Tuesday, September 11, 2012

It's the data, Stupid!

One of the things that I try to bring to the table is historical perspective.    I argue for the importance of history, that if we do not know where we cane from, we cannot appreciate where we are, much less where we are going. I have been here longer than the average bear.  I can see things across time that are difficult to appreciate at a point in time.  

When I was selling computers for IBM and for almost a generation, we matched the scale of the computer to that of the enterprise.  Each enterprise had one computer, the most powerful that it could afford.  Chief executive officers did not have the discretion to buy a computer.  It was an economic decision for the enterprise comparable to that of building a new plant or committing to a new product.  It was a board level decision. While the CEO could say "no," he could not unilaterally say "yes."

As the scale of the technology has changed, as its price has fallen and its efficiency has exploded, the decision making has moved.  

By the time that the "minicomputer" came on the market, the decision had fallen to the level of the department.  We did not consciously make a decision to do that.  It was simply a reflection of the scale, price, and efficiency.  However, until very recently, most computers used in the enterprise were still purchased, owned, and managed, not to say controlled,  by the enterprise.

Recently we passed a tipping point;  most computers are now purchased, owned, and to the extent that they are. managed, by individuals, by consumers.  We buy them at Wal-Mart and Costco, next to groceries, diapers, paper towels, and bottled water.  Because they are so cheap and so powerful, they are used for things that we could not have imagined as recently as a decade ago.  

As I sit here, there are seven computers within 5 feet of me and nine screens within 9 feet.  They are all connected and interoperable. Moreover, to a first order approximation, they are connected to, and will inter-operate with, any and every computer in the world.  These do not count the application-only computers like my cable box, Sling-box, and "Smart-TV;"  they all "boot" so I assume that they are "computers."  

As I sit here, I am waiting for one great niece to decide between a Kindle Fire and an iPad and am replacing an iPhone for another who dropped her's in the toilet at the mall.  The discretion, the decision making power, has now fallen to the children.  Remember?  The decision is made one level below the guy who signs the order, the check or the credit card?  I only pay, the kids decide.  Their decisions impact the enterprise and the infrastructure, those things that you and I are expected to control and protect. 

Infants use computers.  I choose the term "use" advisedly.  They use them for their "work," at their age indistinguishable from "play," learning to master their environment.  They project the capability of one computer as requirements on another.  They "swipe" across TV screens and even magazine pages.  Seven year-olds write critical reviews of applications, and teen-agers know more about computers than the information technology elites of a generation ago.  Different things perhaps, but more.  

There are some things that are beneath their level of notice.  For the most part they are agnostic as to where an application runs and its data is stored.  They are oblivious as to what we used to call "speeds and feeds."  

It is almost impossible to remember that the first iPhone came out only five years ago and that about all it could do was phone calls, do e-mail, and browse.  Oops, I forgot; play music.  Apple and Google now have a couple of major announcements and ship dates a year.  Just to keep up! Teens track the features in new versions of iOS the way my generation tracked new car models.  By the time that YOU have figured out the security implications of one new product, another has shipped.  

I remember when I had to keep a list of e-mail gateways and use embedded addresses to get from one domain to another.  No longer; the address space has flattened.  Now I keep a list, shorter, but still a list, of application proxies to get me around fire-walls and other security restrictions.  When the Naval Postgraduate School blocked my access to AOL Instant Messenger, two students quietly gave me the addresses of two different proxies.  Proxies now come plug-n-play-in-a-box or simply run as servers in the Internet.

One niece and nephew go to a very traditional school, elite, but so traditional that they are still expected to carry fifty pounds of paper in and out of school everyday.  They can take their iPhones, but cannot use them, and iPads and MacBooks must still be left at home.  So, they use Dropbox, Evernote, and thumb-drives.  No matter what controls or road-blocks we throw in their way, they will get around them.     

The good news is that there are only two popular operating systems for the most popular consumer products, right?  iOS and Android?  All you have to know about, right?  The bad news is that there are dozens of versions of Android, all different, most open.   There is more bad news.

RIM has not gone away.  Windows Mobile has hardly gotten here.   Playstations and X-Boxes are becoming richer and more open.  Even Play Station Portables and DS Lites are being opened some.  Proxies and servers are popping up everywhere to expand their capabilities even further.  

As I write this on Evernote, I am using the Window's Evernote Client on my  Dell, but I am using the screen and key-board on my MacBook Air.  In order to find the Windows system across the room, the MacBook goes to an addressability server in the Internet where the Dell has published its IP address and port, perhaps thousands of miles away, and then comes back to a computer five feet away.  
The devices at the the edge are becoming smaller, cheaper, more diverse, more powerful, at an exponential rate. Now it is not news that one can buy gigabytes on a chip the size of one's pinky nail for $1/gig or that one can buy a terra-byte to fit in one's shirt pocket for under $100-.  

All of this is by way of saying that you cannot prevent contamination and leakage at the edge.  You no longer own or control the edge.  You cannot even see it.  It has been a battle since the edge began to include PCs but it is now clearly a lost cause.  It has probably been the wrong strategy all along.  

Focus on the data.  You do not control the edge but you do control the center.  

Know which data you want to protect.  The books of account, intellectual property, personally identifiable data.  You cannot protect all your data to the level that is required by these.

Prefer closed systems for this sensitive data.  Think AS/400 and Lotus Notes but you can close any system.  

Prefer object-oriented formats and databases to flat files for all sensitive data.  This should include document management systems.  The common practice of storing documents as file system objects is not appropriate for sensitive documents.  

Control access as close to the data source as possible.  

Prefer application-only access.  Prefer purpose-built application clients; think "apps." 
Prefer end-to-end encryption,that is edge device to application, not to the network, not to an operating system.  Remember that what appears to you to be the edge device may be a proxy for the real edge device.  

Prefer strong authentication for sensitive data; consider the edge device identity, for example, EIN or MAC address, as one form of evidence. Consider out-of-band to the user to resist replay.  

Meter the data rate at the source, not the edge; prefer one record or page at a time.  

Provide a high level of service.  You can make any control or restriction at least tolerable provided that you couch it in a sufficiently high level of service.  Remember that most leakage is of gratuitous copies.  These trade off cheap local storage against expensive bandwidth and high network latency.  The faster you can deliver data from the source, the fewer copies will be made at the edge.  

Now I am not in the business of recommending products here.  However, if you want to make the above easy, get Lotus Notes.  I can mention it because it has no competition.  

These measures are probably too expensive for the least sensitive data in the enterprise.  However, they are mandatory for the most sensitive data. It is for drawing the line that we are called professionals and paid the big bucks.

Tuesday, July 24, 2012

Austin to Aurora

Austin 1966
San Ysidro CA 1984
Edmond OK, 1986     
Ridgewood NJ 1991
Royal Oak MI 1991     
Dearborn MI 1993
Dana Point CA 1993
Oklahoma City 1995
Dunblane Scotland  1996
Columbine 1999
Goleta CA 2006
Virginia Tech 2007
Fort Hood TX 2009
Tucson AZ 2011
Utoya Norway 2011

A tragic litany.  More tragic because we have already forgotten some of the worst of them.  More tragic because they have become routine.  More tragic because it does not include the hundreds that die in gun violence every day.  Yet more tragic because we stand immobile as the rate and the scale escalate.  

Aurora CO 2012.  The citizens of Aurora can take great pride in their own courage and in how their First Responders reacted in the face of this insanity.  Of course,  New York City grants nothing in courage to any other city.  We have the most courageous and disciplined citizens.  We are confident that we have the best trained, best led, most professional, and most heroic fire and police men and women in the world.  We were not surprised to learn that the leader of Aurora's finest is one of ours.

Have you ever heard a more professional press briefing than was given by Aurora's Chief of Police, Dan Oates?  It was complete, accurate, and measured.  He said exactly what he intended to say.  He knew with precision what he did not want to say and deflected questions on those things in a professional manner.  Those of us who have been there understand that such a degree of professionalsim is the result of a lifetime of training, discipline and  experience.  We all got a little teary when he realized what a great job his team had done, that all the training had paid off.  

Another professional briefing came from Lt. Andra Brown of the San Diego Police Department.  She was called out of bed at dawn to run interference for the accused perpetrator's family.  That briefing is not yet on YouTube but perhaps it will still show up.  However, another of her interview is and it demonstrates that she is a pro.

Even the media has been restrained and professional.  They have not hounded the families of the victims, or even of the perpetrator, with "How does it feel to …..?"  While some of the questions put to the authorities were not going to get an answer, they were respectful and legitimate.  They gave the professionals the opportunity to explain to an anxious public why they cannot be answered.

I hope that our response as a nation continues to be measured and proportionate.  That is not to say "business as usual."  Business as usual is not proportionate.  

We need to take another look at gun control.  We are law enforcement and security professionals; ours is the art of the possible.  We do not allow the perfect to become the enemy of the good. Some place between where we stand and giving up any pretense at the Second Amendment, there has to be better place.  

That place includes an assault weapon ban, a ban on large capacity magazines, and a tax and controls on the purchase of ammunition.  Guns did not cause these events and no change in the law, which will no be more than marginally effective, is going to prevent them.  Dunblane and Utoya tell us that.  However, these are changes that stand on their own merit.  They are measured and consistent with both the Rule of Law and civil liberties.   

Our presidential candidates tell us that we should not act out of the anger and grief of the moment, that it is not timely.  I agree that we should not act out of anger and grief.  However, it is a year and a half since Tucson and two generations since Austin.  I stand with Mayor Bloomberg who asks "If not now, when?"

Over the weekend a journalist pointed out  that  the Metropolis of Batman is what our cities will look like if we surrender the state's monopoly on the use of armed force.  Batman is not a real hero.  Real heroes do not wear masks; they wear little shields that say "Serve and Protect."  Real heroes do not wear capes; they wear turn-out coats.  

No, Batman is a thug, a vigilante.  He has given up on the Rule of Law, on the idea of civil society.  We pretend that he is on the side of the good guys,  but we cannot allow individuals to administer their own brand of justice.  At least one, probably most, of the perpetrators of events in that litany, were, at least part of the time, at least in their own sick heads,  administering their own brand of justice.  

From Robin Hood to Batman, fantasy is populated by vigilantes.  It is part of our culture. It is motivated by our innate sense of justice and our frustration when an imperfect system fails to deliver it.  It is motivated by our historic fear of tyranny.  But we are grown-ups.  Grown-ups do not act out their juvenile fantasies.  We do not lionize those that do.  Vigilanteism is the problem, not the solution,

As citizens we have to be worthy of our First Responders.  We have to commit to the Rule of Law.  We have to perfect government, not abandon it.  Without surrendering our Liberties, we have to give up any claim to vigilante justice.. 

As law enforcement and security professionals we too have to commit to the Rule of Law.  If we are to maintain the state's monopoly on the use of force, then as the agents of the state, we must use it conservatively and professionally.  We must be civil.  We have to emulate the best of our peers and follow the best of our leaders.  We have to forswear arrogance, swagger, and intimidation.  Only then will we be seen as professionals and be paid the big bucks.

Tuesday, July 17, 2012

The Rule of Law

We use the code words, the rubric, the concept,  Rule of Law, often without thinking about what the concept  embraces. Indeed our application of the Rule is still evolving.  Every now and then it is useful to enumerate the components and measure ourselves against them.  

One definition of the Rule of Law is that every citizen is subject to the law.  "Not even the King" is exempt.  Thus, the concept of the Rule of Law is antithetical to the idea of the "Divine Right of Kings."

Under the Rule of Law, all use of deadly force is reserved to the king and his agents, to the state and the police.  While a citizen may use force in the defense of his home, in public places he has a "duty to retreat."  While we recognize certain exceptional circumstances in which an "un-sworn" citizen may exercise police powers, "exceptional" is the key word and the guiding principle.  

Recently, in an expressed intent to "reduce crime," some states have adopted laws which expand the circumstances under which the citizen may resort to armed force, but the results have been mixed at best.

Included in the idea of "not even the King" is that of a limited state and government. While most orderly and stable governments have generally accepted limits, in our constitutional system, at least in theory, ours is a government of enumerated powers.  The government may do only those things that it is explicitly authorized to do.  Everything else is reserved to the citizen and implicitly forbidden to the state. Our officials, officers, magistrates, and agents swear "to preserve and protect the Constitution." This is in stark contrast to the British who swear allegiance and loyalty to the sovereign, even though their Magna Carta may be the earliest example of express limits on the king.

Included in our understanding of the Rule of law is the presumption of innocence.   Some of us may think of this in terms of the responsibility of the state to bear the burden of proof in criminal trials.  However, this right follows us into the street.  We do not have to demonstrate our innocence in order to be able to travel.  "Driving while Hispanic" is not a crime and cannot be made one, not even in Arizona or Louisiana.  

An Independent judiciary is essential to the rule of law. Whether appointed or elected, the judiciary must, be able to operate without interference from or fear of other branches of government.  Military courts and tribunals are an exception to this rule so they must be used with care and restraint.  

Part of the idea of the rule of law is that of sanctity of contract, i.e., parties must do what they promise to do.   Indeed, a special form of contract, called treaty, is the basis of international law.  While most contracts are routinely carried out, and while they are rarely called upon to do so, under the Rule of Law, the courts may be called upon to adjudicate and enforce contracts.

The rule says the citizen may not be deprived of life or property without due process of law, that is without "following the exact course of the law."  Of course, killing a citizen without charge, indictment, arraignment, bail, timely trial by jury, and right of appeal would violate this principal.  "Nice people do not do that."  States that even pretend to the Rule of Law would not do that.  

While it may not be obvious until stated, the idea of equality before the law is implicit in the idea of the Rule of Law, that is, all are subject to the law.  Not only must the state treat all citizens equally, it must protect one from another.  This idea is troubling in a democracy because it is an exception to the Democratic Rule, the one that says "the majority rules."  Under the Rule of Law, the majority may not use the coercive power of the state to tyrannize and terrorize any minority.  The majority may not use the coercive power of the state to enforce majoritarian orthodoxy.  No thought police.  No censorship. No state religion or prayer.  The state may not compel an oath, any oath, not even one, particularly not one, of allegiance to the state.  

A fundamental test of the Rule of Law is that the citizen should not live in fear.  He should not fear his neighbors; he should not fear the King and his officers.  The citizen surrenders his right to the use of force to the state in return for protection from the thugs.  That is no bargain if he must fear the king more than the thugs.  Many of our minorities live in perpetual fear of the king. Do I have to name them?  We should all keep in mind that if the state can oppress anyone with impunity, it can oppress everyone with immunity.  

Like Liberty, the Rule of Law is indivisible.  The whole depends on each of the parts. One cannot pick and choose among them.  Pull out a brick and the structure falls. Courts, legislatures, law enforcement professionals, even information assurance professionals, and individual citizens must play their role in checking the inherently coercive power of the king and his minions. "The price of liberty is eternal vigilance."

The alternative to the Rule of Law is rule by men, fallible, corruptible, zealous, and ambitious men.  We call it tyranny.  As law enforcement and security professionals, we are often in the role of officers of the state; that is why this is an appropriate forum for this discussion.  We must periodically remind ourselves that we take our oath to the law, not to the majority, not to the state.  To carry out our duties in a professional manner and earn the big bucks, we must  strive for accuracy, honor, restraint, and courtesy.   We must wear the Rule of Law as our uniform, as our only authority.       

Wednesday, July 11, 2012

Decision on Appeal of Patco v. Ocean Bank

On July 3, 2012 the United States Court of Appeals, First Circuit, returned a decision in the appeal of PATCO CONSTRUCTION COMPANY, INC., Plaintiff, Appellant (the customer) v. PEOPLE'S UNITED BANK, d/b/a Ocean Bank, Defendant, Appellee (the bank).  This decision reversed material findings of the lower court and remanded the case to the lower court for processing.  

Specifically, the appeals court reversed the summary judgment granted to Ocean Bank.  It found that this order relied upon a finding that the security offered by Ocean Bank was "commercially reasonable." a finding which the appeals court rejected.  

This is an important decision.  It brings this case into agreement with the decision in Experi-Metals v. Comerica, a case based upon similar facts and law, in which the court held for the plaintiff.  It reduces the probability that The Supreme Court would grant certiari for a further appeal.  It upholds the provisions of Article 4A of the Uniform Commercial Code (UCC) which govern the rights, duties, and liabilities of banks in commercial wire transfer.  The default under this provision is that if the transaction is "not authorized," the bank stands the loss.   This is also consistent with the bank's common law responsibility to ensure that transactions are authorized.  

When I read that this verdict had been reversed, I went back to my blog,
http://whmurray.blogspot.com/search?q=PATCO to review what I had written on the case.  Most of what I wrote stands up pretty well after a year and in light of the verdict on appeal  The exception was my expressed hope that the case would NOT be appealed. I was concerned that it might accept as fact the finding of the lower court that the security procedures were "commercially reasonable" and thereby establish a bad precedent.   Mark Patterson, co-owner of PATCO thought better of it, did appeal, and was vindicated.  Fortunately for all, the appeals court revisited that question as a matter of law.  

Patterson struck a powerful blow for small and mid-size businesses in their asymmetric relationship with their banks.  He says, "It is great news for victims out there who are going after banks that have not been keeping their customers' money secure, (It's) a wake up call."  Kudos to Patterson.

I continue to be impressed with the ability of the courts to sort out these very complicated issues.  This decision is informative, instructive, and easy to read.  Even if one were to dispute it, the decision sets forth a clear record of both facts and law for our consideration, discussion, and enlightenment.  I commend it to all bankers, small to medium businesses and municipalities, information assurance professionals, and those engaged in computer forensics.  One need not be a lawyer or a security professional to appreciate it.  

The facts, documented in and relied upon by the decision, describe the security options available to Ocean Bank in NetTeller, the e-banking application software from Jack Henry & Associates.   These include:
  • UserID and Password
  • One-time-password (OTP) Tokens*
  • Out-of-band Authentication*
  • User selected image for recognizing the bank*
  • Customer Device Recognition by IP address and cookie*
  • Transaction Risk Profiling
  • Challenge-Response based upon shared secrets
  • Dollar Amount threshold for invoking Challenge-Response**
  • Access to intelligence from the eFraud Network including IP addresses of known hostile systems
  • Risk Scoring Reports
Some of these features and implementations are licensed from the security firm, RSA/Cyota. 

Ocean Bank implemented more than half of these features but there was a problem with those they chose not to implement.  First, they did not implement the user selected image, a shared secret, intended to help the customer distinguish between the bank's system and a spoof of it before exposing his credentials.  This feature is sufficiently widely used that false bank sites are not a preferred attack.  

However, they also failed to implement the measures most effective against the favored attack, credential re-play, i.e., out-of-band or one-time-password authentication, and transaction risk scoring and monitoring.  

One of these features they mis-used.  The court agreed with testimony of an expert witness that, by lowering the transaction threshold for invoking challenge-response from only those transactions above $1000- to all transactions above $1-, the bank increased the probability that the responses would be compromised and thereby weakened the system.

After Patco became a customer, Ocean Bank offered out-of-band (e-mail) alerts of all activity on an opt-in basis (Preferences, alerts).  Patco claims that it was unaware of the offer and did not opt-in.  I would argue that out-of-band alerts and confirmations are so efficient that they should be on by default.

Other  facts not in dispute include that Patco hired an "IT Consultant" who ran a "malware scan" against the machine in question.  The scanner, which was intended for remedial rather than forensic use, contaminated the machine and destroyed some evidence.  I hope that none of my audience would have made such gross errors as hiring someone unqualified to do forensic work or failing to conserve evidence.  

The court accepted expert testimony that "at the time in question keylogger malware was a persistent problem throughout the financial industry."  Therefore, the risk that the userID, password, and challenge responses would all be simultaneously captured was foreseeable.  

As a result of this decision, we now know some things with confidence approaching certainty that were in question after the original decision.  These include:

In electronic wire transfer, risk for unauthorized transactions lies primarily with the bank, not the customer.  the burden of proof is on the bank, not the customer.  

The requirement of the UCC that security be "commercially reasonable," trumps the Federal Financial Institution Examination Council, the FFIEC, Authentication Guidance.  Literal compliance with the Guidance may not be 'commercially reasonable."  

"Commercially reasonable" is a higher threshold than previously thought; higher than the banks have pretended.  

The court heard testimony on the pervasiveness of key-loggers and concluded that the risk of credential replay is "foreseeable."  Therefore, by default, "strong authentication" to resist such re-play is indicated.

However, such authentication is not enough.  In determining whether or not a transaction is "authorized," and again by default, banks must look beyond the credentials accompanying it to whether the transaction is reasonable for the customer in question. 

Some things are still in doubt, and some questions still open.  For example, 

We think we know that there was a key-logger on the Patco machine.  However, because Patco's agent corrupted the machine, we will never know to a certainty. 

The record is not clear as to whether "alerts" were offered or accepted.

Finally and most importantly, we still do not know what obligations, if any, Patco had if the security offered by the bank is "commercially unreasonable."  Under Article 4A there is an alternate to "commercially reasonable" security as a means for the bank to shift some or all of the liability to the customer.  Only the first was actually litigated in Patco v. Ocean Bank.  The second, authorization by means of an agreed upon security procedure, was not reached or considered by the lower court.  Under the remand, this question may arise.  There is a difference between the Patco and the bank as to whether there was such an agreement, what it called for, and whether or not Patco met its responsibility under such an agreement. 

The advice that we as information assurance and forensic professionals give our principals must reflect this decision.  

This is not "rocket science."  NetTeller and other commercial-off-the-shelf (COTS) software offer both strong authentication options and software for scoring the risk of a transaction.  

We should make it clear to our business clients that, while the bank must take the risk for an unauthorized transaction, the bank is not responsible for consequential damages.  Moreover, the bank will try to transfer this fundamental responsibility to them by contract.   They should choose their banks carefully, ensure that the bank offers "commercially reasonable" security, and understand and comply with their agreement with the bank.  Specifically, they should  reconcile their accounts in a timely manner, and reconcile variances promptly.  By default, "timely" equates to daily.  Finally, they must resist compromise of their systems and credentials.  I use my iPad for e-banking and recommend to my clients that they use a dedicated and locked down system for e-banking.  

It should be clear from the facts and findings in this case that both the bank and the customer, both acting in good faith, did counter-productive, not to say "stupid," things.  Neither our bank or our small business clients are experts in security.  Left only to their own resources, they are vulnerable to costly, not to say fatal, errors.  They are dependent upon us.  We owe them diligence and competence if we are to be called professionals and be paid the big bucks.

Monday, July 2, 2012

Robin Hood was a Thug

When I was a boy, I thought that the English were the most noble of all people.  I was Irish Catholic and of Scottish decent; I still thought they were heroes.  They had great propaganda.  They won every movie that I ever saw.  Generations later comes Mel Gibson and they started to lose their luster.

One of the great Saxon heroes was Robert of Locksley, AKA "Robin Hood."  Talk about good PR.  He was played by every popular leading man from Errol Flynn to Kevin Costner, Russell Crowe, and Sir Sean Connery.  His legend was that "he stole from the rich and gave to the poor."  Who does that sound like?  In any case, he did it by force.  He was a thug, a hoodlum, a terrorist, a vigilante, and a bully.  

Today we have a competition as to who is going to be the biggest bully on the block called the Internet.  We have lots of candidates from criminals to nation states.

First we have the publishing industry personified by the RIAA and the MPAA. They missed the message from Steve Jobs about how to become rich in a world of diminishing reproduction cost; "Lower your prices and make it up on volume." a message as old as the Gutenberg press.  Instead they are attempting to use their money to co-opt the coercive power of government to force everyone else, particularly all Internet service providers and users, to bear the cost of a losing battle to enforce their obsolete business model.

One of their attempts to do this is CISPA, the so-called Cyber Intelligence Sharing and Protection Act, but there is no shortage of bills in congress that favor them at the expense of the ordinary law-abiding Internet user.  This obnoxious law all but eviscerates the Fourth Amendment, by granting immunity from both criminal and civil liability to both government and industry for sharing and using personal data for any intelligence gathering, investigation or prosecution purpose.  About all it requires is that a perpetrator assert that they had a "good faith" belief that they were on the side of the angels.  One effect is to shift the burden of proof from the perpetrator to the victim.  Lots of luck with that. 

Then there is our avenging vigilante, Anonymous.  Admittedly, Anonymous tends to "afflict the powerful" but otherwise seems to be arbitrary in its selection of targets.  While one may sometimes be sympathetic with their choice, one is often outraged.  Moreover, almost any two people will disagree over their choices.

Microsoft has recently embarked upon a program to disable bot-nets by taking down their command and control nodes.  While Microsoft is transparent, accountable, and subjects their action to prior approval of a court, this is still an exercise of power.  Not just anyone could do this.  Google and FaceBook are similarly powerful.  They have information about us that dwarfs the imagination.  It  is the power that we fear.  We fear Google, who assures us that they would 'do no evil.' no less than FaceBook, that admits to, not to say brags about, being amoral.  

In a recent report to Congress, the DoD asserted that the People's Republic of China is engaged in a massive electronic espionage program targeting our industry.  Troubling if true, but suspect because government lies and is amoral.  On the other hand, the PRC is clearly a target of the world's largest and most capable intelligence apparatus, the National Security Agency.  

Our government would have us believe that China's efforts are different from ours at least to the extent that they target our industry and share the product with their businesses.  I doubt that the Chinese appreciate this sophistry.  Again there is the problem of trust in government, in general, and NSA in particular.   By turning NSA on its citizens, in patent violation of the law, the government has destroyed a generation of trust and the trust of a generation.  

Perhaps the biggest bully on our block is the United States Department of Defense.  They used computer software and the Internet to conduct sabotage against another sovereign nation in peacetime.  At the same time, they published rules of engagement that said that they could retaliate with armed force against any other nation that did the same to them.  Sounds like school yard ethics to me.  Of course, the best behavior that we can expect of government is political, never ethical; we cannot even agree on the politics.

We have two defenses against these bullies.  First, we can demand transparency and accountability.  Second, we can insist upon the requirement for warrants.

Of course, the thugs, particularly the government, resist accountability and transparency.   "Anonymous" tells you in their name that they do not intend to be transparent.   In the case of Operation Fast and Furious, illegal on its face, the Department of Justice, has resisted all attempts to hold anyone accountable.  Indeed, the refusal of the Obama administration to produce evidence is now seen as more important than the original egregious offense.  

The government has all kinds of excuses for resisting any investigation of its crimes.  These range all the way from protecting ongoing investigations, sources and methods, to executive privilege.  Indeed in the case of Fast and Furious, the government appears to have initiated an investigation of itself in order to create a shield against congressional oversight.  We are told that our need to hold government accountable must yield to the needs of the government rather than the other way around.  

The government resists the use of warrants even when there is probable cause and issuance would be all but automatic.  For example, instead of getting a warrant to install a tracking device on the vehicle of a citizen suspected of trafficking  in  scheduled drugs, the administration installed the device and asserted that a warrant was not required.  Could it be that they spent all of that time, money, and effort defending the absence of a warrant just so the citizen would fear "unreasonable searches and seizures,"  the Fourth Amendment notwithstanding. 

CISPA is another case where the government seeks to overcome the Constitutional requirement for a warrant.  CISPA simply creates a legislative exception to the Constitutional requirement.  One would hope that the courts will hold such a law unconstitutional.  Indeed, one would hope that a courageous Congress would never pass such a law.  

The Rule of Law stands in perpetual peril, here and around the world. While the bullies do, and should, provoke fear, they are also justified and protected by fear. Our fear of retaliation, the judgment of our peers, firing, civil suits, rejection by primary electorates, criminal indictments, terrorists, competition from China, misuse and abuse of personal data, financial fraud, denial of service, and leakage or loss of data are being used by the bullies to justify their power.  Little wonder that we feel like mice in a world of giants.  While some of the fear is natural and perhaps even justified, the consequences of yielding to it, and acting from it, are to be feared far more.

In my school yard there was a hero who stood up to the bullies.  His name was Sammy Ina and I wanted to be just like him, a hero.  I stand in awe of the three hundred fireman who died on 9/11 because "it was their job."  

As law enforcement and information assurance professionals it is our job to resist the bullies, to insist upon transparency and accountability for ourselves and all others, to act only with warrants based upon probable cause, to protect the citizen, and to go into harms way.  It is our job to be, not just professionals and earn the big bucks, but to be heroes.