BreachExchange mailing list archives
Re: Suggestion for changing status quo on data losses
From: "DAIL, WILLARD A" <ADAIL () sunocoinc com>
Date: Mon, 4 Aug 2008 11:09:01 -0400
I have found legislators to be far more receptive to communications from their constituents than they are about general unsolicited information from organizations. With the exception of a PAC or lobbyist (with interesting resources), legislators seem far more interested in an issue if the people who vote for them are interested in or concerned about the issue, and are vocal about their angst. A slightly more effective approach might be to provide access to local chapters of privacy groups or Bar associations and have those groups write their representatives. Otherwise, I personally would focus the information on chairs and members of sub-committees with a subject matter interest in consumer privacy.

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Arshad Noor
Sent: Saturday, August 02, 2008 3:47 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] Suggestion for changing status quo on data losses

security curmudgeon wrote:
> In my opinion, to do this correctly would involve someone drafting a
> well-written form letter that list subscribers could use to send to their
> own representative. One page, cite the issue, quote some statistics, say
> it affects them (faster way to make them care) and then to 'fix it'. Of
> course, 'fixing it' is generally a myth as there isn't a simple-to-implement
> solution to stop dataloss.
Jericho/All,

Thank you for reminding me of advice I used to give out many years ago, but stopped bothering seeing how ineffective our representatives are in so many other areas. Nonetheless, if I do not let them know, I cannot expect them to address the problem.

That said, I have sent my CA representatives the attached letter. I have also sent it to both Presidential candidates, and am disclosing this letter for discussion and in case others may want to adopt it to send to their own representatives (permission is freely granted to one and all).

While the suggestion cannot guarantee a solution to the problem, it is my strong belief that it is the first step towards a long-term solution. Let the tomato/egg throwing begin....

Arshad Noor
StrongAuth, Inc.

----------------------------------------

I am writing to inform you of my concerns about America's current Information Security policies and to propose a plan for addressing its shortcomings.

Since California's seminal Breach Disclosure law (CA Senate Bill 1386) and similar laws in 40+ states, this country has witnessed the public disclosure of some of the largest breaches to private data in our brief history with information technology (estimated to be well over 200M identities in the last 5 years - http://etiolated.org/ and http://www.privacyrights.org/). While there are Federal laws stipulating data-protection (GLBA, HIPAA, SOX, FISMA, etc.), we continue to see unrelenting breaches of data, indicating the laws are ineffective in this regard. It is my belief there are fundamental flaws in America's technology security policy that need to be corrected before we see any change.

Every sector of US industry that can cause harm to humans is not only regulated, but is required to disclose adverse events that either cause harm, or have the potential to cause harm, to a regulatory body. Automobiles, airlines, food, drugs, medical, chemical, banking, environment, power, construction - they are all required to report adverse events. Except the IT sector!

Just as the Center for Disease Control (CDC) would be hopelessly ineffective if mandatory reporting of adverse health events were not required, the IT sector is currently hampered because there is neither a Federal agency with the mandate to collect such information, nor a law requiring companies to report adverse security events to such a central authority.

The history of science shows that improvements come only with research. However, research requires comprehensive data. Without data that supports root-cause analysis and statistical analysis, it is impossible for scientists and engineers to solve the problem we face, and consequently, for our nation to build a stronger IT infrastructure.

I propose that the US Congress enact a law stipulating the following:

- The creation of a "National Technology and Security Administration (NTSA)" modeled along the lines of the National Highway Transportation and Safety Administration (NHTSA) with the following mandate:
  a) Collect information on computer-related breaches in the USA.
  b) Create statistical reports from breach data and disseminate such reports (including raw data) to the internet.
  c) Establish a Security Baseline that all technology products must deliver.
  d) Establish a Security Profile for different classes of systems that businesses, government agencies and individuals must achieve.
  e) Mandate the recall of products that do not meet the Security Baseline.
- Requiring ALL businesses that store private data of US citizens on computerized devices - regardless of geography - to report adverse security events to the NTSA;
- Allocating the NTSA appropriate resources and giving it the operational latitude to carry out its mandate;
- Eliminating the liability exclusion for defective IT products (no other manufacturing industry is excluded from the liability of producing defective products; why does the IT industry enjoy this exclusion more than 25 years after the PC was created, and nearly 50 years of the existence of the computing industry?)

With such a law the US will establish the foundation of a process to make the internet and information technology products secure. This will not happen overnight. But within 24 months of the creation of such an agency, we can expect to start seeing some benefits, and within five years, we can expect a dramatic reduction of breaches to private data. While we can never eradicate all vulnerabilities or breaches, the NTSA can make significant contributions towards protecting the private data of US citizens. Given that the US economy is critically dependent on computers, we cannot wait for a catastrophic IT event to take decisive action.

I have had some discussions with people on security forums in this regard, and am attaching some observations for your benefit. I look forward to seeing some action from US Congress on this issue. If there is anything I can do to help, please don't hesitate to have your staffers contact me.

Regards,

1) What constitutes a security event?

A loss of resources (data, time, money, capacity) for the owner of the computer asset due to any factor that can neither be deemed negligence nor accident on the part of the owner. An assumption is that the owner has defined a security policy and is in conformance to it. For individual users, the security policy will be either the default security policy of the manufacturer or a stronger policy if they have implemented it.

2) How would the information provided to this new agency be protected?

All user/company information that can identify them is anonymized. The detail must have a section that is legible to business-people and a section that is gory for technical people. Names & versions of operating systems, software, sufficient configuration detail to describe protections in place (but without any identification information again). Security specialists and researchers must have this detail so they can learn from the experience, build models for future protection, etc. FOIA rules would apply, but the information should be available as soon as it is reported in an online database on the internet. Mechanisms to verify the authenticity and integrity of the report should be in place (once again, without identifying the reporter).

3) What are the penalties for not reporting security events?

Loss of insurance coverage for damages. Penalties for companies if they are found out later.

4) And how are they enforced?

I would like to say that it should be on an honor-based system because the more data we have, the more benefit we derive from it. So, that should be an incentive to report. However, audits of randomly selected companies could be implemented to see if the reporting is statistically in correspondence to the security events visible on the internet. Non-compliant companies will be fined and subject to mandatory annual audits for three years.

5) Do the rules apply just to corporations; or to individuals?

It has to apply to all - especially to individuals. However, since the vast majority of individual users cannot be expected to know what to report, manufacturers of computer systems must include diagnostic tools that can be used to pick up reporting information after scrubbing identification information. This can then be submitted separately by the "victim".
----------------------------------------

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml