Author: Mike

The Wolf Approaches

In the government, the use of the term “grave” means something very specific. That meaning should be obvious to you, but on the off chance that you haven’t had your first cup of coffee yet, it means that whatever the issue is, messing it up could cost someone (or more than one person) their life.

The attack against the water system in Oldsmar, Florida was a potentially grave situation. A water system is not a trivial technology enterprise and as such it has numerous checks – including a human in the loop – to make sure malicious activity or honest mistakes don’t end lives. But the fact that an outsider was able to get such access in the first place makes it clear that there exists a disconnect between what such systems are supposed to be, and what they are.

We give the Sheriff of Pinellas County a pass on the use of the term “wake-up call” because he has not spent a large portion of his life in the belly of the cybersecurity beast. A wake-up call only happens once, how we respond indicates how serious we are about taking action:

  • In 2015 DHS Secretary Jeh Johnson calls OPM breach a “wake-up call”
  • In 2012 General Alexander, Director of the National Security Agency, calls the hacker attack on Saudi ARAMCO a “wake-up call”
  • In 2010 Michael M. DuBose, chief of the Justice Department’s Computer Crime and Intellectual Property Section, called successful breaches such as Aurora “a wake-up call”
  • In 2008 Deputy Secretary of Defense William Lynn called the BUCKSHOT YANKEE incident “an important wake-up call.”
  • In 2003 Mike Rothery, Director of Critical Infrastructure Policy in the Attorney-General’s Department of the (Australian) Federal Government called a hack into a wastewater treatment plant “a wake-up call.”
  • In 2000 Attorney General Janet Reno called a series of denial of service attacks against various companies a “wake-up call.”
  • In 1998 Deputy Secretary of Defense John Hamre called the SOLAR SUNRISE incident “a wake-up call.”
  • In 1989 IT executive Thomas Nolle wrote in Computer Week that poor LAN security was a “wake-up call.”

The details of this particular case are probably never going to see sufficient sunlight, which only adds to the ignorance on these matters at all levels, and sustains the fragility we so desperately need to improve. This is particularly important when you consider how our relationship with technology is only getting more intimate.

These are issues that are decades old, yet if you want to have some idea of what it will take to spur action, keep in mind that we intentionally poisoned 100,000 people via a water system for five years and no one is in jail (yet). The idea that the people rooting around in such systems have the ability to cause such effects but don’t because they appreciate the moral, ethical, and legal implications of the matter is increasingly wishful thinking.

We in security have long been accused of “crying ‘wolf’” and for a long time those critics were right. We knew bad things could happen because Sturgeon’s Law has been in full effect in IT for ages, but it has taken this long for matters to go from merely serious to grave. Like everyone who puts off addressing a potentially fatal issue until the symptoms cannot be ignored anymore, our ability to survive what comes next is an open question.

Posted on by Mike

The Wall: Undermining National Security in More Ways Than One

The nation’s longest federal government shutdown continues, along with the debate on the issue that triggered it: a wall on the border between the U.S. and Mexico. While every serious voice agrees on the importance of secure borders, what constitutes effective border defense varies widely. Largely ignored in these discussions: how the financial and emotional impact of the shutdown puts the nation at risk not from external threats, but internal ones.

From the beginning of this shutdown, we’ve heard numerous stories from the ranks of the 800,000 laid off government employees, as well as the massive number of government contractors who are also not getting paid (and won’t get back-pay when this is all over), on social media and in the press about how the shutdown has and will continue to impact them and their families:

“Last week we had soup for dinner and my son asked if it was because we didn’t have money.”

“I’m really worried my landlord will not be happy when I can’t pay my rent.”

A federal employee with diabetes who is running out of insulin “…can’t afford to go to the ER. I can’t afford anything. I just went to bed and hoped I’d wake up,”

These stories point out the precarious financial situation at least part of the nation’s federal workforce faces, not just during the furlough, but on a regular basis. ‘Living paycheck to paycheck’ is a phrase one usually does not associate with college-educated professionals on the General Schedule, which is a signal to the intelligence services of our adversaries that one of the primary means of getting someone to spy for you – Money – is more likely to produce results across a wider spectrum of targets than may have been thought.

Such efforts do not necessarily have to be applied to feds with security clearances; you don’t have to have a clearance to provide information of value to our adversaries. The collection of intelligence about an adversary is often described as akin to building a ‘mosaic’: a lot of little pieces of this and that, no one piece being particularly valuable, assembled over time into a comprehensive picture.

As an example, one of the classic little ‘asks’ that counterintelligence training used to tell you to be wary of is requesting a facility or agency phone book. What harm could that do, right? It’s not even classified. We always have extra and they just go in the trash at the end of the year. Well, you’ve just handed over a list of who does what in your organization, and provided a means to reach them. You’ve also confirmed, or filled in gaps, in an adversary’s knowledge of the organization and what it does.

A modern equivalent? “Hey, I’ve been trying to bid on this contract your agency is putting out. Could you provide me with the email of <a senior defense executive>?” What’s one email address, right? Well, for all the talk of “APT” and “sophisticated” nation-state hacking, phishing is still a leading method of cyber attack. And based on professional experience, the more senior the individual, the less attentive they are to cyber security threats.

With a little more time and effort, one could come up with an extensive list of potential scenarios. None of them have to be obviously linked to security or safety issues that might make a frustrated-but-loyal fed feel suspicious, because that’s the magic of building a mosaic: every little tiny bit helps.

This isn’t exclusively a nation-state-based threat. Contractors with questionable ethics, organized crime, terrorists, or other threat actors could all take advantage of the precarious financial situation Uncle Sam has placed his people in. This is of particular concern in environments where the trustworthiness of the workforce is already questionable.

Federal shutdowns are not new. But this one comes at the end of a string of insults and injuries the federal workforce has had to face in recent years. The most significant of these being the breach of computer systems at the Office of Personnel Management. OPM didn’t just lose personnel records, it lost the background checks and related paperwork for feds with security clearances. To maintain a clearance, one has to re-submit to a background check every few years. Questions about your financial situation will be asked. Investigators will understand what caused people to miss payments or take a ding to their credit scores in the winter of 2018/spring of 2019; but if a missed paycheck sends you into a financial Mariana Trench, that’s going to be an issue. Being in financial straits could cost you your clearance, the loss of which could cost you your job. The real impact of the shutdown for some might not come home to roost for months or years.

The opposite is also true: if the bulk of the workforce took a financial hit, but you managed to come out unscathed, why is that? Everyone assumed Aldrich Ames’ stories about his wife’s family’s wealth were true, until they found out it wasn’t.

How do we deal with this?

Congress and the White House should focus on border security, not a wall per se. While there are places along the U.S.-Mexico border where a literal wall might make sense, we need to apply all the tools and technologies available to us – steel, concrete, sensors, drones, and people – to address the problem. People want a check on illegal immigration, the form that check takes is less important than the fact that it exists, and is functional.

A comprehensive study of the federal pay scale. No one joins the gov’t to get rich, but if the financial troubles of the workforce are as deep and wide-spread as the media would have us believe, is that a function of a whole lot of people living beyond their means, or are we really not paying people a livable, much less market, wage? Its ‘federal service’ not ‘federal servitude.’

If you’re a fed, particularly one with a clearance, maybe don’t talk to reporters or get on social media to discuss your plight. This is not the old days: identifying the missives of potential targets is neigh on trivial to actors like Russia and China (especially if they have your OPM file and SF-86 paperwork). And while no one thinks they’re the one who is going to sell out their country to pay the mortgage, under the right conditions, anyone can be pressured to do a little, seemingly innocuous thing, that could contribute to serious damage down the road.

/* Full credit and extensive thanks to Freshman, who came up with the idea for this post and was instrumental in its creation. */

Posted on by Mike

Cyber Stars

/* Warning: Extensive over-use of the word “cyber” ahead. */

 

The other day my old friend and colleague Bob Gourley Tweeted:

Random thought: There are 24 four-star flag officers in the U.S. military. Every 4 star I have ever met is really smart. But only one of those 24 has real cyber war experience, and he is retiring soon. How do we change that for the better?

My friendly, snarky-a** response at the time was:

First: Get a time machine

The services have had “cyber” components for several years now, and the US Cyber Command has been active since 2009. But a military officer could have been exposed to what we would recognize as the cyber mission these days at roughly the turn of the century. For the sake of discussion let’s say this was their first assignment out of training. The average amount of time officers spend at various ranks breaks down something like this:

Rank / Time in Service

 

2nd Lieutenant / 1 year

1st Lieutenant / 1.5 years

Captain / 4 years

Major/ 10 years

Lieutenant Colonel/ 16 years

Colonel/ 22 years

 

So if our notional lieutenant started her career in cyber in ‘99, she attended all the right schools, got sufficient command time, and punched all her staff assignment tickets, she might be a G2 (chief intelligence officer) or battalion commander. If she was a “rock star” she may have received several “below the zone” promotions (getting advanced ahead of her peers) and might even be looking at colonel in the very near future.

But…

Time in service doesn’t mean time spent doing the job. The first 4-6 years of an officer’s career is learning the ropes. It is probably when they’re the most technically oriented. Once they get a company-level command their life is basically paperwork (and shaking their head ruefully and the shenanigans of the junior enlisted in their charge).

After company command is staff jobs (more paperwork), and higher civilian and military education. Lieutenant colonel is an officer’s next opportunity at command, and where they’re exposed in-depth to sub-disciplines and how to make all those moving parts work as a coherent whole. Then more staff time until colonel, and with luck brigade command.

In 20 years Colonel Duty Bound is a very well-rounded officer, but she has spent less than half of that time actively working the mission.

“But Mike, there were more senior officers who were working the mission back then. The pipeline of experienced cyber offices isn’t so grim.”

True, but you know who I never heard of back then? Paul Nakasone. You know who I did know? Dusty Rhodes (not the other one). “Who?” you ask. Exactly. Then Captain Jay Healey could have been a Colonel by now. Then Lt. Commander Bill Peyton a Rear Admiral. Then Major Marc Sachs a Lieutenant General. My man Bob Gourley could have been an Admiral and running US Fleet Cyber Command by now, but you know what the Navy decided not to do to one of the pioneering officers in the cyber field? Make him a Captain. We’re not lacking in talent, we’re lacking in talent management.

We have been training, equipping, and staffing for the cyber mission – in fits and starts – for over two decades, and yet the cyber career field is still a newborn. To put things into perspective, the Army Air Corps went from biplanes to the B-29 Super Fortress and nascent jet fighters between the ~20 years of its formation and the end of WWII. Moore’s Law indeed.

The various service schoolhouses can turn out 1,000 cyber lieutenants and ensigns a year, but there are still only a handful of flag officer billets for service-level and national-level command in the field. To be successful as warfighters in the information age, we have to ensure that “cyber” is an element within every career field. As odd as this sounds, we can’t treat technology, the use thereof, and the associated risks and threats to same, as something special. Everyone has to know something about it. Everyone has to be responsible for it to some degree. Every commander at every level in every career field needs to know what cyber can do for them (and if they’re not careful what it can do to them and their ability to execute the mission).

Success is a constellation, not a supernova.

Posted on by Mike

The Global Ungoverned Area

There are places on this planet where good, civilized people simply do not voluntarily go, or willingly stay. What elected governments do in safer and more developed parts of the world are carried out in these areas by despots and militias, often at terrible cost to those who have nowhere else to go and no means to go if they did.

Life online is not unlike life in these ungoverned areas: anyone with the skill and the will is a potential warlord governing their own illicit enterprise, basking in the spoils garnered from the misery of a mass of unfortunates. Who is to stop them? A relative handful of government entities, each with competing agendas, varying levels of knowledge, skills, and resources, none of whom can move fast enough, far enough, or with enough vigor to respond in-kind.

Reaping the whirlwind of apathy

Outside of the government, computer security is rarely something anyone asks for except in certain edge cases. Security is a burden, a cost center. Consumers want functionality. Functionality always trumps security. So much so that most people do not seem to care if security fails. People want an effective solution to their problem. If it happens to also not leak personal or financial data like a sieve, great, but neither is it a deal-breaker.

At the start of the PC age we couldn’t wait to put a computer on every desk. With the advent of the World Wide Web, we rushed headlong into putting anything and everything online. Today online you can play the most trivial game or fulfill your basic needs of food, shelter, and clothing, all at the push of a button. The down side to cyber-ing everything without adequate consideration to security? Epic security failures of all sorts.

Now we stand at the dawn of the age of the Internet of Things. Computers have gone from desktops to laptops to handhelds to wearables and now implantables. And again we can’t wait to employ technology, we also can’t be bothered to secure it.

How things are done

What is our response? Laws and treaties, or at least proposals for same, that decant old approaches into new digital bottles. We decided drugs and povertywere bad, so we declared “war” on them, with dismal results. This sort of thinking is how we get the Wassenaar Agreement applied to cybersecurity: because that’s what people who mean well and are trained in “how things are done” do. But there are a couple of problems with treating cyberspace like 17th century Europe:

  • Even when most people agree on most things, it only takes one issue to bring the whole thing crashing down.
  • The most well-intentioned efforts to deter bad behavior are useless if you cannot enforce the rules, and given the rate at which we incarcerate bad guys it is clear we cannot enforce the rules in any meaningful way at a scale that matters.
  • While all the diplomats of all the governments of the world may agree to follow certain rules, the world’s intelligence organs will continue to use all the tools at their disposal to accomplish their missions, and that includes cyber ones.

This is not to say that such efforts are entirely useless (if you happen to arrest someone you want to have a lot of books to throw at them), just that the level of effort put forth is disproportionate to the impact that it will have on life online. Who is invited to these sorts of discussions? Governments. Who causes the most trouble online? Non-state actors.

Roads less traveled

I am not entirely dismissive of political-diplomatic efforts to improve the security and safety of cyberspace, merely unenthusiastic. Just because “that’s how things are done” doesn’t mean that’s what’s going to get us where we need to be. What it shows is inflexible thinking, and an unwillingness to accept reality. If we’re going to expend time and energy on efforts to civilize cyberspace, let’s do things that might actually work in our lifetimes.

  • Practical diplomacy. We’re never going to get every nation on the same page. Not even for something as heinous as child porn. This means bilateral agreements. Yes, it is more work to both close and manage such agreement, but it beats hoping for some “universal” agreement on norms that will never come.
  • Soft(er) power. No one wants another 9/11, but what we put in place to reduce that risk, isn’t The private enterprises that supply us with the Internet – and computer technology in general – will fight regulation, but they will respond to economic incentives.
  • The human factor. It’s rare to see trash along a highway median, and our rivers don’t catch fire Why? In large part because of the crying Indian. A concerted effort to change public opinion can in fact change behavior (and let’s face it: people are the root of the problem).

Every week a new breach, a new “wake-up call,” yet there is simply not sufficient demand for a safer and more secure cyberspace. The impact of malicious activity online is greater than zero, but not catastrophic, which makes pursuing grandiose solutions a waste of cycles that could be put to better use achieving incremental gains (see ‘boil the ocean’).

Once we started selling pet food and porn online, it stopped being the “information superhighway” and became a demolition derby track. The sooner we recognize it for what it is the sooner we can start to come up with ideas and courses of action more likely to be effective.

/* Originally posted at Modern Warfare blog at CSO Online */

Posted on by Mike

Cyber War: The Fastest Way to Improve Cybersecurity?

For all the benefits IT in general and the Internet specifically have given us, it has also introduced significant risks to our well-being and way of life. Yet cybersecurity is still not a priority for a majority of people and organizations. No amount of warnings about the risks associated with poor cybersecurity have helped drive significant change. Neither have real-world incidents that get worse and worse every year.

The lack of security in technology is largely a question of economics: people want functional things, not secure things, so that’s what manufacturers and coders produce. We express shock after weaknesses are exposed, and then forget what happened when the next shiny thing comes along. Security problems become particularly disconcerting when we start talking about the Internet of Things, which are not just for our convenience; they can be essential to one’s well-being.

To be clear: war is a terrible thing. But war is also the mother of considerable ad hoc innovation and inventions that have a wide impact long after the shooting stops. War forces us to make those hard decisions we kept putting off because we were so busy “crushing” and “disrupting” everything. It forces us to re-evaluate what we consider important, like a reliable AND secure grid, like a pacemaker that that works AND cannot be trivially hacked. Some of the positive things we might expect to get out of a cyberwar include:

  • A true understanding of how much we rely on IT in general and the Internet specifically. You don’t know what you’ve got till it’s gone, so the song says, and that’s certainly true of IT. You know IT impacts a great deal of your life, but almost no one understands how far it all goes. The last 20 years has basically been us plugging computers into networks and crossing our fingers. Risk? We have no idea.
  • A meaningful appreciation for the importance of security. Today, insecurity is an inconvenience. It is not entirely victimless, but increasingly it does not automatically make one a victim. It is a fine, a temporary dip in share price. In war, insecurity means death.
  • The importance of resilience. We are making dumb things ‘smart’ at an unprecedented rate. Left in the dust is the knowledge required to operate sans high technology in the wake of an attack. If you’re pushing 50 or older, you remember how to operate without ATMs, GrubHub, and GPS. Everyone else is literally going to be broke, hungry, and lost in the woods.
  • The creation of practical, effective, scalable solutions. Need to arm a resistance force quickly and cheaply? No problem. Need enough troops to fight in two theaters at opposite ends of the globe? No problem. Need ships tomorrow to get those men and materiel to the fight? No problem. When it has to be done, you find a way.
  • The creation of new opportunities for growth. When you’re tending your victory garden after a 12 hour shift in the ammo plant, or picking up bricks from what used to be your home in Dresden, it’s hard to imagine a world of prosperity. But after war comes a post-war boom. No one asked for the PC, cell phone, or iPod, yet all have impacted our lives and the economy in significant ways. There is no reason to think that the same thing won’t happen again, we just have a hard time conceiving it at this point in time.

In a cyberwar there will be casualties. Perhaps not directly, as you see in a bombing campaign, but the impacts associated with a technologically advanced nation suddenly thrown back into the industrial (or worse) age (think Puerto Rico post-Hurricane Maria). The pain will be felt most severely in the cohorts that pose the greatest risk to internal stability. If you’re used to standing in line for everything, the inability to use IT is not a big a deal. If you’re the nouveau riche of a kleptocracy – or a member of a massive new middle class – and suddenly you’re back with the proles, you’re not going to be happy, and you’re going to question the legitimacy of whomever purports to be in charge, yet can’t keep the lights on or supply potable water.

Change as driven by conflict is a provocative thought experiment, and certainly a worst-case scenario. The most likely situation is the status quo: breaches, fraud, denial, and disruption. If we reassess our relationship with cybersecurity it will certainly be via tragedy, but not necessarily war. Given how we responded to security failings 16 years ago however, it is unclear if those changes will be effective, much less ideal.

/* Originally published in CSOonline – Modern Warfare blog */

Posted on by Mike

End-user security requires a shift in corporate culture

An internal culture change can help organizations put end-user security on the front burner. If an organization only addresses security once a problem arises, it’s already too late. But it’s common for companies, especially startups, to overlook security because it can get in the way of productivity.  (TechTarget)

Organizations that take security seriously are the ones who make security a part of the every-day routine. Not because it is not important, but to ensure that the message of how important it is is driven home every day, multiple times a day. Too often security improvement efforts fail because it is treated as ‘special’ not ‘important.’ There is a difference, and those who recognize it are the ones who realize the benefits of investing in training, policy, and procedure. Aligning security incentives a’la performance incentives exploit the fact that we’re all human, and that’s a good thing.

Posted on by Mike

What Cybersecurity and a Trip to the Dentist Have in Common

It was that time of year again. The day I lie and promise to be good the rest of the year: dental check-up day. During this most recent visit I was struck at how much people treat the security of their computers and accounts in the same way they treat their oral health.

You know what you’re supposed to do, but you don’t do it. “How often do you floss?” the dentist asks us, knowing full well that we’re lying through our bloody gums. If we flossed regularly we wouldn’t have bloody gums. When it comes to security we know we’re supposed to do all sorts of things, like create strong passwords and never re-use them, or lock our screens when we leave our desks, or use two-factor authentication on everything we can. When do we do these things? When a bunch of passwords get stolen and cracked, or when a phish leads to a data breach; the equivalent of flossing like a maniac the night before your annual check-up.

You have tools, but you don’t use them well. Mechanical toothbrushes, water flossers, even the metal tools the hygienist uses to scrape away plaque, are all readily available. When do you use them? You brush in the morning for sure and usually at night. We already know you don’t floss. You bought the Waterpik but it makes such a mess you only use it after corn on the cob or brisket. Likewise, you may run anti-virus software but you’re not diligent about updating it. You delay installing patches because it is inconvenient. You allow Flash and pop-ups and cookies and all sorts of things that could cause problems because who wants to use the web like it’s 1995?

Solutions are rarely permanent. Fillings replace the gap left when a cavity is removed, but eventually fillings can develop cracks. Crowns can come loose. That new IDS or firewall or end-point solution, where there was none, is a significant improvement in your security posture, but there are ways to bypass or undermine every security mechanism, at which point you’re back in the hands of expensive professionals (to fix the problem and/or clean up the mess) and looking at another pricy – and temporary – investment.

You have to get your hands dirty to do the job right. Understanding just what a sorry state your oral health is in means letting someone put their hands in your mouth. They’re spraying water and its splashing on your face. They’re getting their blood on their fingers. Bits of gunk are flying around. Sometimes they have to put you under because what’s necessary would make you scream. There is no such thing as a quick fix to security problems either. You have to attack the problem at the root, and that means blood, sweat, and tears.

These issues don’t exist in a vacuum. Dental health impacts more than just your mouth, and illnesses that impact other parts of your body can impact oral health. Bad or poor security can have a negative impact on your organization in myriad ways, and if your organization doesn’t place a priority on security you’re not going to get the best security capabilities or resources. In both cases you have to view the situation holistically. Just because you have a pretty smile, doesn’t mean you don’t have problems.

 

Posted on by Mike

Cybersecurity Through the Lens of Rock Climbing

I’ve been to a lot of kid’s sporting events in the last decade plus. They have their moments, but I think I speak for all parents who are not living vicariously through their child’s prowess on the field of play when I say there are a few dozen places you’d rather be than sitting on a cooler of orange slices and water bottles on a Saturday morning.

But since we’re fond of making sports a metaphor for so many other things in life — or is it the other way around — I thought I’d point out a couple of lessons that rock climbing (yes, they have competitions) teaches us in security.

Everything is harder than it looks. When my son started rock climbing he was all about using his arms, with predictable results. It wasn’t until he realized the importance of using all four limbs that he really started to have success. There is no shortage of recommendations or guidance or frameworks that one can use to help secure an enterprise, but if it was as easy as installing anti-virus, telling the CEO there are bad guys out there, and checking boxes on a list, my SF86 wouldn’t be in Beijing.

There is a significant difference between practice and real life. Climbing gyms have all sorts of different configurations on their walls, but they cannot always replicate what you’ll find in the wild. Sometimes, there isn’t a convenient hand- or foot-hold to get you over the top. Sometimes you hit a dead end and have to find another way around. In security maybe that’s a corporate policy (or raison d’etre). Maybe its a regulation or even a physical constraint. Regardless, you need to be prepared to take a long, winding route to your goal, or accept that what needs doing is one crag too far.

You need strength in your core and at the extremities. Having a strong grip is great, but without a high level of strength and mobility in your abdomen, shoulders, and hips, you will find it very hard to get up and out of tight spots. Better security requires a range of talents, tools, and methods. You’ve got to work on them all, and in a coordinated fashion with the rest of the organization, to succeed.

Energy drains quickly. A given bouldering problem may be both vertical and horizontal. The distance traversed may not be long, but crawling on all fours, upside-down, is not a party. Trying to achieve security goals can be equally challenging and exhausting. You’re always the person who says, ‘no’. You’re always fighting for resources, and respect. You’re always the scapegoat. At some point everyone asks, “why bother?”

No one gets through the hard stuff the first time. Everyone who makes going through a high V-rated route look easy only does so because they fell on their backsides more often than they reached the top. They make it look easy because they know what doesn’t work. Senior practitioners, successful CISOs, they all failed a lot before they won.

Posted on by Mike

Breaches Forever!

The computer security industry is not stopping breaches. Not for lack of trying, but if you’re familiar with the myth of Sisyphus, such efforts are the definition of pointless. If this sounds strange coming from a computer security person, it shouldn’t. I’m not here to blow smoke up your fourth point of contact; I’m hear to point out that the impetus for progress is not going to come from anything a bunch of nerds conjure up.

The arguments that spring up whenever there is an epic breach are predictable and can be broken down into two major themes:

    1. Everyone in the victim company is an idiot. If they just employed people like me and my friends, this never would have happened.
    2. Securing data on an enterprise scale is hard. The idea that there is one or a hundred things that could have been done to prevent this disaster dismisses the complexity of what’s involved in protecting an “enterprise” and not “my basement lab.”

Now, the argument over whether or not the C-levels of Equifax were equipped — intellectually or materially — has been made, but the result doesn’t matter. Day to day the dynamic in corporations around the world is the same. The world’s greatest CISO still has to fight for budget, human resources, technical equipment and software, etc. The CFO still has to balance budgets and attempt (futile as it may be in security) to assess if the CISO’s requests produce a sufficient ROI, etc. The CEO really only cares about making his numbers in a fashion that keeps him out of jail.

There is no requirement for a secure enterprise. There is a requirement to have an enterprise that is secure enough to maintain compliance with applicable laws and that enables effective business operations.

Did Equifax do wrong? From what we can tell via publicly available information they did things, to varying degrees of effectiveness, and with questionable timing. They could have done a better job, but Equifax is just like every corporation in that security is something they have to comply with; profit is why they get up in the morning.

Breaches, regardless of their size or the sensitivity of the data involved, have become so commonplace that they are no longer automatically considered problematic. A breach alone is no longer justification for a lawsuit. Increasingly you have to show actual damages to have standing. Credit card number compromised? The bank makes you whole and happily issues you a new card. Medical data compromised? Insurance fraud is readily solved by a rate increase you hardly notice. Intimate details of your life lost to a foreign adversary? Well I guess the Forbidden City really is at this point.

And life goes on.

Breaches are a part of our way of life. By and large they do not impact our lives enough (or enough lives) to merit the kind of attention they get. As a friend recently pointed out, we are now living in a “post-authentication” world: so much data about us has been lost/stolen that anyone can be anyone else for a length of time. There is no point in trying to keep your personal information personal because it’s all effectively public, and has been for some time. Many times over.

The idea that this breach, or any breach hereafter, is going to be ‘the one’ that mobilizes the populace to a degree that they’re willing to do what is necessary to achieve political/legal change is wishful thinking. An angry mob, to the extent that anyone outside of the usual privacy/security community is going to get off their couch, is no substitute for the well-funded and organized industry lobbying effort.

I’m not saying it’s right, I’m saying that’s how it’s always played out, and there is no indication history is not going to repeat itself.

Posted on by Mike

The Equifax Breach is Not Special

The hue and cry over the Equifax hack has subsided to a dull roar. We’ve passed the stage of ‘initial reports,’ which are usually wrong, and are firmly in armchair cybersecurity pundit mode. ‘What did Equifax executives know and when did they know it?’ inquiring minds want to know, among other things of varying relevance. All of this is de rigeur for massive breaches, along with a few other things…

First, there is more to the breach than meets the eye. This means some things won’t be as bad as initially thought, some things will be horribly worse. Today’s villains will end up looking like martyrs and everyone who seems competent will be remembered as buffoons…or maybe not. It doesn’t matter. What matters is that everyone could have done everything right and they’re still just gears in a corporate machine working off of imperfect information, under impossible deadlines, without enough funding, and without the right human resources. You know: the same problems we all have.

The leadership team of Equifax is not better or worse than any other company. This means both behavior and capabilities and actions. Much has been made about the academic qualifications of the firm’s CISO, but it’s much ado about nothing. Experian isn’t her first job in security, and her previous positions were not for outfits that were slack about security. Let’s also remember that Equifax is not in the security business, so their primary concern was never going to be security.

Equifax will still be in business a year from now. Pick a major breach at a publicly traded company. Go back as far as you like. How many of those companies are still in business? How many of them have stock prices that are the same or better as they were just before the breach? I’ll save you some time: None that I can find have gone bankrupt and their stock prices are doing just fine, thankyouverymuch. If things hold true to form they’ll suffer no long-term impact. I’m so confident about this I’m actually buying Equifax stock.

This will not be the breach event that brings about change or reform.Remember the Target breach? Home Depot? TJ Maxx? OPM? Remember how those were the breaches that were supposed to change everything? Remember how breaches stopped, executives went to jail and paid stiff fines, and everything was right with the world? This breach is no different, and there is nothing to indicate the result will be different.

Finally, nobody cares. Not enough anyway, and not for long. Security people care because of myriad reasons. Individuals care because they’re afraid of being impersonated or defrauded. Lawmakers care because their constituents care and because being outraged on behalf of the little people makes for good passive campaigning. But let me tell you what is going to happen:

  • Some other security drama is going to pop up in a couple of weeks and all the angry nerds will channel their anger in that direction because nothing helps improve security than snarky hot takes on social media.
  • Individual citizens are going to realize that most if not everything lost in this breach has been lost a dozen times before. Even if this is the time they get ripped off, banks and retailers will make them whole.
  • Lawmakers will move on to the next crisis du jour because constituents have stopped pestering them about Equifax, and the data broker/credit rating industry lobbyists will have spent a sufficient amount of money on donations, scotch, cigars, and steaks to convince the honorable gentleman from the back 40 that the industry can regulate and take care of itself.

The Equifax breach is not special. It’s just like every other breach that preceded it, and it is almost assuredly going to be another data point that supports the template for the one that follows it. Security is not the issue we think it is, and it will never be until the consequences are high enough.

Posted on by Mike