[Dataloss] Suggestion for changing status quo on data losses

Arshad Noor arshad.noor at strongauth.com
Sat Aug 2 23:35:23 UTC 2008


I have to publicly apologize to Lyger, Jericho and others of the
dataloss listserv and attrition.org for my faux-pas.  I neglected
to mention attrition.org in my letter to my representatives because
I was under the mistaken impression that etiolated.org belonged to
the same group.

If anyone chooses to use the text from my letter, please don't make
the same mistake I did and give attrition.org the credit it deserves
in your letter to your representatives.

Once again, I believe the work done by the people behind this listserv
is highly commendable, but even with the best of intentions, people
can make mistakes - I know I did.  My apologies.

Arshad Noor
StrongAuth, Inc.

Arshad Noor wrote:
> security curmudgeon wrote:
>> In my opinion, to do this correctly would involve someone drafting a 
>> well-written form letter that list subscribers could use to send to their 
>> own representative. One page, cite the issue, quote some statistics, say 
>> it affects them (faster way to make them care) and then to 'fix it'. Of 
>> course, 'fixing it' is generally a myth as there isn't a simple-to-
>> implement solution to stop dataloss.
>>
> 
> Jericho/All,
> 
> Thank you for reminding me of advice I used to give out many years ago,
> but stopped bothering seeing how ineffective our representatives are in
> so many other areas.  Nonetheless, if I do not let them know, I cannot
> expect them to address the problem.
> 
> That said, I have sent my CA representatives the attached letter.  I
> have also sent it to both Presidential candidates, and am disclosing
> this letter for discussion and in case others may want to adopt it to
> send to their own representatives (permission is freely granted to one
> and all).
> 
> While the suggestion cannot guarantee a solution to the problem, it is
> my strong belief that it is the first step towards a long-term solution.
> 
> Let the tomato/egg throwing begin....
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> ----------------------------------------
> I am writing to inform you of my concerns about America's current 
> Information Security policies and to propose a plan for addressing its 
> shortcomings.
> 
> Since California's seminal Breach Disclosure law (CA Senate Bill 1386) 
> and similar laws in 40+ states, this country has witnessed the public 
> disclosure of some of the largest breaches to private data in our brief 
> history with information technology (estimated to be well over 200M 
> identities in the last 5 years – http://etiolated.org/ and 
> http://www.privacyrights.org/).
> 
> While there are Federal laws stipulating data-protection (GLBA, HIPAA, 
> SOX, FISMA, etc.), we continue to see unrelenting breaches of data, 
> indicating the laws are ineffective in this regard.  It is my belief 
> there are fundamental flaws in America's technology security policy that 
> need to be corrected before we see any change.
> 
> Every sector of US industry that can cause harm to humans is not only 
> regulated, but is required to disclose adverse events that either cause 
> harm, or have the potential to cause harm, to a regulatory body. 
> Automobiles, airlines, food, drugs, medical, chemical, banking, 
> environment, power, construction – they are all required to report 
> adverse events.  Except the IT sector!
> 
> Just as the Center for Disease Control (CDC) would be hopelessly 
> ineffective if mandatory reporting of adverse health events were not 
> required, the IT sector is currently hampered because there is neither a 
> Federal agency with the mandate to collect such information, nor a law 
> requiring companies to report adverse security events to such a central 
> authority.
> 
> The history of science shows that improvements come only with research.
> However, research requires comprehensive data.  Without data that 
> supports root-cause analysis and statistical analysis, it is impossible 
> for scientists and engineers to solve the problem we face, and 
> consequently, for our nation to build a stronger IT infrastructure.
> 
> I propose that the US Congress enact a law stipulating the following:
> 
> - The creation of a “National Technology and Security Administration 
> (NTSA)” modeled along the lines of the National Highway Transportation 
> and Safety Administration (NHTSA) with the following mandate:
> 
>    a) Collect information on computer-related breaches in the USA.
>    b) Create statistical reports from breach data and disseminate such 
> reports (including raw data) to the internet.
>    c) Establish a Security Baseline that all technology products must 
> deliver.
>    d) Establish a Security Profile for different classes of systems that 
> businesses, government agencies and individuals must achieve.
>    e) Mandate the recall of products that do not meet the Security Baseline.
> 
> - Requiring ALL businesses that store private data of US citizens on 
> computerized devices – regardless of geography – to report adverse 
> security events to the NTSA;
> 
> - Allocating the NTSA appropriate resources and giving it the 
> operational latitude to carry out its mandate;
> 
> - Eliminating the liability exclusion for defective IT products (no 
> other manufacturing industry is excluded from the liability of producing 
> defective products; why does the IT industry enjoy this exclusion more 
> than 25 years after the PC was created, and nearly 50 years of the 
> existence of the computing industry?)
> 
> With such a law the US will establish the foundation of a process to 
> make the internet and information technology products secure.  This will 
> not happen overnight.  But within 24 months of the creation of such an 
> agency, we can expect to start seeing some benefits, and within five 
> years, we can expect a dramatic reduction of breaches to private data.
> 
> While we can never eradicate all vulnerabilities or breaches, the NTSA 
> can make significant contributions towards protecting the private data 
> of US citizens.  Given that the US economy is critically dependent on 
> computers, we cannot wait for a catastrophic IT event to take decisive 
> action.
> 
> I have had some discussions with people on security forums in this 
> regard, and am attaching some observations for your benefit.  I look 
> forward to seeing some action from US Congress on this issue.  If there 
> is anything I can do to help, please don't hesitate to have your 
> staffers contact me.
> 
> Regards,
> 
> 
> 1) What constitutes a security event?
> 
> A loss of resources (data, time, money, capacity) for the owner of the 
> computer asset due to any factor that can neither be deemed negligence 
> nor accident on the part of the owner.  An assumption is that the owner 
> has defined a security policy and is in conformance to it.  For 
> individual users, the security policy will be either the default 
> security policy of the manufacturer or a stronger policy if they have 
> implemented it.
> 
> 2) How would the information provided to this new agency be protected?
> 
> All user/company information that can identify them is anonymized.  The 
> detail must have a section that is legible to business-people and a 
> section that is gory for technical people.  Names & versions of 
> operating systems, software, sufficient configuration detail to describe 
> protections in place (but without any identification information again).
> Security specialists and researchers must have this detail so they can 
> learn from the experience, build models for future protection, etc.
> 
> FOIA rules would apply, but the information should be available as soon 
> as it is reported in an online database on the internet.
> 
> Mechanisms to verify the authenticity and integrity of the report should 
> be in place (once again, without identifying the reporter).
> 
> 3) What are the penalties for not reporting security events?
> 
> Loss of insurance coverage for damages.  Penalties for companies if they 
> are found out later.
> 
> 4) And how are they enforced?
> 
> I would like to say that it should be on an honor-based system because 
> the more data we have, the more benefit we derive from it.  So, that 
> should be an incentive to report.
> 
> However, audits of randomly selected companies could be implemented to 
> see if the reporting is statistically in correspondence to the security 
> events visible on the internet.  Non-compliant companies will be fined 
> and subject to mandatory annual audits for three years.
> 
> 5) Do the rules apply just to corporations; or to individuals?
> 
> It has to apply to all - especially to individuals.  However, since the 
> vast majority of individual users cannot be expected to know what to 
> report, manufacturers of computer systems must include diagnostic tools 
> that can be used to pick up reporting information after scrubbing 
> identification information.  This can then be submitted separately by 
> the "victim".
> ----------------------------------------
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
