The Problem Of Attribution Of Cyber Attacks

In some sense, cyber attacks are no different that physical world attacks;  in other ways, they are completely different.

Let’s assume that you did not physically catch some bad guys that broke into a building.  Do you know who broke in?  On rare occasions they leave something behind – there have been instances so rare that they make the news –  where a perpetrator drops a wallet or ID card behind.  Even then, how do you know the wallet that was dropped wasn’t stolen and then dropped.   Sometimes the police get a lead, find that person and they still have the stolen stuff – that’s pretty conclusive.  What if what was stolen was money?  You can’t say “that $20 bill over there looks like mine”.  Most of the time, you can rule out people who don’t live nearby.  It is reasonable to assume – and it is an assumption  – that someone is not going to travel from India to break into your house and steal your TV – the economics don’t work.

Cyber attacks are different.  It could be anyone with access to an Internet connection.  That narrows it down to say 2-3 billion people.  Easy job.  Since it is no harder to launch an attack on your company from 5,000 miles away than it is to launch it from 5 feet away, you can’t rule out anyone.

There are stupid cyber attacks just like there are stupid burglars, but in both cases they are likely to get caught, so I will dismiss those attacks.

The reason attribution is so important is that we want to catch the attackers.  If we cannot attribute the attack, it is hard to go after them.

The case in point is the Sony attack.  The FBI, based on forensic evidence, says it came from North Korea and it was sponsored by the North Korean government.  North Korea denies it.  Other people say it was Russia.  Still others say is was some former disgruntled Sony employees.  Others say it was a combination.  The U.S. decided to retaliate against North Korea because we don’t like them anyway, but in reality, the evidence is circumstantial.

Could some Russian hackers have reused  Korean code and servers?  Could the Russian government have paid North Korean hackers?  Were they even in North Korea?  Some people say the attackers were in Japan.

Since we don’t like North Korea anyway, it really is no big deal to us if we mis-attribute the attack to them, but what if the attack originated someplace else?  The FBI gets to claim credit, sort of (no one gets charged with a crime, gets convicted or spends time in jail). From what has been released to the media, we really don’t know who the actual attackers are.  If the attackers were in a country that we have a better relationship with, we are unlikely to issue sanctions against, say, Germany.  And, issuing sanctions doesn’t hurt the hackers – they go on their merry way.

The bottom line is that just like some murders are not solved, some cyber crimes are not solved either.  The difference is the percentage.  Especially for smaller cyber attacks, the police don’t have the resources to follow up on the attacks (they are not likely to fly to Ukraine to check up on a lead and the Ukrainian police have other things to do that are more important to them).  The reality is that many, if not most, cyber attacks are not solved.

If you have the right kind of cyber insurance it will help lessen the financial impact, but don’t count on the attackers being caught.  It just doesn’t happen very often.  Even for high profile attacks.  Have the Target attackers been caught?  What about the Home Depot attackers?  What about the J.P. Morgan Chase hackers?  Given that, how likely is it that the hacker that broke into some small or medium size business will be caught?  And, even if they are, then what?  Likely, they don’t have the money to pay for your damages.  And, that won’t repair your reputation.

In this sense, cyber attacks are quite different from physical attacks.  If someone steals your car and you have the right kind of insurance, you get a replacement car.  Yes, there is some hassle and time, but overall, it is pretty clean.  And, other than the few people you tell about it, no one knows about it.  And unless you left your key in the car, your reputation isn’t tarnished.

If someone takes down your website or defaces it or steals your customer data, it is much harder to hide the fact.  In most states, you are required by law to tell your customers, who tell the media, who tell the world.  And much harder to be made whole again.  Damage to your reputation is very difficult to repair.

You can hope that the hackers pass over you or you can spend some time and effort making it harder for them.  That time and effort could improve the odds that the hackers will looker for an easier target.

Remember, while the attack on Target was annoying, an attack on your home or business gets personal really quickly.

 

Mitch

 

 

Facebooktwitterredditlinkedinmailby feather

FBI gets creative on when they need a search warrant

The media has been talking about the feds running Stingrays and Dirtboxes to gather cell phone data on potentially thousands of Americans.  The government’s take on this has been that a warrant is not required.

The FBI made their position known in a private briefing to the Senate Judiciary Committee last week.  The result was a letter made public by Sens Grassley (R-IA) and Leahy (D-VT) that said:

For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

So, basically, the FBI is saying that if you are in public, you are fair game, no matter what or where.  For example –

The feds tried to convince the courts that they should be able to secretly and without a warrant, attach a GPS tracking device to a suspect’s car.  The feds got a conviction for dealing cocaine, apparently, partially, as a result of the GPS data.  The case went up to the Supremes and they ruled that a warrant was required.

The administration also attached a webcam to a light pole a hundred yards away from a suspect’s house with remote pan, tilt and zoom capability.  From hundreds of miles away, they could watch this suspect, look in the trunk of his car, look in his front window, etc.  He lived in a rural area, so he had the expectation of not having neighbors watching his every move.  The feds saw him shooting target practice in his yard, which is illegal in his county,  and based on that, got a warrant and found 4 guns and a few grams of meth.  A federal judge threw out the evidence.  The judge said that probable cause and a warrant was needed to conduct 24×7 surveillance of an individual, even in public.  Interestingly, when the police raided his house, the camera was pointed not at his front door, but rather at some sagebrush nearby.  Apparently, the judge noticed that fact as well..

The authorities want to keep information on Stingrays quiet.  Harris Corporation even requires cops to sign a non-disclosure agreement before they sell them one and recently the Baltimore cops dropped their charges against someone rather than let that information see the light of day.  My guess is that they don’t want the bad guys to understand how effective these devices are, but likely, you only catch stupid bad guys this way.  The smarter ones understand that cell phones, at least ones that are not burners, are like a homing beacon tied directly to you.

The Senate Judiciary committee is becoming more interested in these boxes, so I suspect it is a matter of time before we get more information.

What is clear is that law enforcement will push the boundaries as they try to do their jobs.  Recently, when the Sarasota police were going to be forced to turn over records on Stingray use under Florida public records laws, magically, the detective who was using them became a special deputy for the U.S. Marshal Service and the records were moved to a different location hundreds of miles away.  Legal experts think this technique will not hold up.

While there certainly is a balancing act between catching bad guys and suspect’s rights, it appears that vigilance is required to keep the good guys honest.  This is not the last act in this play.

Before you say that we should do whatever we can to put away bad guys, absent some form of independent review there is nothing to stop the operator of a Stingray from pointing it at you – just because he can.

Mitch

Facebooktwitterredditlinkedinmailby feather

New California Data Privacy Laws for 2015

As has been the case for more than 10 years, California leads the way, for better or worse, for the rest of the country in protecting resident’s privacy.  Their original breach law, SB 1386, is the model for laws for the rest of the country.

So, what is new in 2015 – read on.  If SB 1386 is any indication, expect to see this in a legislature near you soon.

REMEMBER, one of the big challenges for businesses is that many laws cover people based on WHERE THEY LIVE, not where you live.  So, if you have a business in Dallas, Texas and a California resident uses your web site, you are required to follow California law and if you don’t the California Attorney General can (and has in the past) come after you.  AND, you have to defend yourself in Sacramento, not Dallas. Small breach and they are not likely to visit you.  Bigger breach and they might.

  • SB 568 extends the federal law for protecting minors online (COPPA).  COPPA defines kids as anyone under the age of 13;  SB 568 defines it as anyone under the age of 18.  So, if you have a web site that may attract Cali residents under the age of 18, this law affects you.
  • AB 1710 removes the wiggle room in the old law.  The old law talked about owning or licensing information.  The new law says if you MAINTAIN information on a California resident you must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”  Of course, reasonable is not defined, but there likely will be some discussion about what is reasonable if you are breached.
  • There are several new laws that govern information collected by third parties and schools about pupils and how that information may be used.

For more details, see this article.

Facebooktwitterredditlinkedinmailby feather

First Party vs. Third Party Cyber Liability Insurance

For those of us who are not insurance experts, the distinction may not be obvious.  As explained in more detail here, the difference is in who experiences the loss.

First party coverage covers damage to your business such as costs of notifying customers, purchasing credit monitoring services, repairing reputational damage or paying a cyber extortionist.

Third party coverage covers things like costs related to the theft, misuse or disclosure of other people’s information (customers, for example) that is stored on your network or infringement of the right to privacy, among others.  Third party coverage is more common.

This article discusses some of the myths surrounding first party coverage.

Another article, “Sizing Up Cyber Risks After The Sony Breach” says that DHS reported, after a late 2012 cyber security insurance workshop, that first party coverage is “expensive, rare and largely unattractive”.

Some people thought that their general commercial liability coverage (GCL) included cyber risks.  Some used to years ago, but very few do today as many breach victims have discovered after the fact.

The important point here is that cyber liability policies do not have standard state mandated language, so it is important, as part of your business risk analysis process to document what risks you want to be covered for and then validate that the coverage you currently have or are planning to buy provides you with the coverage you need.  To do this effectively you need to estimate your costs from a cyber breach in each and every category so that you can figure out what you can and are willing to absorb internally vs. getting help from your insurance carrier to cover.  Unfortunately, this is neither a simple nor exact process.

Parting thought — you cannot do this review after you are the victim of a cyber breach.  Even though everyone hopes it is going to happen to the other guy, that is not always the case.  Although Target, Home Depot and Sony get the press coverage, the breach that hit the Jimmy Johns sandwich chain this year, for example, also hit hundreds of mom and pop pizza and sub shops.

Mitch

Facebooktwitterredditlinkedinmailby feather

Board Of Directors Role In Cyber Security

The National Law Review has a great article on board member’s responsibility in the area of cyber security.

One quote from the article:

2012 Carnegie Mellon poll of how U.S. boards are managing cyber risks found that 71% rarely or never review privacy and security budgets, 80% rarely or never review roles and responsibilities, and nearly two-thirds rarely or never review top-level policies. Additionally, more than half of directors surveyed rarely review security program assessments. Every director should make cybersecurity a topic on the board’s agenda and ask questions if there is any confusion or doubt.

The National Law Review does not have anything to gain from their position, so I think it is wonderful that they are highlighting the board’s role in cybersecurity.

It seems like, with the exception of the JP Morgan Chase case, in the other major breaches of 2014 (Target, Home Depot and Sony), lax company policy and oversight in the area of cybersecurity was at least a contributing factor in each of these breaches.

Ultimately, the buck stops at the board of directors and given how ugly 2014 was from a cybersecurity standpoint and the fact that 2015 will probably be at least as bad, boards should be asking a lot of questions.

Mitch

Facebooktwitterredditlinkedinmailby feather

Cybersecurity – will the cure kill the patient

Tech Crunch has an interesting article on cyber security.  The first part is tongue-in-cheek.  All you need to do is disconnect from the internet, get rid of all your laptops and smartphones, use no cloud services and no mobile apps.  You get the idea.

All of the things that we know and love – and which make our lives and jobs easier – contribute to the security problem.

Bottom line, it is a balancing act and where the fulcrum lives is different for each person and for each company.

You have to conduct a risk analysis to figure out what risks you want to accept and what risks are unacceptable.  Then you get to take the actions to deal with that.

And assume, not everyone will be happy with your choices.

 

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed