IT Breach Laws

Information security breaches need to be made public.  They need to be made public in a much more proactive and efficient way than they are today.  Sony is a fine example.

Senator John Rockefeller IV, chairman of the US Senate Committee on Commerce, Science and Transportation, agrees.  He and four other senators said so today in a letter sent to the US Securities and Exchange Commission (SEC) asking them to bolster corporate breach notification requirements.   The letter stated “Securing cyberspace is one of the most important and urgent challenges of our time.  In light of the growing  threat … it is essential that corporate leaders know their responsibility for managing and disclosing security risk.”  “Our review of recent corporate disclosures suggests that material breach reporting, like information risk, is inconsistent and unreliable.”

IT still struggles with the double-edged sword of making a system or application usable, and making it secure.  IT teams generally have a mandate based on Availability.  InfoSec teams have a polar objective; keep the information Confidential and maintain its Integrity.  Those three words are capitalized because they are the classic pillars of Information Security.  C-I-A.  Rarely if ever does security trump IT or Business needs.  Until there has been a breach.  Then the daggers come out…

I have spent more than three decades in Information Technology and one third of that time focused on Information Security.  My background originates with PC technician and field repair work, and I have progressed through the ranks of Inside Sales, Helpdesk, Technical Support, Desktop Technician, Network Engineer, Infrastructure Engineer, Supervisor, IT Manager, IT & Security Consultant, Security Incident Response Specialist, to Information Security Manager, consulting widely on IT and Security projects.

In my opinion, we need standards, guidance and hard rules on the Internet that are equivalent to the rules of the road.  We didn’t create networks of roads to eliminate traffic accidents.  We built them to enable faster travel.  Some accidents on these highways were going to be inevitable.  We built protective devices and safety features to keep the cars on the road and to protect the occupants when they collided.  We restricted how fast and in which directions one could travel.  We mandated certain equipment as required.  We demanded that each person using the roads be adequately trained and licensed before having privileged access.  We put forth laws and regulations that every user must follow, and provided the police with the powers to enforce those laws.

Technology moves so fast that we’re adopting and adapting it faster than we can think of the consequences.  Every single Internet consumer should have to pass a basic aptitude test, or at least security awareness training.  They should understand that their communications traverse multiple networks, and that each of these networks may or may not be trustworthy, and will have varying policies regarding privacy and access.  They should know that there are inherent risks in using the Internet and that not all information or personas should be trusted.  It should be made clear what phishing is, what social engineering is, why credit card and personal information should be kept confidential, what the heck malware is and how it can be avoided.  Imagine if everyone on the Internet understood what a password actually was, how it should be created and protected, and what the consequences are if compromised?  What if we all understood those 53 page privacy agreements that nobody reads, but everyone accepts?

In my time within IT, I cannot count the number of times I have heard the Project Manager or, worse, the Executive Sponsor exhort “Get the system up and running.  We will add security on later!”  Security as an afterthought is usually forgotten.  It doesn’t make it onto the Project plan, and is trumped by convenience.  Convenience of the implementer, the developer, the consumer and the business’ need to generate revenue.  My grandfather once gave me a lecture regarding my money.  He held a bread bag in one hand, and dropped nickels into the bag with the other.  He gathered a large number of coins in the bag and made me count them as he dropped them in.  He then poked quarter sized holes in it and walked around the room as he added more and more coins.  He told me that the only person that would get rich with a bag like that was the guy that followed behind him and picked up the lost money.  That is the state of e-commerce security today.

Industry surveys commonly attribute major data breaches to ‘insider threats’, but carelessness, misunderstanding or unreasonable policies may also be valid reasons why these security breaches occur and recur.  Just my 2¢, collect the whole dollar.