Legislation was introduced on December 17, 2015 that, if passed, improves security transparency on corporate boards for publicly traded companies.  Many companies recognize the need for a security executive and appoint a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO) to lead corporate programs.  While some consensus exists around the security executive role and title, there’s little agreement around leveling security with other business functions.  As a result, security executives are often not on equal footing with other business functions, which negatively impacts corporate security posture.  The Cyber Security Disclosure Act of 2015 (SB.2410) brings increased transparency and accountability to security by requiring security expertise on corporate boards.

“(1) to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and

(2) if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.”
Corporate boards are directed to identify board-level information security expertise along with qualifications or, alternatively, to describe their actions to identify an expert.  Some subtle implications of this bill are the following: 1) final accountability for information security rests with the board, 2) all publicly traded companies will have an appointed cyber security leader/expert or keep looking until they find one, 3) the security executive will have board-level visibility/accountability.  CSOs/CISOs will be leveled like other C-level execs since they will have direct board-level accountability.  This is a shift from today, where CEOs are increasingly held accountable for security and must balance business execution with security concerns.  Balance the wrong priority and the CEO may be fired.  Competition for resources between CEOs and CISOs could be fierce in the future under SB.2410, but some CEOs may consider the loss of overall accountability for security as a benefit.

You may be hearing about the EU-US Safe Harbor discussion in the news.  At risk is multinational companies’ ability to store and process EU data in the US.  Companies like Apple, Facebook, and Google provide EU services through computers located in the US.  Data is sent from the EU to the US under the auspices of the EU-US Safe Harbor agreement.

On October 6, 2015 the Court of Justice of the European Union (ECJ) ruled the Safe Harbor agreement invalid, which places all EU data sent to the US in jeopardy.

“…the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country” [4] Court of Justice of the European Union

The ECJ recommended that where protections cannot be guaranteed, “suspending the contested transfer of data” [4].  The only way US businesses can guarantee adequate protections for EU data is for the US government to develop laws protecting EU data from US government warrantless surveillance programs.  Without such transparency measures, the only choices for Internet bellwethers are to develop new data centers within the EU for EU data, or to pull the plug on the EU.  Neither option is very tenable for US multinationals or citizens of the EU.

Even if Internet bellwethers underwrote efforts to build EU data centers, it’s not clear EU data will be safe from US government overreach.  In a developing case between Microsoft and the US government, the government contends it has the right to demand the email of anyone in the world so long as the provider is headquartered within the US [6].  Presumably, the legal precedent established for email would apply more broadly to all data.  I have been covering developments in this area over the last couple of years [1][2] for interested readers.

[1] Securitycurmudgeon.com, Balkanization of US Products and Service Technology Accelerates
[2] Securitycurmudgeon.com, A Crisis of Confidence Costs Real Money
[3] The Register, US tries one last time to sway EU court on data-slurping deal
[4] Politico.eu, Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015 [pdf]
[5] Reuters, Europe-U.S. data transfer deal used by thousands of firms is ruled invalid
[6] Guardian, Microsoft case: DoJ says it can demand every email from any US-based provider

Image: Wikipedia, EU Flag

Abby Martin (RT) interviews Oliver Stone (Academy Award winning director) and Peter Kuznick on US foreign policy and the Obama Administration’s disregard for the rule of law.

“We [United States] are going into a second Administration that is living outside the law…does not respect the law as a foundation for our system.” (Stone)

“We [United States] spend more on military security intelligence than entire world combined.” (Kuznick)

“The United States is an open air Internment Camp.” (Martin)

In the interview Kuznick makes the point that the United States, through all of its surveillance and aggression, fears something but is not addressing the root causes of that concern.  Further, the government’s predilection for a culture of lawlessness is based upon an ideal of “American Exceptionalism”, which is: if Americans do it, then it must be right.  Perhaps more tangible to Americans is the government’s willingness to sacrifice the U.S. economy to achieve its objectives.  For more information around the economic impacts of security policy see my previous posts, A Crisis of Confidence Costs Real Money and a more recent update, Balkanization of US Products and Services Technology Accelerates.

Updated October 5, 2015

It’s been more than a year since I wrote a story about the erosion of trust in US products and services and its impact on corporate revenues, A Crisis of Confidence Costs Real Money.  Recently China announced that top US companies like Apple Computer Inc., Cisco Systems Inc., and Intel Corp. have been dropped from the state’s approved vendors list [1].  Trust may be old school, but it’s clearly still important when it comes to the sale of products and services.

Other countries have already begun curtailing purchases, but perhaps without the bold public proclamations.  According to the Wall Street Journal [2], Cisco has been particularly harmed: “first-quarter orders in China declined 18%,…Mexico and India off by the same percentage. Orders were off 30% in Russia and 25% in Brazil”.  Last year it was revealed the NSA tampered with Cisco products sent to China.  One of the saving graces of these highly diversified companies is that they do business in many other countries.  While many Americans and businesses were harmed in the 2008 economic crash, American bellwether companies did better than ever.  Partially due to their global diversification, these companies no longer depend upon Americans to purchase their products.  Also, a sharp rise in commodity prices, due in no small way to an uncertain economy, is fueling the purchase of company stock across the board, further bolstering cash reserves, stock buybacks, and expansions.

Generally, globalization and diversification are great for business, but apparently American bellwethers are now feeling growing pains as stories continue to break about overreaching US security policies.  The problem with an “end justifies the means” approach to security policy is the stain it leaves on the corporate integrity of these global corporations.  At issue is trust: nothing US companies say or do will convince foreign nations that US products or services are not compromised.  Many companies like Yahoo, Google, and Apple reacted to the new policies by encrypting data at rest and in transit by default.  Encrypting user data by default does away with the free feast on personal information and ensures at least an electronic trail left by authorities for personal information requests.  The FBI contends that search warrants are not enough and that new “security backdoors” are required in US products and services.  The news set off a firestorm with unexpected results: now other nations like China are also requesting security backdoors in US products.  Experts contend backdoors weaken products and services for everyone.

Beyond interception of data sent over telecommunications networks, US authorities have other shadowy tools at their disposal, like National Security Letters (NSL) and secret FISA court hearings.  These tools provide secrecy or gag measures accompanying government requests for information and eliminate critical public oversight.  In fact, in 2014 it finally became public knowledge that in 2008 Yahoo argued against warrantless surveillance.  Other businesses have shut their doors entirely rather than participate in what history may one day consider the most egregious incursion into Americans’ 4th Amendment privacy rights ever.  In stark opposition, authorities are convinced American privacy is a small sacrifice for the security of a nation.

Most experts agree that authorities need access to sensitive information to support their investigations and keep America safe.  At issue is the method of collection: a complete dragnet on all Americans.  Until the US government begins observing the rule of law and transparency in the area of personal data collection, bellwethers will continue to bleed revenue as products and services become increasingly balkanized along geopolitical borders.  Even if government policies improved overnight, a shaken world confidence is not so easily restored, and it will likely be many years before trust in US products and services is restored.

[1] Exclusive: China drops leading technology brands for state purchases (removed by Reuters prior to post).  See also, China removes top U.S. tech firms from government purchasing list
[2] Cisco CEO: ‘Never Seen’ Such a Falloff in Orders

Image: American flag image, Wikipedia.

FBI Director James Comey goes on the record with Scott Pelley of the CBS show 60 Minutes in a video interview.  I gathered a few of Comey’s remarks and provide some of my own commentary.  Security is like religion or politics, everyone has an opinion, and if you would like to share yours, leave a comment at the bottom of the article.

“Cyber crime is becoming everything in crime”
Strongly agree, why?  The severity and tempo of security incidents continue to build momentum: Target, 40 million credit cards stolen; Home Depot, 56 million cards; and finally JP Morgan Chase ringing the bell at 76 million customers.  As the saying goes, cyber crime is where the money is.  Large as these heists are, the largest to my knowledge is Heartland at around 100 million cards in 2009.

“Chinese hackers are like drunk burglars”
The point made is that Chinese hackers are not necessarily the best hackers, but they are pervasive and invading businesses with significant intellectual property to lose.  Considering security from the attacker’s perspective, why spend $100 million to develop a product, technology, or service when you can steal it for $1 million or maybe even far less?  The goals and funding for businesses and nation states are far different.  Corporate budgeting is a profit and loss game, and there are constraints around what a security program can achieve, whereas funding for nation state security programs almost certainly exceeds the entire software engineering budget of most companies.  Few corporate cyber defenses can withstand a direct assault by even moderately funded state programs.

“Cost of cyber crime in the billions”
I’m sure this is true, but since the cost is spread over an entire economy, it’s difficult to justify funding the war on data by individual businesses or organizations.  Governments must protect our cyber borders as well as our physical borders, since businesses are poorly equipped to do so.  We don’t expect businesses to defend their properties with armed guards against invasion by other nations.  We should not expect businesses to defend their cyber borders from foreign invaders.  It’s simply too much to expect from companies trying to make a profit, and it’s not their job anyway.  National defense is a government responsibility; it always has been.

(security is in a) “much better place than 13 years ago”
I don’t believe popular news reports support this conclusion.  In Comey’s own words, cyber crime is now the only crime, and I doubt 13 years ago he would have made this same claim.  I agree, everyone has learned much more about security in the last 13 years, but so too have our adversaries.  Comey mentioned we are not perfect and we have more work to do, with which I could not agree more.  There is a need to be encouraging, but declaring the past 13 years a security victory is redonkulous.  Attackers are more emboldened and motivated than ever before.

“Apple’s iPhone may be a threat to national security”
Don’t believe it.  Washington is quick to sacrifice individual privacy rights in the name of business revenues or national security, but it is unwilling to demonstrate the tiniest shred of transparency in the name of its own credibility.  Complete secrecy around information security programs is so important to the government that it is willing to sacrifice the revenues of American businesses.  For instance, after the Snowden era revelations it’s now well-known that the NSA tampered with Cisco Internet hardware to achieve its electronic surveillance objectives.  Further, government surveillance activities impact confidence in American businesses in other countries and ultimately harmed revenues, according to Cisco.  Other companies have reported similar impacts, but precise industry impact figures are elusive.  It’s also known that the NSA pressured Yahoo with a $250,000 per day fine for its refusal to release user data in 2007.  Now Yahoo and other tech giants are taking proactive measures like securing data between data centers to discourage warrantless searches and improve confidence abroad.  Most large companies compete in a global marketplace, so the confidence in and integrity of American products in other nations is very important to revenues.  Now Apple continues a similar trend to lock down warrantless iPhone searches in a bold move that has drawn some scrutiny from Washington.  Most US companies would rather not take sides on personal privacy issues, but they do so since a lack of public confidence in product and service offerings impacts revenues.  American companies learned a valuable lesson: acquiescing to government demands may or may not be in the best interest of the people, but it’s certainly not good for businesses competing in a global marketplace.