Data Risk Governance

Exploring the intersection between information security, privacy, technology and the law.

Copyright 2009-2013, Matt Sorensen, All Rights Reserved

Site Launched March 2009

DISCLAIMER: The opinions expressed here represent those of Matt Sorensen and not those of Matt Sorensen Law or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Matt Sorensen, Matt Sorensen Law, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.

Archive for the ‘Regulation’ Category

First Annual Cybersecurity Legal Institute at Georgetown Law

Posted by Matt on May 24, 2013

I attended the first annual Cybersecurity Legal Institute at Georgetown Law this week in Washington DC.

Deputy Attorney General James M. Cole (Eric Holder’s #2) gave the closing keynote. Essentially, he encouraged attendees to assist the federal government in securing cyberspace, critical infrastructure and every network within reach by doing a variety of things. What is remarkable isn’t what he said; rather, it is who was saying it. This wasn’t a SANS or an RSA conference. I know we are used to the directors of the CIA and FBI saying things like cyber threats are the #1 threat to national security. But now even the government’s lawyers are saying it. What is more remarkable is that he was essentially preaching elements of the SANS 20 Critical Controls.

Additionally, he referenced President Obama’s Executive Order on cybersecurity and the governmental instrumentalities it is creating and the goals with regard to critical infrastructure.

Another interesting appearance was made by Tony Sager, a retired 25-year NSA veteran (all 25 years with the Information Assurance Directorate and its predecessor organizations), who championed the SANS 20. He is the man who will be driving the SANS 20 going forward. They are dropping the name “SANS” from the critical controls, and will drive the 20 critical controls from a new organization outside of SANS.

The audience was about 80% attorneys and 20% CISO/CPO types, and a smattering of entrepreneurs and vendors, including many general counsel and Big Law partners who run privacy/security practices. The conversation about security will continue to penetrate the Boards of Directors of many large enterprises in ways that were unthinkable even two years ago.

Here is a link to the Deputy AG’s full remarks.

http://www.justice.gov/iso/opa/dag/speeches/2013/dag-speech-130523.html

Posted in Compliance, Controls, Information Security, Legal Duty, News, Policy, Regulation, Risk Management & Compliance

People, Process, and Technology: Transitioning from the Firm to the Corporation

Posted by Matt on April 1, 2013

There are three primary ingredients necessary to produce business results: people, process, and technology (setting aside raw materials and capital). These three resources offer a useful model for analyzing and solving business problems, and whether we realize it or not, most people use them in business problem solving.

Law firms tend to view these three categories differently than their corporate clients. These different views are a result of the unique history and societal role of the legal profession, and the economic model long used by the legal industry. Understanding these differences can greatly assist an attorney who transitions from a career in a law firm to an inside counsel or compliance role. Success certainly requires in-house counsel to deploy people, process, and technology to produce desired legal outcomes. However, in order to reduce the overall cost of legal expenses while maintaining quality, and even to achieve more for less, many in-house attorneys are required to view people, process, and technology more like a seasoned business manager than a seasoned law firm partner. The challenge for compliance officers is even more drastic, because they are using people, processes and technology, in ways they are unaccustomed to at the law firm, to create and execute non-legal functions that enable compliance.

People

The day that an attorney leaves a firm to join a corporation as counsel or compliance officer, he or she has moved from one side of the billable hour equation to the other. Less becomes more. Many law firms still array human capital one hour at a time. Corporations array human capital on a task and functional basis as opposed to one that is largely time-dimensioned.

More importantly, attorneys newly hired by corporations have left the law firm caste system behind. Corporate counsel are wise to view IT as fellow artisans working in a different medium, rather than technicians who run on invisible treadmills somewhere in the basement of the firm. Corporate IT and those who run it generally wield more power, and demand more respect within a typical corporation than the litigation administration and e-discovery specialists at law firms. Compliance officers will fail without key partners in IT. Often the arrogance and hubris of the legal profession, whether perceived or real, precedes the new compliance officer, giving her an additional obstacle to overcome.

Process

Successful companies scrutinize core processes, especially processes that directly generate revenue or expense, for efficiency, accuracy, and optimization. There are no monetary rewards in allowing a contract-generation process to continue to take six hours when it can be reduced to four. Processes should be documented using conventional process documentation notation, scrutinized for inefficiency, and reviewed for key inputs, outputs, and dependencies. Gains in efficiency are often made when identifying cross-functional dependencies and optimizing processes to better satisfy internal partners. It also may make sense to outsource your processes to internal service providers. For example, an internal legal function might leverage vendor management, accounts payable and human resources services instead of operating unique versions of these fundamental business activities. Likewise, external service providers can replace expensive internal processes with cheaper outsourced ones. For example, corporate counsel may engage a legal services provider who employs a modern, innovative billing model based on value, not hours. Such work is well suited for low-risk, high-volume transactional legal work.

Technology

A golden rule for buying or building technology is never let the technology tail wag the process dog. This means that in order to be successful in deploying technology you must understand what problem you are trying to solve, and more specifically, what business process are you trying to automate? Technology for all its impressiveness is still just a dumb beast that speaks in zeros and ones. It can only automate what you have already defined and optimized. If you automate an inefficient process, you simply get more inefficiency faster.  If you don’t have a clear process in mind to automate, with specific goals, you risk allowing your technology to create problems for which you need to create new processes to solve, and you introduce chaos. Your goal in procuring technology should be to execute repeatable, automated steps faster so you can free up human resources to deploy to work on what is generally not automatable.

The transition from outside to inside counsel or compliance officer can be difficult. Adjusting to a corporate culture requires reliance on internal partners and being able to accomplish objectives in new, unfamiliar ways. Approach problem solving by decomposing goals into the three constituent parts: people, process, and technology. Success depends on understanding how these three elements work together, and how to efficiently deploy them to achieve desired results.

Posted in Compliance, Regulation

Corporate Counsel Role in Governing Privacy and Security Risk

Posted by Matt on March 20, 2013

The advent of the Chief Privacy Officer role has occurred largely within the regulated sectors of health care and financial services, but has spread to many industries and companies of all sizes. The spread has no doubt been quickened by the FTC’s enforcement of Section 5 of the FTC Act (15 USC 45), prohibiting “unfair or deceptive acts or practices in or affecting commerce.” The most common enforcement actions undertaken by the FTC have been against companies whose use of their customers’ personal information violates their own stated privacy policies. These types of mishaps reveal an underlying lack of coordination between the privacy and security functions. Therefore, the quality of the relationship between an organization’s privacy and security functions may be a key predictor of compliance success.

The introduction of a privacy program within an organization can sometimes cause tension with the information security function. These tensions arise out of the common goals and purposes shared between the two groups. Further, shared interest in common technologies that provide for confidentiality of information, the primary objective of both groups, can confuse program scope or, worse, foster unhealthy competition. In-house counsel can work to ensure the relationship between the privacy and security functions is conducive to reducing risk, not introducing it.

In-house counsel can provide leadership to executives and prove instrumental in harmonizing the privacy and security programs within their organizations. Counsel should consider the privacy and security functions in context with each other, understanding the relationships and dependencies between the two groups. The key is for counsel to remain informed and abreast of the goals and strategies of the privacy and security functions, and recognize points of reliance and points of divergence between the two. With advance planning and guidance, tensions that commonly arise between the two functions can be defused, and both programs can thrive in part due to the success of the other.

Counsel should consider the following. First, privacy is usually not attainable without security. Arguably, the primary objective of an information security program is to protect the confidentiality of sensitive information from unauthorized disclosure. The privacy program is focused on the same objective for a subset of the organization’s sensitive data: personally identifiable information, or PII. The privacy team can and should rely on the vast arsenal of technologies deployed by corporate information security departments to preserve confidentiality. Since the privacy function doesn’t need to replicate these technologies, it can focus on privacy process and policy.

Second, the policies produced by each group have important differences. Privacy policies often embody requirements found in unique state, federal and international laws and regulations that apply to individual consumers, whom these laws are designed to protect. What information about the person is collected and why? How will it be used?  How will the corporation’s technology interact with that person and her data? For example, how will cookies be used to capture and track a customer’s online behavior?

By contrast, information security policies are rooted in best-practice, industry-consensus frameworks as much as they are based on legislative frameworks. While such frameworks for privacy are strengthening, such as the Generally Accepted Privacy Principles (GAPP), there are many more, and more robust, frameworks available for information security. Care should be taken to correlate privacy policies with security policies so that one doesn’t step on the other. A common misfire of privacy programs is to produce privacy policies that create redundancies or inconsistencies with security policies.

Third, as corporate governance mechanisms continue to evolve and mature, they are capable of contemplating and overseeing the management of security and privacy risk. Legal officers might be more likely than CISOs or CPOs to participate in the governance committees of an organization.  If a risk, operations, or information officer has not already sounded the call to information governance, the general counsel may bring to light the management of these unique and ever-growing risks.

In summary, in-house counsel can do the following with regard to guiding the privacy and security functions in achieving overall risk management objectives:

  • understand the common and diverging goals of each program
  • recognize the dependencies between privacy and security programs
  • understand that security and privacy policies should be complementary and can co-exist within the corporate policy framework, but serve distinct purposes
  • engage corporate governance functions as appropriate to oversee privacy and information security risk management

Posted in Federal Statutes, Information Privacy, Information Security, Policy, Regulation, Risk Management & Compliance, Standards & Frameworks

Improving Critical Infrastructure Cybersecurity

Posted by Matt on March 20, 2013

Attempts by both houses of Congress to introduce legislation improving cyber security in the private sector and facilitating information sharing between the private and public sectors are renewed each legislative session. After several failed bills in recent sessions, most recently in late 2012, the Obama administration is taking the initiative. On February 12, 2013, President Obama issued an executive order entitled “Improving Critical Infrastructure Cybersecurity” (the order), accompanied by a Presidential Policy Directive (PPD-21). The order defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, [and] national public health or safety[.]” The PPD specifically calls out 16 industries and sectors, including health care, financial services, food and agriculture, and information technology.

The executive order calls for a partnership with owners and operators of critical infrastructure by instructing the Departments of Justice and Homeland Security, and the Director of National Intelligence to provide “unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.”  The order also expands a voluntary information sharing program known as Enhanced Cybersecurity Services to include all critical infrastructure. This program provides classified cyber threat and technical information to participants.

Cybersecurity Framework

The order calls on the National Institute of Standards and Technology (NIST) to create a framework to reduce cyber risk to critical infrastructure. Such frameworks are not new, and many outstanding frameworks currently exist to aid practitioners in the evaluation and selection of controls to mitigate cybersecurity risk. The federal government is already required to consume such frameworks, particularly those produced by NIST, in securing the government’s own technical infrastructure. Popular examples include the COSO ERM framework for managing enterprise risk, the COBIT framework for managing IT risk, and two frameworks for guiding the design and implementation of information security controls, ISO 27002 and NIST’s own SP 800-53. It is curious that NIST is being called upon to deliver a new framework, in light of the NIST standards already published that deal with many aspects of cybersecurity.

More To Come

The PPD instructs the Dept. of Homeland Security to “[c]onduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the [sector-specific regulatory agencies] . . . and critical infrastructure owners and operators.” In the past, many regulatory agencies have incorporated risk assessments into their regulatory examination process. Now, perhaps, vulnerability assessments will soon be added to their examination scope.

Despite the recent legislative death of multiple cybersecurity bills, there will be many more. In recent days the Rogers-Ruppersberger cybersecurity bill was introduced in the House. Only time will tell whether Congress will be able to pass legislation to curb, support, or enhance the elements of these recent administrative actions.

Role of Counsel in Addressing Critical Infrastructure Cybersecurity Risk

Legal counsel representing these entities may work to ensure coordination internally with information security and compliance functions to gauge the regulatory and financial impact of enhanced regulations. The order calls for the regulatory agencies that oversee critical infrastructure industries to determine whether existing regulation is sufficient in light of the perceived current and projected risks. Compliance officers may be faced with heightened regulatory requirements in the coming years.

Supply chains are also likely to be impacted. While the order does not specifically mention new obligations to conduct vendor risk assessments, such as those promulgated by financial industry regulators in response to the Gramm-Leach-Bliley Act, critical infrastructure providers face a variety of supply-chain risks. Reports of foreign-produced hardware and equipment laced with malicious code surfaced years ago, and continue to surface. Voluntary public-private programs exist to help mitigate some of these risks; the Information Assurance Directorate of the National Security Agency, for example, offers certification programs for vendors and hardware products supplied to the United States government.

Counsel should coordinate with information security officers to formalize how cybersecurity information sharing will be carried out within the organization. Such sharing should be coordinated across multiple functions within the organization, with appropriate executive oversight. Privacy officers may also have a vested interest in ensuring that data sharing does not impact the confidentiality of the personally identifiable information of citizens and customers.

Counsel may also play a role in sector and company-specific involvement in the legislative and regulatory process through comment periods. This activity may prove critical, and counsel may take a unique role in collecting and representing to officials the practical and unintended impacts of various proposals.

Posted in Information Privacy, Regulation, Risk Management & Compliance, Standards & Frameworks

Recent Attacks Show Focus Should Be On FFIEC MFA’s “Layered Security”

Posted by Matt on March 12, 2010

For regulated financial institutions, it is becoming clear that the FFIEC Interagency Guidance on Multi-Factor Authentication is not current with the present threat landscape. Multi-Factor Authentication has long been understood to be an ineffective control against Man-In-The-Middle attacks, because the attacker simply relays or rides the session the customer has already authenticated. The Guidance leads one to believe that true Multi-Factor Authentication is preferable to what the Guidance calls “Layered Security,” which includes technologies such as transaction monitoring for anomalous activity, IP address geolocation and other indicators of malicious activity. For details on the actual Interagency Guidance, see this page. See also a sample MFA risk assessment.

Small business banking customers usually maintain large account balances to support and operate their businesses, including payroll and accounts payable. Small business banking customers are a current favorite of online thieves because of these large balances. Further compounding the problem is the reality that small businesses are the most likely to lack critical information security precautions and controls. As such, small businesses are much more likely to suffer malware infections on company PCs.

Security blogger Brian Krebs has this to say about the Zeus trojan:

“In every case I have investigated, the crooks had installed malicious software — usually the ZeuS Trojan — on the victim’s PC. This allows the criminals to control what the victim sees in his or her browser.  ZeuS will re-write the bank’s HTML on the fly, and inject HTML elements into the bank’s page. Mind you, they are not altering the bank’s real site — just what the victim/customer sees.”

Zeus infects an information security company.

In conducting Multi-Factor Authentication risk assessments pursuant to the FFIEC Guidance, as expected and enforced by financial regulators, we need to consider the current wave of successful attacks against small business customers. Where the assets at stake are particularly lucrative, the “Layered Security” components of the MFA Guidance will likely be more effective than true Multi-factor Authentication alone, because a trojan that controls the browser is acting inside the customer’s legitimately authenticated session. The key will be implementing a near real-time response to transaction monitoring triggers, so that an anomalous transaction is held before the money leaves the financial institution.
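As an added illustration of the “Layered Security” components discussed above (example code written for this page, not code from the original post, the FFIEC Guidance or any bank): a small rule-based transaction monitor that scores each outbound transfer on IP geolocation, source address, payee novelty, amount and velocity, and holds a transfer before release when the score crosses a threshold. The customer profile, the transactions, the weights and the thresholds are constructed assumptions, and the geolocation result is supplied inline as data rather than looked up.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class Profile:
    """What the institution already knows about a commercial customer (constructed)."""
    home_country: str
    usual_payees: Set[str]
    typical_max_amount: float  # largest outbound transfer in the customer's history
    known_ips: Set[str]


@dataclass(frozen=True)
class Transfer:
    customer: str
    ts: datetime
    amount: float
    payee: str
    src_ip: str
    ip_country: str   # result of a geolocation lookup, embedded here as data
    mfa_passed: bool  # True on every sample record: the trojan rides the real session


@dataclass
class Decision:
    transfer: Transfer
    score: int
    action: str       # "RELEASE", "REVIEW" or "HOLD"
    reasons: List[str]


# Weights and thresholds are illustrative assumptions, not values from the FFIEC Guidance.
GEO_MISMATCH, UNKNOWN_IP, NEW_PAYEE, AMOUNT_SPIKE, VELOCITY = 40, 15, 25, 30, 20
AMOUNT_SPIKE_FACTOR = 1.5               # flag amounts above 1.5x the customer's historic maximum
VELOCITY_WINDOW = timedelta(minutes=60)
VELOCITY_MIN_PRIOR = 2                  # two or more earlier transfers inside the window
HOLD_AT, REVIEW_AT = 60, 30


def score_transfer(t: Transfer, p: Profile, prior: List[Transfer]) -> Decision:
    """Score one outbound transfer against the profile and the customer's earlier transfers.

    mfa_passed is deliberately not an input: a man-in-the-browser trojan operates inside a
    session the customer has already authenticated, so the MFA result carries no signal.
    """
    score, reasons = 0, []
    if t.ip_country != p.home_country:
        score += GEO_MISMATCH
        reasons.append(f"geolocation {t.ip_country} differs from home {p.home_country}")
    if t.src_ip not in p.known_ips:
        score += UNKNOWN_IP
        reasons.append(f"source ip {t.src_ip} never seen for this customer")
    if t.payee not in p.usual_payees:
        score += NEW_PAYEE
        reasons.append(f"new payee {t.payee!r}")
    if t.amount > AMOUNT_SPIKE_FACTOR * p.typical_max_amount:
        score += AMOUNT_SPIKE
        reasons.append(f"amount {t.amount:.2f} exceeds {AMOUNT_SPIKE_FACTOR}x historic max")
    recent = [r for r in prior if t.ts - r.ts <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MIN_PRIOR:
        score += VELOCITY
        reasons.append(f"velocity: {len(recent)} earlier transfers in the last hour")
    action = "HOLD" if score >= HOLD_AT else "REVIEW" if score >= REVIEW_AT else "RELEASE"
    return Decision(t, score, action, reasons)


def monitor(transfers: List[Transfer], profiles: Dict[str, Profile]) -> List[Decision]:
    """Evaluate transfers in time order. A HOLD stops the transfer before funds leave the
    institution and should trigger out-of-band (e.g. telephone) confirmation with the customer."""
    history: Dict[str, List[Transfer]] = defaultdict(list)
    decisions = []
    for t in sorted(transfers, key=lambda x: x.ts):
        decisions.append(score_transfer(t, profiles[t.customer], history[t.customer]))
        history[t.customer].append(t)
    return decisions


# Constructed sample data: one small-business customer, a normal payroll run, then a burst of
# transfers to unfamiliar payees from a foreign IP, then one proxied through the customer's own PC.
PROFILES = {
    "acme-llc": Profile("US", {"PayrollCo", "OfficeSupplyInc"}, 12_000.00, {"203.0.113.10"}),
}
SAMPLE_TRANSFERS = [
    Transfer("acme-llc", datetime(2010, 3, 10, 9, 0), 9_500.00, "PayrollCo", "203.0.113.10", "US", True),
    Transfer("acme-llc", datetime(2010, 3, 10, 22, 15), 9_800.00, "Mule A", "198.51.100.7", "UA", True),
    Transfer("acme-llc", datetime(2010, 3, 10, 22, 18), 9_700.00, "Mule B", "198.51.100.7", "UA", True),
    Transfer("acme-llc", datetime(2010, 3, 10, 22, 21), 9_900.00, "Mule C", "198.51.100.7", "UA", True),
    Transfer("acme-llc", datetime(2010, 3, 11, 10, 5), 19_000.00, "Mule D", "203.0.113.10", "US", True),
]

if __name__ == "__main__":
    for d in monitor(SAMPLE_TRANSFERS, PROFILES):
        print(f"{d.transfer.ts:%m-%d %H:%M} {d.transfer.amount:>10.2f} -> {d.action:7} "
              f"({d.score}) {'; '.join(d.reasons)}")
```

Every sample record passes MFA, and the monitor ignores that flag on purpose: the trojan rides the authenticated session, so what separates the last four transfers from the first is the behaviour, not the login. The final transfer, proxied through the customer’s own PC and IP address, loses the geolocation and unknown-IP signals and only reaches REVIEW, which is exactly why the near real-time response to the trigger matters: a review queue that is worked the next morning is a wire that has already cleared.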

Posted in Controls, Information Security, News, Regulation, Risk Assessment, Risk Management & Compliance

Multi-Factor Authentication Is Not Enough

Posted by Matt on March 12, 2010

Krebs on Security: Crooks Crank Up Volume of E-Banking Attacks

Posted in Information Security, News, Regulation

Protected: ABA Information Security Committee Pre-RSA 2010 Meetings

Posted by Matt on February 27, 2010

Posted in Federal Statutes, Information Security, Regulation, State Statutes

Fighting On Two Battlefronts

Posted by Matt on February 18, 2010

Just a quick note about the latest press coverage over the discovery of a large botnet that includes zombies within Fortune 500 companies. The disturbing realization I draw from reports like this is that modern legislation for information security and privacy of personal data does very little to protect against these types of major threats. In fact, one might argue that the regulatory regime over information protection actually detracts from the ultimate goal of protecting against such threats. After analyzing the threat vectors in these types of cases, the most basic security controls are the primary lines of defense against such attacks on a business entity: end-user training, awareness and vigilance, blocking of personal email services, and anti-virus.

All too often within a modern corporation, information security is divided between two battles: (1) the battle against legislation, regulation and compliance, and (2) the battle against the real enemy.

We need to take proactive steps to converge these two battle fronts into a focus against the common enemy. Part of the solution is smarter legislation, which will involve information security leaders and risk management professionals taking a more prominent role in both lobbying and the notice-and-comment rule-making process. The latter is particularly important, as most laws are still written with a broad stroke, using vague terms like “risk assessment” and “administrative, technical and physical safeguards.” The details, and the devil in them, come via the administrative agency rule-making process.

Responses to threats faced by modern organizations should be proportional to the threats they face, not proportional to the size and type of the regulatory agency overseeing the organization’s activities, nor the breadth and depth of the primary regulator’s experience in such matters.  After all, in our modern information-driven economy, the art and science of regulating information risk in a large corporation can be almost as complex and intricate as the art and science of intrusion detection and incident response.  Only when we achieve a seamless integration of the two pockets of self-defense will we make much headway against the common adversary sitting behind botnets like Kneber.

Press Coverage of Kneber Botnet:

http://www.foxnews.com/scitech/2010/02/18/massive-hack-attack-shows-major-flaws-todays-cybersecurity/

http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html

The NetWitness report on the Kneber botnet, built on the back of the Zeus trojan, can be downloaded from the NetWitness website.

Posted in Federal Statutes, Information Security, Regulation, Risk Management & Compliance

One Federal Data Protection Statute

Posted by Matt on January 13, 2010

See my recent work on why there should be a unified federal data protection statute.

http://wp.me/PtYiw-3e

Posted in Controls, Federal Statutes, Information Security, Lawsuits, Legal Duty, Regulation, Risk Assessment, Risk Management & Compliance, Standards & Frameworks, State Statutes

Federal Data Breach Bills Pass the Senate Judiciary Committee

Posted by Matt on November 11, 2009

Read the article on the SC Magazine website.

Posted in Federal Statutes, Information Security, News, Regulation