<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Expert Insights Archives - Security Current</title>
	<atom:link href="/category/expert-insights/feed/" rel="self" type="application/rss+xml" />
	<link>/category/expert-insights/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Thu, 03 Jul 2025 15:27:38 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Expert Insights Archives - Security Current</title>
	<link>/category/expert-insights/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Expert Spotlight: Gregory Eskins, Marsh</title>
		<link>/expert-spotlight-gregory-eskins-marsh/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Thu, 03 Jul 2025 14:59:00 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=37506</guid>

					<description><![CDATA[<p>The post <a href="/expert-spotlight-gregory-eskins-marsh/">Expert Spotlight: Gregory Eskins, Marsh</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div  class="wpb_single_image wpb_content_element vc_align_left">
		
		<figure class="wpb_wrapper vc_figure">
			<div class="vc_single_image-wrapper   vc_box_border_grey"><img fetchpriority="high" decoding="async" width="1017" height="584" src="/wp-content/uploads/2025/07/Gregory-Eskins-Marsh.png" class="vc_single_image-img attachment-full" alt="" title="Gregory Eskins, Marsh" srcset="/wp-content/uploads/2025/07/Gregory-Eskins-Marsh.png 1017w, /wp-content/uploads/2025/07/Gregory-Eskins-Marsh-300x172.png 300w, /wp-content/uploads/2025/07/Gregory-Eskins-Marsh-180x103.png 180w, /wp-content/uploads/2025/07/Gregory-Eskins-Marsh-768x441.png 768w, /wp-content/uploads/2025/07/Gregory-Eskins-Marsh-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px"  data-dt-location="/expert-spotlight-gregory-eskins-marsh/gregory-eskins-marsh/" /></div>
		</figure>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><span style="color: #808080;"><strong>DISCLAIMER</strong></span></p>
<p><span style="color: #808080;">The commentary is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Furthermore, all commentary is based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors.</span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
<p><i>Cyber risk and insurance advisor Gregory Eskins sat down with CISOs Connect for a wide-ranging discussion about cyber insurance and developments in the industry.</i></p>
<p>Personal liability is weighing on Chief Information Security Officers as the SEC becomes more aggressive in demanding individual accountability for corporate cybersecurity practices and disclosures.</p>
<p>Be proactive, says Gregory Eskins, Global Cyber Product Leader and Head of the Global Cyber Insurance Center at New York-based insurance brokerage Marsh.</p>
<p>“There are avenues to ensure that CISOs are personally protected,” Eskins said.</p>
<p>“A starting point is to look at their organization’s directors and officers policy, ensuring that the CISO is included as an Insured within the policy. There may also be an opportunity to secure a personal indemnity, often as a condition of hiring.”</p>
<p>Although cyber policies are entity-based, i.e. designed primarily to protect the organization that purchased the policy, the definition of insured is generally expansive and can include directors and officers, employees, and others. A CISO, as an employee of the organization, would thus generally fall within the scope of coverage if there is a covered claim under the cyber policy, he added.</p>
<p>“If a CISO is concerned about their personal exposure or financial ruin, I suggest proactively speaking with legal and the risk team to explore avenues of protection,” Eskins said. “It is reasonable for a CISO to expect to be protected via their organization’s D&amp;O and Cyber policies. To the extent there are gaps – such as CISOs working <i>pro bono</i> outside of their organization or as a contractual consultant, either of which can translate into professional liability exposure – the market is introducing products to fill those gaps.”</p>
<p>In addition, CISOs who are concerned about their physical safety can explore coverage designed to offer physical security stemming from kidnap and ransom.</p>
<p>CISOs have a strong voice when it comes to cyber insurance and they should actively utilize it, Eskins said.</p>
<p>“Because cyber insurance continues to evolve, we recommend that you engage, work with your broker, your insurer, express your perspectives in terms of what you think is working effectively, and especially things you are dissatisfied with,” he said.</p>
<p>“CISOs have gone from often being reluctant participants in the process of underwriting and procuring insurance to being advocates of balancing security investment and risk transfer. The CISO’s perspective is invaluable in helping us shape the market to design more effective coverage and generally understand what we can do better.”</p>
<p>When CISOs, especially those working in critical infrastructure, expressed concerns about the evolution of the war exclusion within cyber policies, including reservations around the scope of those exclusions and how they would be applied, that helped brokers advocate with regulators and insurers in formulating options for them, Eskins said.</p>
<p>Dissatisfaction around the time it takes to resolve business interruption claims is another area where CISOs’ voices are heard, and solutions are being worked on, he said.</p>
<p>Brokers and insurers are also experimenting with ways to reduce underwriting questions after CISOs clearly signaled their frustration about the number, types and overlapping questions, along with the lack of feedback regarding the market’s perspective of their organization’s risk, including how such information is being protected, Eskins said.</p>
<p>“There had been a wide array of potentially overwhelming and overlapping questions. Over time, we gained a deeper understanding of the controls, processes, software and single points of failure that reduce or amplify risk,” he said. “Underwriters are not looking for the perfect risk, but rather strong signals indicating sound controls and hygiene practices, organizational governance and overall resilience.”</p>
<p>“That being said, change is constant,” Eskins added. “Now with generative AI, there are questions about how this technology changes risk, and how to underwrite and price exposure. Currently, we are in a period of calibration.”</p>
<p>Generative AI doesn’t fundamentally change things on the insurance front because there is not yet a novel risk that emanates from the use of large language models, Eskins said.</p>
<p>“Generative AI reflects an evolution that builds upon existing technology. In comparison, the emergence of the internet ushered in a whole new set of digital exposures and risks. To date, generative AI has amplified existing risks and added nuances that impact underwriting and pricing considerations. If, over time, generative AI converges with other emerging technologies, we may see new categories of risk arise, and almost certainly, a post-quantum cryptographic world would look entirely different.”</p>
<p>Telemetry is another area where CISOs have been expressing their views. Some say they will never permit an insurer to have even read-only access to inside-the-firewall information, whether on premises or via hyperscalers. Others welcome providing a real-time view provided the incentives are concrete, such as premium discounts that reflect their positive security posture, Eskins said.</p>
<p>“That type of feedback helps us build for the future,” he said.</p>
<p>At this point, telemetry is not something that insurers require, he said. In the short term, insurers will continue to experiment with capturing telemetry data from those willing to share. Ultimately, insurers will evaluate whether the data has a meaningful impact on risk modelling, what actions positively and negatively impact cyber events, and how to accurately reflect the relative client and portfolio risks through premiums, he said.</p>
<p>“We’re still in the process of validating the hypothesis as to whether telemetry moves the needle in a meaningful way around the understanding of risk and the ability to model and price,” Eskins said.</p>
<p>“That said, we know it does not hurt. I do see this effort gaining momentum, especially as the adoption of cloud environments increases,” he said. “The hyperscalers all have strong security support mechanisms with which organizations can remediate vulnerabilities, update configurations to harden their environments, turn on new security tools, and benchmark themselves against any number of standards. Smaller, resource-constrained organizations stand to benefit greatly from such support, and are generally more open to sharing that information in return for pricing reductions.”</p>
<p>Eskins sees cyber insurance moving toward a greater degree of convergence specific to standardizing the less innovative components of a contract to create greater clarity, contract certainty, and consistency pertaining to what’s covered, where appropriate.</p>
<p>“There is fertile ground to improve existing products by reducing complexity relating to risk assessment, coverage and claims. The near future may reflect an evolution rather than a revolution of thinking, with incremental changes being more impactful than the creation of niche products,” he said.</p>
<p>“An important evolution, to my mind, is about solving for the existing pain points, like the long time it takes to sort out business interruption claims, for example.”</p>
<p>For small and medium enterprises, it’s also making sure that the turnkey solutions that embed risk engineering and security services right into the product are understood and appreciated, Eskins said.</p>
<p>“Cyber insurance can be a financial safety net that is subordinate to our brokers and insurers’ shared objective to help make organizations more secure and resilient,” he said.</p>
<p>“It’s critical for them to get back to business quickly because their ability to withstand revenue disruptions typically is a lot less than a large organization, where it’s painful, yet not fatal.”</p>

		</div>
	</div>
</div></div></div></div>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Executive Program Preps C-Suite Leaders for Career-Shaping Boards</title>
		<link>/executive-program-preps-c-suite-leaders-for-career-shaping-boards/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Mon, 05 May 2025 16:34:50 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=37408</guid>

					<description><![CDATA[<p>Executive Program Preps C-Suite Leaders for Career-Shaping Boards<br />
“I use an analogy that the board represents the Supreme Court of stakeholder capitalism. Just like a Supreme Court ruling is the law of the land, so is a board ruling the law of the land on<br />
strategic issues in that company. So that’s why I say the board is the epicenter of an organization.” Roosevelt Giles, EndPoint Ventures</p>
]]></description>
<content:encoded><![CDATA[<p><img decoding="async" class="alignnone size-full wp-image-37409" src="/wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures.png 1017w, /wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures-300x172.png 300w, /wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures-180x103.png 180w, /wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures-768x441.png 768w, /wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></p>
<p>CISOs want to be on boards. Veteran tech executive Roosevelt Giles wants to help them get there.</p>
<p>Four years ago, Giles founded a program aimed at helping C-suite executives and senior leaders, including Chief Information Security Officers, secure board appointments, positioning them as key contributors to organizational growth and strategic direction.</p>
<p>“I use an analogy that the board represents the Supreme Court of stakeholder capitalism,” said Giles, the Chairman of Endpoint Ventures and President of Stakeholder Impact Foundation, Inc.</p>
<p>“Just like a Supreme Court ruling is the law of the land, so is a board ruling the law of the land on strategic issues in that company. The board hires the CEO, and it is the board that gives the CEO the level of authority. So that’s why I say the board is the epicenter of an organization.”</p>
<p>For a CISO, sitting on a private, small cap, midcap or Fortune 500 board offers a potent combination of prestige and remuneration – anywhere from $100,000 to $400,000 per appointment, Giles said. But to be an effective board member, it’s essential to have a servant leader mindset, and the ability to walk away, he added.</p>
<p>“On that board, you also are the voice of the voiceless,” he said. “All of those suppliers, community non-profits, company employees who are out there showing up to work every day and making $10 to $15 an hour depend on you to make the right decision. You can’t take that responsibility lightly. If you’re doing it for the money, you won’t last.”</p>
<p>What makes someone attractive as a board member is being a cultural fit, strategic, insightful, and with a diversity of experiences, Giles said. But while CISOs must understand the impact of technology and how breaches would impact the business, “they do not have to be a genius on financials to sit on a board,” he said.</p>
<p>CISOs need to scan the horizons to see what boards they would like to sit on where they could add the most value, Giles said.</p>
<p>&#8220;Don&#8217;t outsource this responsibility—take charge of it yourself,&#8221; he said. &#8220;Conduct the analysis and identify the companies that can benefit from what you bring to the table that they need by enhancing their total shareholder returns and earnings per share.&#8221;</p>
<p>Giles is the son of a sharecropper whose parents believed in the power of education. With dual degrees in computer science and business administration, he has built and run technology companies for some 40 years.</p>
<p>When he was fresh out of college, working as a programmer, a mentor took a liking to him and arranged that he sit in on board meetings.</p>
<p>“There I witnessed the power and the influence of the people who sit around the table and how they interact with management, along with the impact on all stakeholders,” he said.</p>
<p>After growing and building companies himself, Giles has been asked to sit on multiple boards, beginning at age 31 – then about half the average age of other board members.</p>
<p>“It changed my life,” he said. “I went on to other boards, because once you get on one board, that gets telegraphed.</p>
<p>“It is much more difficult to get the interview than it is to get that first board seat. But once you get that first board seat, you’re in the club, and the majority of new board seats come from the club before they go outside the club.”</p>
<p>The 4 ½-month Board of Directors Program he founded teaches C-level executives and two levels below the technical and governance aspects of sitting on a publicly traded or private board, as well as the nuances.</p>
<p>The tuition-free program has trained about 140 fellows so far; 17 have gone on to get board seats. More recently, it has been working to accelerate results by asking companies to add an advisory slot to their boards for program fellows, who would fill the skill sets deficit that the boards currently have while getting board experience and building a board brand.</p>
<p>In today’s economy, the value of a company is intangible assets—brand reputation, intellectual property, and innovation—which are more valuable than physical assets. Boards that cultivate diverse perspectives, industry expertise, and strategic foresight are better equipped to anticipate risks, seize opportunities, and drive sustainable growth.</p>
<p>“The value of a company today is based around what sits on technology,” Giles said. “Therefore, for the company to thrive and live in perpetuity, you have to have those individuals who understand the transformational impact of technology on the business. That’s why technology professionals are starting to be in demand.”</p>
<p>The average age of board members has dropped, sometimes significantly. If, when Giles was first invited to join a board, he was a youthful anomaly, today boards are increasingly bringing on younger members – some in their twenties &#8212; because they’re digital natives, and the customer base of the company, he said.</p>
<p>Historically, boards were made up of CEOs, CFOs and COOs. But that paradigm is also changing, he said.</p>
<p>“In today&#8217;s business landscape, 80% of the value of an S&amp;P 500 company doesn’t sit on its balance sheet; it’s intangible assets such as brand, patents, IP, workforce, etc. Today, there is so much risk to a company because of technology and change,” he said. “So having individuals who understand the impact of technology, the value of technology, and how technology is a driver of earnings per share and total shareholder returns – that is what is starting to fuel the shift.”</p>
<p>The other piece is the Security and Exchange Commission’s rules on cybersecurity, Giles said.</p>
<p>“In the past, boards put technology skills in the specialized skill set bucket and didn’t view technology skill directors as culturally relevant, but that has changed,” he said. “They see how AI’s transformative potential and cyber risk will put the company’s reputation on steroids. They understand that the board composition has to both change and expand to implement this degree of fiduciary oversight.”</p>
<p>Board opportunities with private companies are more plentiful because the number of public companies is limited, he said. “But I would not focus on a private board versus a public one. I would go for both of them,” he said.</p>
<p>When looking at a possible board seat, CISOs shouldn’t rush into a commitment, Giles said.</p>
<p>“Sometimes because they’re so anxious to get on a board, candidates make the mistake of taking the first one to come along. That’s a bad idea. You’re talking about a 10-year commitment on average, so you have to be sure that you want to be in a relationship with those individuals sitting around the table for 10 years.”</p>
<p>When interviewing for a board seat, candidates ought to meet individually with each board member to get a sense as to whether the placement would be a good fit, he advised.</p>
<p>Board members will need to devote about 400 hours a year to their board duties, and crises that erupt can take them away from their day jobs, he said. Candidates must therefore get their employer’s permission to accept a board offer, Giles said.</p>
<p>To deal with competing claims on their attention, CISOs need to do tabletop exercises at their enterprises, be aware of developments in their own industry and have processes and oversight in place, he added.</p>
<p>To shield themselves from possible liability suits, prospective board members should get a copy of the company’s D&amp;O insurance policy and consult with their personal lawyers to determine what sort of protections they would have, Giles said.</p>
<p>“Most people do not do that. They have no idea what exposure they may have from a personal perspective,” he said.</p>
<p>A top question boards will ask prospective candidates is how would your skills add value to our board of directors, Giles said. Another is, when was the last time you had to stand alone?</p>
<p>“You might have an issue where all the other board members say yes, and you say no, because the board’s fiduciary duty is individual, not collective,” he said.</p>
<p>A top question a candidate should ask the board is what does it see as emerging trends in the relevant industry or sector that technology can address, he said. Candidates should also ask whether the board has a speak-up culture, he added.</p>
<p>&#8220;Do your board members have direct access to major shareholders? Are they allowed to sit in on operational meetings in a listening capacity? Do you encourage board members to visit customers and suppliers? If the answer to these questions is no, it signals a deeper issue—an insecure CEO who treats the board as a rubber-stamping body rather than a true governance partner.</p>
<p>“A healthy board fosters open dialogue and strategic engagement,” Giles said. “If management dominates 70% of the conversation in board meetings, you’re not in a discussion – you’re attending a board governance concert. And that’s a key indicator of ineffective governance.”</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Lessons in Cybersecurity from Sabras &#8211; The Israeli Model of Innovation and Cooperation &#8211; the Good, the Bad, and the Ugly</title>
		<link>/lessons-in-cybersecurity-from-sabras-the-israeli-model-of-innovation-and-cooperation-the-good-the-bad-and-the-ugly/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Thu, 20 Jul 2023 06:36:05 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=35958</guid>

<description><![CDATA[<p>Last month the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center hosted the 13th annual “CyberWeek” event. The event, and the activities surrounding it, are a good jumping-off point&#8230;</p>
]]></description>
<content:encoded><![CDATA[<p><img decoding="async" class="alignnone wp-image-35961 size-large" src="/wp-content/uploads/2023/07/AdobeStock_584446948-1024x683.jpeg" alt="" width="1024" height="683" srcset="/wp-content/uploads/2023/07/AdobeStock_584446948-1024x683.jpeg 1024w, /wp-content/uploads/2023/07/AdobeStock_584446948-300x200.jpeg 300w, /wp-content/uploads/2023/07/AdobeStock_584446948-180x120.jpeg 180w, /wp-content/uploads/2023/07/AdobeStock_584446948-768x512.jpeg 768w, /wp-content/uploads/2023/07/AdobeStock_584446948-1536x1024.jpeg 1536w, /wp-content/uploads/2023/07/AdobeStock_584446948-scaled.jpeg 2048w, /wp-content/uploads/2023/07/AdobeStock_584446948-600x400.jpeg 600w" sizes="(max-width: 1024px) 100vw, 1024px" /></p>
<p>Last month the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center hosted the 13th annual <a href="https://en-cyber.tau.ac.il/about-cw"><span style="color: #003366;">“CyberWeek”</span></a> event. The event, and the activities surrounding it, are a good jumping-off point to look at what works, what could work, and what doesn’t work in public/private partnerships in a small but heterogeneous nation like Israel. For this article, we will put aside internal Israeli politics and look at the reasons that Israel has one of the highest per capita investments in cyber defense and cyber security, and whether this is a sustainable model for other countries.</p>
<p><strong>The Good</strong></p>
<p>As a nation, Israel is known for its technological innovation and thriving cybersecurity ecosystem, both in the government sector and in the commercial sector. At the CyberWeek event, it was not unusual to see dozens of young Israelis with nametags identifying themselves as the “CEO” of some company &#8212; at an age where most people in the U.S. are looking to write a resume or find their first job. There appears to be a culture of innovation, of corporate and investor risk taking, and of cooperation and coordination with the Israeli government. How much of this translates into either innovative products and solutions or comprehensive adoption remains to be seen. But Israeli cyber defenders appear to be motivated to create and deploy home-grown solutions, and to invest in them as necessary. While the cyber investment boom has been slowed somewhat by both COVID and the shrinking investment dollar, the skyline of Tel Aviv itself shows building after building springing up (oy, the traffic), many of which are dedicated to the high-tech sector in general and cybersecurity in particular. For a country the size of New Jersey, they have a disproportionate number of <span style="color: #003366;"><a style="color: #003366;" href="https://www.cyberdb.co/database/israel/">cyber companies</a></span>, from tiny startups to well established concerns.</p>
<p>Israel&#8217;s cybersecurity landscape is fortified by robust public-private partnerships, emphasizing collaboration between the government, academia, and the private sector. These partnerships serve as a catalyst for knowledge sharing, joint research, and development, and effective incident response mechanisms. By pooling resources and expertise, stakeholders in the cybersecurity ecosystem foster a collective defense against evolving cyber threats. What is unclear however is the extent of cooperation between cyber-attackers (think Mossad, IDF) and cyber-defenders. While much of what was visible was standard cyberdefense strategies (intrusion prevention, incident response, use of AI, AI and AI for “cyber”) these same strategies can be (and are being) deployed by hackers and governments as well. Better defenders make better attackers and vice versa, AMIRITE?</p>
<p>There is also a genuine “go to market” strategy deployed in Israel. IDF officers, particularly those steeped in cybersecurity, are eager to commercialize what they have learned by starting or joining the innovative cybersecurity enterprises that dot the landscape of Tel Aviv. While this undoubtedly excludes classified military tech, startups pop up all over, with venture capital (a bit less these days, but still around) looking for the next thing &#8211; big and small.</p>
<p>In other countries, notably the U.S. and Western Europe, there is more distance (and in the U.S. more distrust) between the government (particularly the military) and the private sector. Years of movies like The Forbin Project, WarGames, Hackers, and Mission: Impossible &#8211; Dead Reckoning Part One reflect a genuine antipathy toward government control of offensive and defensive cyber projects (unless a profit can be made in selling to the government). Government contracting regulations in the U.S. make many cybersecurity companies form separate divisions (or separate companies) to deal with “commercial” sales and “government” sales. The situation in Israel could be equally described as “cooperative” or, if you like, “incestuous.”</p>
<p><strong>No Comprehensive Regulation of Cybersecurity</strong></p>
<p>When it comes to Israel protecting its own infrastructure, the results are mixed. Of course, information about how the government protects itself, particularly entities like Shin Bet, the Mossad, the Mishteret and the IDF, is, as one would expect, shrouded in secrecy, tools and methods included.</p>
<p>When it comes to government actions to protect Israeli “critical infrastructure,” Israel, like many countries, falls victim to the “sectoral silo” problem. One critical challenge lies in the absence of universal cybersecurity requirements across industries. While Israel has implemented mandatory security requirements for critical infrastructure sectors, other industries, including healthcare, remain largely unregulated. This discrepancy creates vulnerabilities that adversaries could exploit, potentially undermining the overall cybersecurity posture of the nation. Essentially, the regulatory environment is split into thirds. “Critical infrastructure,” including power, water, telecom, etc., appears to be integrated into the nation’s cyber command infrastructure, with individual CERTs for each sector (well, a room designated as a CERT for each sector). The national CERT takes feeds from each sector CERT, but incident reporting seems to be both automated and limited. The Israelis have set up a SCADA/ICS lab where they attempt to simulate (and resolve) attack scenarios on various ICS systems (including legacy ICS and IoT), with dozens of different ICS systems and controllers being simulated. This includes the ICS systems of that German elevator company, Schindler, being tested and evaluated (“Schindler’s lift”). So certain aspects of Israeli critical infrastructure are reasonably well protected &#8212; or, more accurately, are the best protected of the infrastructures. Even here, though, Israel takes a different approach to defining “critical infrastructure” based on its perception of threat and criticality. As a country with little access to fresh water, the water sector &#8211; generation, desalination, distribution, storage &#8212; is critical.
<span style="color: #003366;"><a style="color: #003366;" href="https://www.cyberdb.co/database/israel/">The Israeli National Cybersecurity Directorate</a></span> applies basic <span style="color: #003366;"><a style="color: #003366;" href="https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20">cybersecurity principles</a></span> of identification, protection, resilience and recovery to these infrastructures.</p>
<p>Another reason the critical infrastructure seems protected is that it benefits not only from regulation, but also from information sharing with the government, and from the fact that Israeli CISOs and cyber folk seem to be only a year or so removed from military service. While in the U.S. most cybersecurity people have little government experience and few government contacts in DoD, in Israel there is near-universal military service and therefore strong connections &#8212; both personal and technical &#8212; with the government.</p>
<p><strong>Thriving Startup Culture: A Breeding Ground for Innovation</strong></p>
<p>Israel&#8217;s vibrant startup culture has played a significant role in shaping its cybersecurity landscape. The nation&#8217;s entrepreneurial spirit, risk-taking mindset, and technological prowess have led to the establishment of numerous successful cybersecurity companies. These startups, led by young CEOs, bring fresh perspectives and cutting-edge solutions to address emerging cyber threats.</p>
<p>However, the lack of universal requirements for cybersecurity poses a challenge in ensuring consistent security standards across startups and small businesses. While some startups prioritize cybersecurity, others may fall short due to limited resources or a lack of regulatory frameworks. Bridging this gap is crucial to safeguarding the entire ecosystem and ensuring a resilient cybersecurity landscape. For companies outside the critical infrastructure, it&#8217;s a hard sell to ramp up their cybersecurity, and there, as in the U.S., cybersecurity is promoted as a good and reasonable thing to do rather than as regulatory compliance.</p>
<p><strong>Government Initiatives and Regulatory Frameworks: Protecting Critical Infrastructure</strong></p>
<p>The Israeli government has made commendable efforts to protect critical infrastructure and regulated industries through various initiatives and regulatory frameworks. For critical infrastructure sectors such as energy, water, transportation, finance, and communications, cybersecurity regulations exist to mitigate risks and protect essential services.</p>
<p>Similarly, regulated industries like banking and healthcare have implemented sector-specific cybersecurity requirements. For instance, the Bank of Israel and the Ministry of Health have established guidelines to protect sensitive data and maintain secure operations. However, the lack of universal regulations poses challenges, as unregulated sectors may become potential entry points for cyber attackers.</p>
<p><strong>Challenges and Aspirations: Universal Requirements and CyberDome</strong></p>
<p>Despite the progress made in specific sectors, the absence of universal cybersecurity requirements is a significant challenge for Israel&#8217;s cybersecurity landscape. Universal requirements would ensure a consistent and comprehensive approach to cybersecurity, reducing vulnerabilities across industries. Implementing such requirements would require concerted efforts from government bodies, industry leaders, and cybersecurity experts.</p>
<p>Additionally, the proposed CyberDome, inspired by Israel&#8217;s successful Iron Dome defense system, aims to protect critical infrastructure from cyber threats. However, the practicality of implementing CyberDome remains a subject of debate. The complexity of securing diverse and interconnected systems, along with the rapidly evolving nature of cyber threats, raises questions about the feasibility and cost-effectiveness of such an initiative.</p>
<p><strong>Regional Cooperation: Strengthening Collective Defense</strong></p>
<p>Israel has witnessed a growing trend of regional cooperation in the realm of cybersecurity. Despite political differences, countries in the region, including potential adversaries like the United Arab Emirates (UAE) and Saudi Arabia, recognize the mutual benefits of collaborating to combat cyber threats. This philosophy is based on the understanding that securing all nations&#8217; digital infrastructure enhances overall stability and security, including that of Israel.</p>
<p>By engaging in regional cooperation, Israel expands its network of partnerships, shares threat intelligence, and collaborates on joint defense initiatives. This approach contributes to the collective defense against cyber threats, promoting stability and fostering trust among nations.</p>
<p><strong>Call the Cybercops!</strong></p>
<p>Israel has also established a national cybersecurity “call center,” where anyone &#8212; and I do mean anyone &#8212; can call a phone number (“119 &#8211; 911 backwards”) and reach a Tier 1 cyber responder. This ranges from a car salesman in Haifa to an elderly grandmother (Bubbie) in Bat Yam. While the call center&#8217;s number of responses is respectable (in the thousands), there are some issues I would raise. First, one party that seems to be missing from the infrastructure and response (maybe it just wasn’t that visible) was the Mishteret &#8212; the Israeli national police. Protecting critical infrastructure in Israel is seen as a technical, governmental and political issue &#8211; not as a law enforcement issue, as far as I could tell. While U.S. hacking victims are encouraged to report to the <span style="color: #003366;"><a style="color: #003366;" href="http://www.ic3.gov/">FBI’s Internet Crime Complaint Center</a></span>, Israelis appear to call engineers, not cops.</p>
<p><strong>The Ugly</strong></p>
<p>The coordination and relationship between the government and the private sector leads to problems like the Pegasus problem &#8212; spyware created by an Israeli company and deployed, in theory, only to those entities which have a good track record on human rights. Right? The power of such software, and its ability to be deployed in ways that harm individuals and nations, make the need for transparency urgent. When we speak of using the product for “good” purposes, who gets to decide? With the incestuous relationship between cyber companies and the Israeli government, those “good” purposes may simply be those that serve or benefit a specific government. That’s very dangerous.</p>
<p><strong>Conclusion:</strong></p>
<p>Israel&#8217;s cybersecurity landscape has achieved remarkable milestones, thanks to its public-private partnerships, thriving startup culture, and government initiatives. Collaboration between stakeholders has yielded innovative solutions and bolstered defenses against cyber threats. However, challenges such as the absence of universal cybersecurity requirements, practicality of proposed initiatives like CyberDome, and gaps in regulation across industries must be addressed for a more comprehensive and resilient cybersecurity ecosystem.</p>
<p>The philosophy of defending all countries, even potential adversaries, reflects Israel&#8217;s commitment to regional stability and security. By engaging in regional cooperation, Israel strengthens collective defense and fosters trust among nations.</p>
<p>As Israel continues to advance its cybersecurity ecosystem, a balance must be struck between innovation and regulation. Universal cybersecurity requirements, practical initiatives, and enhanced collaboration will ensure the nation&#8217;s continued leadership in cybersecurity and contribute to a safer digital landscape for all. L’Hitraot.</p>
<p>Mark D. Rasch, Esq.</p>
<p>Law Office of Mark Rasch</p>
<p>Admitted in MA, NY. MD</p>
<p>mdrasch@gmail.com</p>
<p>Tel: 301 547 6925</p>
<p>The post <a href="/lessons-in-cybersecurity-from-sabras-the-israeli-model-of-innovation-and-cooperation-the-good-the-bad-and-the-ugly/">Lessons in Cybersecurity from Sabras &#8211; The Israeli Model of Innovation and Cooperation &#8211; the Good, the Bad, and the Ugly</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>2022 CISO Choice Awards Vendor Recognition Interviews</title>
		<link>https://www.youtube.com/playlist?list=PL3q0yrMnQaAK66cjdPlEa9r1uADwCxsTE#new_tab</link>
		
		<dc:creator><![CDATA[CISOs Connect™]]></dc:creator>
		<pubDate>Wed, 16 Nov 2022 14:49:39 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[Videocasts]]></category>
		<guid isPermaLink="false">/?p=34136</guid>

					<description><![CDATA[<p>The post <a href="https://www.youtube.com/playlist?list=PL3q0yrMnQaAK66cjdPlEa9r1uADwCxsTE#new_tab">2022 CISO Choice Awards Vendor Recognition Interviews</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The post <a href="https://www.youtube.com/playlist?list=PL3q0yrMnQaAK66cjdPlEa9r1uADwCxsTE#new_tab">2022 CISO Choice Awards Vendor Recognition Interviews</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Arm and a Leg &#8211; and Eyeball &#8211; IRS/SSA Mandate Biometric Authentication</title>
		<link>/arm-and-a-leg-and-eyeball-irs-ssa-mandate-biometric-authentication/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Tue, 08 Feb 2022 13:02:23 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=33065</guid>

					<description><![CDATA[<p>The IRS, the Social Security Administration and other government agencies had a problem when dealing with the public. Scammers &#8212; often organized criminal groups or even state sponsors &#8212; impersonate&#8230;</p>
<p>The post <a href="/arm-and-a-leg-and-eyeball-irs-ssa-mandate-biometric-authentication/">Arm and a Leg &#8211; and Eyeball &#8211; IRS/SSA Mandate Biometric Authentication</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p dir="ltr"><img loading="lazy" decoding="async" class="alignnone wp-image-33070" src="/wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1.png" alt="" width="785" height="451" srcset="/wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1.png 1017w, /wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1-300x172.png 300w, /wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1-768x441.png 768w, /wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1-600x345.png 600w" sizes="auto, (max-width: 785px) 100vw, 785px" /></p>
<p dir="ltr">The IRS, the Social Security Administration and other government agencies had a problem when dealing with the public. Scammers &#8212; often organized criminal groups or even state sponsors &#8212; impersonate genuine beneficiaries of entitlement programs (e.g. unemployment insurance, tax refunds or tax credits, social security retirement or disability benefits) and claim these benefits for themselves. <a href="https://www.irs.gov/pub/irs-pdf/p5027.pdf">The IRS has a publication devoted to helping people recover from ID theft in tax returns</a>. The Treasury Department’s Office of Inspector General (its internal police department and auditor) <a href="https://www.treasury.gov/tigta/auditreports/2020reports/202040040fr.pdf">found in 2020</a> that (as of 2018) “the IRS estimates it prevented the issuance of between $6.03 billion and $6.08 billion in fraudulent tax refunds (referred to as protected revenue). However, the IRS also reported that identity thieves were still successful in receiving an estimated $90 million to $380 million in fraudulent tax refunds (referred to as unprotected revenue).”</p>
<p dir="ltr">That’s a lot of cheese.</p>
<p dir="ltr"><a href="https://www.ftc.gov/news-events/blogs/data-spotlight/2019/04/growing-wave-social-security-imposters-overtakes-irs-scam">In 2019, the FTC reported</a> that the losses to the Social Security Administration from identity fraud exceeded those suffered by the IRS.</p>
<p dir="ltr">So curbing ID fraud &#8211; particularly with respect to online filing &#8211; can save taxpayers a lot of money, and can save beneficiaries a lot of hassle. Strong authentication is great, multi-factor authentication better, and multi-factor authentication with a strong biometric is even better.</p>
<p dir="ltr">The IRS came up with a plan to allow a private company &#8212; ID.me &#8212; (as distinguished from its own authenticator <a href="http://login.gov/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=http://login.gov&amp;source=gmail&amp;ust=1644403338045000&amp;usg=AOvVaw1LGrEG6LVCc6VRrFoDy-40">login.gov</a>) to collect the data to authenticate users &#8212; including the biometric data to bind them to their credentials, and then, using the biometrically authenticated credentials, to access the government sites. In that way, the government agencies would not themselves collect the trove of biometric data, but would benefit from its collection.</p>
<p dir="ltr">On February 7, in response to outcry from the public, privacy advocates, and data security professionals, <a href="https://www.washingtonpost.com/technology/2022/02/07/irs-idme-face-scans/">the IRS abandoned this plan</a> noting that it would “transition away” from private biometric authentication. This was in direct response to concerns about the massive collection, storage and use of an online biometric database. The <a href="http://id.me/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=http://id.me&amp;source=gmail&amp;ust=1644403338045000&amp;usg=AOvVaw03fjsEO4dF6rMcFqR9JYgH">id.me</a> database not only collected the biometric data, but it also used biometric challenge/response (requiring the person seeking to be authenticated to interact on video with an <a href="http://id.me/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=http://id.me&amp;source=gmail&amp;ust=1644403338045000&amp;usg=AOvVaw03fjsEO4dF6rMcFqR9JYgH">id.me</a> employee) to demonstrate identity.</p>
<p dir="ltr">Under the now-rejected proposal, if you wanted to file your taxes online, get social security benefits, or apply for a driver’s license, you would have to provide a biometric sample to a private company (facial, voice or other biometric) which would then authenticate you (maybe), and provide you a token which you can use (instead of a weak userid and password) to log into the IRS or SSA website. While it’s clear that simple single-factor authentication (userid and password) is insufficient for these financial transactions, those who are not comfortable with providing a biometric online to a private company which promises that it won’t sell it to anyone else &#8212; might just have had to file their taxes with an envelope and a postage stamp.</p>
<p dir="ltr">Years ago, at the main post office in Washington, D.C. (on Capitol Hill across from Union Station) a game was played on April 15. Taxpayers would drive to the main post office (now a postal museum) and postal workers would be outside with big canvas carts on wheels. Motorists and pedestrians would toss their completed tax forms into the basket, secure in the knowledge that, even though it was 11:30 at night, the returns would be postmarked April 15, and they would have been filed timely. Then the taxpayers would stop at the Irish pub (the Dubliner) for a pint (or more) of Guinness to celebrate. More than a few filers would actually print their 1040 forms &#8212; or their checks &#8212; on their T-shirts, and toss those into the bin (literally giving the government the shirt off their back). It was a simpler &#8212; and stupider &#8212; time.</p>
<p dir="ltr">However, there’s a new ritual for those seeking to file their taxes, or interact with the IRS, or interact with the Social Security Administration. According to a recent article by <a href="https://krebsonsecurity.com/">Brian Krebs in his blog Krebs on Security</a>, the proposal was to require users of the IRS or SSA websites to authenticate themselves through the commercial entity ID.me. As Krebs notes, “Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service. When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.”</p>
<p dir="ltr">So I popped over to the site. First thing it does is it wants to serve me cookies. If you aren’t a Girl Scout or a Double Tree Hilton, I don’t want your cookies. Their Privacy Bill of Rights notes that:</p>
<p dir="ltr" style="padding-left: 40px;">You have the right to privacy.</p>
<p dir="ltr">ID.me has built rigorous security and privacy requirements into our technology from inception. We are an ethical steward of your personal information and are committed to supporting your rights:</p>
<p dir="ltr" style="padding-left: 40px;">You are solely in control of your own data.</p>
<p dir="ltr" style="padding-left: 40px;">You must provide explicit consent before we will share any information.</p>
<p dir="ltr" style="padding-left: 40px;">You can see all authorized apps and data elements shared in your My Account portal.</p>
<p dir="ltr" style="padding-left: 40px;">You can revoke access to your data for any authorized app at any time.</p>
<p dir="ltr" style="padding-left: 40px;">You may destroy your ID.me credential and associated data at any time. ** Some data related to NIST 800-63-63 credentials will be retained after account deletion solely for fraud prevention and government auditing purposes.</p>
<p dir="ltr">Sounds good. But even at the outset, inconceivable. Or, more accurately, “I do not think that word means what you think it means.” Once I turn over my biometric, authentication data, etc. to ID.me, I am, almost by definition, NOT in control of my own data. If ID.me is hacked, subpoenaed, a search warrant issued to them, etc., or any of their technological or business partners, I am NOT in control of my data. Sure, I can direct ID.me what entities I want them to give my credentials to (to authenticate me), but I certainly am not in CONTROL of the data that I transferred to them. And, unless that data is stored on their directories in a manner that is both encrypted AND for which I &#8212; and I alone &#8212; have the decryption key (assuming the key is strong enough), or the data is forensically wiped from their machines, I most certainly am NOT in control of the data.</p>
<p dir="ltr">Same is true with respect to the statement that “You must provide explicit consent before we will share any information.” Have they never heard of a search warrant? A FISA warrant? A National Security Letter? A writ under the All Writs Act? Governments can (and do) not only compel entities to produce information ALL THE TIME, but government agencies and courts routinely compel the entity to which the orders have been directed to NOT tell their customers that the data has been sought or produced. Moreover, if a sophisticated hacker were to fake your identity to fraudulently obtain services or money that was yours, this policy seems to suggest that ID.me will not provide the information necessary to demonstrate that the person who faked your identity was not you, since they have agreed to not share THEIR data without THEIR consent. So the thief’s data is protected from disclosure? I hope not.</p>
<p dir="ltr">Additionally, there are concerns about the type of authentication that <a href="http://id.me/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=http://id.me&amp;source=gmail&amp;ust=1644403338045000&amp;usg=AOvVaw03fjsEO4dF6rMcFqR9JYgH">id.me</a> does. Your iPhone or Android device has biometric authentication, but the biometric is stored on and compared on the device itself. As far as has been reported, the biometric is never sent to Apple or Google. The device asks the question, “Are you John Smith?” and Mr. Smith provides a biometric which is scanned and compared to the one stored encrypted in the device to answer that question. If the answer is “yes” then access to some protected credentials is unlocked. But Apple and Google could not provide a fingerprint or face analysis to the government if compelled, because they don’t have it.</p>
<p dir="ltr">The ID.me mechanism is different because the private company would collect and store the biometric, making it vulnerable not only to hacking and theft but to compelled production. Not good for privacy.</p>
<p dir="ltr">The other problem is the 1-1 vs. 1-many problem. A 1-1 authentication merely asks the question “are you John Smith?” &#8212; yes, no or maybe (Magic 8 Ball says, ask again later). The 1-many facial recognition says “here’s this unknown guy &#8212; who is that?” or “here’s John Smith &#8212; tell me every photo and surveillance video that has him in it.” A very different proposition from a privacy standpoint. While ID.me denied doing “1-many” facial recognition, <a href="https://www.linkedin.com/feed/update/urn:li:activity:6892131524746326016/">the CEO of ID.me posted on his LinkedIn page</a> that “ID.me uses a specific “1 to Many” check on selfies tied to government programs targeted by organized crime to prevent prolific identity thieves and members of organized crime from stealing the identities of innocent victims en masse. This step is internal to ID.me and does not involve any external or government database.” It starts with organized crime, then moves to international terrorism, then domestic terrorism, then child molesters, then thieves, robbers, tax cheats, and other “enemies of the state.” It’s not that there aren’t appropriate uses for facial recognition technology &#8212; it’s that, once created, it becomes too much of what the law would call an “attractive nuisance.”</p>
<p dir="ltr"><strong>Third Party ID Verification</strong></p>
<p dir="ltr">Another problem with using the ID.me model for authentication is the fact that many of the documents relied upon to establish identity &#8212; driver’s license, passport, etc., were actually generated using authentication credentials created or validated by &#8212; you guessed it &#8212; ID.me.</p>
<p dir="ltr">The idea of third party ID verification, whereby you prove your identity to one party with strong ID verification, and then obtain from them a credential which can be securely transmitted to authenticate you, is nothing new. When you prove to your state government that you have the skills necessary to operate a motor vehicle, you provide your local DMV with some evidence of identity (birth certificate, baptismal record, naturalization record) as well as some evidence of residence (lease, utility bill, etc.), and they create a biometric (your picture) and issue you a reasonably strong identification document (a driver’s license). The purpose of that ID was to show that it was YOU who was able to navigate a 1969 Dodge Dart through the crowded streets of Yonkers, New York in the summer of 1973 (actually, my first driver’s license was on unlaminated paper with no photo), but over time the driver’s license has morphed into some kind of universal ID. Now, if you want to vote, get into a bar, get a gun license (in states that require it) or get on a plane, you need to present the “Real ID.”</p>
<p dir="ltr">The ID.me model differs in a few ways. First, ID.me is a private company collecting massive amounts of identity information, with only the patchwork quilt of data privacy laws protecting that data from disclosure or use. Of course, there are few legal constraints on how your local DMV uses your driver’s data &#8212; which is routinely shared with law enforcement agencies and others. In fact, local DMVs used to sell this data to marketers and others until celebrities were stalked, and one killed, through the use of DMV data. Second, because ID.me attempts to authenticate individuals remotely and digitally, it had to come up with a scheme to determine (to some degree) the identity of the individual. If you can fake a digital ID, you can effectively “be” that person for many different purposes.</p>
<p dir="ltr">ID.me says that the process of authentication is “simple.” They note that “The user takes a photo of their identity document (driver’s license, passport, or state ID) and a quick selfie. ID.me uses advanced facial recognition to compare the picture of the applicant on the ID document to the selfie.”</p>
<p dir="ltr">Not so simple. First, we assume that the driver’s license used is actually valid. It’s trivial to get a fake driver’s license from China. So, either ID.me is using the embedded authentication within the driver’s card, or has access to a database of driver’s license information to “validate” the driver’s license. If the latter, then what’s the point of “presenting” the driver’s license? If you have access to the picture taken at the time of issuance, then use that as the token. Second, this process depends on the authenticity of the DMV records. Guess what? <a href="https://insights.id.me/wp-content/uploads/2020/12/IDme-REAL-ID-Solution_Web.pdf">ID.me is the one who collects the authentication documents needed for DMV</a>. So they are at both ends of the authentication transaction &#8212; providing the documentation needed to get the strong ID, and then relying on that strong ID to issue a certificate. How does ID.me authenticate my birth certificate? How do they authenticate my water bill?</p>
<p dir="ltr">Identity management is tough. In fact, even a DNA sample would not necessarily distinguish me, a lawyer in Bethesda, Maryland from, say, a doctor in Pearl River, New York. (Sometimes it helps to have an identical twin, amirite?). The idea of a massive database of biometrics is too much even for the IRS. And that’s saying a lot.</p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
<p>The post <a href="/arm-and-a-leg-and-eyeball-irs-ssa-mandate-biometric-authentication/">Arm and a Leg &#8211; and Eyeball &#8211; IRS/SSA Mandate Biometric Authentication</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>AR vs VR &#8211; A Meta World Fight</title>
		<link>/ar-vs-vr-a-meta-world-fight/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Thu, 03 Feb 2022 09:52:38 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=33053</guid>

					<description><![CDATA[<p>A battle is brewing for your heart and soul &#8212; and your eyes. In one corner is Augmented Reality &#8212; AR. In the other, Virtual Reality &#8211; VR. My money&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-33056" src="/wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight.png" alt="" width="702" height="403" srcset="/wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight.png 1017w, /wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight-300x172.png 300w, /wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight-768x441.png 768w, /wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight-600x345.png 600w" sizes="auto, (max-width: 702px) 100vw, 702px" /></p>
<p><span style="font-weight: 400;">A battle is brewing for your heart and soul &#8212; and your eyes. In one corner is Augmented Reality &#8212; AR. In the other, Virtual Reality &#8211; VR. My money is on AR, but I have been wrong before (see predictions on crypto).</span></p>
<p><span style="font-weight: 400;">Let’s understand the difference in hardware, software and philosophy between AR and VR, and why I think that, at the end of the day, AR will prove to be more useful and adopted.</span></p>
<p><strong>AR</strong></p>
<p><span style="font-weight: 400;">In a well-designed and well-implemented AR system, content will be available to users in a way that supplements or augments the real world. The best example would be some variant on the Google Glass model &#8212; you know, those high-tech glasses that made you look like &#8212; well, a glasshole. A more sophisticated (and more modern) application would look like, and perform like, regular eyeglasses in terms of fit, size, style and weight &#8212; hopefully with at least an all-day battery life. While near-term implementations would make the smart glasses the display for the adjacent smartphone, if the glasses get smart enough, the phone could be dispensed with entirely. For greater utility, the glasses would be photochromic &#8212; clear indoors and sunglasses outdoors. Another essential feature would be stealthiness &#8212; neither the sounds from the built-in headphones nor the display should be capable of being observed or captured by third parties. Sort of like being in your own little world, while being in the regular world. Or, Augmented Reality.</span></p>
<p><span style="font-weight: 400;">The advantage of this kind of setup is that the glasses take the display currently on the phone and move it to where it really needs to be &#8212; continuously within your field of vision. I say continuously for both good and bad reasons. There is some information you want to see immediately &#8212; maybe texts, alerts, etc., and some you want to be immersed in, like videos, sports, etc. So the hardware and software will have to strike the appropriate balance, and provide safeguards to prevent that douche in the Ferrari from driving at 110 while logging into some Asian porn site. It’s all about balance. But I must admit, being able to get driving/walking directions in my actual field of view (displayed over the street itself and not a map of the street) is pretty cool.</span></p>
<p><span style="font-weight: 400;">With greater sophistication, hand gestures can take the place of finger swipes for input, selection, etc. A virtual keyboard could be displayed in front of the user, and they could type in the air. Or something else. Do I look like a software engineer?</span></p>
<p><span style="font-weight: 400;">One of the promises of Augmented Reality is the ability to put virtual objects into the real world. Think Pokémon GO or things like that. First-person shooter games could be played in a physical world.</span></p>
<p><span style="font-weight: 400;">Other uses are a mixed bag of great utility and terrifying invasion of privacy. You walk into a party and, as you scan the room, the camera in the glasses captures images of faces and displays on your glasses the names of the patrons, their social media or bios, how you might be connected to them, and how you may have interacted with them in the past. Great for people like me who often have to pretend that they remember someone (“um, yeah….honey, this is…um…”). The idea of having an always-on camera right on my face is both useful and scary, and once it becomes ubiquitous, that sound you will hear will be the death knell of privacy. Or the last gasp.</span></p>
<p><span style="font-weight: 400;">But all told, it would still be cool to be able to multitask while in a meeting without it being obvious. It might make the cell phone, laptop, desktop, keyboard and mouse all unnecessary. The North glasses (absorbed by Alphabet) had a useful ring navigation device which seemed pretty cool. More data. More connection. More biometrics. What could go wrong, amirite?</span></p>
<p><strong>VR</strong></p>
<p><span style="font-weight: 400;">On the other end of the spectrum is VR. You know, those giant glasses you wear over your eyes that immerse you in a virtual world. Things like Oculus Meta, HP Reverb, or HTC Vive. These devices eschew the ability to see the “real” world and plunge their users into a virtual world &#8212; or a “metaverse.” They can interact with others in this virtual world in a more natural way &#8212; on virtual roads, in virtual buildings, etc. These virtual worlds will become photorealistic and potentially indistinguishable from a “real” street, building, etc. Take the red pill. In a VR world, one can see the Grand Canyon in the morning, the Sistine Chapel in the afternoon, and pilot the USS Kelvin at night.</span></p>
<p><span style="font-weight: 400;">I honestly don’t know the future of this kind of metaverse, but I do know that many high-tech companies &#8212; including Meta &#8212; are investing heavily in various iterations of it. To me, who grew up in the generation when parents sent kids out to play in the streets until nightfall without supervision (and we loved it &#8212; at least those of us who survived), the idea of sitting around with that kind of headset on my face and interacting with others that way seems stifling and weird. But to others it might seem freeing and enabling. For now, I just want to get my messages and emails. OK Boomer.</span></p>
<p><span style="font-weight: 400;">Which brings me to my final point. Both AR and VR are immersive and transformative technologies that increase our link to, and dependence on, networks and technologies. As a result, before we go down either path we must make damned sure that we understand the moral, ethical, privacy, and autonomy concerns, as well as the security and authentication concerns, for the use of these technologies. If we get it right, it can be pretty cool. If not, we are stuck in a virtual nightmare of our own creation. And the only way to win is not to play the game.</span></p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Top 10 Security Challenges for 2022</title>
		<link>/top-10-security-challenges-for-2022/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Fri, 31 Dec 2021 09:47:54 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=32983</guid>

					<description><![CDATA[<p>Traditionally, this time of year one either looks back at the previous year, or looks forward to the year ahead. While there have been great advances over the years with&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-32987" src="/wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1.png" alt="" width="735" height="422" srcset="/wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1.png 1017w, /wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1-300x172.png 300w, /wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1-768x441.png 768w, /wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1-600x345.png 600w" sizes="auto, (max-width: 735px) 100vw, 735px" /></p>
<p>Traditionally, this time of year one either looks back at the previous year or looks forward to the year ahead. While there have been great advances over the years with respect to information security tools, technologies, training and awareness, significant challenges remain. What follows is my estimation of the top information security challenges for 2022. Please note that I could probably have written the same challenges for 2021, 2019, 2001, and perhaps even 1973. Some of these issues are perennial, some are new. As a lawyer, some of the challenges I list are ones faced by security lawyers rather than technical challenges which might be faced by CISOs.</p>
<p><strong>10. Document Retention Policies</strong></p>
<p>People often forget that digital security is first and foremost about information management. It’s all about the data, not the hardware, not the software. At the end of the day, the goal of data security is to ensure that the right information gets to the right people (with integrity) and that it does not go anywhere else.</p>
<p>To a great extent, this means doing things that are very, very hard to do. It means mapping data flows (not networks): knowing what data is located where, where it is supposed to go, and where it is backed up and stored. It also means knowing HOW the data flows through the system, where it passes through, what networks and devices it flows through, and how it is stored (permanently and temporarily). One problem is that much of the data created (think e-mail) may be stored or transmitted on or through third parties, or may be sent to third parties which may themselves retransmit the data, or incorporate it into other data streams. Sounds like fun, no?</p>
<p>After mapping the data flows, the next step is to classify the data. What’s secret, what’s confidential, what’s public? What data is critical from a confidentiality standpoint (what would happen to the enterprise or third parties if the data was released)? What data is critical from the standpoint of data integrity (e.g., financial disclosures)? What data is critical from the standpoint of availability (e.g., that implanted pacemaker)? That’s just data classification from a data security standpoint. The data also then has to be classified from a data retention and data destruction standpoint. How long do you have to keep it? How do you have to keep it? Where do you have to keep it? Can the data be exported? Can it be deleted? Must the data be “wiped” rather than deleted? And, once again &#8212; if the data is to be deleted, do we know where it is?</p>
<p>These issues are really hard because of &#8212; well, humans. People tend to want to keep data. They tend to want to keep it handy. Which means moving it from place to place &#8212; to thumb drives, onto mobile devices, and emailing it to themselves. They are also lazy. There’s little apparent utility in spending hours going through documents and emails and “classifying” them. So we end up with a huge pile of data that we never classify and never delete. Or, more accurately, many huge piles of data. We have no good tools to automatically classify data and automatically delete it. And if we did have such tools, of course, they would be powerful tools for hackers and fraudsters. So that’s a challenge right there.</p>
<p><strong>9. Insurance</strong></p>
<p>“Cyber” insurance has been around &#8212; in one form or another &#8212; for more than thirty years (although most carriers don’t know that). With the increase in “successful” ransomware and extortionate attacks (and claims related to them), carriers have responded by being more selective in who and what they cover, by requiring prospective insureds to take certain actions as a precondition of coverage, by raising premiums, and by excluding certain losses from coverage. They have also responded by taking a narrow and defensive position with respect to claims &#8212; rejecting, for example, claims related to files “damaged” by ransomware as not truly being “damaged.” In addition, insurance companies have forged relationships with digital forensics and investigation firms, as well as cyber law firms, to provide “one stop shopping” for risk reduction, risk mitigation, risk transfer, and incident response. The challenge for 2022 (as in the past) is to ensure that the insurance and the insurance market are poised to meet the actual threats and challenges posed by the digital marketplace. Fraudulent wire transfers, supply chain interference, third party liabilities, business reputation management, and loss of cryptocurrency are all new threats (well, some are) for which most entities’ insurance policies may be inadequate. Additionally, with the increase in the price of cyber-insurance, many small and medium-sized businesses are being priced out of the marketplace. Finally, the current commercial cyber insurance marketplace may be inadequate to meet two related problems &#8212; systemic supply chain (third party) claims, and claims related to state-sponsored cyber-attacks. It may be time for a government (or multiple governments) to step in to ensure that cyber policies are reasonably comprehensive and reasonably affordable. Or maybe not. But it’s still a challenge.</p>
<p><strong>8. Ransomware/Extortionware</strong></p>
<p>Ransomware remains a significant challenge for companies, not simply because it has become ubiquitous, but also because of the significant impact a single ransomware attack may have on a company and on every company or customer that relies on that company. Unlike previous types of “hacks,” where data is stolen and then exploited or sold, ransomware and extortionware rely on payment by the victims themselves. Instead of having to steal data and then find a buyer for that data, a threat actor can sell the data (or mere access to that data) to an already willing buyer &#8212; the victim themselves. Easy, peasy, lemon squeezy. With the ubiquity of anonymous payment processes through cryptocurrency, a threat actor may target a particular company, industry, computer or database, or may simply go after targets of opportunity. The defenses to ransomware &#8212; whether they are intrusion prevention, network segmentation, data backup and restoration, or advanced incident response (including payment) &#8212; are complex and not comprehensive. A classic setup for a disaster.</p>
<p><strong>7. “Supply Chain”</strong></p>
<p>For these purposes, I take a very expansive definition of “supply chain.” For my purposes, a company’s “supply chain” is anything upon which the company depends for critical data, processes, or services. Software can be supply chain. Firmware too. Hardware is part of the supply chain. Services are part of the supply chain. People are included. When we talk generically of “supply chain security” or “supply chain resilience” (a better concept), we are really talking about examining all of our dependencies and interdependencies (including who is dependent upon us) and asking hard questions like how do we know the provenance of that product or service, and what would happen if…. If the data was not available. If the cloud was not secure, if I could not access the data, etc. Supply chains (under my definition) are hard to understand and ever more difficult to manage. Because of the interdependencies, the security (and resilience) of any entity is dependent upon the security (and resilience) of any and all of the hardware, software, people, processes, etc., upon which it depends. While third party audits, data protection agreements, and standards all may help, the problem is really complicated, and will likely persist.</p>
<p><strong>6. Multi-Factor Authentication </strong></p>
<p>When we speak about authentication, we often mean “authorization.” Is the person accessing the data, computer, network, or process the person who is permitted to do so, and are they accessing and using the data etc. for a permitted purpose? Traditionally, we have used “authentication” as a proxy for authorization by providing the authorized person with some form of credential which they then present to us to establish authorization. In the transfer back and forth of such credentials, we create vulnerabilities, including MiTM attacks, spoofing, theft of credentials, etc. Cat, meet mouse. Or mole, meet mallet. In addition, strong authentication can be anathema to strong privacy, since a strongly authenticated individual can be tracked by their credentials through every place they visit and everything they do. We can and will do better in authentication schemes (first thing, let’s turn on MFA by default) but, because of the power of authentication, it is often the most ubiquitous thing attacked. It’s a difficult and persistent problem, which is why it makes the list.</p>
<p><strong>5. Data Protection Agreements</strong></p>
<p>A corollary to the supply chain problem is the border problem. No, not THAT border problem. The problem that companies only directly control a tiny fraction of the infrastructure on which they depend. Their mail is provided by a third party cloud provider. Same for their salesforce infrastructure, billing, invoicing, HR, etc. They employ consultants, independent sales representatives, lawyers, suppliers, vendors, etc., each of whom has access to data, networks, computers, etc. For any data or processes outside our direct control, we can (and occasionally do) compel the third party to “do something” to protect our data. Sometimes it is just a duty to inform us of a data breach. Sometimes it is a duty to comply with some data privacy or data security standard (think ISO or NIST security standards). These agreements sit on a shelf like a ticking time bomb, until one of the companies suffers a data breach or other incident, and then we can sue them for breach of contract. In addition, we think that because the third party has signed an agreement that it will protect our data, we are in the clear. So the problem with data protection agreements is like the problem with the food at the borscht belt hotel. It tastes terrible, and such small portions.</p>
<p><strong>4. International Data Privacy Regulation</strong></p>
<p>Just as we begin to achieve consensus on data privacy principles (limited collection, consent, legitimate use, data lifecycle, right to be forgotten, etc.), data privacy law and regulation becomes exponentially more complicated and difficult to comply with. The other problem with privacy regulation is that the Internet has become dependent upon there NOT being data privacy &#8212; entities like Meta (Facebook, etc.), Alphabet (Google, etc.), Amazon, Apple and others depend upon the collection and analysis of massive amounts of personal data. It is what gives the company value. The problem with data privacy regulation is that we want both privacy and the utility afforded by having third parties collect data for and about us. Like many other complex problems, these are problems because we expect them to accomplish diametrically opposed goals. Sounds like fun.</p>
<p><strong>3. Telework/Remote Access</strong></p>
<p>If the pandemic has taught us anything, it is that home is where the keyboard is. And the office too. The explosion of telework and remote access, together with some of the tools that enable such telework, has created a physical disconnect between the person and the data. Data can be, and often is, accessed anywhere and everywhere. The disconnect creates opportunities for hackers, fraudsters, and others to attack data and networks. And as people demand more remote services (think telemedicine) and demand to be able to work remotely, the problem will only get worse.</p>
<p><strong>2. Staff Shortages</strong></p>
<p>We have always suffered from a shortage of good security peeps &#8212; partly because of the nature of the work itself. A good security person follows complex rules. A good security person constantly disobeys complex rules and breaks things. A good security person fixes things. A good security person knows how to connect with other people and share their insights. A good security person doesn’t care about other people and sharing insights, but wants to think creatively about how to exploit people’s vulnerabilities. A good security person is a “team player.” A good security person can work for hours or days without any supervision. A good security person is a hacker at heart. A good security person would never do things that a hacker would do. And is it any wonder why we have trouble recruiting and motivating good security people?</p>
<p><strong>1. Security Awareness</strong></p>
<p>We do lots and lots of security training. Well, not so much. The average employee is compelled to take a 15 minute training session on security (Alice shares her password with Bob… is this A good or B bad?) and then a refresher class every 18 months. It’s a chore, and a passing grade is typically 75-80 percent, which means that they can be wrong 25 percent of the time and still “pass” their training. And yet, in many cases, users are either the first line of defense against attacks, or the first method of furthering such attacks. We must find a way to go beyond training, beyond learning, and to change and reinforce culture. Sure, AFTER a major breach, AFTER a major ransomware attack, AFTER a major shutdown, everyone is more sensitive to data security. The problem is either that many users don’t know what to do to maintain security, or that they don’t care. Most of the time, however, it is because users believe that it is either necessary or useful to bypass a security requirement in order to get their job done. Thus, part of the job of the CISO is to find out how and why people are bypassing security and find a way to help them get their job done. And to inculcate a culture of security, curiosity, and concern within and throughout the company. And unicorns. Because, why not?</p>
<p>So these are MY top 10 security challenges for 2022. And 2023. Most of these problems are intractable and are bound to be repeated. And they are hard to fix. If they were easy to fix, they wouldn’t be on the list.</p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>November 2, 1988 &#8211; A Day of Infamy for the Internet</title>
		<link>/november-2-1988-a-day-of-infamy-for-the-internet/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Tue, 02 Nov 2021 18:59:02 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=32773</guid>

					<description><![CDATA[<p>Forty-three years ago, on November 2, 1988, the Internet lost its innocence. Now, in reality, the Internet was never truly “innocent,” and, let’s face it, in 1988, it wasn’t&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" src="https://d1c2gz5q23tkk0.cloudfront.net/assets/uploads/3195061/asset/AdobeStock_245760174.jpeg?1635878781" alt="" width="813" height="458" /></p>
<p>Forty-three years ago, on November 2, 1988, the Internet lost its innocence. Now, in reality, the Internet was never truly “innocent,” and, let’s face it, in 1988, it wasn’t even really the Internet. It was the ARPANet, or DARPANet, or MILNet… a loose confederation of large institutions like banks, government agencies and academics connected through a series of common protocols over a disambiguated network that permitted them both to share resources and to communicate with each other. There were as many as 60,000 “Internet” users in the United States at the time &#8212; more or less. The “Internet” was a club &#8212; a fraternity &#8212; and its members considered themselves somewhat elite. The nascent network, already more than a dozen years old at that point, allowed a researcher in Chicago to take advantage of the power of a “supercomputer” in San Diego to run programs. It allowed users to play Star Trek games like Netrek (“you have entered a new quadrant… type “L” to look around”). While certain entities were dependent upon the fledgling “Internet,” it was yet to become a tool for massive electronic commerce, social media, and mass communications. In fact, connecting to the Internet meant mastery of things like DIP switches, PIN settings, baud rates, and dial-ups, or reliance on network administrators and contracts with companies like Bolt Beranek and Newman. It was an exclusive fraternity.</p>
<p>There had been computer crimes before November 1988. Fred Cohen had already written his book on computer viruses. Dr. Joseph Popp was a year away from releasing the world’s first ransomware attack. John Draper and other phreakers had learned how to hack the nation’s phone system &#8212; mostly for free phone calls. Hacks &#8212; they were already called hacks &#8212; of various computers had been going on for years &#8212; decades perhaps, for various reasons. The Hannover hackers were motivated by espionage, politics and money when they attempted to steal information about the U.S. “Star Wars” program. Kevin Mitnick was just a teenager exploiting social engineering for the thrill of it. Hackers had stolen money from places like the Bank of America and other online institutions. Hackers had also accessed and altered systems at U.S. military installations, intelligence agencies, and related institutions. Hacking was not completely novel.</p>
<p dir="ltr">But on November 2, 1988, a graduate student at Cornell University launched a computer program &#8212; a worm &#8212; designed not to do anything in particular. The worm was designed to penetrate computers using a series of attacks that would be considered mundane today. Password cracking. Exploiting FTP and Sendmail vulnerabilities. Using the finger daemon. It used variants of many of the techniques used today &#8212; social engineering, establishing a bulkhead and drawing the malicious code in, using the equivalent of buffer overflow techniques to induce a target machine to run code, getting the host to do something it was designed to do, but not what it was expected to do. You know, hacking.</p>
<p dir="ltr">The author of the worm had no destructive intent. And little malice. The goal of the worm was simply to spread, announce its presence, and remain resilient. A reboot would remove the worm entirely &#8212; until a reinfection. Cybersecurity was a hobby of the author &#8212; testing, probing, and exploring to see how things worked &#8212; breaking them to figure out how to fix them. The hobby came naturally to the author &#8212; he was the son of the Chief Scientist of the National Computer Security Center at the National Security Agency. Both father and son had attended Harvard, both had majored in sciences related to computers, both had a passion for tinkering. Both had experience at major security research institutions &#8212; Bell Labs. For both, communicating and experimenting online came naturally. The father was one of the luminaries in the fields of computer science in general, math theory, and information security &#8212; indeed testifying before Congress in 1983 about the dangers (and the exaggerated dangers) of juvenile hacking &#8212; something the dad equated to nothing more than “joy riding.” The son even gave presentations to the NSA about hacking &#8212; how to do it, and how not to get caught.</p>
<p dir="ltr">Yet, on November 2, 1988, something changed. The movie “WarGames” had focused attention on the potential for destructive hacking &#8212; particularly by minors. Hacking was considered a mix of vandalism and the end of the world as we know it. Misinformation about what computers did &#8212; and what they could do &#8212; was abundant. Much of this was fear of the unknown. The worm attack was front page news for days, and many institutions felt that the attack was part of a broader attack on the nation’s critical infrastructure. The worm’s author tried to rein in the impact of the worm, but had effectively lost control of his own creation. Ultimately, he was tried and convicted for what he did in a single-count indictment which represented the first use of the federal Computer Fraud and Abuse Act.</p>
<p dir="ltr">Following the worm case, the nature and character of “hacking” offenses changed dramatically. Hackers were, for the most part, not simply curious engineers attempting to figure out how the technology worked and how it could be manipulated (and exploited). At least not the “hackers” who were the subject of criminal prosecution. A new breed of malicious actors saw the Internet &#8212; together with the World Wide Web, social media, the so-called “dark Web” &#8212; and all the technologies they enable as a platform for theft, destruction, extortion, manipulation, espionage, and a host of other crimes. The “internet” had lost its innocence. It was no longer an exclusive club for the cognoscenti. It was democratized &#8212; for good and for ill.</p>
<p dir="ltr">None of this was the fault of the worm’s author. If anything, the author (either deliberately or inadvertently) sounded a wake-up call with respect to data security. But the thing about wake-up calls is that they are so easy to ignore. Today, we are much more vulnerable to threats, and much more reliant on technology. Barely a minute goes by when we do not use the technologies enabled by the Internet. But, to a great extent, November 2, 1988 was a turning point in the history of the web. Which way it has turned is going to be up to us.</p>
<p dir="ltr"><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Choice Awards Judge Richard Stiennon talks about the value of the recognition as the CISO judges base their decisions on real-world experience</title>
		<link>https://www.youtube.com/watch?v=sv4gkFjz830#new_tab</link>
		
		<dc:creator><![CDATA[CISOs Connect™]]></dc:creator>
		<pubDate>Tue, 26 Oct 2021 12:57:20 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=32759</guid>

					<description><![CDATA[
]]></description>
										<content:encoded><![CDATA[
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why the Supreme Court’s Van Buren Case Really Matters</title>
		<link>/why-the-supreme-courts-van-buren-case-really-matters/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Fri, 04 Jun 2021 16:55:20 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=32247</guid>

					<description><![CDATA[<p>​ On June 3, the U.S. Supreme Court issued an opinion holding that a Georgia police officer could not be prosecuted under the federal computer crime law for accessing a&#8230;</p>
]]></description>
										<content:encoded><![CDATA[
<p dir="ltr">On June 3, the U.S. Supreme Court issued an <a href="https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf" target="_blank" rel="noopener">opinion</a> holding that a Georgia police officer could not be prosecuted under the <a href="https://www.law.cornell.edu/uscode/text/18/1030" target="_blank" rel="noopener">federal computer crime law</a> for accessing a criminal database accessible only “for law enforcement purposes” and then selling data that he received from that database. The Court did not say that the police officer could not be prosecuted &#8212; that he did not commit abuse of authority, embezzlement, conversion or misuse of property. The 6-3 decision written by Justice Amy Coney Barrett simply found that the federal “hacking” statute, which makes it a crime to “exceed authorization to access a computer” and thereby to “obtain information,” didn’t apply to what the police officer did.</p>
<p dir="ltr">The case is significant not for its impact on Officer Van Buren, but as a wholesale redefinition of the nature and extent of computer trespass. The dissenting judges, Thomas, Roberts and Alito, point to the law of property and the law of trespass to argue that what the cop did clearly exceeded authorization and would be a crime in the real (non-virtual) world. If, on a “day off” from school in Chicago, you give your best friend’s dad’s Ferrari 250 GT California to a valet for safekeeping, and the valet instead takes it for a joy ride, the valet has done so without permission, Justice Thomas opines, noting “Both the common law and statutory law have long punished those who exceed the scope of consent when using property that belongs to others.”</p>
<p dir="ltr">The problem with this analysis is simply that information is a special kind of “property.” It’s not just that it is not tangible. It’s that questions of “ownership” and “rights to use” information are extraordinarily murky and difficult to decipher. Add to that the fact that the computer crime statute, first written in 1984 and then amended several times, by its terms deals not with “use of information” without authorization but with “access without authorization” or “exceeding authorization to access a computer.” It is the access to the computer which must be unauthorized &#8212; not the subsequent use of the information gleaned from an “authorized” access.</p>
<p dir="ltr"><strong>Uncivil Litigation</strong></p>
<p dir="ltr">The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, has both criminal and civil provisions. Indeed, the overwhelming majority of cases arising under the statute are civil disputes &#8212; employer/employee lawsuits, divorce cases, unfair competition cases and similar matters. These cases often hinge on what the offending party was “authorized” to do on someone’s website, or with data that was shared between parties. For example, when a group of Korn Ferry employees used their computer access to take information they could use to compete with their (soon to be former) employer, <a href="https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14-10037.pdf" target="_blank" rel="noopener">Korn Ferry sued not just for unfair competition</a>, but also under the Computer Fraud statute, alleging that the computer access “exceeded authorization.” The Ninth Circuit Court of Appeals found that this kind of dispute was not the kind of “hacking” prohibited by the statute &#8212; presaging the Supreme Court’s ruling on Thursday.</p>
<p dir="ltr">Similarly, when data analytics firm HiQ “scraped” public data from social media site LinkedIn (in violation of LinkedIn’s written policy that prohibited such scraping), LinkedIn sent a cease and desist letter alleging that the conduct violated the computer crime statute because it “exceeded authorization” to “access” the social media site. HiQ went to federal court to clarify the issue, and the <a href="https://law.justia.com/cases/federal/appellate-courts/ca9/17-16783/17-16783-2019-09-09.html" target="_blank" rel="noopener">Ninth Circuit found that the actions similarly did not violate the hacking statute</a>.</p>
<p dir="ltr">These kinds of cases are the bulk of the matters that come under the CFAA &#8212; not going after Russian hackers, botnets and ransomware purveyors. As a result, the statute becomes a tool used by civil litigants to go after competitors, abusers, employees and others &#8212; often for violating contracts, terms of service, terms of use, or even just social norms.</p>
<p dir="ltr"><strong>Mother, May I?</strong></p>
<p dir="ltr">The real distinction between the majority in Van Buren and the dissent focuses on the question of “authorization” or “consent” to access or use a computer or computer network (or data on them). A broad interpretation of the term “exceeding authorized access” would make it both a crime and a civil action to &#8212; as Justice Thomas noted &#8212; “joyride” not only on a computer network, but to “joyride” with data gleaned from a network. The scope of “authorization” to access a computer or to use data obtained from a computer is determined principally by reference to a contract, terms of service or terms of use, meaning that violating any or all of these terms potentially renders one’s access to a computer “unauthorized.” This means that <a href="https://www.lexisnexis.com/community/casebrief/p/casebrief-united-states-v-drew" target="_blank" rel="noopener">a social media user who sets up a fake profile in violation of the hosting site’s policy is now subject to civil and criminal litigation</a>. The Supreme Court noted:</p>
<p dir="ltr">If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.</p>
<p dir="ltr">Most people’s access to computers, databases or information online is dictated by Terms of Service, Terms of Use, Software License Agreements, Acceptable Use Policies, Data Privacy and Data Security policies, or the terms of employment or access agreements. These agreements can be hundreds of pages of legalese, and contain obscure, confusing and even contradictory or ambiguous terms that dictate what you may or may not do online. For example, an Acceptable Use Policy may prohibit the use of a computer, network, or social media account for “abusive” or “improper” purposes, or for harassment, or to post information that is false, defamatory, or otherwise prohibited. So, if you link a Facebook or Twitter post to a broadcast by Fox News about Dominion Election Systems (which is now the subject of a multi-billion dollar defamation lawsuit), there is no doubt that the social media companies can determine that the posting violates their AUP, and restrict the posting. But can they have you arrested for “exceeding your authorization to access their computer?” I mean, when you signed up for Facebook, you agreed not to post false material; Facebook determined that the material was false (a factual issue you can dispute at your criminal trial); your access to Facebook was conditioned on your adherence to the AUP; you violated the AUP; therefore, you “exceeded your authorization” to access Facebook or Twitter. The slope is mighty slippery.</p>
<p>In other words, the things that can land you in Facebook jail can also land you in jail. That is probably not what Congress intended in 1984. As a result, the Court narrowed the definitions of unauthorized access and exceeding authorized access to the kinds of things we think of when we think of “hacking.” Things like breaking in, cracking passwords, bypassing security, etc. You know, crimes.</p>
<p dir="ltr"><strong>Forgive Me My Trespasses</strong></p>
<p dir="ltr">One of the problems here is that Congress, in enacting the Computer Fraud and Abuse Act, was trying to emulate online the kinds of criminal activity it saw in the real world, and to fill in gaps that made it difficult to prosecute those crimes if they occurred in cyberspace. For example, a real-world “theft” involved the “taking” of “property.” Online, such “theft” may simply involve the “reading” of “information.” Not a perfect analogy. In real life, one “trespasses” when one breaks into or remains unlawfully in a place without authorization to do so (or in excess of authorization to do so). Congress tried in the CFAA to emulate this type of crime with reference to “exceeding authorization to access” a computer. But the law of trespass is itself murky &#8212; as the dissenting judges point out. Justice Thomas points out that “A person is entitled to do something only if he has a ‘right’ to do it” and that “[e]ntitlements are necessarily circumstance dependent; a person is entitled to do something only when ‘proper grounds’ or facts are in place.” If you don’t have permission to do something, you are not “authorized” and therefore you are trespassing. And you trespass in the real world not simply by virtue of your physical presence, but also by virtue of your authorization and your actions. If you are at a public hearing and become disruptive (or even off topic), your “authorization” to attend the meeting is expressly or impliedly revoked and you are “trespassing” &#8212; sometimes after having been asked to leave, but often not. If you sleep in a hotel lobby in violation of a “no loitering” sign, you can be arrested for trespass. If your access to a location is conditioned on a promise to do, or refrain from doing, something (e.g., no eating on the subway, no weapons in a bar), then violation of those terms constitutes revocation of authorization and voila! Trespass.</p>
<p>So when Congress imported the law of trespass into the virtual world, in theory, they were importing this “permissions based” or “consent based” doctrine. Under this broad theory, it’s not that you are not permitted to be somewhere online &#8212; it’s that you are not permitted to be there for the purpose for which you are there, or that you are not permitted to do something you are doing there.</p>
<p dir="ltr">Problem is, there are no “walls” in cyberspace, and the rules are created and enforced on an ad hoc basis. A “permissions” based system for criminal law means that any violation of the conditions of access or use &#8212; a multipage, turgid and indecipherable document &#8212; creates criminal liability. As Matthew 6:12-14 notes, “&#8230;forgive us our trespasses, as we forgive them that trespass against us, and lead us not into temptation, but deliver us from evil.”</p>
<p dir="ltr">Online trespass is at least as murky as, and often murkier than, trespass in the real world. The lack of defined boundaries, and of any consensus on what counts as acceptable or “authorized” access to or use of data (particularly semi-public data), confounds and confuses the question.</p>
<p dir="ltr"><strong>There Ain&#8217;t No Such Thing as Computer Crime</strong></p>
<p dir="ltr">Which brings us to the final problem. In the early 1980s, as we were examining the problem of computer crime and attempting to craft a statute to deal with the problem, the legal construct spoke of distinct offenses of “computer crime” and “computer related crime.” Computer crimes were crimes where the computer was the subject or target of the criminal offense &#8212; viruses, worms, denial of service and the like. Computer related (or computer assisted) crimes were those that existed in real life, but were facilitated through computers. A pump and dump securities fraud could exist in real life, but could be amplified by email or message boards.</p>
<p dir="ltr">Over time, these distinctions &#8212; and indeed the entire concept of “computer crime” &#8212; have proved illusory. What we think of as “computer crimes” are in reality “information crimes”: crimes targeting the confidentiality, availability and integrity of information. They may be things like revenge porn (confidentiality), extortionware (confidentiality), or ransomware (availability). They may be “theft” of personal information. They may be phishing or malware. They may be denial of service or botnets. They also include things like child pornography (and sexual abuse online), cyberbullying, threats, harassment, intimidation, drug trafficking, extortion, and any kind of human endeavor. What is criminal in the real world can be facilitated and/or amplified by the virtual one. NFTs and cryptocurrency can be stolen. Intellectual property infringed. Secrets exposed. Information exported.</p>
<p dir="ltr">But in the end, crime is crime. It’s old wine in new bottles &#8212; bottles that sometimes don’t make a perfect fit. What the Court was attempting to do is to understand how the new bottle affects the wine inside. In the area of “unauthorized access” or “exceeding authorized access” the Court was concerned that defining the crime too broadly would make criminals out of everyone. And that’s probably not what Congress intended in 1984.</p>
<p dir="ltr"><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
