Last month I gave a keynote at RVAsec in Richmond, VA on the topic of “The Future of Government Info Sharing”. The slides for my talk are available online. UPDATE: Video of the keynote is now available.

The inspiration for my talk was the confluence of the DHS announcing their Enhanced Cybersecurity Services and the lack of information available about the root causes of major data breaches. To me these signaled that information sharing is headed in the wrong direction. This is how DHS describes the ECS program:

“ECS is a voluntary information sharing program that assists critical infrastructure owners and operators as they improve the protection of their systems from unauthorized access, exploitation, or data exfiltration. DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information. DHS develops indicators based on this information and shares them with qualified Commercial Service Providers (CSPs), thus enabling them to better protect their customers who are critical infrastructure entities.”

Sharing information in this manner makes the recipient dependent on the government both for access to the information and for the ability to make use of it, since it is embedded in a “black box” upstream from their organization. This is like teaching a child how to tie a shoe by asking them to cover their eyes while you tie it for them.

Then we have the lack of transparency when it comes to major breaches that affect millions of users, or even breaches at government entities. SC Magazine recently published a list of what they call “Top five data breaches in far”. Guess how many have revealed the root cause of the breach or details of how it happened? Zero. These are the top five:

  1. Living Social
  2. Washington state Administrative Office of the Courts
  3. Evernote
  5. Federal Reserve Bank

The overall trend for information sharing seems to be to hide attack data in black boxes or simply to notify that there was a breach and who was affected. This is no way to improve security globally. I looked for a better approach to information sharing, one designed to learn from failures and improve over time, where detailed information is made public to all. There are several right under our noses that are run by the US government today. Do any of these organizations look familiar to anyone?

[Image: logos of government organizations that collect and share information publicly]

They all collect and share information publicly. They get this information through mandatory reporting.

  • CDC - Mandatory Reporting of Infectious Diseases by Clinicians
  • Under the OSHA Recordkeeping regulation (29 CFR 1904), covered employers are required to prepare and maintain records of serious occupational injuries and illnesses, using the OSHA 300 Log. This information is important for employers, workers and OSHA in evaluating the safety of a workplace, understanding industry hazards, and implementing worker protections to reduce and eliminate hazards.
  • CPSC - Dangerous Products (Section 15) - Manufacturers, importers, distributors, and retailers are required to report to CPSC under Section 15 (b) of the Consumer Product Safety Act (CPSA) within 24 hours of obtaining information which reasonably supports the conclusion that a product does not comply with a safety rule issued under the CPSA, or contains a defect which could create a substantial risk of injury to the public or presents an unreasonable risk of serious injury or death, 15 U.S.C. § 2064(b).
  • NTSB - Federal regulations require operators to notify the NTSB immediately of aviation accidents and certain incidents. An accident is defined as an occurrence associated with the operation of an aircraft that takes place between the time any person boards the aircraft with the intention of flight and all such persons have disembarked, and in which any person suffers death or serious injury, or in which the aircraft receives substantial damage. An incident is an occurrence other than an accident that affects or could affect the safety of operations.

In my talk I focused on the NTSB (National Transportation Safety Board), as the failures they track are both process and technological. I think this models most closely what is needed for information security failures. What we need is a National Cyber Safety Board which requires mandatory reporting of all material information security breaches. This database is then shared publicly so we can all learn from security failures. Pilots must report accidents so equipment manufacturers, regulators, pilots, airport operators, and even the general public can learn what happened and improve.

We often get tied up in information security with metrics, given the old maxim, “if you can’t measure it you can’t improve”. In many respects we aren’t even there yet, as we have no shared knowledge of what is even going on with most security incidents. We don’t know what software and hardware was used, how it was configured or maintained, or what processes were performed to secure and monitor it. With an airplane accident we have all of these factors. The NTSB doesn’t rely on self-reporting of major accidents. They perform their own investigations.

[Chart: air incidents per year (acro-air-incidents)]

Airplane accidents were growing year over year at an alarming rate as traffic increased after the start of commercial air traffic around 1920. 1920 saw 100 accidents a year, 1930 saw 200 accidents a year, and 1940 saw 500 accidents a year. This caused Congress to take action and form the precursor to the NTSB in 1938. By 1950 accidents had dropped back to 200 a year even with a dramatic rise in air traffic. It is clear that the NTSB had a major effect on air safety.

Is there a strong parallel here to the cyber realm? We are entering our 3rd decade of the commercialization of the internet and data breaches continue to rise.

[Chart: data loss incidents per year (datalossdb-incidents)]

Thank goodness for DataLossDB. You can’t get a chart like this from any US government organization. Vulnerabilities are tracked but not incidents.
The DataLossDB chart looks a lot like the first 30 years of commercial air travel. The question we should ask is “When will the number of breaches per year start to come down, and what will be the change that causes that?” Time will tell if the current experimental approach to cyber security information sharing will make a difference. But we don’t have to experiment; we know a model that works - the NTSB. We should get going on a national breach reporting law that has information sharing for the good of the community. The fact that we’re not thinking about data breach investigation and notification like the NTSB shows how immature the IT security industry really is. View my full keynote presentation, "Future of Government Info Sharing".

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (4)

Jack Contantian | June 29, 2013 8:48 am

I agree, but wouldn't the public knowledge open us up to more cyber terrorist attacks? Right now, with it not being published no one can tell which path and weakness was exploited, but if a piece of hardware or software has an issue and that becomes public we run the risk of everyone with that technology being open to attacks till the problem can be addressed, if at all.

cwysopal | July 2, 2013 9:59 am

Hi Jack, This is the same argument that was made that we shouldn't publish vulnerability data. Some argued that we should inform vendors and they should make a silent patch. The problem with this is no one knows what to test for to see if systems are still vulnerable, and IDS vendors can't make signatures for the attacks. Then once you realize that the bad guys have networks for exchanging vulnerability and incident data, you realize that keeping secrets from defenders only helps attackers. I am all for keeping zero days secret until patches are made, unless they are in widespread use by attackers, but the rest of security failures should be detailed and known to all.


Bill Jackson | July 11, 2013 9:33 am

You make good arguments for disclosure and fuller investigation, but there is a significant difference between the NTSB model you propose and the challenge of cyber security. NTSB investigates accidents and failures, while IT breaches by definition involve malicious activity. In many ways it is easier to address and correct failures and mistakes than to defend against intentional attacks. If the air accidents chart included planes taken down by attacks, the numbers would have continued to spike through 1945, and would have remained higher than shown after that. This is not to say investigation and disclosure are not warranted, but there are other issues to consider as well.

cwysopal | July 12, 2013 10:55 am

Hi Bill,

Thanks for your comment. Agreed that the malicious nature makes things different. But like vulnerability disclosure, we determined that even though this information could have bad uses, it was better to create CVE and NVD than to exchange vulnerability information in secret with vendors. I believe the pros outweigh the cons for breach disclosure also, and if done the right way it could improve security globally, much like what has been done for transportation security.


