GEEKONOMICS

Eric Ogren is spot on regarding prescriptive data breach legislation going into effect for Massachusetts and Nevada.

Mass., Nev. data protection laws wrong, ineffective

To quote:

These state regulations represent exactly the wrong kind of laws to be passing, but legislators compelled to take on identity theft seem intent on establishing legal requirements for technical solutions.

While Nevada Revised Statutes Title 597, Section 970 (NRS 597.970) calls for personal information to be encrypted when transferred over public networks, Massachusetts 201 CMR 17 Standards for The Protection of Personal Information of Residents of the Commonwealth is even more encompassing. When MA 201 CMR 17 goes into effect in January of 2010, all non-government entities that handle personal information must document and follow a set of security procedures that appears to have been heavily inspired by the PCI DSS.  

The security industry can't agree if servers, networks or laptops are the most vulnerable to attack. It is hard to imagine any government regulation dictating how to secure data being enforceable and effective. Government should be looking towards legislating behavior, perhaps extending existing frameworks for fraud, trespassing and trafficking across state and national borders...

Small and midsized organizations have the greatest problems complying with prescriptive "how to" regulations as investments in a complex technical infrastructure can drive the overhead costs per business transaction through the roof. They simply seldom have the skills necessary to fulfill the requirements of the statutes.

I agree. In short, bad regulation begets bad regulation. Worse, legislators appear to be enamored with prescriptive mandates as the path of least resistance; that is, it is tempting just to tell everyone what to do regarding data protection and then audit against the rule.

Prescriptive regulation may indeed be the path of least resistance - the allure is compelling, no doubt - but it is also historically the path of least effectiveness and the progenitor of unintended consequences, unacceptable cost, and perverse incentives.

Massachusetts and Nevada legislators should know better. It is a shame they do not.

60 mintues recently ran the following segment about the Conficker worm:

"The Interent is Infected." Video segment below.

Watch CBS Videos Online

The basic message, "Even if you do everything right, deploy firewalls, use anti-virus, refrain from visitng questionable websites...you will still probably get hacked."

Why?

For one, perfect security isn't possible, this much is true. But the reality is that insecure software gives attackers an overwhelming advantage over defenders. We simply cannot get ahead in cyber defense when attackers are supplied with new vulnerabilities by software manufacturers on an on-going and regular basis. It's a shame that 60 minutes, for all its rigorous reporting, failed to emphasize this critical aspect.

Cyber defenders are in a race they simply cannot win.

In the previous post, "Bad Treatment," I argued the current regulatory approach to cyber security is unfairly balanced and ineffective. 

• Imbalanced, because computer system owners are the target of prescriptive regulations meant, in part, to combat the deleterious effects of software vulnerabilities, while software manufacturers remain highly insulated from the costs of emitting vulnerabilities.

• Ineffective, because computer system owners are “at the end of the pipe” of the software manufacturing process and are therefore least suited to combat vulnerability emissions no matter how hard they might try (or how much money they might be forced to spend).

Unfortunately, like World War I generals, some in the cyber security profession insist that all that is needed is more of the same…more end-user education, broader technical training, stricter configuration requirements, wider network monitoring, increased information sharing, and greater enforcement. This approach results in mandates that sacrifice in effect exactly what is gained in detail. In fact, the U.S. approach to cyber security has been a disaster, increasing the entropy of our information systems to such a degree that defenders are unlikely to ever protect them sufficiently. The situation exhibits almost a farcical quality: Compliance mandates tax software buyers (by way of additional costs) for using insecure software when the only software available is insecure.

In reality, some degree of regulation is and will be required for computer system owners – hopefully not as much as is in place now – but regulation of computer system owners without a concomitant delegation to, and accountability for, secure software from software manufacturers is dangerously incomplete both from a public policy and national security perspective.

In this installment of the “Cyber Security At the Crossroads” series I continue with the third item on our topic list (see "Introduction" for complete list) and discuss what “good” regulation for the software market might look like.

The Bare Minimum

Stuart Hart observes in his book Capitalism at the Crossroads:

The Great Trade-Off Illusion trained a generation of corporate, business, and facility-level managers to assume that societal concerns could only be drags on their business. As a consequence, [manufacturers] attitude tended to be reactive—they would do only the bare minimum necessary to avoid legal sanction.

The Great Trade-off Illusion Mr. Hart speaks of relates to the assumption by industrial manufacturers at the time that societal concerns (such as health and environment) could only impinge on business and profit performance. To be and remain competitive as an industrial manufacturer meant societal concerns were to be minimized, if not completely ignored.

As such, the first wave of environmental regulations in the 1970s certainly changed some behaviors for the better, but did little to change the prevailing mindset. Threat of sanctions became the incentive, which was itself treated as yet another business risk to be avoided where possible and paid only when forced.

Mr. Hart argues this need not have been the case; business performance and societal concerns are not mutually exclusive. The crossroads for capitalism then, was the realization and subsequent choice by business leaders that addressing societal concerns could lead to greater profits and increased market valuations as a whole. The realization and choice, unfortunately, were not entirely self-directed by philanthropic aspirations of business leaders. Government intervention, no matter how imperfect, was necessary at first to avert environmental disasters.

As bad as early environmental regulations might have been, some might argue it was better than the worst scenario: no regulation. Which is the current situation regarding software manufacturers and vulnerability emissions into cyber space. Because software manufacturer currently have no threat of legal sanctions (or any form of sanctions really) software manufacturers may opt to do anything regarding cyber security, up to and including nothing. Apple is one such example.

For years Apple happily boasted its products were more secure than products of its rival Microsoft. However, as Apple’s market share steadily increased so too have hackers’ exploitation of the company’s products (and customers). Some might mumble weakly in Apple’s defense that perfect software is not possible, but a company that touts itself as more secure than its rival should deliver on such a statement. But this has not been the case.

As Apple’s vulnerability counts steadily rise (in some years surpassing Microsoft’s), the company’s response has been less than comforting. Apple publicly waffled on recommending anti-virus for its customers (which is not entirely relevant for this discussion but was ham-handed nonetheless) and has shown a distinct lack of innovation regarding improved security for its products and thus protection for its customers. This is a shame given the company’s world famous innovative capabilities. The reality is that Apple is free not to innovate on reducing vulnerability emissions if it finds such practices too inconvenient or too expensive (this despite Apple’s gargantuan cash reserves).

But therein lays the issue. The Great Trade-off Illusion for Apple (or any software manufacturer) is that societal concerns such as cyber crime or cyber pollution (via vulnerability emissions) are perceived to impinge on business and profit performance. At this point in time, to be and remain competitive as a software manufacturer means societal concerns can be conveniently minimized, if not completely ignored. Apple is happy to advertise greener, more environmentally friendly laptops, but its software emits vulnerabilities in cyber space equivalent to that of a coal-fired power plant.

Aspire Beyond Minimum

Mr. Hart points out however that avoidance of legal sanction occurred because of prescriptive command-and-control regulations that failed to address the prevailing mindset. This is why the initial regulatory approach for industrial manufacturers and the current approach to cyber security for computer system owners is exactly the wrong approach to take with software manufacturers.

Prescriptive, command-and-control regulation, specifically cyber security compliance, should teach us one thing: compliance does not breed competitiveness; it breeds complacency and aversion. There at least two reasons for this. First, compliance is not an aspirational model. Second, compliance has no spectrum.

Compliance regulations as currently formulated for cyber security fails as an aspirational model because prescriptive mandates create a blanket of rules that stifle innovation, promotes aversion, and distorts our notion of trust.  Firewalls are a lousy way to protect a network, but what incentives might appear to employ better protective technologies if audit checklists require firewalls from stem to stern? If we “trust” a computer system owner with our data simply because sanctions apply for failing to be compliant, we do not, in fact, trust them at all. Such an implicit message of distrust kills aspirations to improved security.

Second, compliance mandates provide no competitive spectrum; no granularity. Either an organization is compliant or it is not. Either the organization passes an audit, or it does not. For something as ridiculously complex as cyber security (or software security), a binary measure of compliance is outlandish. Worse, lack of granularity creates an artificial ceiling which regulated entities have little incentive to venture beyond ensuring that the “bare minimum” is the best we can ever hope for. And worst of all, the more detail that is added to security baselines, the less likely baselines will deliver the intended effect. In essence, we are “regulating down”, when we should be “regulating up.”

For these reasons, and many more, reluctance, aversion, and ineffectiveness will remain key characteristics of cyber security compliance programs until something changes (more on that on another blog post). So we have an idea of what not to do with software manufacturers. First, we should not strive for binary compliance according to some highly articulated set of coding standards. Second, we should promote competitiveness among software manufacturers. For heaven’s sake, let’s not bludgeon software manufacturers like we did industrial manufacturers or do now to computer system owners. What then might “good” regulation for software manufactures look like?

Regulate Up

First, a few words on regulation. To some, regulation is a despicable, four letter word ne’er to be mentioned by or around devout capitalists; it is the Leach of Invention, the Crusher of Profits, the Destroyer of Will. To others, regulation almost attains messianic status promising to right all that is wrong with the world (particularly capitalists; bankers more specifically).

In fact, regulation is none of these. Regulation is simply a tool. As a tool used to maximum positive effect, “good” regulation introduces important competitive variables into the market place that would be highly unlikely to appear by themselves (and no, compliance is not a competitive variable). Fuel efficiency is one such example. Without regulation, the competitive variable of “fuel efficiency” did not magically appear in the 1930s, 40s, 50s, or 60s automobile market and thus there was no competition among manufacturers to supply it. This made everyone worse off, even people that did not drive. Now that fuel efficiency is a standard competitive variable (married to increased fuel costs let’s be honest), manufacturers scramble over each other to advertise new wonderfully fuel efficient cars.

That “good” regulation can create important competitive variables is, on balance, positive. Further distinction regarding “good” regulation is still required, however. “Good” regulation is not such much a result of a debate between sense and non-sense, but a compromise between different kinds of irrationality; irrationality regarding the best and worst that can possibly happen. The inconvenient truth regarding regulation is that a majority of the costs and benefits of regulation are hidden in the future. As a consequence, imprecise, speculative measurement of costs and benefits in some fuzzy, imaginary future is the best possible analysis. This gives irrationality, no matter how balanced by analytics, wide latitude. Even at its best then, “good” regulation will incite vociferous debate and caterwauling of biblical proportions.

That said, good regulation in the software market has a number of desired characteristics:

• Does not constrain profits: Regulated companies should make more money, not less. Say what you will about profits, but capitalism is based on making profits otherwise we wouldn’t use the word “capital.” A regulatory model should promote profits rather than sanctions. Sanctions certainly have a place in a regulatory model, but it should not be the primary focus. For software manufacturers, this means that creating more secure software results in improved profits in the process of reducing vulnerability emissions.

• Promotes innovation, investment, and competition: Because profits can be realized (and stakeholders can be rewarded), regulated companies have an incentive to drive innovation, thus intensifying competition, improving security, and likely driving down production costs. The reason why security is so darn expensive is because the industry really isn’t innovating, just solution-finding. For software manufacturers, this means discovering new and more efficient ways of producing secure software and beating competitors at doing so.

• Focuses on customers (or Promotes visibility): Because profits are derived from hungry customers, regulated companies have a vested interest in reducing the transactional costs to buyers at point of sale. For software manufacturers this means reducing the burden of educating buyers on “security” by contributing to and driving an objective signaling mechanism to buyers. Buyers actually do understand “fuel efficiency” without being energy experts, they do get “auto safety” without being safety engineers, and they do get “sustainability” without being biologists all because of customer-oriented signaling mechanisms. Buyers can and should get secure software without becoming geeks.

• Promotes diversity:  Because competition is intensified, some companies will undoubtedly be forced out of the market. This is efficient, allowing capital and labor to be re-allocated to more productive pursuits creating greater diversity (and relevance) of products for customers. For software manufacturers this means a greater number of addressable markets rather than less.

• Lowers prices: Instead of paying a premium for secure software, customers pay less overall. Not only are regulated companies incentivized to innovate on reducing production costs (to make more profit), customers spend less on adjusting for inadequacies. For software buyers this means spending less on protecting software (and data) as well as spending less on software overall.

• Optimizes oversight: Because regulatory models are dealing with a fuzzy future, a competitive model promotes more responsiveness from government regulators. Don’t get me wrong, the regulatory process will still be painful and slow, but not nearly as painful and slow as under a stodgy command-and-control regime. A competitive regulatory model requires that agencies must provide some analysis of potential costs and benefits with milestones for review (NHTSA is an example).

There are many more desirable characteristics to be certain, these are just some, and my explanations are certainly far from complete, but certainly an aspirational model that makes everyone better off is promising (and does not repeat the mistakes of the past). So we’ve covered a lot of ground in this blog post, I know, but there is one overriding message the reader should take away:

Regulate up and help dissolve the great trade-off illusion for software manufacturers.

There are still an enormous number of obstacles to regulating the software market which I will discuss in part in the next and final blog post in this series.

Till next time…


 

In my normal course of consulting, I help a wide range of clients across disparate industries build coherent and comprehensive strategies for cyber security. It is challenging but rewarding work dealing with the effective allocation of talent and millions in capital.

As much as I may harp on the imbalance of culpability between computer system owners and software manufacturers, the reality is that users of software (i.e., computer system owners) will always need to invest and act wisely when it comes to cyber security. To create effective strategy – and what I mean by this is not just long-term resource allocation, but a pathway to substantially higher performance – is  not nearly as easy or “clean and neat” as some compliance-focused, check-box-happy auditors  seem to crave. To me, strategy has an inherent aspirational quality that audit rules simply cannot support.

In simple terms, strategy is messy work…and it always will be. There are no appliances or security products that deliver strategy. But in the effort to control this messiness, we, like other consulting firms, employ frameworks by which to approach strategy development. Frameworks are beautiful things because they allow creativity and innovation to thrive within a structure that itself evolves based on how one approaches particular challenges.

As messy as corporate cyber security strategy might be, the messiness of software development is far greater. Developing software is both an act of engineering and a work of art (as the madness that comes from coding three days straight attests). This means frameworks for software development are all the more important. This, and other reasons that I will state shortly, is why the recent work released by Cigital and Fortify is so wonderful. The work is the Building Security In Maturity Model (BSI-MM) and represents a distillation by the authors (Gary McGraw, Brian Chess, and Sammy Migues) of nine “world class” software security programs. In short, the BSI-MM promotes better software based on practical experience. This is welcome.

The BSI-MM (http://bsi-mm.com) introduces the Software Security Framework (SSF) organized around 4 domains and 12 practices. Most importantly, the SSF provides the needed yardsticks necessary to diagnose and analyze Current State. This is challenging enough for any organization, particularly involving software development for which the BSI-MM is targeted, but the real challenge is Future State…the pathway to better software development …of which the SSF again provides a rational and coherent approach (think metrics and traceable practices among other things).

For software development groups that constantly struggle with delivery pressures, an aspirational pathway to deliver better, more secure software is critical. It also benefits us all.

The crux of the issue then, as it is with all things human, is adoption. Frameworks are beautiful and useful things in the right hands, but incentives must exist for those hands to pick up and use the frameworks. The desire to reduce the frustrations and expenses related to cyber security compliance is what opens to the door to many of our strategy engagements. In contrast, there is no similar compelling entry point (it doesn't have to be frustration or expense by the way) in the software market except for good will and good intentions of forward looking software manufacturers. Good intentions are fine, but not enough. New purchasing requirements are changing this to a small extent, but until better software can easily and reliably be distinguished from other software (and good intentions lead to substantially higher profits and improved competitiveness for software manufacturers), we face the rather frustrating situation of great models like BSI-MM in not enough hands.

What we do have in the BSI-MM is another step in the right direction for better software. And that is something we should celebrate.

In my previous post, I discussed the first of five discussion points related to Stuart Hart’s book Capitalism at the Crossroads. The first discussion point was:

Pollution was assumed to be part of the industrialization process

To summarize, Mr. Hart argues that, until the 1970s, American society as a whole tolerated pollution as an inevitable part of industrial progress and that the stink and grime created by industry was interpreted by many as “the smell of money,” rather than understand it for what it actually was: the smell of waste and poor management.

I argued the current state of cyber space is in the same predicament. The tribulations created by poorly written, insecure software are tolerated by hundreds of millions of computer users and are largely understood to be “just the way it is” with technology. Bugs, even serious vulnerabilities, are considered inevitable just as industrial pollution was thought to be inevitable. Jokes about bad software are legion (see Barry Schuler and The Colbert Report), but the consequences of bad software are quite dire. The "stink” in cyber space created by bug-riddled software is not the smell of progress or technological evolution, but, to borrow from Hart, is the smell of waste and poor management on the part of software manufacturers.

Which brings the discussion to the second point on our list:

Too often, command-and-control regulations prescribed specific treatment technologies without regard to their efficiency or cost-effectiveness.

In our panic to forestall the blood letting of U.S. computer systems, command-and-control style requirements have been placed on computer system owners that prescribe specific treatment technologies (such as requiring firewalls, anti-virus, intrusion detection systems, desktop configurations, etc) while omitting requirements for software manufacturers to reduce vulnerability emissions. Worse, there seems to be no serious thought regarding the efficiency or cost-effectiveness of these specific treatments.

• Anti-virus by itself may be inexpensive, but 80% of new threats go undetected by current anti-virus technologies. There is a reason why anti-virus is cheap (and some say "dead").

• Line-speed firewalls can be had for less the $5,000 USD, but firewalls are now all but transparent to attacker traffic. Firewalls merely represent a pallid boundary separating the people we can catch (the employee “insider”) from everyone else we most likely will never catch (any remote attacker).

• Desktop configurations are relatively inexpensive to produce organically compared to other security technologies, but are difficult to maintain for any extended period of time and can be considered uncomfortably brittle in real-world environments. Configuration mandates also create a perverse incentive for software manufactures. The more configurable a product is made, the more potential liabiltiy is shifted away from manufacturers onto customers. As configurability increases, the likelihood that configuration will be and remain consistent dramactically decreases.

• Penetration testing is a popular and recommended practice that gives a snap shot of network and system vulnerabilities. It is also arguably the least effective of all security practices because a constant stream of new vulnerabilities are supplied by software manufacturers on a daily basis. The relevance of a penetration test goes to zero within hours of completion.

In aggregate, the expense and effort of deploying robust security architecture is overwhelming for many, if not all, organizations. Given the cyber security trend information (which shows quite clearly we have a disaster on our hands), one could strongly argue the current approach to cyber security as a whole is sorely misguided and deals mainly with pollution “at the end of the pipe” of the software manufacturing process.

As Mr. Hart observes:

By the late 1980s, it had become clear that preventing pollution and other negative impacts was usually a much cheaper and more effective approach than trying to clean up the mess after it had already been made.

It appears the current US approach in cyber space has not applied this lesson. Instead of preventing the pollution of bad software at the source, the U.S. is trying to clean up the mess after it has already been made…at tremendous expense and questionable effectiveness. Such a reactive posture on the part of the U.S. dooms computer system owners (i.e., every organization not stuck in the Stone Age) to potentially decades of onerous regulations that treat the symptoms of bad software rather than bad software itself.

Unfortunately, pollution-control solutions like firewalls, anti-virus, etc., can never improve efficiency or produce revenue for organizations; they can only add cost. This added cost acts as a disincentive for computer system owners to deploy as many security products as cyber security experts would like (or regulations require). Compliance mandates (whether PCI, HIPAA or all the other flavors) are often perceived by organizations to be risks in and of themselves to be managed separately from concerns about “security.” Most obvious however, is that mandating these pollution-control devices does little to actually remove bad software from the environment; only obscure its prevalence. Adding to the mess is that software manufacturers do not pay the costs of their behavior (releasing vulnerabilities into the environment), thus there is very little reduction in total vulnerability emissions.

The situation then, is bleak:

• Computer system owners are faced with unsustainable costs of widely deploying pollution control devices as well as burdened with unrealistic expectations about their likely successfulness in doing so.

• Software manufacturers as a whole are not confronted with incentives to reduce vulnerability emissions.

• The "stink" gets worse.

An adjustment is clearly needed.  Preventing vulnerability emissions at the source is critical to changing the game, not mandating upon the general populace wider, deeper, and more articulated deployments of pollution control devices and/or practices. Preventing vulnerability emissions at the source is a promising path simply because we haven’t tried it. But it is more than that. The prevention approach has worked in almost every field where it has been engaged. In contrast, dealing with issues “at the end of the pipe” has repeatedly led to failure as Mr. Hart's book chronicles. It is difficult to imagine how this approach might somehow magically work for cyber security.

It is also difficult to imagine why so many sneer at the concept of regulating the software market directly when regulation is so readily and, some might say, gleefully applied to computer system owners. New audit checklists, and the potential to enforce them, are celebrated with wild exuberance by the cyber security community...but to what end? Is the core issue that we really just need to re-work our security checklists and how strictly and on whom they are enforced? Worse, the type of regulation applied to computer system owners is exactly the kind of regulation everyone says they prefer not to have: prescriptive, command-and-control regulation.

The dissonance is almost deafening.

In the next post, I will discuss in more detail what “good” regulation might look like for the software market and address our third discussion point:

[Manufacturers] attitude tended to be reactive – they would do only the bare minimum necessary to avoid legal sanction.

Till next time…