Back in the day, I used to work on a DoD (joint service) project, and as a result I can tell you that the DoD is a documentation-focused culture. The mantra was: “if there’s no document, it didn’t happen.”  There are documents telling you what documents to write and documents that tell you how to write other documents.

Which is why I was so surprised when I came across this article this morning outlining how the DoD is being sued because of a data breach; from the ThreatPost coverage:

The suit alleges that TRICARE, the military’s health care system, didn’t encrypt the data on the tapes and didn’t take proper precautions in their handling. The data on the tapes reportedly includes information on patients who were seen at facilities in San Antonio between 1992 and September of this year.

The data in question?  PHI and PII.  Why was I surprised, you ask?  Because at a minimum the DoD would be governed by HIPAA security, right?  And HIPAA security requires documentation – documentation that I’m skeptical the DoD actually did.  Why do I say that?  Check it out:

Lack of encryption is a mandate to document

HIPAA Security requires, as an addressable implementation specification for “Access Control” [45 CFR §164.312(a)(2)(iv))] that covered entities, ”Implement a mechanism  to encrypt and decrypt electronic  protected health information.”  By their own admission, they were not encrypting.

How do we know this?  Because they said they weren’t in their statement…  so it logically follows that they’ve decided to go down the “addressable” path for that control.  Per the HHS FAQ, an addressable implementation specification requires some specific supporting documentation:

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specifications; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative. The covered entity’s choice must be documented… The decisions that a covered entity makes regarding addressable specifications must be documented in writing.  The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.

Now, you could go and read the HHS guidance about risk or go and check out the NIST document about the same topic to see how they’re supposed to arrive at the documentation specifically required under the law… and those requirements are pretty strict.  But assuming that the DoD was following the law, resolving this law suit seems like a pretty easy matter, don’t you think?  Just put the cards on the table and show the documentation:

• Show us your data collection documentation; you know, like when HHS says “An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (page 5)“
• Show us your threat inventory.  Like when HHS says: “Organizations must identify and document reasonably anticipated threats to e-PHI… Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.” (page 5)
• Etc.  I won’t go through the other 7 areas of specific documentation required by HHS in supporting a valid risk analysis.

But here’s my point is this: it’s unlikely that DoD was complying with the law, in which case they can’t show the documentation because it doesn’t exist.  The fact that they didn’t know right away what data was impacted by the breach  supports the conclusion that they weren’t doing the data collection piece for example.  Why?  Because if they had a documented list of the e-PHI, you’d think they could just look at it and see whether it was or was not there, right?

I won’t belabor the point here.  But suffice it to say that it’s yet another example of a healthcare provider not following the appropriate steps to account for addressable implementation specifications.  Only this time there’s a chance that they could feel the pinch because of it.  Seems like there’s a lesson in there somewhere.

On another note this morning in the security press, we also have notification that the DHS’ “loaned executive” program is looking to poach an advisor from private industry.   The point is to “help secure the homeland” by vectoring in someone from private industry to serve in an advisory capacity to assist with decisions made about homeland security.

The duties of this person?  From the description on the DHS website, it seems a little vague:

Provide independent and critical assessment of the strategic, mission and operational plans by examining the key messages, inputs, needs and impacts to our information and communication technology partners.

Which to me means, “we’re not exactly sure what you’re going to sleep yet, but sign the lease anyway.”  So at first I thought all this was mildly interesting, but about midway through it, I started to get a little concerned.  Here’s what concerns me about it… and why I say it’s a “bad idea”:

• The position is unpaid, with the expectation that the executive’s firm would continue paying their salary during the period of time they’re on hiatus with the DHS
• The position requires clearance.  Specifically, “The candidate must hold the necessary security clearance prior to the commencement of this assignment. All clearance issues need to be resolved in advance of the actual assignment to ensure immediate operational engagement.”

So… while I think there are quite a few things that the DHS could learn from folks in the private sector that practice security (for example: banks, pharma, payments, even healthcare), this program won’t be filled by any of those people.  Why not?  Because – especially at the executive level – they’ll tend not to have clearance, their firms will tend not to want to give them up.

Let’s ask ourselves then – hypothetically – who might be likely to meet all of these criteria already?  For example that already has Top Secret clearance… that work for companies that won’t mind “losing” a highly-remunerated executive in exchange for unprecedented levels of access to security decision makers within the DHS.  I wonder who that could possibly be?

Sarcasm aside for a minute… who are they realistically expecting to get here?  Someone who is actually going to help them change the culture to make better and more economical security decisions?  That would be nice… and I’d be behind that fully.  But if you think that’s going to happen, I’ve got a timeshare you might be interested in.  To do that, you’d need to do two things: remove the clearance requirement (since who other than a beltway bandit working in “private industry” is going to already have clearance in order to be considered in the first place) and you’d need to remunerate the firm you are co-opting this person from (thereby eliminating the conflict of interest – an actual for-profit firm not trying to sell something might be interested in participating under those circumstances).

Maybe I’m overly cynical… but it seems to me that there’s no free lunch.  I could be totally wrong on this, but I’m thinking they’re going fishing hoping to reel in someone who can actually help them improve, but they’ve structured the selection in a way that the only thing they can catch with the bait they’ve picked is a salesman in disguise.

Image Source: zazzle.com

Ahh… it’s nice to be back from the holidays.  A little turkey, a little stuffing, and a steaming extra helping of information security news.

There’s quite a bit out there to choose from today to talk about, but the item that most caught my eye is the discussion of the Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 over on cnet.

So you’ve probably heard about this, right?  I knew it was coming, but to be honest I didn’t realize that it would give the DHS the power to regulate private industry.  From the article:

Section 224 of HSCPIPA hands DHS explicit legal “authorities for securing private sector” computers. A cybersecurity chief to be appointed by Napolitano would be given the power to “establish and enforce” cybersecurity requirements.

HSCPIPA’s process works like this: DHS draws up a list of regulated “critical” companies… Once the list is complete, DHS has the authority to require those regulated tech companies to “comply with the requirements” that it has levied. Those requirements include presenting “cybersecurity plans” to the agency, which has the power to “approve or disapprove” each of them. DHS “may conduct announced or unannounced audits and inspections” to ensure “compliance.”

Interesting.  This is actually a pretty good summation of what the proposed legislation says:

The Director shall promulgate risk-based, performance-based cybersecurity requirements for covered critical infrastructures, that are designed to prevent, deter, prepare for, detect, report, attribute, mitigate, respond to and recover from cyber incidents…

The Director shall–`(A) determine, in consultation with the heads of sector-specific agencies and the heads of first-party regulatory agencies, which systems or assets of critical infrastructure shall be subject to the requirements of this section and designate them as covered critical infrastructures for purposes of this section

The Director shall require entities determined under subsection (e) to be covered critical infrastructures to comply with the requirements under subsection (c) and to submit to the first-party regulatory agency or sector-specific agency, a proposed cybersecurity plan to satisfy the security performance requirements described in subsection (c) on a timeline determined by the Director.

Meh.

I don’t object to this on general principle like some people have, but I do have a few practical questions that I think need to get ironed out.  First of all, why the DHS?  Let’s face it, the DHS doesn’t have the best track record when when it comes to cybersecurity.  Will they somehow become more competent now that they’re holding the security candle for both their own agency as well as the private sector?  I doubt it.

Second question: I think we could probably do with out the requirement to submit “security plans” to DHS for review.  I get it why this would seem like a good idea – since every company is going to be different, someone might want to make sure that the risk/control balance is appropriate and look at how that determination is made.

But keep in mind how long a thorough cybersecurity plan is likely to be.  Are we really expecting the DHS to read through each and every one for potentially hundreds or thousands of private companies?  Are we expecting them to read it to actually understand it or just to rubber stamp? If it’s the latter, I’d suggest we do without the review/approval and if it’s the former, I’d say that the time is better spent defining objectives and auditing to them vs. reviewing some nebulous “plan” that’s like to not accurately reflect the implementation anyway.

Of course, private industry hasn’t done the best job on it’s own… to say the least.  So I’m kind of at sixes and sevens on this.  Clearly something needs to be done to protect critical infrastructure held in private hands (since the invisible hand of the market doesn’t always favor better security), but I’m not sure that making DHS the security enforcer is necessarily a good idea either.

So have you heard of Perfect Citizen?  It’s a relatively creepy sounding program whereby the NSA (and apparently the DoD?) would use federal resources to monitor and track private-sector threats and (also using federal resources) respond if need bo.  I’m assuming they’re only looking at critical infrastructure (Utilities, FS, Healthcare, Telecom).

The name is pretty scary – it’s a phrase that makes me think of something that the Ministry of Thought Control would have in their mission statement.  So no props to the marketing people over there for scaring the hell out of people.  However, the idea is probably a decent one – namely, for critical infrastructure managed and governed in the private sector, where the private sector operators of that critical infrastructure have shown a general obstinacy and unwillingness to secure their data and infrastructure, have a voluntary program  that will let us, the taxpayers, invest in helping pick up the slack.

One suggestion though: provide a tax incentive to those folks who don’t participate in the program but yet can demonstrate that they are keeping their security at a reasonable bar.

Man, check out that album cover. That really takes me back. I never really loved the Warrant, I have to say – with the possible exception of “Cherry Pie” – although that probably has something to do with the fact that it featured guest C.C. Deville () on guitar. Good times, good times.

Anyway, misty water-colored eighties power metal moment over; on the purpose at hand.  The DHS, in yet another brilliant move (not) has been shot down in  federal court because they failed to obtain a proper warrant before searching a laptop seized at a US border.  Here’s the quick backstory:

• Samuel Hanson was crossing the US border with his laptop
• US customs officials become suspicious because ole’ Sammy appeared nervous during questioning
• They investigate the camera and laptop he is carrying and discover an image of a nude adolescent on the beach
• Customs agents search his laptop 3 separate times, each time finding nothing
• They impound the laptop for six months whereupon they search it again and find a stockpile of thousands of child pornography images

The federal court contends that, since they didn’t have a warrant for the post six-month search, they can’t use the mountain of evidence stored on the hard drive for the purposes of prosecution.  Sigh.  Maybe I’m Monday-morning quarterbacking here, but there are a few points about this that are frustrating to me about this.  They are:

1. Why is it that customs didn’t do a more thorough search during each of the three times they examined the device?  That search was permissible since the judge said the customs folks didn’t need a warrant for the immediate search.  Is there a lack of expertise on the part of customs?  Were they limited in what they could search?  Why the inability to get it done?
2. Why did it take six months to conduct the search that actually found the data?  Is law enforcement really that backed up with forensic examinations?  If we need more resources, let’s get them.  Because in the case of prosecuting the guilty, the lack of forensic “getting-it-done-itude” is apparently a factor in getting evidence thrown out. And for the innocent who have their computers seized for evidentiary purposes, keeping someone’s computer for 6 months while they wait for DHS to get it done seems unfair – 6 months can be 1/4 of the time to obsolescence with computer technology.
3. Why not just get a warrant the first time through?  Isn’t it easier to just err on the side of caution and get the warrant from the get-go?

Meh.  This kind of thing irritates me.  Not only are we unable to prosecute this guy (obviously a creep of the first order – allegedly), but because the evidence is fruit of the poisonous tree,  now we’re also paying for the (inadmissible) forensic examination and further backing up the forensic queue with evidence that can’t be used?  Lame.

So, the other day I was going from Seattle to Manchester. And believe me, it was one hell of a trip… The day was kicked off by finding out that SeaTac had no power in Terminal A, and ended 20 hours later (finally) in New Hampshire where I found out that the TSA had searched my luggage. Now, I don’t know about you, but in past when people have searched my belongings, they didn’t wind up breaking stuff. This time, however, the gloves were off. Those guys did it all – wrinkled my suits, made little “snowballs” out of my shirts, pulled matched socks apart, and finished it off by breaking stuff; specifically, by breaking the zipper on my suitcase and by breaking my belt. Now I got the suitcase for free from LL Bean, but it retails for a hundred and change; the belt I bought at Banana Republic for 80 dollars (don’t ask – I was at a conference and needed a belt.) So, almost 200 dollars worth of damage. They did, however, leave a little courtesy form-letter telling me they had “inspected” (read: gone apesh*t on) my luggage.

Now, I’m usually pretty calm about stuff like this. They’re just doing their job, right? And all of this stuff has a security benefit, so it’s worth it, right? Um… Well, maybe not. Now, you all have had to hear me gripe about why this stuff doesn’t do anything for security – like why it’s “good marketing” for TSA to put on a show of checking for stuff when the security benefit it provides is basically nil. I’ve had countless conversations with security folks, the majority of whom believe that the TSA security measures are useless. And now yet another respected news outlet is saying it too. And you know what? He’s totally right. The security measures are a show… And underneath the show? Continued incompetence.

Incompetence like the fact that they have yet to fix the problems with the Watch List. Now, you might say that inconveniencing a few thousand people is worth the price of increased security; and maybe you’d be right – if this watch list did anything. But it doesn’t – in fact it does the opposite. It wastes money that could be spent efficiently on terrorism prevention, it wastes cycles that could be spent on doing something productive, *and* it makes travel more painful all around thereby accomplishing the terrorists’ original goal of disrupting our way of life. Wanna get pissed off? Take a look at the TSA fact sheet for 2006 where the DHS lists their “highlighted” accomplishments for 2006. Accomplishment number one is this BS about the liquids… They “trained over 40000 people” and “conducted extensive explosive testing” (all at taxpayer expense) for a threat that we all know isn’t feasible. And when TSA finally clued in to the fact that it’s bogus? They “proved their flexibility” by “modifying the ban”. And what did that cost us, the taxpaying public? Hundreds of millions that could have been spent on developing automated approaches to baggage screening that won’t leave innocent travelers with wrinkled clothes and no belt.

Now that’s progress.

OK, so remember when we were talking about behavioral screeners at airports? Well, apparently they’ve decided to expand that program; check it out:

But security officials here are so impressed with behavior pattern recognition techniques – which they say can distinguish a nervous traveler from a dangerous one – that they say they plan to expand their use more widely in Miami than at any other U.S. airport. If officials have their way, all 35,000 of the airport’s workers – including janitors, skycaps, even Starbucks coffee servers – will be trained to watch travelers for suspicious movements.

Awesome, so in addition to serving up vanilla latte’s, your local barrista also has law-enforcement in their scope of responsibility. Remember that when you get tempted not to tip them. So what are the suspicious activities? Apparently, they include:

…someone rifling through a trash can, an unattended bag, a young man sitting on the floor alone, or a seemingly unhappy face.

An unhappy face? Sitting on the floor alone? These are behavioral traits I exhibit on almost every business-trip I make: I’m unhappy because traveling sux and I sit on the floor alone quite a bit: usually with a laptop next to one of the jealously-guarded and carefully hidden power outlets.

This, like most of the other anti-terror measures at airports is likely to be less than effective. But will it go away? I doubt it; people just feel too good about these measures – it gives them that warm and fuzzy illusion of safety. Check out the statistics:

Among the findings of the poll of U.S. adults, taken Aug. 18-20: