Category Archives: Security

US Navy Ignores Pirates

Well, I stand corrected. I mentioned earlier that I thought the US would show concern for the problem with pirates near the Horn of Africa. Not so, points out the Danger Room from

“The coalition does not have the resources to provide 24-hour protection for the vast number of merchant vessels in the region,” Combined Maritime Forces commander, U.S. vice admiral Bill Gortney tells Reuters. “The shipping companies must take measures to defend their vessels and their crews.”

Taking a historical view, it pains me to read this. One of the primary reasons the United States of America dumped the Articles of Confederation and wrote the Constitution of the United States was to gain the power of taxation. And the primary reason the founding fathers needed taxation was so the country could build a Navy for the specific purpose of fighting pirates.

I also find it very frustrating that last Thursday, the Admirals stood in front of the American people in Durham and discussed in detail the role of naval power to protect the global system to ensure the free flow of trade. Yet here we have a clear example of trade disruption on the seas, and the U.S. Navy basically tells ship owners they can’t solve the problem.

Nicely said. My opinion was biased by speaking with former crew of US warships that patrolled the Indian Ocean. They said special forces teams would often helicopter in (probably from Djibouti), brag about taking out pirates on secret missions, and then disappear again. Perhaps it is only certain merchant ships that get this treatment. France, which actively maintains a large military base in Djibouti and operates an African rapid deployment force (RDF) from there, certainly seems ready and willing to make an impression on the pirates. Perhaps I am biased there too, as I once met a former Foreign Legionnaire stationed in Djibouti who spoke of fighting Somalis.

Why are there more breaches?

Adam has posted a note on Emergent Chaos called 2008 Breaches: More or More Reporting?

I’ll take the bait.

First, I find it interesting that the number he quotes from the ITRC is so far ahead of other accounts. I did a breakdown of all breach data from 2000 to August and the numbers were quite a bit lower than the ITRC estimates. I will go back and include the September numbers and then cross-reference to ITRC data to see where there might be gaps.

Back to the question at hand, all the evidence I have seen points to the fact that more organizations are gaining the capability/awareness to report breaches.

A couple of years ago many people operated under the idea that the absence of evidence meant they had evidence of absence (to paraphrase Carl Sagan). I have worked with people in important positions in large global organizations, as well as small businesses, who literally believe that it is better to keep a positive attitude about things until there is absolutely no way to avoid the facts. This rather lazy attitude towards security and investigations means quite a number of breaches relied on a sufficient mass of angry consumers complaining to regulators before companies could be bothered to look around. The case against Senator Stevens of Alaska, as well as the evidence of Governor Palin’s management style, are prime examples of the pervasiveness and widely accepted nature of this attitude.

Prior to the California breach law, executives commonly used ignorance of breach evidence, or even of the harm from breaches, as an excuse for inaction and for avoiding accountability. Destroying evidence and gagging negative data was considered a natural reaction when trying to keep things “on track”. This should no longer be as much of a problem wherever executives are responsible for reporting breaches and maintaining awareness of the safety and security of data.

Therefore, I would argue that the breach numbers are increasing because of two things:

  1. The ability of organizations to detect breaches has improved. Due to regulation, an increasing number of companies are starting to actually monitor well enough to detect unauthorized activity and breaches. This includes appointing people who are responsible for determining whether official notification is required — thinking about risk on behalf of those affected.
  2. The underground economy is expanding, meaning more skilled workers are actively trying to breach companies. I believe the actual number of breaches is increasing because the value of assets has been widely demonstrated, while the security of companies holding the assets remains questionable. This is a simple economic model where threats are expected to increase until countermeasures can either reduce the value of the assets (make them harder to use) or control them better (make them harder to steal).

It may also be worth noting here that I found 99% of all reported breaches are in the US, Canada, and UK (90% are in the US). I’m working on a deeper analysis of why and how, so I’ll post more later. Much of the data will also be presented in my webinar next Thursday on PCI DSS 1.2.
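The cross-referencing against ITRC data mentioned above, and the country breakdown, both come down to the same chore: lining up two breach lists that spell organization names differently and publish dates a day or two apart, then counting what remains. The script below is an added illustration of that reconciliation, not code from this blog or from the ITRC; the two lists are constructed sample records (not real breaches), the normalization rules and the month-level matching are my assumptions, and real trackers would need the same treatment applied to their own export formats.

```python
"""Reconcile two breach lists and summarize reported breaches by country.

Added example. The records below are constructed samples, not real
incidents; the matching rules (normalized organization name plus
year-month) are an assumption about how two trackers usually disagree.
"""
import re
from collections import Counter

# Constructed records: one list standing in for the author's breakdown,
# the other for an ITRC-style tracker that spells names differently and
# dates the same incidents slightly later.
MY_LIST = [
    {"org": "Acme Retail, Inc.", "date": "2008-03-14", "country": "US"},
    {"org": "Northwind Bank", "date": "2008-05-02", "country": "US"},
    {"org": "Maple Credit Union", "date": "2008-06-21", "country": "CA"},
    {"org": "Oldham Council", "date": "2008-07-09", "country": "UK"},
]
TRACKER_LIST = [
    {"org": "ACME RETAIL INC", "date": "2008-03-15", "country": "US"},
    {"org": "Northwind Bank", "date": "2008-05-02", "country": "US"},
    {"org": "Oldham Council", "date": "2008-07-10", "country": "UK"},
    {"org": "Sunrise Clinic", "date": "2008-08-30", "country": "US"},
    {"org": "Fjord Hospital", "date": "2008-09-03", "country": "NO"},
]

# Corporate suffixes that vary between sources and carry no identity.
_NOISE = {"inc", "ltd", "llc", "corp", "co", "the"}


def normalize_org(name):
    """Lowercase, drop punctuation and generic suffixes: 'Acme Retail, Inc.' -> 'acme retail'."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(t for t in cleaned.split() if t not in _NOISE)


def record_key(rec):
    """Match on organization plus year-month; trackers rarely agree on the exact day."""
    return (normalize_org(rec["org"]), rec["date"][:7])


def reconcile(list_a, list_b):
    """Return which incidents both lists share and which appear in only one."""
    keys_a = {record_key(r) for r in list_a}
    keys_b = {record_key(r) for r in list_b}
    return {
        "both": sorted(keys_a & keys_b),
        "only_a": sorted(keys_a - keys_b),
        "only_b": sorted(keys_b - keys_a),
    }


def merged(list_a, list_b):
    """Union of both lists with duplicates collapsed, keeping the first record seen."""
    seen = {}
    for rec in list_a + list_b:
        seen.setdefault(record_key(rec), rec)
    return list(seen.values())


def country_share(records):
    """Fraction of records per country, rounded to three places."""
    counts = Counter(r["country"] for r in records)
    total = sum(counts.values())
    return {c: round(n / total, 3) for c, n in counts.items()}


if __name__ == "__main__":
    diff = reconcile(MY_LIST, TRACKER_LIST)
    print("matched:", diff["both"])
    print("missing from tracker:", diff["only_a"])
    print("missing from my list:", diff["only_b"])
    print("country share of merged set:", country_share(merged(MY_LIST, TRACKER_LIST)))
```

Bucketing by year-month is deliberately crude: an incident one tracker dates January 31 and another February 1 will show up as a gap on both sides, so anything reported as "only in one list" deserves a manual look before it is counted as a missed breach rather than a date disagreement.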