The current state of Leadership and Responsibility for Cyber Security in the "Real" world 2015


So... Going back at least a good few years, I have become more than astounded by the sheer number and magnitude of extraordinary computer compromises/breaches and the data leaks associated with them. Usually this data is Personally Identifiable Information (PII) that has been exfiltrated in the form and context of a public consumer. But over the past year, and very recently, the data that has been leaked has escalated in value to children's data, investor/financial data and even Personnel Security Clearance data sourced from Standard Form (86).

The mainstay of these tragic events ('hacks/breaches/compromises') utilized attack vectors that were 'low hanging fruit' or persistent OWASP Top Ten vulnerabilities that are easy to address and remediate. We seem to be overly focused on the 'attackers' themselves, and not on the senior leadership of the respective organizations and the responsibility they ultimately bear for the protection of their customers', clients', members' and constituents' PII, in a legal, financial and complete absolute sense. This is what being a leader entails; the ethics do not change for you due to your position in the chain of command, power, or income quintile ladder. If you accept the risk of running an organization and making the hard decisions, then you are accountable when your risk management skillset fails.

We keep spending inordinate amounts of time, money, and resources tracking down bad actor(s) (e.g. haxors) and prosecuting them. Yet... we are not doing the same when it comes to Senior Leadership failing to live up to the most fundamental modicums of maintaining a sane, stable and secure information security policy, both in its breadth of policy and its technical fortitude.

Alarmingly enough, we have seen the nation's judges all the way up to SCOTUS, and the Federal Trade Commission, using weak legal precedents and faulty logic to dismiss cases that address negligence when it comes to corporate accountability and its federal counterparts in leadership roles within government.

Since 2001 I have had PII data of myself and my spouse compromised by Nashbar, Tricare Southwest, the United States Army (Fort Monmouth) and the Office of Personnel Management. This year I was in my local Target store, standing by the Refunds, Customer Service, and Digital Photo pickup counter, and I directly observed a flash drive lying literally right on the other side of the counter. I quickly called over an employee and reminded her that Target was successfully hacked not too long ago, in 2013.

Everywhere, everyone is asking why these breaches are becoming so commonplace, and I for one would be hard pressed to believe that the cyber-crime community, hacker underground, nation states or hackers at large are just way too cunning for these organizations to effectively defend against. This is a myth and just not true.

There are a number of endemic issues here:

a. No accountability for these breaches at the C Level and Boardroom level, to the point that, as I have stated above, even SCOTUS and high level judges (not all, but a large number) continue to dismiss cases where these people would be held accountable for not doing their part.

b. Most organizations are too complacent and politicized to effectively empower the security engineers and Project Managers who are trying to do the right thing in protecting the organization against adversaries. Many organizations just outsource their IT staffing operations, and/or HR does not have the right level of knowledge or experience to ensure they hire skillful, impassioned security professionals.

c. Fundamentally, for some reason, many in Senior Leadership positions see profit(s), churn rate reduction and organizational success as directly at odds with the establishment and sustainment of an effective security policy, especially in the tactical sense of running an organization, though not so much in the strategic sense.

d. In most organizational structures, accountability in a negative sense is always meted out at the lowest level when things go wrong (I mean really wrong), while at the highest levels of power accountability is smoothed over, covered up and taken out with the trash.

e. The Security "Industry" is one borne out of fear; in its current incarnation it stems, in some aspects, directly from the events of 9/11 2001. The industry is like a celtic snake forever eating its own tail, replete with a carny wagon load of snake oil salesmen. I really do hate to generalize on this last point, but much of it is true; it is not a blanket condemnation of the Security Industry as a whole, but of a large portion of it. Feel free to disagree.

Nearly 4 years ago, Melissa E. Hathaway wrote a rather short (10 pages) but very effective essay, "Leadership and Responsibility for CyberSecurity", on basically the same topic I am talking about here. Her credentials are beyond merely stellar; I would say that she is a genuine and authentic cybersecurity expert if there ever was one. Yet here, I guess, her expertise, the excellence of her writing and the message it expresses have fallen upon deaf ears.

Following the OPM hack, the last two widely reported computer breaches involved lots of money and also a treasure trove of children's PII data. What bothers me the most concerning both of these attacks is the organizations' post-attack action or inaction. First... let's talk about the United Arab Emirates investment bank. The bank refused to give in to cyber extortion, but it does appear that they, as with many other victims, dragged their feet regarding disclosure.

At this time, unfortunately, I cannot find legitimate sources, posts or articles that possess any insight into what the exact technical vulnerabilities or attack vectors were concerning how "Hacker Buba" exfiltrated the data that he "dumped". This is another really frustrating point here: the lack of detail about every aspect of an attack. Disclosure, disclosure, and disclosure!

The next hack or breach victim is VTech, a toy maker that specializes in creating electronic toys in order to cultivate a sense of wonder and learning in young children. VTech has created a product called the Innotab3S and a service for the purchasers of this product. The website for registering this product was rife with SQL injection issues, and Adobe Flash was being used within the code all over the place. Troy Hunt covered this in "When Children are breached inside"; Troy is someone whom I just stumbled upon while doing research, and his site has a large number of security posts that rival the writing of Krebs on Security.
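To make the "low hanging fruit" point above concrete, here is an added example (my own illustration, not VTech's code or anything from Troy Hunt's write-up) of the kind of registration lookup that is open to SQL injection, alongside the parameterized form that closes the hole. The table, the e-mail addresses and the serial numbers are constructed sample data, and the lookup functions are hypothetical names; the point is that placeholder binding keeps user input as data so it can never rewrite the query, which also fixes the separate bug that legitimate input containing an apostrophe breaks the concatenated query.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny product-registration table (not VTech's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registrations (email TEXT, serial TEXT)")
    conn.executemany(
        "INSERT INTO registrations VALUES (?, ?)",
        [("parent1@example.com", "SER-0001"), ("parent2@example.com", "SER-0002")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Anti-pattern: the user-supplied value is spliced into the SQL text, so any
    quote characters in it become part of the query's structure."""
    sql = "SELECT email, serial FROM registrations WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the value is bound to a placeholder and sent separately
    from the query text, so it is only ever compared as a string."""
    return conn.execute(
        "SELECT email, serial FROM registrations WHERE email = ?", (email,)
    ).fetchall()


# Classic textbook tautology input; with string concatenation it turns the WHERE
# clause into  email = 'x' OR '1'='1  and so matches every row.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Row counts returned for the same inputs by each lookup style."""
    conn = build_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY)),      # every row leaks
        "parameterized": len(lookup_parameterized(conn, TAUTOLOGY)),  # no row matches
        "normal": len(lookup_parameterized(conn, "parent1@example.com")),
    }


def vulnerable_breaks_on_apostrophe(conn):
    """The concatenated query is not even correct for honest input: an address
    such as o'brien@example.com produces a malformed statement."""
    try:
        lookup_vulnerable(conn, "o'brien@example.com")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print(demo())
    print("concatenated query fails on apostrophe:", vulnerable_breaks_on_apostrophe(build_db()))
    print("parameterized query handles it:", lookup_parameterized(build_db(), "o'brien@example.com"))
```

The sqlite3 module is used only because it ships with Python and needs no server; the same placeholder discipline applies to every SQL driver, and it is the remediation that an organization's own code review or dynamic scan should be enforcing long before a customer database is exposed.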

As always, when we talk about law and holding leaders of organizations accountable for data breaches, the body of law and the precedents set are notable not just at the federal level, but even more importantly at the state level. What follows gives the reader just a small taste of the matter at hand.

What you will notice, and it naturally just makes sense, is that there exists a wide disparity between each state's body of laws and legal precedents regarding data breaches, and in the speed at which the law in each respective state continues to evolve regarding cyber space/information security. Let us examine a very recent precedent-setting decision in Pennsylvania made by Judge Wettick in Dittman v. UPMC. It is important for me to point out that the case was not binding statewide, so "precedent-setting" is a bit misleading, I guess. In my best professional opinion, Judge Wettick ruled completely in favor of all corporate and governmental entities by leaning on already existing legislation and policy, thereby exonerating these organizations en masse from being accountable when they fail to demonstrate to the court, at a minimum, both managerial and technical due diligence in protecting and securing customer data.

In stark contrast, Maine has had a recent high visibility data breach case where the original decision at the state level was for the defendants, but the plaintiffs appealed the case to the U.S. Court of Appeals for the First Circuit, and the decision was ultimately handed down in favor of the plaintiffs in Chief Judge Sandra L. Lynch's opinion, joined by Circuit Judges Juan R. Torruella and O. Rogeriee Thompson. This case helped pave the way for data breach lawsuits in the State of Maine and on a federal level as well. The defendant in this case, Hannaford Groceries, suffered a data breach, and its customers and other individuals/organizations comprised the plaintiffs.

Now, at both the state and federal levels of the United States justice system, the average American must ask themselves: why do judges keep throwing out data breach lawsuits? Why do most data breach lawsuits fail?

One of the biggest obstacles to providing legal relief and protection to plaintiffs against the defendants (e.g. C Level personnel and the "Organization" or "Corporation" itself) is that, so far, many judges have dismissed a number of these cases because the plaintiff(s) could not prove "Article II" standing, and many of these cases impinge upon the precedent set forth by Clapper v. Amnesty International. The two things that the plaintiffs in that case argued and presented to the judge in order to challenge the Foreign Intelligence Surveillance Act (FISA) are listed below:

  • The possibility of future injury
  • The Plaintiffs were likely to be the target of surveillance and would suffer injury based upon a 'predicted chain of events'.

First and foremost, realize that this was the final ruling by the Supreme Court of the United States (SCOTUS), and I really am stunned and rendered incredulous at the ruling. The plaintiffs are not a corporation or an LLC; they are a Non-Governmental Organization (NGO) as well as a Non-Profit Organization (NPO). I don't see a clear legal parallel in applying that particular ruling to the body of law as it relates to corporate entities. But the most widely publicized application of the ruling was to the bone-crushing juggernaut of corporate profitability in 2014, when U.S. District Court Judge Susie Morgan dismissed eBay's data breach case and let them off the hook for any accountability whatsoever.

Obviously, as most of us know, in the Target case the judge ruled for the plaintiffs' legal relief and protection, and Target was directed by the court to pay out in totality 35.75 Million dollars. 72,596 Million dollars were made by Target in total revenue for 2013. We are talking a pretty big chunk of change when you look at everything Target was directed to pay for due to the judge's ruling. However, this was just monetary, which is all well and good; there were also huge and widespread miscalculations regarding risk management and the relationship between the information security team and senior leadership, to the point where the ship "Target" could feasibly have sunk. Why wasn't an individual within senior leadership at the very least scolded, if not prosecuted for criminal neglect? The most widely publicized event that captures this accountability is the departure of the company's CEO, Gregg Steinhafel.

So if we frame the definition of "Harm" as it applies to the body of law currently being defined, it is quite clear that a reexamination, reinterpretation and redefining of "Harm" by the attorneys and judges directly involved in the rapidly evolving and ephemeral sphere of cyber law is past overdue.

Additionally, it appears to me that many judges and justices are selectively applying FISA v. Amnesty International. This is clearly not appropriate when the safety, security, identities and fiduciary well-being of millions of American citizens are in the hands of organizations that are directed to protect such data, be it personal, financial or a combination of the two. I find it hard to believe that judges and justices cannot successfully navigate this new sector and body of law. If they do not, they must act with urgency to become educated quickly. American citizens deserve no less than that.

The judges themselves often look merely and unidirectionally at the financial "Harm" that has been brought upon the customer or user of the breached data system. In the case of credit cards there is already a legal tool and protection in place for customers, the Fair Credit Billing Act (FCBA), but the FCBA does not cover debit card purchases at all.

Those of us with a passionate interest in the evolution of cyber law itself await the SCOTUS ruling on Spokeo v. Robins, which will possibly set a new precedent or legal foothold that customers (plaintiffs) can leverage in successfully establishing legal standing in data breach lawsuits, or will continue the trend, from where I sit, of ruling in favor of corporate entities and government organizations.

In 2015 Veracode and the New York Stock Exchange collaborated on a survey/report aptly named "Cybersecurity and Corporate Liability in the Boardroom". This survey provides empirical data and demonstrable proof that it is not just the customers, hackers, malcontents, or your everyday person on the street that is crying out for corporate liability and accountability at the Board and Director level, but also many of those peers currently in Director and Board positions within the global economy itself. Physician... Heal Thyself!!!

Passcode, which is the Christian Science Monitor's new section on security and privacy in the digital age, created a poll in which global technology influencers were asked the following question: "Should the OPM Chief be held responsible for the breach?" (Passcode: Should OPM Chief be Terminated). In a nutshell, 84 percent of respondents answered yes. But again, don't just take my word for it; take the time to read the article. Just like the outcome and conclusion of the Veracode report, there are some very hard hitting words here, many from some of the most successful information security practices on the planet.

I believe that, in a nutshell, we are at a crossroads between profit, convenience, and apathy. These three factors will drive what lies ahead for the legal protections afforded to netizens and consumers, and what organizations are accountable for when it comes to protecting their information resources. As netizens we all must rise to the challenge to fight the forces that are truly making the Internet an ugly and hateful place to reside.

In the midst of finishing up this article, CISA was passed with nary a peep of outrage from anyone at all, Juniper Networks ScreenOS was found to have two completely insidious vulnerabilities that can lead you to some seriously disturbing conclusions, and the Central Voter Registration Database has leaked 191 million PII records.

These last 3 events clearly demonstrate the need for accountability. However, these recent events go far beyond mere legal constructions: here we are talking about Orwellian pieces of legislation that were passed in a very shady manner, as well as backdoors placed by bad actors at the state level (and that state might even be your own country), and the last one was literally a poorly configured database. Wrong on all accounts.