'Treat infosec fails like plane crashes' – but hopefully with less death and twisted metal

The world has never been so dependent on computers, networks and software so ensuring the security and availability of those systems is critical. Despite this, major security events resulting in loss of data, services, or financial loss are becoming increasingly commonplace. Brian Honan, founder and head of Ireland's first …

  1. Anonymous Coward

    Plane accidents vs Infosec fails

    I'm guessing people are more motivated in fixing plane accidents since these usually result in hundreds of people dying in spectacular fashion... Once an internet connected oven burns a house down with family included I'm sure we'll start seeing some results. Until then we'll just shrug our shoulders and go back to watching Netflix.

    1. Tom Paine

      Re: Plane accidents vs Infosec fails

      No. Consider the history of electrical safety during the first century or so of widespread deployment of electricity supplies.

      1. Alan Brown Silver badge

        Re: Plane accidents vs Infosec fails

        Or that of train crashes and rail safety. Operators resisted all safety systems which cost money - such as brakes on each carriage - until forced to.

    2. Anonymous Coward

      Re: Plane accidents vs Infosec fails

      Unfortunately, economics plays into dealing with certain types of problems, including lethal ones (e.g. Ford Pinto).

      It boils down to: is it cheaper to roll out a change to the fleet, or just accept the occasional hull loss and bad PR? Presently, the latter seems to be the choice of many (I believe that's the issue we're trying to rectify).

      The question is then: how do we disincentivize all the coverups and hush-hush? I get the feeling that the consumer is going to be left holding the bag, one way or another, even if the culprits are penalized.

      1. Anonymous Coward

        Economics of software security?

        Anonymous Coward: "Unfortunately, economics plays into dealing with certain types of problems, including lethal ones (e.g. Ford Pinto)."

        Until the providers of the software are held to account, they have no incentive to making it relatively secure.

        'The software is licensed "as-is." You bear the risk of using it'

        'To the extent not prohibited by law, Oracle hereby disclaims all express or implied representations, warranties, guarantees, and conditions of any kind, arising by law or otherwise, with regard to the program'

        'There is no warranty for the program, to the extent permitted by applicable law'

        1. Anonymous Coward

          Re: Economics of software security?

          "To the extent not prohibited by law", i.e. those words are a waste of space as they have no legal standing at all but are just intended to persuade someone not to attempt to exercise their rights.

          1. Anonymous Coward

            Re: Economics of software security?

            That depends on where you live. In Trumpistan/Turnipistan(?, as he's that smart), any contract like that is, or will be, solidly enforced in favour of the Corp. that wrote it...and the cheque to the political party.

            The rest of us have to try and keep our countries from becoming as Oligarchic/Fascist as that. Not an easy task when the left has moved so far to the right. In NA, the left is now more right-wing than the right was in the 1970s.

          2. Adam 1

            Re: Economics of software security?

            > "To the extent not prohibited by law", i.e. those words are a waste of space as they have no legal standing at all but are just intended to persuade someone not to attempt to exercise their rights.

            Disclaimer: IANAL

            Whilst that may be a convenient side effect, I believe that this phrase is legally significant in its own right.

            Where that clause or equivalent is missing and the wording of the disclaimer is illegal (i.e. denies protected rights, very common with warranty and fitness for purpose disclaimers), the whole clause can be struck out by a court if challenged. That can leave the company horribly exposed. This clause gives them an out in many cases because their defense is that because they explicitly exclude your lawful protections from the restriction* they cannot be accused of trying to usurp them.

            *Which Jo Average often does not realise even exist.

            Pro tip: when trying to claim under warranty and the retailer and/or manufacturer are not playing ball and a reasonable impartial person** would agree that you have a case, using the right key phrases as expressed in your consumer protection laws goes a long way to getting your issue resolved.

            ** That requires some humble pie and not your BFF on twitface.

        2. c1ue

          Re: Economics of software security?

          Not that I consider Oracle exemplary, but a significant reason why software doesn't have warranties is because there is an enormous amount of user (lack of) skill that can be involved.

          Should a software maker be liable when users reuse the same login as email ID and password on dozens of different sites?

          What about patch management - at what point does the failure to install a patch (as opposed to not installing before testing) become the user's fault?

      2. jmch Silver badge
        Trollface

        Re: Plane accidents vs Infosec fails

        " is it cheaper to roll out a change to the fleet, or just accept the occasional hull loss and bad PR?"

        Is that you, Tyler?

      3. netminder

        Re: Plane accidents vs Infosec fails

        I was extremely proud of my organization after a well publicized incident there was a major review and audit using multiple internal and external sources. Causes were identified and plans were put in place to not make the same mistakes again. The problem is exactly as you describe, security is expensive. We are many times better secured and better prepared because of the work already done but still too far from perfect because of the big 3 - politics, religion and money.

    3. scrubber
      Mushroom

      Re: Plane accidents vs Infosec fails

      "Until then we'll just shrug our shoulders and go back to watching Netflix."

      But what if the infosec fail brings Netflix down???

    4. Daniel von Asmuth
      Unhappy

      Re: Plane accidents vs Infosec fails

      There have already been fatal failures of computers and digital devices. Every day people lose work because an application crashes and are affected negatively by software bugs. Society reacts with the urgency with which it responds to spelling errors in newspapers. Only the millennium problem prompted society to address the problem.

    5. Loud Speaker

      Re: Plane accidents vs Infosec fails

      Once an internet connected oven burns a house down with family included I'm sure we'll start seeing some results.

      Don't bet on it. I would keep that Internet connected oven in a shed at the bottom of the garden, with an internet connected webcam to watch it if I were you. Then go and live somewhere else, and watch something else on Netflix.

  2. iron Silver badge

    "victim blaming – commonplace in infosec – isn't helpful"

    When the hack occurred because the victim wilfully ignored standard procedures, allowed known holes to exist in their infrastructure and acts like Experian, Uber or Talk Talk then they deserve to be shamed and there are no lessons to learn.

    1. graeme leggett Silver badge

      The victim ignored standard procedures.

      In the aviation world, this would be followed by "Why didn't they follow procedures?", "What would have happened if they had followed the procedures?", "Are the standard procedures right?" and "How do we get them to follow standard procedures?"

      And in the InfoSec world, it's just point and laugh? Not the way to progress.

      1. Yet Another Anonymous coward Silver badge

        In the aircraft world your website would take 20 years and $10Bn to design and implement.

        Any changes would take years and $M, you would have to use aircraft grade servers with aircraft grade cables, you could only use web languages that had been approved by the FAA.

        1. Anonymous Coward
          Thumb Up

          Costs being more for reliability?

          See my Space X example below on how increased reliability is not necessarily increased cost (in SpaceX's case they recoup cost through re-use and standardised fabrication or multipurpose parts). Though I admit I have not seen the numbers/costs when it comes to IT, I have experience with "small business" vs "large national" with ISPs as a consumer. The small business runs 99.5% of the time due to good management, and the big one around 75% due to greed, while both use the same hardware!

        2. Mark 85

          Excellent. I'd like to add that in the aircraft world, there's structure with costs involved and time to find and fix. IT doesn't have a central authority to do this and if they did it would be a huge effort to track and fix all. The other big difference is that with aircraft, the findings and solutions are pretty much mandatory. IT... not at all since "profit"....

          There's this comment in the article: "In addition, cybercrime ought to be reported to the police." Seriously, what good does that do without a central, world-wide organization/authority? Local cops blow it off. National cops are swamped with other crimes. There isn't any way to bring a miscreant in, say, Russia, to any other country for trial.

        3. Loud Speaker

          I would prefer that to the roll-out of systemd with no testing at all.

      2. John Smith 19 Gold badge
        Unhappy

        "In the aviation world, this would be followed by...."

        Yes.

        It's called "Root cause" analysis.

        The closest equivalent would be the original "Capability Maturation Model" developed by Carnegie Mellon after studying the IBM Federal Systems operation, who did the software for Apollo and the Shuttle.

        Something still deeply lacking in most development shops.

        1. fnusnu

          Re: "In the aviation world, this would be followed by...."

          No such thing as 'root cause analysis' only 'the point at which you stopped investigating'.

          You'll be blaming 'human error' next. That's almost a banned phrase in aviation.

        2. Yet Another Anonymous coward Silver badge

          Re: "In the aviation world, this would be followed by...."

          Something still deeply lacking in most development shops.

          "the Primary Avionics System Software cost NASA slightly over $1,000 per line"

          and this was $1000/line of almost assembler - not per line of Rails

          (https://history.nasa.gov/sts1/pages/computer.html)

      3. Stoneshop

        "how do we get them to follow standard procedures?"

        Well, licenses to operate an airline can be revoked, following which the company ceases being able to make money while still having bills to pay (like wages, office spaces, plane parking fees and such). Companies that find themselves in such a position tend to want to cease being in that position one way or another before money runs out.

        Private pilots that do not follow standard procedures will probably find their license being suspended or revoked, or will find themselves as a fatality statistic after which not following standard procedures will cease to be an issue.

        Against IT companies that reject standard procedures there is no such recourse.

    2. Doctor Syntax Silver badge

      "there are no lessons to learn."

      There's one: it can happen to us.

    3. Throatwarbler Mangrove Silver badge
      FAIL

      @iron

      Good job proving the article's very point.

    4. Doctor Syntax Silver badge

      "Experian, Uber or Talk Talk"

      These companies were not the victims of data breaches. The victims were those people whose details were leaked. Let's not forget that.

    5. Adam 52 Silver badge

      "known holes to exist in their infrastructure and acts like Experian, Uber or Talk Talk then they deserve to be shamed and there are no lessons to learn"

      What a strange thing to say.

      In Experian's case there are lessons around verifying your contractors.

      In Uber's the lessons are around access rules and audit thereof.

      Plenty of lessons to be learnt from Talk Talk, like "how do we identify, patch, test and deploy thousands of apps" and the need for intrusion detection.

      I'm not aware of any standard procedures that would have prevented any of these breaches. Maybe Talk Talk. Loads of people with 20-20 hindsight, but very few positive contributions.

      1. Loud Speaker

        In all these case, the lesson most learned was "the strategy of burying our heads in the sand and lying to everyone was a complete success".

  3. 8Ace

    Who investigates

    That would surely require a body with powers to investigate and demand evidence like an Air Accident Board. Then someone would also need the power to impose remedial measures like the CAA, FAA etc.

    However this is a bad analogy: not only is aerospace part of engineering, it's mission critical engineering. The mentality is make it safe, and secure above all else. In no way can the software industry be compared to engineering. Software is the only discipline I can think of where it's accepted that nearly all products go out the door with issues. Until the cost and consequences of fixing software issues match those with physical products, the mentality will always be "get it working, fix it later".

    1. Anonymous Coward

      Re: Who investigates

      In the UK that'd be the ICO wouldn't it...?

      Within the guise of GDPR the EU will be calling them Supervisory Authorities.

      They're empowered to request evidence, audit data and if dissatisfied impose fines:

      Tier 1 - 20 Million Euro or 4% of global turnover

      Tier 2 : 10 Million Euro fine or 2% of global turnover.

      The upcoming GDPR and eprivacy laws should shake things up sufficiently to allow the ambulance chasers to ratchet up the pressure and turn this into an HSE circus...

      1. 8Ace

        Re: Who investigates

        I'm not sure the powers available to the ICO come close to those available to the AAIB. Obviously these powers are very different, but the principle seems to be, they get access to whatever they need without requesting permission. If the ICO had similar powers, and dedicated investigators of similar quality, then we may see some changes.

        "AAIB Inspectors have powers to investigate all civil aviation accidents and incidents within the UK. They are appointed under section 8(1) of the Regulations and have the powers under section 9 to have free access to the accident site; the aircraft, its contents or its wreckage; witnesses; the contents of flight recorders; the results of examination of bodies; the results of examinations or tests made on samples from persons involved in the aircraft's operation and relevant information or records. They also have the power to control the removal of debris or components; examine all persons as they think fit; take statements; enter any place, building or aircraft; remove and test components as necessary and take measures for the preservation of evidence."

        1. Anonymous Coward

          Re: Who investigates

          After reading that, I have to agree with you - as a single body with consolidated powers, the AAIB will be better equipped to manage incidents as they see fit.

          I'll elaborate where I was coming from.

          The whole point behind the current legislation/fines is focused on proportional administrative fines sufficiently large enough to hurt - failing that a judicial remedy (if the affected subject is not satisfied).

          Referenced respectively in the following items:

          Judicial remedies: https://gdpr-info.eu/art-79-gdpr

          Fines: https://gdpr-info.eu/art-83-gdpr

          If they get dragged through the courts, you'd think that this extension might give them a few more powers.

    2. J. Cook Silver badge
      Thumb Up

      Re: Who investigates

      Took the words clean out of my mouth. The whole thing.

      For InfoSec, there is no central authority at a federal/national level that oversees how businesses are connected to the internet - it's all a massive pile of little duchies, and none of them talk to each other (or refuse to talk to each other fearing business secrets might be spilled, or advantages might be taken, or any number of other paranoia-related things). The only things that exist are 'best practices', which are not requirements and half the time are usually ignored by the business in the interests of making money.

      1. Anonymous Coward

        Re: Who investigates

        I'm not saying that a central authority is a bad idea, but be careful what you wish for. The big players could, I suspect, very easily find a way to put the smaller Linux distros and the BSDs outside of that potential authority's "safe use regulations". This could have the knock-on effect of making them unusable for shopping/banking on the Internet, maybe even blocked by SPs from getting on the 'net depending on what's required of the SPs, for our safety. Nothing seems to be off the table as we careen further down the political extremist path.

  4. Anonymous Coward

    "get it working, fix it later"

    Indeed: http://www.theregister.co.uk/2017/11/24/linus_torvalds_approach_to_security/

    1. Doctor Syntax Silver badge

      Re: "get it working, fix it later"

      You've seen the article? Good. Now read it. Even better, when you get to the link to the original post click that and read what he actually wrote.

  5. Anonymous Coward

    Infosec ≠ cyberattack

    Even if the dictionary definition makes it appear that way. Infosec = Information Security, and malicious acts are only a part of that. I'd even go as far as to say only 50% of that.

    Never put down data loss as hostile action when there's so much scope for non-hostile FAIL.

    And I'm commenting on this because reading the "Lessons learned" investigation into a major UK based, non-hostile, data loss incident that happened a little over a year ago made it look like an utter car crash of a gloss-over job for one like myself who is more used to reading incident investigation reports from the transport industry. They actually do a much better job of it than the IT sector, and lessons can definitely be learned there!

    1. Anonymous Coward

      Re: Infosec ≠ cyberattack

      "incident investigation reports from the transport industry. They actually do a much better job...."

      Air and rail, yes. I'm less convinced by maritime ones.

      Let's not even go there with road safety. Although the police do a damn fine job looking at the immediate cause, that is more for blame attribution rather than learning lessons.

      1. Doctor Syntax Silver badge

        Re: Infosec ≠ cyberattack

        "that is more for blame attribution rather than learning lessons."

        And usually looking for a driver to blame. It's just coincidence that so many of the drivers being blamed were at a particular road junction.

  6. Chairman of the Bored

    Triumph of sensationalism over common sense

    I don't think the briefer has any feel for the cost and time involved in an air accident investigation. Would anyone be content with 18 months to 2 years between an infosec problem and a report? Sure, emergency airworthiness directives and whatnot can be issued mid-cycle but these are done sparingly for both economic and engineering reasons (make damn sure you don't introduce new failure modes... take some time to test). AAI is not cheap, either.

    Software and IT systems (he's talking infosec, so people are within the system boundary here) are far more complex than aero machines, so you have a much higher failure rate. But you also have a much faster timeline to make a system whole after failure.

    It's apples and oranges. And oranges don't grow in my climate.

    1. Anonymous Coward

      Re: Triumph of sensationalism over common sense

      The point is that aviation wants to know how to systematically eliminate the problem that caused the crash and prevent a reoccurrence. And that is done by being open and honest with the facts and conclusions. You don't get that impression with IT, which seems to be worried about glossing over or handwaving away incidents should they reach the light of day.

      IT's fast timeline is possibly the cause of their code-release-oops!-fix-release-oops!-fix... cycle. IT seems to be quite quick at deciphering what went wrong as well. (By comparison the long times for the aviation investigators are because they are trying to figure things out by examination of little bits of barely recognizable metal spread across a field.)

      1. Anonymous Coward
        Joke

        Re: Triumph of sensationalism over common sense

        Some IT problems also appear as "little bits of barely recognizable metal spread across a field", see BOFH! ;)

      2. Chairman of the Bored

        Re: Triumph of sensationalism over common sense

        @AC, excellent points. I don't see the IT world as open and honest. CYA seems to be the primary SOP, and it seems that no amount of public humiliation is pulling big chunks of the industry out of the gutter. Where are the shareholders in all this?

        My day job is hardware engineering for aerospace widgets. I love this because I can pursue quality relentlessly. But I cannot imagine most industry could survive with our cost structure. We produce some hardware, vast amounts of test reports and documentation, and as little software as humanly possible. Very little innovation for the sake of new stuff. Nothing is very "sexy" or "advanced" - not much for the marketing weenies to get all excited about. But we don't fail. Ever.

        Near retirement now. I'm concerned with what I see coming up through the ranks - especially the management ranks. The new IT / IA / HW kids are good but the people who aren't packing what it takes to succeed in the hard science side suck. And these are your future leaders. Chasing buzzwords and "shiny" for shiny's sake. Constantly chasing buzzwords they read rather than doing any analysis to understand what is really needed. Rather than aerospace grade discipline spreading to the world of IT what I see is the crap-of-the-week club taking over aerospace.

        1. Doctor Syntax Silver badge

          Re: Triumph of sensationalism over common sense

          "Constantly chasing buzzwords they read rather than doing any analysis to understand what is really needed. Rather than aerospace grade discipline spreading to the world of IT what I see is the crap-of-the-week club taking over aerospace."

          You do at least have the possibility of the existing regulators forcing that discipline onto the buzzword chasers.

          1. Anonymous Coward

            Re: Triumph of sensationalism over common sense

            In a world whose leaders seem determined to decrease regulations we can't count on that for long.

  7. Anonymous Coward

    Space X...

    The entire reason the company may have success is how they were doing the numbers of cost/success/failure and trying to be above the competition (again in a less tragic example than aircraft accidents).

    While not yet proven as a business, they have proven themselves in the engineering side and succeeded in doing things first and best in many areas. So to follow suit in IT must be a win, no?

    Less downtime = less cost in the long run. Quicker turnarounds = more profit. etc. But I guess this needs a long commitment, and sadly I see (as a consumer) most companies outsource/slash and burn their resources (IT, call centres, engineering/service staff) and forget about consequences. :(

    1. Loud Speaker

      Re: Space X...

      Less downtime = less cost in the long run

      However, if the profit is not there in the end-of-quarter report, the share price will crash, and that is the end of the corporation. Blame the lack of heavy trading costs for short termism. If you want a decent quality of life and don't want a world of Ponzi, what you need is hefty stamp duties.

      Bleed the speculator community to death. It is a sacrifice worth making (and probably even kosher).

    2. Seajay#

      Re: Space X...

      I'm not sure that's a great analogy.

      If typical software contained bugs which were so serious that they caused the server hardware to be destroyed after each request (roughly the non-reusable rocket equivalent) then yes, there would be huge economic gains to be had from working on reliability, but that's not the situation.

      That doesn't mean that we shouldn't look to improve reliability, just that unfortunately we have to accept that there is a trade off, it won't pay for itself.

  8. David 55

    Good luck

    And where they will get these millions of forensics and security specialists to go through the endless attacks? Even if that many existed wouldn't it be better to use them to make critical code more secure rather than do useless investigations?

    1. Doctor Syntax Silver badge

      Re: Good luck

      " Even if that many existed wouldn't it be better to use them to make critical code more secure rather than do useless investigations?"

      Not necessarily the same skills and coding doesn't help when the errors are operational.

  9. Tom Paine

    Zero interest

    It'll be a cold day in hell when a statutory body is established with the power to shut down organisations, mandate strict training standards or ground a particular OS or application -- right up until the day a cybercybercyber incident leads to a pile of corpses.

    As I happened to mention in a comment a few hours ago, compare regulation in industries that can kill people when they screw up (civil engineering, aviation, mining, medicine, ...) with, say, banks and financial services. (Full disc, I work in fin servs).

    1. Chairman of the Bored

      Re: Zero interest

      @Tom Paine, aren't a lot of you guys in financial services under professional licensure as well?

      My P.E. is my license to be sued. I am personally responsible if a design under my stamp fails. Not that the degrees and license guarantee quality, mind, but at least you know that I/we cleared at least some minimal bar and have some degree of commitment to continuing education.

      The first time I saw the term "Microsoft Certified Engineer" on a resume I wanted to puke...

    2. Doctor Syntax Silver badge

      Re: Zero interest

      "It'll be a cold day in hell when a statutory body is established with the power to shut down organisations"

      I don't know if it's still there, and even if it is I doubt it's ever been used, but the DPA Mk I gave the regulator the power to order a business to stop processing data. It's a bit chilly today.

  10. Anonymous Coward
    Facepalm

    Brian Honan head of Ireland's first CSIRT

    "Brian Honan, founder and head of Ireland's first CSIRT and special adviser on internet security to Europol"

    How many computers has Brian broken into? Otherwise his expertise isn't worth the bits it's written in.

    "We need to learn from incidents rather than making the same mistakes"

    We need to make 'computers' that can't be compromised by opening an email attachment or clicking on a malicious web-link in yer 'browser'.

    1. Charles 9

      Re: Brian Honan head of Ireland's first CSIRT

      "We need to make 'computers' that can't be compromised by opening an email attachment or clicking on a malicious web-link in yer 'browser'."

      That's like saying you need a front door that can't be kicked in. The basic problem behind the problem is that it requires fixing Stupid. Got any ideas that don't involve culls?

  11. DonM.

    Did this analogy originate with Bill Joy ??

    I remember hearing a talk by Bill Joy (a founder of Sun) in the late 1980s where he suggested that the crash of an operating system should be as rare as the crash of an airplane. And investigated just as thoroughly.

    1. Richard 12 Silver badge

      Re: Did this analogy originate with Bill Joy ??

      As far as the OS goes, that has probably been achieved per thousand running hours.

      Linux servers routinely have uptimes of "Until I want to update the kernel or replace the CPU"

      Android and iOS tend to run until system update (six monthly), or the owner needs to enforce password protection.

      MacOS only seems to freeze or crash during updates.

      Even Windows rarely crashes. I don't remember the last time I had an OS crash that wasn't caused by faulty hardware.

      Applications on the other hand...

  12. HughGeerection

    So said Kevin Mitnick circa 1995

  13. c1ue

    Economics is the problem

    The real problem is economics.

    A plane crash is public: everyone involved loses. The plane manufacturer fears competitor hardware getting bought/getting a bad reputation a la the Ford Pinto.

    The airline fears passengers choosing other Airlines.

    The passengers, thus government, get upset by television reports of grieving widows and children.

    None of the above economic and political dynamic exists for cybersecurity.

    The software manufacturers, even in sectors not dominated by 1 or 2 companies, have almost nothing to fear from competition (Microsoft, Adobe etc).

    The companies affected might fire the CEO, but the largest companies just apply a few tens of millions and move on - a mere blip on one quarter at worst or even a convenient excuse for a bad earnings period.

    The SMBs just suck it up and move on.

    I founded and operate a cyber security services company: the SMB customer *never* wants to pay - either in cash or even just access - to discover exactly how an attack occurred. They just want to get back up and running, which is understandable.

    This situation will not change until some public or private entity takes on the cyber risk pool and is thus incentivized to pay customer losses in order to discover root cause in order to reduce systemic losses.

    1. Loud Speaker

      Re: Economics is the problem

      The passengers, thus government, get upset by television reports of grieving widows and children.

      So get cracking folks: what we need is Youtube videos of people crying over a BSOD! (or IoT device leaking video of their teenage daughter's bedroom antics live on children's TV). However, Amazon Prime's "let the burglars in" door lock may be a good start.

      1. Charles 9

        Re: Economics is the problem

        No, what you REALLY need are Breaking News events where hacks KILL PEOPLE...DIRECTLY. Such as a hospital losing control of equipment causing patients to die. Or air traffic controllers getting messed up and causing a mid-air collision. Or a major power plant exploding. It only gets serious when PEOPLE DIE.

        1. Seajay#

          Re: Economics is the problem

          Rather than say

          "We need to see people dying"

          how about

          "We don't see anyone dying. Therefore while it may offend your perfectionism to have insecure computers, that's just tough. The rest of the world wants computers which are very much cheaper than planes, despite being just as complex."

          1. Charles 9

            Re: Economics is the problem

            No, he had it right. It has to be that primal, that simple. Unless people DIE (directly so there's no blame-shifting) as a result, people really won't pay attention to it. Nothing scares people like the thought they may not see tomorrow.

            1. Seajay#

              Re: Economics is the problem

              You're right. But it's not the case that insecure systems are causing loads of death but it isn't visible. It's just not causing much death. Therefore the right response is don't worry about it. Or more precisely, worry about it but don't spend as much money as you do keeping aircraft safe.

              1. Charles 9

                Re: Economics is the problem

                What I'M saying is that this is a subject where there's no middle ground. Either NO attention is paid to it...or ALL EYES are on it, and it all hinges on a crisis. While nothing happens, it's an "out of sight, out of mind" issue to the average user. Then it starts killing people and it pushes everyone's panic button. There's unfortunately no real way to reach a middle ground that the average person can comprehend.

  14. Nick London
    Coat

    Code of Conduct Anyone?

    Qualified IT professionals have to abide by the BCS Code of Conduct which in turn needs to meet Engineering Council requirements.

    I quote the first clause

    "Public Interest

    You shall:

    a) have due regard for public health, privacy, security and wellbeing of others and the environment.

    b) have due regard for the legitimate rights of Third Parties*.

    c) conduct your professional activities without discrimination on the grounds of sex, sexual orientation, marital status, nationality, colour, race, ethnic origin, religion, age or disability, or of any other condition or requirement

    d) promote equal access to the benefits of IT and seek to promote the inclusion of all sectors in society wherever opportunities arise."

    I think a) and b) set a pretty high bar for anyone who signs off a project that causes loss or harm to members of the public, users or indeed their employer.

    Of course many work without a qualification but employers who fail to ensure their staff are adequately qualified could find it difficult to defend a case of negligence. "What proportion of your staff have a professional qualification?", "And the rest we presume are amateurs - we rest our case m'lud"

    There, got that off my chest.

    1. Paul Hovnanian Silver badge

      Re: Code of Conduct Anyone?

      We have something similar over here for professional engineers:

      https://www.nspe.org/resources/ethics/code-ethics

      This is usually adopted by states' licensing laws (states are responsible for most PE licensing programs).

      Sadly, many IT professions are not covered by state/federal licensing requirements and by extension, the above code of ethics.

  15. teknopaul

    where are we in the hype cycle?

    Anyone know, for example, what the real impact was of Heartbleed? In theory total meltdown of all internet security. In practice did anything bad happen? Other than increased spend on IT.

    A security breach is just not comparable to a plane crash: nobody dies. I also suspect often there are no consequences to very hyped bugs. Clearly there are spectacular fails like Sony. Ransomware needs to be in its own category. But there is also massive hype about bugs before there has been any reported impact. I don't think that helps.

  16. allspaw

    Yes: InfoSec incidents should be learned from as the accidents they are. But...!

    I firmly believe that we need to take human performance seriously in software, and part of that is to level-up our game in learning from incidents (not just security/privacy breaches, but all untoward and unexpected events!).

    A word of caution to software practitioners is that while other "safety critical" domains (aviation, rail, maritime, medicine, power generation, etc.) provide many different routes for software-centric organizations to explore, investigate, analyze, learn from accidents - we should NOT be simply "cargo-culting" practices as if they're immediately applicable and positive to transplant.

    These other fields have been wrestling with many existential conflicts inherent in explaining and describing accidents for some decades now, and those few that have actually made progress past the typical "name/blame/shame" approach of Root Cause Analysis™ have had to learn the hard way what conditions need to be in place in order for real data about real work to see the light of day - which are required for real learning to happen, not to mention prevention of future incidents.

    For at least one example: in most countries I'm aware of, software engineers giving detailed descriptions of their work related to an event and given as part of a "post-incident review" cannot be guaranteed protection from civil or criminal proceedings. The NTSB at least provides that by law.

    There are many barriers to learning in ways that are productive and truly move the state of the field forward. I also believe these barriers can be moved with effort and focus to do so, so much that the company that I've founded is hoping to be a small part of changing that.

    John Allspaw

    adaptivecapacitylabs.com

    1. Chairman of the Bored
      Pint

      Re: Yes: InfoSec incidents should be learned from as the accidents they are. But...!

      Cargo cults! +1 for the appropriate Feynman reference.

  17. Paul 129

    Reporting a hack to the Police.

    Lol there's a good one.

    Locally they take your statement for the insurance claim. Unless you engrave your car rego onto things you'll never get them back. The Feds have a nice little thing where unless you can demonstrate that the perpetrator is from our country they won't do a damned thing as it's not their jurisdiction.

    1. jijim

      Re. regulators, and lessons learned from the financial services

      (wrt incentives)

      IF there will ever be any info sec regulators worth their salt - do you think many of them will choose to eat humble pie every day and keep working for a wonderful public servant package, instead of being "bought over" for a very handsome price by the very companies they would otherwise have to check in their regulator role?

      1. Anonymous Coward
        Anonymous Coward

        Re: Re. regulators, and lessons learned from the financial services

        Well, we had the Untouchables: people in it for the law, not the buck. Thing is, do such principled people still exist in today's world?

  18. rtb61

    Nothing Like A Plane Crash

    For info security to be like a plane, the plane would still have to be flying with passengers and be expected to continue flying.

    Reality is something like a flying squad is required. At the very first instance of the hack, to get out there and re-secure systems whilst garnering evidence to pursue the case and lay some actively monitored traps in the essential first few hours after the hack.

    Late investigation is dumb; it has to be real fast and able to rebuild a system, so that affected hardware can be put aside for deeper investigation.

    1. Charles 9

      Re: Nothing Like A Plane Crash

      I think your idea is physically impossible. For a flying squad to be that effective, they'll need response times in MINUTES, not hours (by which time by most measures the hackers have already dug in too deep to remove). Fact is, reaction times are just impossibly slow (by the time symptoms appear, it's usually already too late), and proactive measures won't help against determined and/or resourced adversaries capable of playing perfect imposter. It's much like arriving late to a suicide bombing; after the fact, there's little to be done but pick up the pieces.
