyber espionage, not unlike in the physical world, where one is corporate espionage and the other is state espionage.  Both have been occurring and have been publicly noted.

Cyber War is the compromise or destruction of systems for the destruction of property or loss of life. We have seen fewer than 3 instances of this. The most recent is this year’s Stuxnet worm. While a lot of conversation has surrounded this topic, it’s not in my view a significant current threat compared to the other ones.

The conversation of cybersecurity, in the context of legislation and strategy, is mostly around state sponsored cyber espionage and cyber war. The term “critical infrastructure” is the main scoping of the conversation on the legislative proposal, and the term means “a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters whether publicly or privately owned...”. The majority of these systems are owned and controlled by private industry.

Over the past thirteen years there’s been a discussion around critical infrastructure, private / public information sharing and cyber security. The main assumption is that private industry will work to secure the systems commensurate to the threats we face. This is the first fundamental logic flaw of the methodology. Private companies do not see themselves as responsible for, nor capable of, defending against state sponsored war or espionage. It’s never been part of our purview and conflicts with some foundational profit theories that exist. However, it’s been discussed and misinterpreted between the public sector and private industry. Having this sole requirement would need a dramatic change in the operation as well as the culture of the private industries that manage these environments. As a result, the overall costs would be prohibitive to operate moving forward. Defending against Ecrime and Evandalism is one thing; however, state sponsored attacks are another.

This leaves us with the list of companies that would be included in the “Critical Infrastructure” definition as well as the level of security necessary.  When we look at the various companies that store, process and maintain these data elements or environments that can cause significant impact to our nation, the list is much larger than has typically been used.  When we add this list of companies to the supply chain problem we start to see the significance of the threat.

International Strategy for Cyberspace

As a practitioner I’m more supportive of defense for our data and service availability than anyone, as I see the challenge every day. In reading the Strategy, I was happily supportive, yet it still didn’t go far enough. The Strategy details, quite eloquently, the future environment we want to be in. Yet it makes strong statements around how we should not deploy security defenses to protect ourselves. The core issue I have is that there will be no limitation of data flow for security.

In my entire career I’ve been supportive of an open and unrestricted Internet. Yet I believe we need a change. A change that is not only necessary but also one that is based on precedent in the physical world. Today we have private industries managing trade and commerce between the U.S. and other countries. In all of these instances, there is a governmental monitoring and inspection component that is there to ensure protection of our defense as well as our public. The Internet should be no different. We need and should have a national monitoring and defense capability that protects our digital borders. This protection would be to identify and defend against externally based attacks.

Private industry has fought against this in the past, arguing it would disrupt innovation and freedom. Having been in the industry for my entire career, not only do I not see the validity of this defense, I see the harm that it has caused private industry in costly attack remediations. We have placed the current Ecrime industry at a trillion dollars. Without more active monitoring and policing I don’t see this changing its momentum. Other countries have already implemented programs to filter negative traffic from affecting them; we should be no different. How can we defend the critical infrastructure without an entity that is focused on defending to the level necessary? Private industry does not and should not maintain its own state level defense programs. We find it challenging enough to limit insecure consumer or personal devices on our networks; how can we have the cultural capability to defend against a state espionage organization?

The majority of the strategy is good and sound. I was quite happy with the statement and direction of international cooperation, norms and deterrence. As a practitioner this really establishes two major entities to focus on: NATO for Cyberwar and INTERPOL for Ecrime. INTERPOL is only a coordination body; however, its coordination and experience in driving Ecrime cybersecurity efforts are critical to tracking down and disrupting the activities that are currently going on. Of course, its ability is really the ability of local law enforcement, and therein lies the inability that exists today in disrupting the organized criminal activities.

Cybersecurity Legislative Proposal

On May 12th the White House submitted the amendment proposals to existing laws. These amendments cover data breach, criminal activity, etc. All in all it’s a good start but not where we want to end up (yes, I read it all).

Data Breach Notifications. We have had state driven data breach notifications for so many years, and this has had a significant negative effect on how we manage notifications today. We drive a “high bar” rule and notify everyone at the smallest issue. Establishing a national notification lessens the complexity and enables us to focus on the investigation and remediation. Unfortunately, protection rules are not included. As we see in other breach laws, California and Massachusetts, there are specifics around the protection requirements to ensure compliance. There are no such rules at the national level.

  • Sec 1, G, 2 - It states that a non-truncated SSN, DMV, etc. number is included, but it doesn’t specify to what extent truncation is sufficient. Can dropping the first digit of the SSN be sufficient? I hope not. - Bad
  • Sec 1, G, 3 - Unique biometric data is included.  This would put to rest some of the debate over “hashes” that represent the fingerprint not being sensitive.  It is now.  - Good
  • Sec 1, G, 4 - Any account number is now PII.  Some applicability might be extreme.  Good / Bad
  • SEC 101, A - Notification does not need to be made if a risk assessment is done (by the company) and they conclude no reasonable risk of harm or fraud could occur.  This is a pretty big loophole, in my opinion, where proving harm is nearly impossible and now everyone can claim they don’t see it.
  • SEC 101, A - Notification does not need to be made if the company doesn’t collect more than 9,999 individuals’ information in a 12 month period. So if you get your SSN and CC stolen and it’s less than that, no harm? - Bad
  • SEC 101, B - Only notice is required; there is no fraud protection for SSN, etc. It has been industry best practice to pay for a year of fraud protection for victims. Not having this established leaves it to be discretionary.
  • SEC 101, C - Notification must be made within 60 days of identification.  In my experience if you are having to go beyond 7-14 days you have some serious problems.  I would expect 30 days to be sufficient.
  • SEC 102, B, 1, A - Notification does not need to be made if the data is “rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field of information security”. The intent is to not be specific on encryption technologies; however, this language is very broad and creates a huge insecure loophole for companies to deploy poor methods. All of it is dependent on “methodology generally accepted by experts”. This opens Pandora’s box on who is an expert and invites lengthy court litigation. This should be limited to encryption technologies accepted by NIST.
  • SEC 102, B, 2, B - Risk Assessments must include logging data for a period of at least six months prior to submitting the RA. With a great amount of the PII data being housed in outsourced or SaaS provided environments this will be very challenging. Necessary and good, but challenging. I have not seen a SaaS provider provide logs for their multi-tenancy environments to a customer. This would be extremely good for those of us who want the data; however, it’s not an easy feat. I can see cloud providers being understandably concerned about this, as they will have to provide the data in the normal course of business.
  • SEC 103, 1, C - Email notification can be made if there is an opt-in and the message is compliant with section 101 of the Electronic Signatures in Global and National Commerce Act. I struggle to see any cloud provider adhering to this today.
  • SEC 108, A, 1, C - Civil penalties from $1,000 to $1,000,000 per violation (individual). This will be interesting to watch. The main issue is which level of negligence warrants which dollar value.

DHS Cybersecurity Authority.  

I’m glad we are getting more granularity and authority for DHS’s role in protection of cybersecurity. I do have questions around their ability to fulfill this, as we have, historically, wanted an information sharing partnership and it’s been a relative failure. DHS still owns this responsibility and, in my opinion, it is not at the top of their list. We have to be honest with ourselves: it’s not that challenging to share the information, and we really don’t see DHS coming anywhere close. As a result, private industry has taken it upon itself to share information with each other, mostly in the past 3 years due to the attacks we have seen. Yet the conversation with no actual effort behind it has driven most of us to resist any future conversations, as they are perceived as a waste of time. Most of it comes down to the public sector wanting data but not providing any.

However, on the private industry side, we need to be very honest with ourselves. The data we have asked for is attribution data, but that data is not very beneficial. What we want is attack methodology and vector information. In addition, we’ve gotten very frustrated with the FBI as they haven’t provided it. It’s not possible for the FBI to share this information with us, as they are legally restricted due to investigation constraints. We should be focusing our efforts on DHS (US-CERT) to provide this information to us in a timely and detailed manner.

  • SEC 243, C, 7 - Develop and lead a nationwide awareness and outreach effort to educate members of the public about “security”. This is not only a huge responsibility, but THE most beneficial capability anyone could have in resolving the cybersecurity problem. It is my belief that the culture of consumers and company executives limits the ability to implement controls to mitigate the cybersecurity threats. Having a focused initiative to drive this effort could have the most significant effect in changing our defensive posture. This is the main conversation point in my talks as well as my methodologies. My “Equilibrium Theory” drives this point, as awareness and culture are the main problem with the security industry today. I hope that the limitation of text doesn’t denote a limitation of resources and attention.
  • SEC 245, A - Anyone who lawfully collects logs can submit them to DHS (see comments above). I’m not sure how this will work, since the “trust capital” has been spent by USG. It could be reversed and facilitate information sharing. However, if private industry does it for USG, are we also allowed to share the same information with other countries? Most private industry organizations are global, and if we share information with one we should share it with others. I’ve had conversations in understanding the UK’s and others’ information sharing programs. However, I see no clauses in here that allow the sharing of information with non-USG entities.

Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act.  

  • SEC 3, C - Establishment of Risk-Based Tiers. For CI there will be tiers that each corporation will be placed into. The tiers are based on threat, vulnerabilities, impact and other factors. I don’t believe the first two points (threat and vulnerabilities) are logically warranted points of differentiation. The impact of an attack, given the first two, is what shows the risk level of an organization. This is a fundamental flaw in the logic of “Risk” and shows a lack of applied and theoretical security understanding.
  • SEC 6 (all) - External auditors will evaluate companies (audit) for compliance and risk. Throughout our history of auditing and accreditation, the inability to get objective, skilled and experienced auditors has resulted in numerous failures. Some of the most recent conversations in industry are around PCI QSA auditors. Most of us do our own audits because the skills are incredibly lax on the audit side. I have no confidence that any auditor will be skilled enough for the task of assessing risk based on a complex state sponsored attack on our critical infrastructure. In addition, the existing auditing firms still have a questionable conflict of interest. This one requirement will drive a failure of the entire initiative unless it is not managed directly by DHS or strong liabilities are applied to the auditor directly. Unfortunately, I don’t see how this can be successful regardless.
  • SEC 7, A - Annual certifications are signed by the CEO and show that there is a plan, an evaluation was done and whether it is effectively mitigating. I would like to see more teeth here, where the disclosure requires a remediation plan for outstanding issues. In addition, justification as to why the issue exists to begin with. What risk assessment process was done to allow the risk to be introduced? Is there a repeatable failure of maturity? All of these should be standard in the disclosure.
  • SEC 8, A, 1, C - Secretary shall not, in enforcing the provisions of this Title, issue a shutdown order, require use of a particular measure, or impose fines, civil penalties, or monetary liabilities on the owner or operator. I have to say I’m very disappointed in this. Perhaps I’m reading it wrong. In the event that there is a failure of protection of USG’s national security by way of Critical Infrastructure, the governing body (DHS) is limited to “wagging of the finger”. All they can do is publicly disclose that the company is not providing a secure processing facility. This section has simply removed the teeth from the entire purpose. Why would I worry about complying if there really is no penalty? We’ve seen this with SOX and PCI. We need stronger governance.