[Dataloss] Suggestion for changing status quo on data losses
Arshad Noor
arshad.noor at strongauth.com
Sat Aug 2 20:46:37 UTC 2008
security curmudgeon wrote:
>
> In my opinion, to do this correctly would involve someone drafting a
> well-written form letter that list subscribers could use to send to their
> own representative. One page, cite the issue, quote some statistics, say
> it affects them (faster way to make them care) and then to 'fix it'. Of
> course, 'fixing it' is generally a myth as there isn't a simple-to-
> implement solution to stop dataloss.
>
Jericho/All,
Thank you for reminding me of advice I used to give out many years ago,
but stopped bothering with, seeing how ineffective our representatives
are in so many other areas. Nonetheless, if I do not let them know, I
cannot expect them to address the problem.
That said, I have sent my CA representatives the attached letter. I
have also sent it to both Presidential candidates, and am disclosing
this letter for discussion and in case others may want to adopt it to
send to their own representatives (permission is freely granted to one
and all).
While the suggestion cannot guarantee a solution to the problem, it is
my strong belief that it is the first step towards a long-term solution.
Let the tomato/egg throwing begin....
Arshad Noor
StrongAuth, Inc.
----------------------------------------
I am writing to inform you of my concerns about America's current
Information Security policies and to propose a plan for addressing its
shortcomings.
Since California's seminal Breach Disclosure law (CA Senate Bill 1386)
and similar laws in 40+ states, this country has witnessed the public
disclosure of some of the largest breaches to private data in our brief
history with information technology (estimated to be well over 200M
identities in the last 5 years – http://etiolated.org/ and
http://www.privacyrights.org/).
While there are Federal laws stipulating data-protection (GLBA, HIPAA,
SOX, FISMA, etc.), we continue to see unrelenting breaches of data,
indicating the laws are ineffective in this regard. It is my belief
there are fundamental flaws in America's technology security policy that
need to be corrected before we see any change.
Every sector of US industry that can cause harm to humans is not only
regulated, but is required to disclose adverse events that either cause
harm, or have the potential to cause harm, to a regulatory body.
Automobiles, airlines, food, drugs, medical, chemical, banking,
environment, power, construction – they are all required to report
adverse events. Except the IT sector!
Just as the Center for Disease Control (CDC) would be hopelessly
ineffective if mandatory reporting of adverse health events were not
required, the IT sector is currently hampered because there is neither a
Federal agency with the mandate to collect such information, nor a law
requiring companies to report adverse security events to such a central
authority.
The history of science shows that improvements come only with research.
However, research requires comprehensive data. Without data that
supports root-cause analysis and statistical analysis, it is impossible
for scientists and engineers to solve the problem we face, and
consequently, for our nation to build a stronger IT infrastructure.
I propose that the US Congress enact a law stipulating the following:
- The creation of a "National Technology and Security Administration
(NTSA)" modeled along the lines of the National Highway Transportation
and Safety Administration (NHTSA) with the following mandate:
   a) Collect information on computer-related breaches in the USA.
   b) Create statistical reports from breach data and disseminate such
      reports (including raw data) to the internet.
   c) Establish a Security Baseline that all technology products must
      deliver.
   d) Establish a Security Profile for different classes of systems that
      businesses, government agencies and individuals must achieve.
   e) Mandate the recall of products that do not meet the Security Baseline.
- Requiring ALL businesses that store private data of US citizens on
computerized devices – regardless of geography – to report adverse
security events to the NTSA;
- Allocating the NTSA appropriate resources and giving it the
operational latitude to carry out its mandate;
- Eliminating the liability exclusion for defective IT products (no
other manufacturing industry is excluded from the liability of producing
defective products; why does the IT industry enjoy this exclusion more
than 25 years after the PC was created, and nearly 50 years of the
existence of the computing industry?)
With such a law the US will establish the foundation of a process to
make the internet and information technology products secure. This will
not happen overnight. But within 24 months of the creation of such an
agency, we can expect to start seeing some benefits, and within five
years, we can expect a dramatic reduction of breaches to private data.
While we can never eradicate all vulnerabilities or breaches, the NTSA
can make significant contributions towards protecting the private data
of US citizens. Given that the US economy is critically dependent on
computers, we cannot wait for a catastrophic IT event to take decisive
action.
I have had some discussions with people on security forums in this
regard, and am attaching some observations for your benefit. I look
forward to seeing some action from US Congress on this issue. If there
is anything I can do to help, please don't hesitate to have your
staffers contact me.
Regards,
1) What constitutes a security event?
A loss of resources (data, time, money, capacity) for the owner of the
computer asset due to any factor that can neither be deemed negligence
nor accident on the part of the owner. An assumption is that the owner
has defined a security policy and is in conformance to it. For
individual users, the security policy will be either the default
security policy of the manufacturer or a stronger policy if they have
implemented it.
2) How would the information provided to this new agency be protected?
All user/company information that can identify them is anonymized. The
detail must have a section that is legible to business-people and a
section that is gory for technical people. Names & versions of
operating systems, software, sufficient configuration detail to describe
protections in place (but without any identification information again).
Security specialists and researchers must have this detail so they can
learn from the experience, build models for future protection, etc.
FOIA rules would apply, but the information should be available as soon
as it is reported in an online database on the internet.
Mechanisms to verify the authenticity and integrity of the report should
be in place (once again, without identifying the reporter).
3) What are the penalties for not reporting security events?
Loss of insurance coverage for damages. Penalties for companies if they
are found out later.
4) And how are they enforced?
I would like to say that it should be on an honor-based system because
the more data we have, the more benefit we derive from it. So, that
should be an incentive to report.
However, audits of randomly selected companies could be implemented to
see if the reporting is statistically in correspondence to the security
events visible on the internet. Non-compliant companies will be fined
and subject to mandatory annual audits for three years.
5) Do the rules apply just to corporations; or to individuals?
It has to apply to all - especially to individuals. However, since the
vast majority of individual users cannot be expected to know what to
report, manufacturers of computer systems must include diagnostic tools
that can be used to pick up reporting information after scrubbing
identification information. This can then be submitted separately by
the "victim".
----------------------------------------