Let’s start today by looking across the Pond.
I concluded my last post by saying that here in the U.S. we need CISPA, but beyond CISPA what we really need is both better private sector security performance and a stronger government-private sector foundation of trust in information sharing.
Dear Old Blighty
A few weeks ago, the UK government launched a voluntary information sharing partnership with private industry. The goal is to build not only a “practical information-sharing platform for industry and Government to share information on cyber security threats and mitigations”, but also to lay the foundation for trust between industry and government going forward.
This is one area where I think CISPA does a very good job in its current formulation and it is important that this quality be maintained. Building trust between government agencies and private industry is almost more important than the specific protocols implemented and I’m happy to say that CISPA lays a positive foundation for trust between industry and government.
A Tricky Balance
Striking the right balance isn’t easy. For its program, the UK rejected the European Union’s mandatory breach-disclosure proposals; participation is strictly voluntary. CISPA supporters in the U.S., from Time Warner Cable to Oracle, IBM, EMC and Comcast, all seem comfortable with CISPA’s ease of use and user friendliness from a corporate point of view. Facebook was too, at first, but it seems to have gotten cold feet as far as CISPA is concerned, and the company was not included in a recent list of supporters of the bill.
In my last post I outlined the five key domains of malicious cyber activity and I advocated that over 50% of CISPA’s legislative muscle should be focused on e-Crime. Currently, I believe CISPA is too evenly focused on the other domains of CyberSecurity, such as Nation State Espionage, CyberWarfare, Corporate Espionage and Hacktivism, to the ultimate detriment of consumers and citizens.
Yes, the focus on the “China attacks” in the past few years is warranted, but those attacks are not the only ones, and a handful of countries even have certain, shall we say, gangster mentalities about both Nation State Espionage and CyberWarfare. But Corporate Espionage really is more of a blip on the radar screen of CyberSecurity, because between corporations the playing field is level and well patrolled by law enforcement, and while such espionage is hard to detect, the punishments are severe.
And while the media celebrates the latest and greatest socially focused instigations of hacker groups like Anonymous, in general their attacks, successfully taking over a company’s home page for a few hours, etc., are more damaging from a public relations point of view than from a financial point of view.
I wouldn’t say that we should ignore these attack vectors, but we need to keep them in perspective. As far as legislation like CISPA is concerned, its effects on national security are likely to be most decisive if CISPA successfully secures our free market economy, not if CISPA is used to place too much focus on Nation State Espionage and CyberWarfare, which ultimately are domains of state.
Pursuit of Happiness
When it comes to privacy, we should remember this: our privacy is being violated daily by malicious users at staggering rates. Each individual incident gnaws away at our overall ability to engage in the “pursuit of happiness.” From these types of attacks we can see a dramatic pilfering of consumer personally identifiable information (PII), finances, intellectual property and, yes, state secrets. Focusing on e-Crime ultimately is focusing on reinforcing our privacy, our rights to security and the attendant ability to pursue our own private versions of happiness.
I personally believe that the Senate version of CISPA can be steered towards putting more safeguards on personal digital liberties without losing its beneficial qualities and its favorable support from industry. My suspicion is that Facebook’s withdrawal of vocal support for CISPA is more of a PR move than anything else, especially given the company’s own periodic flare-ups over privacy issues with Facebook users. What happened between last year and now to cause Facebook to back away from CISPA? Once a “CISPA is bad for privacy” meme had been established, whether true or not, merely being associated with a threat to privacy became yet another yoke around Facebook’s neck.
Again, I think these concerns are overblown and that CISPA does not damage or injure civil liberties. As individuals and consumers, we really have much more at stake in getting legislation passed to solve this problem than corporations.
Finally, from a practitioner’s point of view, the real question is why organizations, corporations or other entities have such bad security to begin with. Why do these security compromises occur in the first place? This is where the real outrage is, and I’m surprised that more voices aren’t being raised to call attention to the core of our problems.
We need a uniform certification system for security practitioners, and we need everyone to raise their game in this space. As much as CISPA will help, I believe this is the root of the issue and it must be addressed. While executives are very supportive of the need for security there is typically a huge resistance to prioritize and properly fund initiatives, to staff them, to run and effectively manage them.
Security is a very nuanced and complicated industry. Unfortunately we have a lack of technical, managerial and executive skill, and a fairly large percentage of organizations that are primarily reactive and deeply myopic because they don’t deploy a risk management approach or integrate higher-level threat mitigation functions.
Clearly companies are in the business of making money, and that’s great. Most security impacts are not financial, and as a result it is public awareness of issues that causes action, not the issues themselves, altruism, or a profit motive.
The Gap Between "Compliant" and Secure
In industry we have frameworks for how to apply security to our organizations, but we don’t know what “good” even looks like. We have multiple regulatory and certification requirements that need to be adhered to for various reasons, but no one ring, as it were, to bind them all. While overlapping frameworks and certifications are both good, unfortunately they do not get us to true security. The gap between “compliant” and “secure” is huge and a main area of weakness in most security organizations.
CISPA can address the lack of legal protection that hampers efforts to track malicious users. If a company has been attacked and would like to share that information with law enforcement as a victim, there is typically resistance from that company’s legal department, including concerns around liability, litigation costs, public reputation and other downsides. So doing the right thing by the business and for one’s customers should be easier with CISPA.
Companies need information on how the attacks are occurring so we can implement defensive methods. Law enforcement agencies need to be able to develop cases to bring malicious individuals and syndicates to justice. Without this information sharing we are stuck in the same position we are in today. Effectively, we are being robbed and can't tell the police what the perpetrator looks like.
But CISPA isn't the final point, it is only the beginning. Companies need to step up to the plate and raise their games when it comes to their own cybersecurity. This is where the rubber hits the road, and right now we’re seeing too many blowouts.