Category Archives: Legal

Feds Talk About Using Software Bugs Against You

Under President Obama, the feds created this non binding policy document called the Vulnerability Equities Process.  This came after Snowden disclosed a long assumed fact that the spy organizations were hoarding bugs to use against whomever they wanted to rather than telling the developers about them so that they could be fixed.  Of course, we are hardly alone in doing that.  Every country likely does that.

The policy was kind of loose and since it wasn’t a law, people sometimes followed the directive and sometimes didn’t – but of course, we never knew anything about it.  It was one of those “We’re from the government, we’re here to help you – trust us”.

Even the government admitted that the policy wasn’t super effective, but nothing changed.  This week they rolled out – with not much fanfare (it was released by a mid level White House bureaucrat) – Vulnerability Equities Process 2, the sequel.

One thing this new document did was explain at least some of the process, who is involved and what the guidelines are.  It also says that the government needs to report on an annual basis some statistics – how many bugs were hoarded and how many shared with the vendors.

Of course this is still just a policy document, so it really carries very little weight and no penalty at all.

This new document comes on the heels of a Freedom of Information Act LAWSUIT.  Maybe just a coincidence, but more likely, the government probably felt more dirty laundry would come out during discovery and trial and if they dribbled out a little bit of information, maybe the lawsuit will go away.  Stay tuned on that count.

The board that decides these things consists of representatives from 10 agencies including the CIA, Defense, Justice, Treasury and other agencies.

The board is supposed to consider how broadly the product affected is being used, how easy it might be for someone else like the Chinese to discover the same bug and what the consequences might be if the Chinese, for example, did discover some bug that the government is hoarding.

The new policy says that the executive branch has to generate both a classified and unclassified report to Congress.  We will see when the first report happens and what it looks like.

One hole in this policy the size of an 18 wheeler is that if a bug is disclosed to the government by a white or black hat hacker under an NDA (which is pretty common), then they don’t have to go through the process.  I guess it would be nice to have a stat on how many bugs slipped through that loophole and whether the government is suggesting to people who want to share a bug with them “hey, I think you should do this under an NSA.  Oh, oops, I meant NDA.”

 

Information for this post came from Dark Reading.

Facebooktwitterredditlinkedinmailby feather

Between Snowden and Shadow Broker, NSA has a Problem

The NSA hasn’t had a great few years.  And it isn’t getting any better.

First it was Snowden and dumping documents on seemingly a weekly basis.  There were two schools of thought regarding Snowden.  Some said he was a hero for disclosing illegal government actions  Others said that he was a traitor for disclosing national security secrets.  The leaks seem to have stopped at this point.  For now!

There are a couple of important distinctions about Snowden.  First, we know who he is and where he is.  Second, he disclosed documentation.  Directions.  Information.

The second major breach is the Shadow Brokers.  Where Snowden leaked documents, Shadow Brokers leaked tools.  Going back to those distinctions, we do not know WHO the Shadow Brokers are or WHERE they are.  These tools are now available on the open market and while some of the flaws these tools exploited have been patched, it doesn’t mean that people have applied those patches.  Remember the WannaCry infection that cost Fedex $300 million and Merck $600 million – so far?  Yup.  One of those tools that was released.  And for which there were patches issued but not applied.  And that was only ONE of the tools.

The New York Times ran a great article on the issue yesterday (see link below) that talks about how these breaches have affected the NSA (and the CIA with its own leaks).

The problem is that with so many employees and contractors, and the ease with which someone can sneak out a gigabyte of data on a device the size of your finger tip, it is a hard problem.

So they have been conducting witch hunts.  Given that they don’t know who or how many bad guys there are, they really don’t have much of a choice, but that certainly doesn’t improve morale.

One of the guys the Times interviewed for the article was a former TAO operative.  TAO is the NSA’s most elite group of hackers.  He said that Shadow Broker had details that even most of his fellow NSA employees didn’t have, so exactly how big is this leak anyway?  And is the leaker still there?  Is the leaker an insider?  Or have the Ruskies totally penetrated the NSA?

And, of course, the NSA has to start over finding new bugs in systems since the vendors have, in many cases, patched the bugs that the NSA tools used.  Then we have that NSA developer in Vietnam who took homework and ultimately fed it to the Ruskies – not on purpose, but the effect is the same.

It just hasn’t been a good couple of years for the NSA or the intelligence community.  On the other hand, as we hear more about the hacking of the elections last year, the Russians seem to be doing pretty well.

One last thought before I wrap this up.

The government, many years ago, decided that OFFENSIVE security was much more important than DEFENSIVE security.  This is why the NSA hordes security vulnerabilities instead of telling the vendors to fix them.  Maybe that is an idea that needs to change.  It certainly does not seem to be working out very well for the American citizens and businesses.

Until that happens, you are pretty much on your own.  Just sayin’.

Information for this post came from a great article in the New York Times.

Facebooktwitterredditlinkedinmailby feather

NY Introduces Tough New Cyber Security Bill

New York already has one of the toughest cyber security regulations in the country, but it only applies to financial services firms like banks, mortgage companies and investment advisors.

After the Equifax breach, New York Governor Andrew Cuomo proposed that they add credit reporting agencies to the list of companies covered by the New York regulation called DFS 500.

This week New York Attorney General Eric Schneiderman proposed tough new legislation that would increase the coverage of New York law to all companies who handle non-public information of New York residents.  Schneiderman says that the update is needed.

The Stop Hacks and Improve Electronic Data SecuritY or SHIELD Act was introduced in both legislative houses.

Schneiderman said that his office received notice of 1,300 breaches in 2016, a SIXTY PERCENT INCREASE over the previous year.

Some business officials wondered how it would be enforced on out of state companies, but a similar requirement currently exists in a number of other states.

The law has modest penalties – up to $5,000 per violations or $20 per failed notification, up to $250,000.  Compare this to the new data privacy law in Europe which allows for fines of 20 MILLION Euros or more.

For small businesses of less than 50  employees and some other requirements would only have to implement security appropriate for the size of the company and the risk.

The law also says that companies that obtain independent certification of their security practices and achieve high marks would be immune from enforcement actions.  This is a great incentive to conduct annual cyber risk assessments.

The Business Council of New York State, a trade group of over 2,000 businesses said that businesses are not bad actors and are interested in protecting their customer’s data.   If that is true, they should be conducting an annual independent third party risk assessment anyway and if their program comes away with high marks, they have immunity.  So, if the do protect their customer’s data effectively, they have nothing to worry about from this bill, even if they do get breached.

Schneiderman has a reputation of being tough on companies that get breached and hackers who breach companies, so this new bill is not unexpected.

Information for this post came from Law.com.

The text of the bill can be found here.

Facebooktwitterredditlinkedinmailby feather

Another International Law Firm Hacked

You might think that after the Panama Papers breach in which the law firm of Mossack Fonseca was hacked and 11 million documents exposed – including ones that forced the prime minister of Iceland to resign and the prime minister of Pakistan to be removed from office – that law firms around the world would have stepped up their cyber security efforts.

I am sure that some have improved their security while others have made minor efforts to improve it, but it is not working.  Until clients of these same law firms start conducting frequent cyber security audits of those firms, it is unlikely that significant changes will be made in the industry.

Remember that security and convenience oppose each other and security costs money.  If their clients are not demanding that they spend money on security, they likely will spend that money elsewhere.

So what is this week’s news?

The Bermuda based law firm Appleby, with 10 offices around the world and around 470 staffers admitted this week that they had been hacked.   The hack, they said, occurred last year.  That hack was not disclosed at the time and legally they were probably not required to do so. The only reason they are talking about it now is that the international investigative journalist group ICIJ was given at least some of the documents and has been pouring through them and asking embarrassing questions.

Apparently, clients of the firm include the rich and the famous, especially in Britain, possibly including some Royals.  While the firm says that try to do things lawfully, “no one is perfect”.  Whether what the two prime ministers who were exposed in the Panama Papers breach were doing things legally or not, the court of public opinion didn’t think what they were doing was appropriate.

When members of the rich and the famous get exposed doing things that may be legal or may be shady or may be perceived as illegal by the masses, that is not good for their public image.

The apparent threat that these documents are now going to be published probably scared the poop out some of the firm’s clients, which forced them to admit the breach.

This brings us to an important point.  In the United States (and the firm has no offices in the U.S.; their offices are mostly in tax havens), companies that are hacked are required to disclose that fact ONLY UNDER SOME, LIMITED, CIRCUMSTANCES.  If personally identifiable health care information is breached, if payment card information is breached and if non-public personal information as defined in the various state’s laws is breached, for example – then, assuming the data wasn’t encrypted, etc. etc. – the companies have to fess up to the breach.

If, however, if the breach did not expose that kind of information  – say it exposed your company’s not yet filed patent applications or information regarding a merger or information regarding an off-shore business transaction – then maybe that information does not have to be disclosed – either publicly or even to the client.

For U.S. based law firms, the American Bar Association has created model ethics clauses for states to adopt – some have been adopted and  others not – that says that attorneys should try to protect client information, but the wording is a bit loose.

As a client of a law firm, your CONTRACT with that firm can certainly be a tight as the two parties agree for it to be (assuming the terms are legal, of course).  You, as a client of a law firm, for example, can say that if you want me as a customer then if you suffer a breach and my information is exposed, then you must notify me within, say 72 hours.  That would put the onus on the law firm.  For small clients that is a difficult issue to force.  For larger clients, it is less difficult.  That doesn’t mean that lawyers, as good negotiators, won’t try to make the terms more favorable to them and you can’t blame them for wanting to do that.  Still, you have a say in the matter and you can always choose to find another firm.  There are lots of law firms in the country.

While there are probably thousands of clients of the Appleby law firm that are currently holding their breath, this, along with the multiple other law firms that have been hacked, should act as a wake-up call to clients to push their law firms to improve security.

I would think that most reputable law firms REALLY don’t want to have their client’s information compromised, independent of ethics rules or client contracts, but security is both inconvenient and expensive.

However, so is being hacked,  as is having your name dragged through the mud and losing clients.

Since many of the largest breaches in the U.S. are the result of vendors being hacked (think Target or Office of Personnel Management, for example), we work with clients to create a vendor cyber risk management program to tighten up the parameters of their vendor contracts and cyber security programs.

Stay tuned; there is likely to be more fallout from this breach.

Information for this post came from The Register.

Facebooktwitterredditlinkedinmailby feather

Is Treasury Breaking the Law – The Jury Is Still Out

According to reports – and denied by the government – The US Department of the Treasury is either creatively stretching the definition of certain laws or outright breaking them.  It is likely that we will hear more about this over time.

The story goes like this.  There is a part of Treasury called FINCEN or Financial Crimes Enforcement Network, which, under law, receives reports of suspicious activity from banks and other financial institutions.  The purpose of these reports is to detect money laundering and other financial crimes.  This is all well within the law and FINCEN has been doing this for years.

There is another part of Treasury called the Office of Intelligence and Analysis or OIA.  This is a foreign intelligence group tasked with gathering intelligence on foreigners.

But, under certain circumstances and with certain privacy protections, OIA can access FINCEN’s data.

But what happens if Treasury placed OIA employees inside FINCEN and those employees searched for information on U.S. citizens, possibly in violation of the law.

Treasury first issued a one sentence denial and later Treasury issued a longer two sentence denial while at the same time said that OIA and FINCEN do share important information and operate within the bounds of the law.

The Treasury Inspector General has launched a review and said that they had no further content.

On the other side of the argument, a number of Treasury employees have said, off the record, that “this is domestic spying”.

Sources said that the spying had been going on under President Obama, but has continued under President Trump.

And sources also say that officials from CIA and Defense Intelligence Agency have come to work at OIA for as little as a week, at which time they got access to information on U.S. citizens that they could not get legally without this arrangement.

To turn this completely into a soap opera, apparently last year Treasury’s Office of Terrorism and Financial Intelligence proposed transferring much of FINCEN’s work to OIA, along with the budget and staff.  That certainly could upset FINCEN “whistle blowers”.  They said that OIA, part of the intelligence community, could not collect information on U.S. citizens unless it complied with Executive Order 12333 issued by President Reagan and reissued by President Bush, which sets rules on collecting intel on U.S. citizens, among other rules.  The EO requires certain privacy rules, approved by the Attorney General, and those rules did not exist at the time.   When FINCEN asked to review those guidelines, they were, they said, removed from the conversation.  These guidelines, apparently, have still not been approved by AG Sessions.

Some FINCEN employees have complained to Congress, but Congress doesn’t seem to have done much about it.  Possibly in light of some publicity, they may decide it should have a higher priority.

At this point it appears to be the stuff that prime time soap operas are made of and it is completely unclear what the truth is.

Information for this post came from Buzzfeed.

Facebooktwitterredditlinkedinmailby feather

What Will it Take To End Cyber Breaches

As I write this, a couple of very large and very significant breaches have recently either taken place or been revealed – specifically Yahoo’s breach impacting 3 billion users and Equifax’s breach affecting at least 145 million.

But there are countless other breaches every day – in fact so many that most don’t even make it to the news, even if they are disclosed.

And, there are many more that are not disclosed because the owner of the system  isn’t aware of it.

Both Deloitte and Accenture left data exposed and the only reason they were shut down was that someone outside the organization told them about it.

so how do we fix this problem?  Unfortunately, there is no easy answer, but here are some thoughts to mull over.

  • Consumers don’t really care about credit card and bank account breaches because they have limited to no liability and doing something about it requires work.  In the situation where there is really no upside for the consumer, they are not motivated to expend effort.  If consumers were liable (which is not likely to happen), they would be much more motivated to improve their security – like by not making the password to their account password or 123456 – the two most popular passwords, year after year.  So how do we get consumers more motivated?  I don’t know, but it is a great question.
  • Two factor authentication (2FA) – 2FA is a way to log in that requires you to provide something you know (like a password) and something you have (like a one time PIN on your phone).  But this makes it harder for the user to use the site and that is the last thing that a business wants and there is no law that requires it, so, in the interest of not driving away customers, businesses don’t require it – not even most banks.  In fact, numbers that I have heard say that 1-2 percent of the users have turned on two factor authentication.  Possibility – may two factor authentication mandatory.
  • Cyber insurance – even in the face of all these breaches, many businesses – maybe over half – do not have cyber insurance.  Information from the insurance carriers say that about 12 percent of drivers involved in accidents don’t have insurance, even though insurance is mandatory.  Should cyber insurance be mandatory?  Currently, insurance carriers do ask businesses to fill out a form in order to get cyber insurance, but I have never heard of anyone being turned down.  Maybe it happens, but not very often.
  • CEO personal liability – in rare cases the CEO gets fired after a breach.  The CEO of Equifax “retired” after the breach, but the company will pay him $90 million over the next couple of years to go away.  That doesn’t seem like much of a punishment.  Should CEOs be personally liable?  Sarbanes Oxley has such a personal liability clause and it isn’t very popular.  I also cannot remember when any CEO was fined or jailed over that liability, so it doesn’t seem like it either works or is used much.
  • Lawsuits – after every breach there are lawsuits.  Lawsuits against everyone – executives, Boards, companies – you name it.  Most of these lawsuits are dismissed for “lack of standing”.  Even in the rare cases where they are settled, the amounts are small – $25 million in the case of one of the Target lawsuits.  For a multi-billion dollar company like Target, they consider that less expensive than fixing the problem.
  • Europe – now this one is dicey.  Starting next May, for companies that do business in the European Union, the government can fine companies that have a PRIVACY breach up to 20 million Euros or 4 percent of their GLOBAL REVENUE, whichever is more.  For a company like yahoo with revenue of a little more than a billion dollars, a 4 percent fine could amount to as much as $50 million dollars.  While that won’t make Yahoo go broke, it will hurt.  A 20 million Euro fine will definitely make smaller companies wince.  Should the U.S. do something like this.

I don’t have the answers, but I am interested in what you think.  Let me know and I will publish your comments in a future post.

Facebooktwitterredditlinkedinmailby feather