Tuesday, May 25, 2021

Should Paying Ransom be Illegal?

 Today Bank Info Security raised this question at:  https://tinyurl.com/on-paying-ransom

It seems clear that, at least collectively, we are highly vulnerable to breaches and extortion.  In order to take part of the profit out of such extortion we need to raise the cost of attack against our systems tenfold.  Not only will that take time but it may also require additional motivation; too many enterprises are electing to accept, rather than mitigate, the risk.  We know how to increase security; we lack sufficient motivation.  

It seems equally clear that paying ransom may be good for the enterprise and the perpetrators while putting the infrastructure, society, and national security at ever higher risk.  We need to discourage such payments.  This includes not being able to assign the risk to underwriters, as AXA has already said.  Such insurance creates a "moral hazard."  

Historically, I have opposed "punishing the victim" as a means of encouraging better security.  We managed to discourage the old "protection" rackets without resorting to that.   However, something must be done; society cannot leave the acceptance of existential risk to any of thousands of enterprises.  

Consider sanctions for paying extortion that escalate over time on a steep, but announced, schedule.  This could increase the motive to improve security while allowing the time necessary to do it.  

Finally, as with the protection rackets, there must be a law enforcement component to our response.  We cannot put all of the responsibility for protecting society from this risk on the potential victims.  Part of this response might include funding law enforcement out of fines imposed.  Another part might include so regulating digital currency as to make it easier to "follow the money."  We may decide that we cannot tolerate anonymous receipt of funds.

Friday, May 14, 2021

The Biden Executive Order

There is nothing like long lines at the gas pumps to get the attention of government.  This is an initiative that is long overdue.  There is a great deal to do.  Cyber is the infrastructure that we use to operate all the others, particularly to include energy and finance, and it is all too fragile and porous for the reliance that we have upon it.  

It is good to see that "zero trust" made the list.  The concept goes back to the mainframe and many of us have been actively promoting it for the internet for years.  It is important to use it both horizontally, that is system to system and service to service, and vertically, through the layers of the application.  

Zero Trust requires strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) both user to system and process to process.  One cannot trust a process whose identity is not reliable.  If strong authentication is not the single most effective and efficient measure at our disposal, it is certainly among the top three.  It deserves its own mention.  
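As an added illustration of "resistant to replay" (example code written for this page, not the author's): the server issues a one-time nonce and the client proves possession of a shared secret with an HMAC over it, so a captured response is useless a second time or against a fresh challenge. The identity name and shared secret are constructed values.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Server side of a nonce-based challenge-response check (hypothetical).

    The shared secret stands in for the replay-resistant second factor,
    e.g. a key held in a hardware token or a workload's service credential.
    """

    def __init__(self, keys):
        self.keys = keys            # identity -> shared secret (constructed)
        self.outstanding = {}       # identity -> nonce not yet answered
        self.seen = set()           # every nonce ever accepted

    def challenge(self, ident):
        nonce = secrets.token_bytes(16)
        self.outstanding[ident] = nonce
        return nonce

    def verify(self, ident, nonce, response):
        # The nonce must be the one currently outstanding and never used before.
        if self.outstanding.get(ident) != nonce or nonce in self.seen:
            return False
        self.seen.add(nonce)
        del self.outstanding[ident]
        expected = hmac.new(self.keys[ident], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(secret, nonce):
    """Client side: bind proof of the secret to this challenge only."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    secret = b"constructed-shared-secret"
    v = Verifier({"svc-a": secret})
    n1 = v.challenge("svc-a")
    r1 = respond(secret, n1)
    first = v.verify("svc-a", n1, r1)    # genuine exchange succeeds
    replay = v.verify("svc-a", n1, r1)   # same capture again: nonce consumed
    n2 = v.challenge("svc-a")
    stale = v.verify("svc-a", n2, r1)    # capture against a new challenge
    return first, replay, stale
```

A static password fails both of the latter checks by construction, since the same bytes are valid on every presentation.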

Zero trust also implies resistance to lateral compromise within the enterprise.  It should not be possible to compromise an entire enterprise simply by getting one user to click on a bait message in an e-mail or on a website.  In addition to resistance to fraudulent credential replay, we need structured networks.  I would like to see end-to-end application-layer encryption but, at least in the short run, I would settle for network segmentation and layering.  

I am glad that it addresses software quality.  However, the practice here is so shoddy and the contributors so many that simply saying we will address it through government purchasing power will not be enough.  Nor can we rely on training alone.  We need systems and development processes that make it much easier to do it right than to do it wrong.  

I would like to have seen the order address accountability and transparency for privileged users.  Edward Snowden should not have been able to run rampant through a network that one would have expected to be "secure."  It is ironic that the place that we are most likely to see shared credentials is among privileged users.  Wherever there are two or more privileged users per shift, we need privileged access policy and management systems.  

We cannot continue to allow just any amateur to connect anything they like to the public networks.  While it may require legislation, we must require that only mechanisms built by professionals to infrastructure standards (e.g., built for the ages, failing in an orderly and safe manner, resistant to easily anticipated misuse and abuse) can attach directly to the public networks.  As we need structured networks within the enterprise, we need structure within the Internet.  

We also need to have accountability for suppliers who distribute (malicious) code that they did not write.  This too may require legislation but a class action suit against SolarWinds would be a start.  

The Biden Executive Order is a start but only a start.  There is much to do.  Let us get on with it.