[Dataloss] Suggestion for changing status quo on data losses

Arshad Noor arshad.noor at strongauth.com
Sat Aug 2 20:46:37 UTC 2008 

security curmudgeon wrote:
> 
> In my opinion, to do this correctly would involve someone drafting a 
> well-written form letter that list subscribers could use to send to their 
> own representative. One page, cite the issue, quote some statistics, say 
> it affects them (faster way to make them care) and then to 'fix it'. Of 
> course, 'fixing it' is generally a myth as there isn't a simple to 
> implement solution to stop dataloss.
> 

Jericho/All,

Thank you for reminding me of advice I used to give out many years ago,
but stopped bothering seeing how ineffective our representatives are in
so many other areas.  Nonetheless, if I do not let them know, I cannot
expect them to address the problem.

That said, I have sent my CA representatives the attached letter.  I
have also sent it to both Presidential candidates, and am disclosing
this letter for discussion and in case others may want to adopt it to
send to their own representatives (permission is freely granted to one
and all).

While the suggestion cannot guarantee a solution to the problem, it is
my strong belief that it is the first step towards a long-term solution.

Let the tomato/egg throwing begin....

Arshad Noor
StrongAuth, Inc.

----------------------------------------
I am writing to inform you of my concerns about America's current 
Information Security policies and to propose a plan for addressing its 
shortcomings.

Since California's seminal Breach Disclosure law (CA Senate Bill 1386) 
and similar laws in 40+ states, this country has witnessed the public 
disclosure of some of the largest breaches to private data in our brief 
history with information technology (estimated to be well over 200M 
identities in the last 5 years – http://etiolated.org/ and 
http://www.privacyrights.org/).

While there are Federal laws stipulating data-protection (GLBA, HIPAA, 
SOX, FISMA, etc.), we continue to see unrelenting breaches of data, 
indicating the laws are ineffective in this regard.  It is my belief 
there are fundamental flaws in America's technology security policy that 
need to be corrected before we see any change.

Every sector of US industry that can cause harm to humans is not only 
regulated, but is required to disclose adverse events that either cause 
harm, or have the potential to cause harm, to a regulatory body. 
Automobiles, airlines, food, drugs, medical, chemical, banking, 
environment, power, construction – they are all required to report 
adverse events.  Except the IT sector!

Just as the Center for Disease Control (CDC) would be hopelessly 
ineffective if mandatory reporting of adverse health events were not 
required, the IT sector is currently hampered because there is neither a 
Federal agency with the mandate to collect such information, nor a law 
requiring companies to report adverse security events to such a central 
authority.

The history of science shows that improvements come only with research. 
  However, research requires comprehensive data.  Without data that 
supports root-cause analysis and statistical analysis, it is impossible 
for scientists and engineers to solve the problem we face, and 
consequently, for our nation to build a stronger IT infrastructure.

I propose that the US Congress enact a law stipulating the following:

- The creation of a “National Technology and Security Administration 
(NTSA)” modeled along the lines of the National Highway Transportation 
and Safety Administration (NHTSA) with the following mandate:

   a) Collect information on computer-related breaches in the USA.
   b) Create statistical reports from breach data and disseminate such 
reports (including raw data) to the internet.
   c) Establish a Security Baseline that all technology products must 
deliver.
   d) Establish a Security Profile for different classes of systems that 
businesses, government agencies and individuals must achieve.
   e) Mandate the recall of products that do not meet the Security Baseline.

- Requiring ALL businesses that store private data of US citizens on 
computerized devices – regardless of geography – to report adverse 
security events to the NTSA;

- Allocating the NTSA appropriate resources and giving it the 
operational latitude to carry out its mandate;

- Eliminating the liability exclusion for defective IT products (no 
other manufacturing industry is excluded from the liability of producing 
defective products; why does the IT industry enjoy this exclusion more 
than 25 years after the PC was created, and nearly 50 years of the 
existence of the computing industry?)

With such a law the US will establish the foundation of a process to 
make the internet and information technology products secure.  This will 
not happen overnight.  But within 24 months of the creation of such an 
agency, we can expect to start seeing some benefits, and within five 
years, we can expect a dramatic reduction of breaches to private data.

While we can never eradicate all vulnerabilities or breaches, the NTSA 
can make significant contributions towards protecting the private data 
of US citizens.  Given that the US economy is critically dependent on 
computers, we cannot wait for a catastrophic IT event to take decisive 
action.

I have had some discussions with people on security forums in this 
regard, and am attaching some observations for your benefit.  I look 
forward to seeing some action from US Congress on this issue.  If there 
is anything I can do to help, please don't hesitate to have your 
staffers contact me.

Regards,


1) What constitutes a security event?

A loss of resources (data, time, money, capacity) for the owner of the 
computer asset due to any factor that can neither be deemed negligence 
nor accident on the part of the owner.  An assumption is that the owner 
has defined a security policy and is in conformance to it.  For 
individual users, the security policy will be either the default 
security policy of the manufacturer or a stronger policy if they have 
implemented it.

2) How would the information provided to this new agency be protected?

All user/company information that can identify them is anonymized.  The 
detail must have a section that is legible to business-people and a 
section that is gory for technical people.  Names & versions of 
operating systems, software, sufficient configuration detail to describe 
protections in place (but without any identification information again). 
  Security specialists and researchers must have this detail so they can 
learn from the experience, build models for future protection, etc.

FOIA rules would apply, but the information should be available as soon 
as it is reported in an online database on the internet.

Mechanisms to verify the authenticity and integrity of the report should 
be in place (once again, without identifying the reporter).

3) What are the penalties for not reporting security events?

Loss of insurance coverage for damages.  Penalties for companies if they 
are found out later.

4) And how are they enforced?

I would like to say that it should be on an honor-based systems because 
the more data we have, the more benefit we derive from it.  So, that 
should be an incentive to report.

However, audits of randomly selected companies could be implemented to 
see if the reporting is statistically in correspondence to the security 
events visible on the internet.  Non-compliant companies will be fined 
and subject to mandatory annual audits for three years.

5) Do the rules apply just to corporations; or to individuals?

It has to apply to all - especially to individuals.  However, since the 
vast majority of individual users cannot be expected to know what to 
report, manufacturers of computer systems must include diagnostic tools 
that can be used to pick up reporting information after scrubbing 
identification information.  This can then be submitted separately by 
the "victim".
----------------------------------------

More information about the Dataloss mailing list