Thursday, May 31, 2012

5000th Tweet

Today I posted my 5000th Tweet. I've apparently been a Twitter user since 1 December 2008. I remember not Tweeting anything until 15 July 2009, when I attended a Webcast about "security monitoring." The speakers were using Twitter to gather questions, so I decided it was a good time to try participating.

With the advent of Twitter I've blogged a lot less. It's tempting to think that I've been sacrificing long, thoughtful blog posts for short, mindless Tweets. It turns out that a decent portion of my blogging volume, especially in my early blogging years (say 2003-2006) involved short posts. I recently reviewed a lot of my earlier blog posts, and noticed many of them looked just like Tweets. They may not have fit within the 140 character limit, but they were short indeed.

For me, Twitter is a very compelling medium. It's more interactive, more frequently updated, and just easier to use. I have only ever blogged from a laptop. I use Twitter a lot on my phone and increasingly on my tablet. The ability to send a Tweet while reading a Web page is especially compelling.

On the down side, Twitter surely lacks the "institutional memory" of a blog. I can easily search my blog for past content, navigate via time or label, and read fairly complete thoughts in a narrative format. I can build a new book around ideas on my blog; I can't do that with old Tweets.

Note: can anyone remember who posted the analysis of blogging vs Tweeting output? I was listed in that post but I don't remember who wrote it. Also, thanks to activating a setting on the blog, I now get an email whenever a visitor posts a comment for moderation. Expect faster response times now!

Tuesday, May 22, 2012

Whistleblowers: The Approaching Storm for Digital Security

Last week in my post SEC Guidance Is a Really Big Deal I mentioned the potential significance of whistleblowers with respect to digital security. I came to this conclusion while participating in a panel for those involved with Directors and Officers insurance. This post provides a few more details.

This morning I reviewed slides by Frederick Lipman, author of Whistleblowers: Incentives, Disincentives, and Protection Strategies, pictured at left. Mr Lipman spoke about whistleblowers at the same conference, but I didn't see his presentation.

You can read Mr Lipman's slides on this shared Google drive in .pdf format.

To briefly summarize Mr Lipman's work, Dodd-Frank, the False Claims Act, IRS rules, and other regulations have created an environment more favorable to those who wish to report wrongdoing within their organizations. Bounties for whistleblowers can amount to tens of millions of dollars. Yes, that's right: individuals have received millions of dollars after reporting violations by their employers. If that weren't enough, following penalties levied by the government against companies, the private sector also joins the fray through shareholder law suits.

I'm predicting that due to the increase in regulation during the last decade, whistleblowers will begin to report digital risks or incidents to their boards and/or outsiders.

Consider the following scenario: a publicly traded firm targeted by the APT suffers a major loss of intellectual property. The loss will likely result in decreased revenues for a particular product line because foreign companies will clone and sell the technology, undermining the victim's competitiveness and qualifying as a material event.

The firm decides to not report the event in its SEC disclosure documents. Frustrated with the cover-up, members of the security team act as whistleblowers. If the firm is lucky the whistleblowers use the firm's reporting process to notify the audit committee of the board. If the firm is not lucky, or if the whistleblowers don't feel their concerns are addressed, they report to the SEC or other outside entities.

I could imagine many permutations of this scenario to make it better or worse for all parties involved. The bottom line is that I expect this aspect of additional regulations to be a new driver for disclosure, once it becomes more widely recognized and understood.

For fun, imagine a different scenario where hacktivists compromise the same victim and publish its email. Regulators read the email (or learn via those who read the email) that the hacktivism victim is also failing to report material losses due to APT compromise...

Thank you to Mr Lipman for agreeing to let me post his slides publicly. I plan to check out his book too.

Sunday, May 20, 2012

Comparing IEDs and Digital Threats

Two weeks ago Vago Muradian from This Week in Defense News interviewed Army Lt Gen Michael Barbero, commander of the Joint IED Defeat Organization. I was struck by the similarities between the problems his command handles regarding improvised explosive devices (IEDs) and those involving digital security professionals.

In fact, you may be aware that papers and approaches like Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D. were inspired by the desire to move "left of boom" regarding IEDs.

In this post I will highlight elements from the interview which will likely resonate with those working digital security problems.

  • The threat "shares information globally," and engages in an "arms race" with defenders, sometimes by "sitting in front of a computer" devising the latest tools and techniques.
  • The adversary can introduce changes to tools and techniques in weeks and months, not years or decades as was the case with conventional or strategic weapons.
  • For a "meagre expenditure," the adversary can impose "huge costs on defenders."
  • The goal of the security program (i.e., JIEDDO) is to provide commanders freedom of maneuver to conduct operations (business) in an IED environment.
  • "If you're worrying about the device, you're playing defense." Don't focus only on the device, put pressure on the networks (of adversaries who design, build, and operate the weapons.)
  • Intelligence plays a key role in defeating adversaries. Winning involves applying "lethal pressure, "along with government techniques. "It takes a network to defeat a network."
  • Defeating the device attracts the most attention and funding, but training users and attacking the network must also be pursued. Training involves ensuring that operators are using countermeasures effectively and appropriately.
  • JIEDDO shares threat intelligence in unclassified form so industry partners can devise countermeasures. The unclassified documents are backed by a classified appendix that describes how troops deploy countermeasures in operational settings.
I find the first four minutes of that interview, then comments about unclassified intel sharing at the seven minute mark, to be fascinating. It's clear to me that "malware" is the equivalent to IEDs in this context. Sure enough, just as in the IED world, defeating malware attracts a log of "attention and funding," but training users and "attacking the network" are just as, if not more, important.

If you'd like to see examples of the IEDs encountered in the field and some US countermeasures, check out the first segment.

Monday, May 14, 2012

SEC Guidance Is a Really Big Deal

In November I wrote SEC Guidance Emphasizes Materiality for Cyber Incidents, my thoughts after reading an article by Senator Jay Rockefeller and former DHS Secretary Michael Chertoff. They explained why the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC in October is a big deal.

Since then I attended a conference on Director's and Officer's insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts. Here's what I heard at the conference.

  1. First, lawyers who read the language in the SEC guidance treated it as a "stop whatever you're doing and read this" moment. The lawyers I spoke to said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a "clarification" or restatement of existing guidance.

    Clients bombarded insurance firms asking what language they should use in their SEC disclosure documents. They asked "what are other companies saying? What should we say?" The firms noted similar boiler plate shared among clients, most of which insufficiently met the SEC's requirements.

    One lawyer I spoke with said she expects the SEC to give publicly traded firms a "one year pass" before bringing enforcement actions against them for insufficiently outlining digital risk, pre- and post-breach.

  2. Second, the SEC language will encourage shareholder lawsuits against companies by disgruntled parties who believe boards are not disclosing risks and actual breach details to investors. This will probably not be the primary cause for a suit but it will likely be one of other factors a shareholder action uses to show that a board is not fulfilling their duties to investors.
  3. Third, the SEC language may prompt whistleblower reports from dissatisfied IT and security staff to organizations like the SEC Office of the Whistleblower. (That is a real organization!) In the seven weeks beginning with this new office's launch in August 2011, parties reported 334 tips from 37 states and 11 countries, with successful enforcement actions in up to 30% of cases.

    Although it doesn't appear that this new office has paid any whisteblowers yet, it is apparently gearing up to do so. Imagine a case where security staff believes that management is not treating a breach as the staff thinks it should be treated, and decides to report the incident to the SEC -- with the possibility of a payout waiting!

Right now Congress doesn't seem to think that the SEC rules are working. Joe Menn reported in Hacked companies still not telling investors the following:

At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents despite new guidance from securities regulators urging such disclosures.

Top U.S. cybersecurity officials believe corporate hacking is widespread, and the Securities and Exchange Commission issued a lengthy "guidance" document on October 13 outlining how and when publicly traded companies should report hacking incidents and cybersecurity risk.

But with one full quarter having elapsed since the SEC request, some major companies that are known to have had significant digital security breaches have said nothing about the incidents in their regulatory filings.

Now Senator Rockefeller is taking a closer look as reported by Jennifer Martinez of Politico this week:

Senate Commerce Chairman Jay Rockefeller thinks the SEC needs to ensure hacked companies are adequately informing their investors about when they suffer a security breach or cybersecurity risk that could jeopardize their financial standing.

The West Virginia Democrat wants the full commission to issue guidance for companies — right now they only have staff-level instructions — on when they have to report cyber breaches or threats and what steps they’re taking to minimize the risks.

“It’s crucial that companies are disclosing to investors how cybersecurity risks affect their bottom lines, and what they are doing to address those risks,” Rockefeller said in a statement to POLITICO.

Rockefeller will soon introduce an amendment that calls on the SEC to issue interpretive guidance on when companies must disclose cybersecurity risks and intrusions. Staffers for the Commerce Committee are finalizing the amendment and aim to introduce it before Sen. Joe Lieberman’s (I-Conn.) cybersecurity bill goes to the floor.

This is the sort of activity that I think is going to mark a sea change in digital security over the coming years. I don't expect engineering or technical developments to have anywhere near the same level of impact as issues that involve legislators, lawyers, insurers, and financiers. Stay tuned!