In part one of our conversation with Malcolm Harkins of Cylance, he brought us inside the recent Federal Trade Commission hearings on data security. Harkins shared insights on the costs of security programs, the economic incentives for third-party vendors and the cyber insurance industry. He also stressed the importance of having diverse voices in the room when developing your security strategy. This time, he continues his recap of the FTC event by looking at issues ranging from the FTC’s role in enforcement to the risky assumptions made by too many organizations.
Want to find out what Malcolm Harkins has to say, but don’t have time to read? You can listen to the podcast here.
Government Technology Insider (GTI): At the FTC hearings one of the scenarios your panel discussed was about FTC-required assessments. In this particular case, a company believed that one of their systems didn’t need to be assessed because it didn’t contain any consumer personal information. You’ve previously mentioned that seemingly safe systems, like a retailer’s HVAC system, could be used to get to credit card records. So, when making security assumptions, how should organizations gauge the risks?
Malcolm Harkins (MH): Well, it comes from an understanding of the connection between systems. And, as you mentioned, the HVAC system was reported to be the entrance point for what we all know is the Target breach. You would think that there’s no direct correlation between those systems and therefore there’s no need to look at data protection relative to an HVAC system. But at the same time, if it’s connected to the same network where you’re storing personal information or you’re storing sensitive data, there is a potential path then to go from that HVAC to that sensitive information.
So, getting back to that hypothetical, it might not store the data, it might not process it, but, you still have to look at the direct and indirect connections to that system. Do you have enough general controls throughout the environment to mitigate a system that doesn’t directly connect and might be five steps removed from the sensitive systems, to have enough things there and enough proper control to substantially mitigate the risk? And if the organization does that analysis and comes to the determination that they have reasonable controls in place, then it should be okay to be out of scope. And, if they conclude that they don’t have the right key controls in place to properly mitigate the risk, then they need to do something about it.
GTI: Is this a case of, “How do I know what I don’t know?” or is this more of a case of, “Well, it should have been obvious because there’s a connection from here to there?”
MH: To a large extent, you can argue it should have been obvious because of the connection from here to there. But if you’re looking at it quickly, which in a lot of cases people are doing that, because it’s a scoping exercise, right? And getting into the discussion we had the last time on throwing bodies at it, the internal resources want to minimize the scope of the audits for PCI and some of these things. The extra resources want to increase the scope because they want to have it as large as possible, in some cases, because it means they can do more billable hours to go dig into things. So, you have this kind of push and pull of incentives and then it’s a negotiation. You even have that internally when you’re looking at controls and compliance activity.
So, there’s not a perfect answer other than it needs to be appropriately scoped, which means you need to have the right people thinking about it. It might be a remote possibility, and if it’s a remote possibility you could argue it’s appropriate to de-scope it from what you’re looking at. But it doesn’t mean that you have to fully de-scope it from your information security program, because it’s still a connected system.
GTI: The question came up in the context of it being an FTC-required assessment. These are obviously based on security standards that somebody has established. What’s your sense of the effectiveness of those standards, if in fact it can allow an organization to say, “No, we’re not going to assess that?”
MH: The problem that I have seen with what I’d call the ‘broad array of compliance standards’ is that they’re not outcome-based. They are, “Do you have A-B-C-D-E-F?” It’s a ‘check the box’ exercise and when you start getting into a ‘check the box’ exercise, when it comes to looking at controls — meaning, “Is the light blinking? If the light’s blinking, OK, you’re good” — it shuts off your brain to understanding risk, because all you’re trying to do is check the box and do it as quickly as possible so that you can get on with other activities.
Cylance, as a company, has a variety of compliance things that we need to do. We need to do FedRAMP for the federal government, we need to do SOC 2 to help our customers feel confident of our internal controls, we’ve got to do PCI. Some of these things are good activities because they keep you focused and they’re a periodic review to make sure you’ve got adequate control. But in some cases, I’ll be blunt, some of the compliance standards are completely stupid and idiotic. They gear you towards dated controls that we know don’t work.
I’ve had to do a compensating control analysis because some compliance regime asked me how often I update my DAT and definition files. Which is basically saying, “Do I have traditional AV and am I keeping traditional AV up to date?” — when we know traditional AV doesn’t work. And so, there are compliance regimes that point you towards insufficient or flawed controls, but they’re built into the compliance regimes and that perpetuates the problem.
It’s not risk-based, it’s ‘check the box’-based and that’s where we’ve got to rethink the compliance regimes and really determine are they getting us to a better spot, and are they getting us to the right outcome.
GTI: Of course, compliance only works if it’s enforced. In his opening remarks for the event, Andrew Smith, the Director of the Bureau of Consumer Protection at the FTC said that the FTC is the nation’s primary data security law enforcement agency. Is this truly the case and is this where that authority should lie?
MH: I think, by and large, if you think about it in terms of who’s been doing enforcement actions, the FTC has certainly stepped into that space. And I think by default and based upon what they’ve been doing, they have become that data security law enforcement agency. Now the question just becomes, “Are they doing a good job of that, is that truly their scope and should there be other enforcement activities that are done by other agencies?” And I think you get different answers for each of those other questions.
GTI: What should the limits of the government’s authority be when it comes to private businesses?
MH: I think the government certainly has a substantial role to play in holding organizations accountable for a variety of things. In the FTC’s case, if an organization has failed to live up to the promises it’s made to its customers and consumers, that’s certainly something they need to take care of and address. And that’s why I think they’ve stepped into the data security assessment space, to try and protect consumers and hold organizations accountable to what they’ve said they’re doing, and they’ve gone after a variety of organizations.
They’ve gone after large ones. Heck, they’ve gone after organizations that provide you identity theft protection a few times, and they’ve had to pay out because the FTC found that even though they’re supposedly selling data protection for identity theft, their internal operations weren’t appropriately protecting consumer data or privacy. So, again, you have this intermingling of people that are selling you “protection” that haven’t necessarily lived up to the data security standards that they’ve told people they were doing.
GTI: There were a lot of different viewpoints on your panel at the hearing. Did you see any common understanding of the issues and any path forward for both the FTC and for industry?
MH: I do think there’s common understanding of the issues. I think we all commonly understand that we’re not doing a good enough job — that’s clear. I think there’s common understanding that aspects of compliance regimes and enforcement are good things to do. But, I think there is sometimes divergence on how to solve the problem. And, getting back to what I’ve said before, some of that divergence is based upon the incentives of the individuals that are trying to share their opinion. And it might be more focused on what’s the right thing for their respective industry or their respective profit-loss for their organization, and not necessarily on what the right thing to do to solve the problems should be.
GTI: Based on what you heard (during the hearing), are we even attempting to solve the right problems?
MH: I think sometimes we are, but by and large, as I said earlier, some of the compliance regimes are ‘check the box’ activities that organizations manage to a compliance risk. It’s not managing to what I’d say is ‘real data security’ or ‘real societal risk’ for the systems. And that’s the difference that we’ve got to do. We’ve got to focus on the outcomes, as I’ve said before: “Does the compliance regime get us to the right outcome to protect the business, protect its customers and protect society?” And if the answer to that is “no,” we should be rethinking that compliance regime.
GTI: Anything you’d like to leave us with?
MH: The thing that we’ve touched on a couple of times is the moral obligation, the ethical responsibilities. And the challenge with all of this is you can technically play by the rules but still be at fault. We’ve seen time after time after time, most of the organizations that have gotten breached have done a reasonable job of meeting the compliance standards. So, then you go, “OK, well, why have they been breached?” Well, the controls weren’t sufficient. That’s where, again, ethics comes in and that’s what it’s all about. You’ve got to go beyond just following the rules and think about, “Are those rules the right rules, and are they putting you on the path to manage and mitigate the risk properly?”
There was a quote Winston Churchill had sometime during World War 2: “It is no use saying we are doing our best. You have to succeed in doing what is necessary.” I don’t necessarily perceive that we’re going beyond our best. We’re not adequately solving these risk issues, so we’re not doing what is necessary, in some cases, to properly manage and mitigate the risk. And that’s what we need to be focused on.