The leader of an American state is in the news advocating encryption be added to government compliance requirements. She has pointed blame for a serious breach of confidentiality, under her watch, towards her regulators.
Gov. Nikki Haley's remarks on Tuesday came after a report into the breach revealed that 74.7 GB was stolen from computers belonging to South Carolina's Department of Revenue (DOR) after an employee fell victim to a phishing email.
First, her remarks feel slightly off the mark to me. The incident response report released by her office asserts only a correlation between a phishing email and the breach.
The report very cleary states causation was not found.
The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
The news I have seen consistently refers to a case of malware through phishing, even though the IR report warns that it is only "likely."
Beware the difference.
Why does certainty matter so much here? Because encryption has a well-known and significant weakness: an attacker who can compromise credentials needed for decryption still can steal 74.7GB of confidential data. The strength of a safe's walls are far less relevant if a front door is left open.
Second, if an executive passing the blame on to regulators sounds familiar it might be because Heartland's CEO used similar rhetoric.
In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.
Most people might think Enron was a lesson in detecting executive negligence and fraud. A CEO saying the case centers on "gross negligence" by auditors paints an interesting perspective on management responsibility as well as history.
Consider this brief definition of gross negligence for a physician:
Gross negligence evinces a reckless disregard for the rights of others or smacks of intentional wrongdoing. In other words, gross negligence is an act or omission of an aggravated character, as distinguished from the failure to exercise ordinary care.
Heartland's CEO appears to equate a breach of his systems to this kind of intentional wrongdoing, perhaps even intent to decieve, by those meant to help him assess his compliance with a regulation.
Enron, however, was a very different case. As Time magazine explained in 2002, auditors were found guilty of charges they helped executives of Enron hide risk from the regulators. Executives and auditors were thought to be in cahoots.
Said prosecutor Andrew Weissman: "This is a perfect example of Arthur Andersen sanitizing the record so the SEC would have less information."
It might be useful to also mention that Enron's auditing firm later was found not-guilty and the conviction overturned by unanimous Supreme Court decision (Andersen v. U.S., 04-368).
At trial, Andersen argued that employees who shredded tons of documents followed the policy and there was no intent to thwart the SEC investigation.
A ruling against Andersen could have had onerous consequences for businesses, whose discarding of files is an everyday occurrence. Experts say companies would have had to keep all files for fear that any disposal, however innocent, could subject them to potential prosecution.
In other words the core Enron lesson has to do with the executives intentionally misleading regulators with the help of those working for them. The Andersen case related to questions of client-independence and retention policies with oversight by regulators. The Heartland CEO characterizes the problem as executives who didn't realize they were comitting fraud rather than asking why no one blew the whistle on Enron executives.
Back to South Carolina's Governor, she was quick to throw mud at her regulators: "This is a new era in time where you can't work with 1970 equipment. You can't go with compliance standards of the federal government." See the whole mud-slinging event here:
What she says is true to some degree, you can't go with compliance standards of the federal government to be safe any more than you can take the South Carolina driving test and assume you will be safe on the road. A fair amount of driver intervention is required.
So if a driver has an accident should we expect them to say "…you can't work with 1970 vehicles. You can't just follow government driving compliance standards…?"
Third, given that (1) encryption isn't a proper solution to the loss of credentials and (2) those in charge at the time of a breach sometimes spin blame onto those who try to guide them, do I agree with a Governor's demand that encryption be added to regulation?
I'm obviously pro-regulation for a number of reasons but as I've stated for years encryption is neither difficult nor costly to implement properly. The reasons not to encrypt are fast disappearing, which begs the question of why the Governor wasn't already adopting it. Why did she think she had to wait for regulation by the federal government before she could act?
In 2005 I presented at a conference to card brands and retailers a solution that would allow end-to-end encryption of their customer data.
Although we made great technical progress I will never forget the words of a CFO who reviewed our proposal: "Davi, we don't want to be bleeding edge." That used to be a typical reaction eight years ago and one of the reasons I set out to present to people around the world how to do encryption.
Most recently I ran into this sort of reaction in China, but it seems to have started to wane in America. More and more demand for encryption is starting and regulators have already written it into state laws (e.g. Nevada's 2009 law SB 227 and Massachusetts' 2009 law 201 CMR 17).
And while some states have moved towards explicit encryption, others have implied or suggested encryption laws. Notice, for example, that the 2009 South Carolina breach law offers an encryption safe-harbor clause:
Definition of Personal Information: The first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted
We can thank California's 2003 SB 1386 for the rise in breach laws and encryption clauses over the past nine years but actually we can thank Heartland for most of the mindset shift after 2008 (more than just coincidence with the timing of encryption laws). In other words, I also will never forget (five years after my presentation on end-to-end encryption for PCI) the CEO of Heartland asking why no one had forced him to spend money on end-to-end encryption.
Heartland Payment Systems, the victim last year of a massive data breach of sensitive card data, vowed after that devastating event to develop new security gear based on end-to-end encryption between itself and its merchants to prevent such a breach from occurring again. That's now taking shape, but slowly.
The fact was no matter how I characterized encryption in terms of a long history of deployment and use (don't get me started on the Roman empire) if the regulators did not demand it now, there were always some executives I consulted with who said they didn't see the "pressure" to do it. There were those who wanted encryption to be so far behind their adoption curve that they could hold up a requirement to prove to their constituents that it was necessary (e.g. low risk to them).
So yes, I think regulators should force South Carolina's Governor to adopt the aging encryption controls because, as with Heartland, some leaders haven't been able to take that step before a breach hits the fan. I also think regulators should demand South Carolina's Governor explain how she will use encryption to protect data if keys to encryption have been stolen (e.g. as described in her incident report).
And try not to look suprised when she asks "What do the requirements say…?"
Updated to add: The IRS apparently has responded with a statement that encryption is required, as reported by WMBF news.
The governor says she's meeting with the state's congressmen to have the IRS require encryption in its standards. But the IRS says that's already on the books.
Unfortunately WMBF has a vague and diplomatic quote from the IRS — no specific requirement is cited.
We have many different systems with a variety of safeguards — including encryption — to protect taxpayer data. The IRS has in a place a robust cyber security of technology, people and processes to monitor IRS systems and networks.
We work closely with the states to ensure the protection of federal tax data. We have a long list of requirements for states to handle and protect federal tax information.