Last month I gave a keynote at RVAsec in Richmond, VA on the topic of “The Future of Government Info Sharing”. The slides for my talk are available online. UPDATE: Video of the keynote is now available.

The inspiration for my talk was the confluence of the DHS announcing their Enhanced Cybersecurity Services and the lack of information available about the root causes of major data breaches. To me these signaled that information sharing is headed in the wrong direction. This is how DHS describes the ECS program:

“ECS is a voluntary information sharing program that assists critical infrastructure owners and operators as they improve the protection of their systems from unauthorized access, exploitation, or data exfiltration. DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information. DHS develops indicators based on this information and shares them with qualified Commercial Service Providers (CSPs), thus enabling them to better protect their customers who are critical infrastructure entities.”

Sharing information in this manner makes the recipient dependent on the government both for access to the information and for the ability to make use of it, since it is embedded in a “black box” upstream from their organization. This is like sharing the information of how to tie a shoe with a child by asking them to cover their eyes and tying it for them.

Then we have the lack of transparency when it comes to major breaches that affect millions of users, or even breaches at government entities. SC Magazine recently published a list of what they call “Top five data breaches in 2013...so far”. Guess how many have revealed the root cause of the breach or details of how it happened? Zero. These are the top five:
- Living Social
- Washington state Administrative Office of the Courts
- Federal Reserve Bank
The overall trend for information sharing seems to be to hide attack data in black boxes or to simply notify that there was a breach and who was affected. This is no way to improve security globally. I looked for a better approach to information sharing, one designed to learn from failures and improve over time, where detailed information is made public to all. There are several right under our noses that are run by the US government today. Do any of these organizations look familiar? They all collect and share information publicly, and they get this information through mandatory reporting.
- CDC - Mandatory Reporting of Infectious Diseases by Clinicians
- OSHA - Under the OSHA Recordkeeping regulation (29 CFR 1904), covered employers are required to prepare and maintain records of serious occupational injuries and illnesses, using the OSHA 300 Log. This information is important for employers, workers and OSHA in evaluating the safety of a workplace, understanding industry hazards, and implementing worker protections to reduce and eliminate hazards.
- CPSC - Dangerous Products (Section 15) - Manufacturers, importers, distributors, and retailers are required to report to CPSC under Section 15 (b) of the Consumer Product Safety Act (CPSA) within 24 hours of obtaining information which reasonably supports the conclusion that a product does not comply with a safety rule issued under the CPSA, or contains a defect which could create a substantial risk of injury to the public or presents an unreasonable risk of serious injury or death, 15 U.S.C. § 2064(b).
- NTSB - Federal regulations require operators to notify the NTSB immediately of aviation accidents and certain incidents. An accident is defined as an occurrence associated with the operation of an aircraft that takes place between the time any person boards the aircraft with the intention of flight and all such persons have disembarked, and in which any person suffers death or serious injury, or in which the aircraft receives substantial damage. An incident is an occurrence other than an accident that affects or could affect the safety of operations.
In my talk I focused on the NTSB (National Transportation Safety Board), as the failures they track are both process and technological. I think this models most closely what is needed for information security failures. What we need is a National Cyber Safety Board which requires mandatory reporting of all material information security breaches. This database is then shared publicly so we can all learn from security failures. Pilots must report accidents so equipment manufacturers, regulators, pilots, airport operators, and even the general public can learn what happened and improve.

We often get tied up in information security with metrics, given the old maxim, “if you can’t measure it you can’t improve”. In many respects we aren’t even there yet, as we have no shared knowledge of what is even going on with most security incidents. We don’t know what software and hardware was used, how it was configured or maintained, or what processes were performed to secure and monitor it. With an airplane accident we have all of these factors. The NTSB doesn’t rely on self-reporting of major accidents; they perform their own investigations.

Airplane accidents were growing year over year at an alarming rate as traffic increased following the start of commercial air traffic around 1920. 1920 saw 100 accidents a year, 1930 saw 200 accidents a year, and 1940 saw 500 accidents a year. This caused Congress to take action and form the precursor to the NTSB in 1938. By 1950 accidents had dropped back to 200 a year even with a dramatic rise in air traffic. It is clear that the NTSB had a major effect on air safety.

Is there a strong parallel here to the cyber realm? We are entering our 3rd decade of the commercialization of the internet and data breaches continue to rise. Thank goodness for DataLossDB.org. You can’t get a chart like this from any US government organization. Vulnerabilities are tracked but not incidents.
The DataLossDB chart looks a lot like the first 30 years of commercial air travel. The question we should ask is “When will the number of breaches per year start to come down, and what will be the change that causes that?” Time will tell if the current experimental approach to cyber security information sharing will make a difference. But we don’t have to experiment; we know a model that works - the NTSB. We should get going on a national breach reporting law that has information sharing for the good of the community. The fact that we’re not thinking about data breach investigation and notification like the NTSB shows how immature the IT security industry really is. View my full keynote presentation, "Future of Government Info Sharing".