David Thaw-Cybersecurity Stovepiping-20151220-Naver...


Transcript of David Thaw-Cybersecurity Stovepiping-20151220-Naver...

Page 1: David Thaw-Cybersecurity Stovepiping-20151220-Naver ...securityplus.or.kr/data/2015/DavidThaw/DavidThaw20151222.pdf · Cybersecurity Policy Mistakes Teach Important Lessons • Cybersecurity

12/21/2015

1

2015-Dec-22

CYBERSECURITY STOVEPIPING

Considerations for Developing Cybersecurity Policy in the Global Information Age

DAVID THAW

UNIVERSITY OF PITTSBURGH

2015-Dec-22

OVERVIEW

Issues Addressed:

• What is cybersecurity?

• What is unique about cybersecurity which makes it difficult to connect technical expertise to policymaking outcomes?

• An example of policymaking failure – complex passwords

• Why does cybersecurity (necessarily) involve law?

• How can policymakers engage the necessary expertise when developing cybersecurity policy?

• What is missing from existing technical expertise?

• What can empirical research demonstrate about the effectiveness of various cybersecurity policy approaches?

The Efficacy of Cybersecurity RegulationDavid Thaw, University of Pittsburgh


STARTING POINT

What is “Cybersecurity”?

• To answer this question, we first must understand what is “security”?

• There is no “perfect” security

• Security is difficult to define in absolute terms

• Instead, it often is defined in relative terms

• Security thus becomes about measures designed to achieve specified goals

• What is “cyber”?

• “Cyber” actually is a poorly-descriptive term – it misleads us into thinking that technical solutions should be the primary focus

• Protecting sensitive data and information systems also requires considering physical and administrative (process) security


STARTING POINT

What is “Cybersecurity”?

• Thus, cybersecurity becomes an exercise in defining goals and ensuring appropriate measures are in place to meet those goals

• Note, again: this is a relative function

• Restated simply:

Cybersecurity is about ensuring that risk mitigation techniques (appropriate measures) match an entity’s risk tolerances (goals).

Thus, cybersecurity becomes a question of economic-like tradeoffs.


POLICYMAKING LESSONS FROM CYBERSECURITY

Cybersecurity Policy Mistakes Teach Important Lessons

• Cybersecurity has two aspects which make it very challenging for legal and organizational policymakers:

• (1) it is a highly technical subject matter

• Requires depth of expertise

• (2) it is a highly complex subject matter interrelated with many other issues

• Requires breadth of expertise

• Concurrently engaging both depth and breadth of expertise is difficult – generally the two types of expertise do not overlap

• Classic example of a mistake when trying to engage such expertise – complex passwords

Cybersecurity StovepipingDavid Thaw, University of Pittsburgh


THE PROBLEM OF PASSWORD COMPLEXITY


PASSWORD COMPLEXITY

Should policymakers require “complex passwords” as part of an overall defense strategy?

• Password Complexity: the proposition that requiring certain mathematically-complex characteristics for users’ passwords will increase the overall security of a computing system

• “overall security” is the critical point

• Password complexity requirements certainly can increase the difficulty of certain types of attacks (e.g., “guessing” attacks such as brute-force or dictionary attacks)

• If the overall security of the system is not improved, however, the proposition underlying password complexity requirements is not satisfied


PASSWORD COMPLEXITY

Should policymakers require “complex passwords” as part of an overall defense strategy?

• Overall Security: the probability, taking into account all vectors of attack, that a system will be compromised

• “online” and “offline” password attacks are important components

• However, other factors such as social engineering and usability must also be considered

• Key question: against what attacks do complex passwords protect, and at what cost?


ATTACK VECTORS

Methods of System Compromise Against Which Complex Passwords Might Defend

• “Online” Attacks

• Password guessing methods (via authentication interface)

• brute-force

• dictionary attacks

• both require an “unsecured” authentication interface

• “Offline” Attacks

• Password guessing methods (via stolen password storage tables)

• brute-force

• dictionary attacks

• both require: (1) “weakly secured” password storage tables; and (2) access to download the password storage table


ATTACK VECTORS

Methods of Compromise Vulnerable to Complex Passwords

• Social Engineering Attacks

• Password reset function

• Helpdesk/technical support

• “Shoulder-surfing”

• When passwords are difficult for users to remember (“usability” issue), users are more likely to engage in other practices to circumvent complexity requirements

• Frequently relying on password-reset functions

• Frequently calling the helpdesk/technical support

• Writing down passwords

• Using “common” passwords: “Password1”


ATTACK VECTORS

Efficacy of “Complex Password-Based” Defensive Measures

• Proposition: each authentication attack against which complex passwords defend has a superior defensive mechanism

• Corollary: identifying this requires focus “outside” the “depth expertise” of password complexity and cryptology

• Proposition: the differential in overall security achieved by complex passwords is limited by the degree to which users experience usability challenges with complexity requirements

• Corollary: if complex passwords only add marginal value, because other defensive measures are in place, the overall security impact of password complexity requirements may in fact be negative


ATTACK VECTORS

Efficacy of “Complex Password-Based” Defensive Measures

• Proposition: usability limitations on complex passwords require the introduction of “secondary authentication measures” when passwords fail

• e.g., the “password reset function”

• Because passwords fail so frequently, users demand “usable” reset functionality

• Most commonly, this involves asking the user to answer questions involving details of their personal life

• Vulnerability: details of individuals’ personal lives often are publicly available information!

• e.g., the compromise of then-Vice Presidential Candidate Sarah Palin’s email account in 2008 – achieved through the password reset function!


CHEAPEST-COST AVOIDER

Complex Passwords Illustrate the “Cheapest-Cost Avoider” Problem

• Assuming these propositions are true, the following conclusion results:

• Complex passwords may actually weaken system security because system administrators are in a better (economic) position to implement security measures (e.g., securing authentication interfaces) which provide sufficient defense such that any marginal difference afforded by password complexity weakens overall security by introducing new attack vectors

• Key Question: why was this concept “missed” by policymakers and experts?
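A constructed illustration of the two slides above, added here and not taken from Thaw’s deck: a conventional complexity rule accepts the common password “Password1” (and rejects a long passphrase), while the defences the administrator is better placed to supply, a throttled authentication interface against online guessing and salted, iterated hashing of the stored password table against offline guessing, work regardless of how “complex” the password is. Function and class names, the thresholds (5 failures, 900-second lockout, 200,000 PBKDF2 iterations) and the sample passwords are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Added illustration (not Thaw's code). All names, thresholds and sample
# passwords below are assumptions chosen for the demo.

# A conventional "complex password" rule: minimum length plus at least one
# upper-case letter, one lower-case letter and one digit.
COMPLEXITY_RULES = [re.compile(r"[A-Z]"), re.compile(r"[a-z]"), re.compile(r"[0-9]")]


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """True if the password satisfies the (weak) complexity rule."""
    return len(password) >= min_length and all(r.search(password) for r in COMPLEXITY_RULES)


# Storage defence against OFFLINE guessing: salted PBKDF2-HMAC-SHA256 with a high
# iteration count, so each guess against a stolen table costs real CPU time.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class AuthInterface:
    """Interface defence against ONLINE guessing: lock the account after
    `max_failures` wrong attempts, whatever the password's 'complexity'."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._store: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def register(self, user: str, password: str) -> None:
        self._store[user] = hash_password(password)

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is a caller-supplied clock
        (seconds) so the lockout window can be exercised deterministically."""
        if self.is_locked(user, now):
            return "locked"
        record: Optional[Tuple[bytes, bytes]] = self._store.get(user)
        if record is not None and verify_password(password, *record):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return "denied"


def demo() -> Dict[str, object]:
    """Run the constructed scenario and return the observable results."""
    auth = AuthInterface(max_failures=5, lockout_seconds=900.0)
    real_password = "correct horse battery staple"  # constructed passphrase
    auth.register("alice", real_password)
    # Five guesses following the 'complex but common' pattern the slides mention.
    guesses = ["Password1", "Password2", "Password3", "Password4", "Password5"]
    guess_results = [auth.login("alice", g, now=0.0) for g in guesses]
    return {
        "common_password_passes_rule": meets_complexity("Password1"),
        "passphrase_passes_rule": meets_complexity(real_password),
        "guess_results": guess_results,
        "correct_password_while_locked": auth.login("alice", real_password, now=1.0),
        "correct_password_after_lockout": auth.login("alice", real_password, now=1000.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lockout caps the number of online guesses an attacker can make per window no matter what the password looks like, and the iterated salted hash makes each offline guess expensive; both controls are implemented once by the operator rather than imposed on every user, which is the cheapest-cost-avoider point the slide makes.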


RESULTS

Considering All Relevant Factors

• The net security benefit of complex passwords is negative

• Complex passwords do provide some (very) limited additional security benefit, albeit not as the cheapest-cost avoider

• Complex passwords open up other attack vectors

• What then? More layered authentication? Multi-factor?

• No – this also introduces usability problems

• Not only are nominally-complex passwords sufficient, but passwords are a necessary element of system security and should not be replaced

• Passwords are scientifically-unique:

• (1) unobservable (when not in use)

• (2) inalienable (except when forgotten!)

• Passwords are the only current authentication technology which satisfies both these requirements!


HOW DID WE GET HERE?

If These Propositions are Correct, How Did This Result?

• Surely, computer scientists cannot have missed this problem for over 25 years

• (in fact, they did not – see Florencio, Herley, and Coskun, “Do Strong Web Passwords Accomplish Anything?” (2007))

• Although, notably, research along these lines has not been strongly favored in Computer Science

• Rather, much technical research focuses on alternatives to passwords – instead of examining whether passwords actually are problematic

• How then, has such a policy persisted for so long?


BREADTH VS. DEPTH EXPERTISE

Lack of “Breadth” (or Interdisciplinary) Expertise

• Examining the “Full Scope” of cybersecurity problems requires looking at questions of computer science, economics, psychology, political science, sociology, law, organizational theory – a full, comprehensive, interdisciplinary approach. Examples from the “Complex Passwords Problem:”

• The concept of the “Cheapest-Cost Avoider” is a principle primarily arising from economics

• The concept of usability includes aspects of psychology and sociology

• But cybersecurity expertise and research is highly-focused on technological depth, not interdisciplinary breadth


EXPERTISE AND POLICY “ENTRENCHMENT”

Computer Scientists Do Recognize the Shortcoming of Passwords

• “Internal” Stovepiping – failing to collaborate within Computer Science – does not explain the whole story

• Why then do ineffective password policies exist?

• 1979 paper by Morris and Thompson – identified vulnerabilities in passwords on UNIX systems

• Correct in the context of the time

• Complex password requirements emerged from this work

• But – completely inapplicable to modern computing systems!

• So why do these policies still exist?


EXPERTISE AND POLICY “ENTRENCHMENT”

Consider the concept of “Policy Entrenchment”

• Once in place, it is more difficult to change a policy than it was to enact the policy in the first place

• Thus, reversing a policy requires more than proof that policy no longer is effective

• Reversing a policy requires more – it requires proof that continuing the policy actively is harmful

• “Nobody ever got fired for buying IBM”

The Stovepiping Question is About Policymaking

• Computer scientists did not fail to understand overall system security

• Rather, computer science research failed to overcome policy entrenchment because it did not also incorporate the necessary economic analyses


CYBERSECURITY AND LAW

Why does cybersecurity (necessarily) involve law?

• Cybersecurity comprises three primary elements:

• (1) determining risk tolerances (goals)

• (2) identifying risk-mitigation techniques (measures)

• (3) developing plans and procedures to ensure that risk-mitigation matches risk tolerance (system of rules)

• This is very similar to lawmaking in society

• Furthermore, information systems operate within a global social context – these technologies are a part of society (and laws are the “policies”) which govern society

Laws function in society similar to how security policies function in organizational environments

• Many factors must be considered in developing laws

• We can borrow from this expertise to learn about developing more effective cybersecurity policies in organizations


ENGAGING EXPERTISE

How can policymakers engage the necessary expertise to properly identify risks, set goals, develop proper risk-mitigation techniques, and ensure those techniques match the goals?

• Need techniques to engage diverse expertise both in the rule-writing process and in the implementation process

• Like in lawmaking, cybersecurity policymakers should consider diverse impacts including principles from:

• Economics

• Usability Studies (UI/UX)

• Psychology

• Additionally, policymakers should require empirical evidence to support specific technical recommendations


AN EXAMPLE…

Consider an example comparison of cybersecurity policy in the United States

Compare:

• Healthcare information security (HIPAA)

• Flexible regulation

• Allows adaptation to the needs of individual organizations

• Focuses on risk management

• General data breach regulation (SBNs)

• Strict compliance approach

• Applies to (almost) all organizations

• Focuses on risk prevention


HIPAA SECURITY RULE

• Health Insurance Portability and Accountability Act (HIPAA)

• Requires the Department of Health and Human Services to promulgate regulations establishing information security standards for the handling of Protected Health Information (PHI)

• “Security Rule”

• Requires “Covered Entities” and their “Business Associates” to conduct risk assessments and develop plans and procedures to protect against:

• (1) Administrative risks;

• (2) Technical risks; and

• (3) Physical risks

• Plans/procedures must be appropriate to the size, scope and capability of the organization

• Additional detail provided for each category

• There has been some enforcement activity (through OCR)


SBN “TRIGGERING” DATA

[Diagram: Identifier (usually name) + Sensitive Personal Information = Reportable Breach]

Three Common Types of Sensitive Personal Information:

• Social Security Number

• Payment Card/Account Number*

• Gov’t-Issued ID Number*

But: exception for “encrypted” data!

SBNs require organizations to disclose certain types of security incidents involving the unauthorized access of “Personal Information”


QUANTITATIVE ANALYSIS

Dependent Variable: “Reportable” Security Breach Incidents

Data source – DataLossDB

• Maintained by the Open Security Foundation

• Was an open-source effort, similar to Wikipedia

• Claimed to include all reported and/or publicly known security incidents involving breaches of sensitive personal information

• For the examined period, this was largely true

• In mid 2011, however, the Open Security Foundation removed open access to DataLossDB in an effort to monetize their data for profit purposes, precluding further research

• Since that time, the quality of their data has deteriorated

Examined data from January 1, 2000 through February 17, 2011


BREACH INCIDENCE

Challenges:

• No centralized repository of all security incidents

• DataLossDB only included reported incidents, most of which are reported pursuant to SBNs

• How do we analyze effects of SBNs?

Solution: compare reporting rates between two groups:

• Previously Regulated Entities (PREs): organizations previously subject to management-based regulatory delegation models (healthcare and finance)

• Previously Unregulated Entities (PUEs): organizations not previously subject to regulatory delegation (all others)


BREACH INCIDENCE

Hypotheses:

• At some time t1 SBNs began to take effect (roughly mid-2004)

• Before t1 reporting rates were nominal

• After t1 reporting rates increased as organizations start to report

• At some time t2 SBNs’ effect reached saturation (roughly mid-2008)

• Reporting rates decreased after t2 as organizations take steps to reduce the number of breaches they must report


BREACH INCIDENCE

Framework for Testing Hypotheses:

• Absolute reporting rates difficult to compare

• Firms will have substantial incentive to reduce their reported breaches

• Comparing the relative decrease in reporting rates between PREs and PUEs will reveal information about their respective capacities to reduce incidents triggering reporting requirements

Observations:

• The more rapidly reporting rates decrease after t2, the more “room for improvement” that group had

• Reporting rates for PUEs decreased nearly four times as rapidly as those for PREs

• The management-based regulatory delegation models of information security to which PREs were subject gave those organizations greater capacity to reduce/prevent security incidents involving breaches of personal information
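The comparison framework described on the preceding two slides, carried out on constructed data as an added example (not Thaw’s analysis code and not DataLossDB figures): for each group the per-period exponential rate of change of reported incidents is estimated by a least-squares fit of ln(count) against time, separately before t1, between t1 and t2, and after t2; the post-t2 decline rates of PUEs and PREs are then compared as a ratio, which is the slide’s “room for improvement” measure. The quarterly counts, the indices chosen for t1 and t2, and the function names are assumptions for the demo; the counts are shaped so that PUEs decline roughly 3.5 times faster than PREs after t2.

```python
import math
from typing import Dict, List

# Added illustration (not Thaw's analysis code). The quarterly counts are
# CONSTRUCTED to mimic the shape the slides describe; they are not DataLossDB data.
T1 = 4    # assumed index of the period in which SBNs begin to take effect
T2 = 12   # assumed index of the period in which the SBN effect saturates

CONSTRUCTED_COUNTS: Dict[str, List[int]] = {
    # Previously Regulated Entities (healthcare/finance): gentle decline after t2
    "PRE": [2, 3, 2, 3, 8, 14, 22, 30, 38, 44, 48, 50, 50, 47, 45, 43, 41, 39, 37, 36],
    # Previously Unregulated Entities (all others): steep decline after t2
    "PUE": [3, 2, 4, 3, 12, 25, 45, 70, 95, 115, 130, 140, 140, 118, 100, 84, 71, 60, 51, 43],
}


def log_linear_slope(counts: List[int]) -> float:
    """Least-squares slope of ln(count) on period index.
    A negative value is a per-period exponential decline rate."""
    n = len(counts)
    if n < 2:
        raise ValueError("need at least two periods")
    xs = range(n)
    ys = [math.log(c) for c in counts]  # counts must be positive
    x_mean = (n - 1) / 2
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    return sxy / sxx


def phase_slopes(counts: List[int], t1: int, t2: int) -> Dict[str, float]:
    """Slopes for the three phases of the hypothesis: before t1, t1..t2, after t2."""
    return {
        "before_t1": log_linear_slope(counts[:t1]),
        "t1_to_t2": log_linear_slope(counts[t1:t2]),
        "after_t2": log_linear_slope(counts[t2:]),
    }


def relative_decline(data: Dict[str, List[int]], t2: int) -> Dict[str, float]:
    """Compare how fast reporting rates fall after t2 in the two groups.
    The PUE/PRE ratio is the slide's 'room for improvement' comparison: a
    larger post-t2 decline means the group had more capacity to reduce
    incidents that trigger reporting."""
    decline = {group: -log_linear_slope(counts[t2:]) for group, counts in data.items()}
    decline["PUE_over_PRE"] = decline["PUE"] / decline["PRE"]
    return decline


if __name__ == "__main__":
    for group, counts in CONSTRUCTED_COUNTS.items():
        print(group, {k: round(v, 3) for k, v in phase_slopes(counts, T1, T2).items()})
    print({k: round(v, 3) for k, v in relative_decline(CONSTRUCTED_COUNTS, T2).items()})
```

Working with rates of change rather than absolute counts is what makes the two groups comparable despite their different sizes and reporting baselines, which is the reason the slide gives for not comparing absolute reporting rates directly.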


HEALTHCARE/FINANCE PERIODIC BREACH INCIDENCE

[Chart: periodic breach incidence for healthcare/finance (PREs); not reproduced in the transcript]


ALL OTHER INDUSTRIAL SECTORS PERIODIC BREACH INCIDENCE

[Chart: periodic breach incidence for all other industrial sectors (PUEs); not reproduced in the transcript]


CROSS-SECTOR COMPARISON: IMPROVEMENT REMAINING FOR INDUSTRY

[Chart: cross-sector comparison of improvement remaining; not reproduced in the transcript]


CONCLUSIONS

Focus on Risk Management, Not “Risk Prevention”

• Flexible models of information security focused on risk management (rather than risk prevention) improve organizations’ capacity to address security incidents involving reportable breaches of sensitive personal information

• This flexibility helps organizations focus on the specific threats they individually face, rather than diverting limited security resources to generalized defenses well-known to attackers

• Risk-management approaches “bring security into the (executive) conversation”

• It becomes a “business risk decision” – and, importantly, part of an organization’s overall strategy


QUESTIONS?

Thank you!

David Thaw, Assistant Professor of Law and Information Sciences, University of Pittsburgh

[email protected]

http://www.davidthaw.com


APPENDIX – EXAMPLE QUOTES

SBNs drive encryption policies:

• “. . . [SBNs] caused us to . . . in a very short period of time, encrypt 40,000 laptops . . .” (CISO of a large healthcare organization)

• “. . . What we have done is all computers now have to be encrypted.” (CISO of a large telecommunications company)


APPENDIX – EXAMPLE QUOTES

SBNs drive encryption policies:

• “So what’s happened since the Notification Laws have become sort of ubiquitous in the last three years [is] the security investment is moved, essentially to crypto. If it moves, encrypt it. If it stays there, encrypt it. There’s not much reflection on whether or not actually anyone ever uses that data. It’s still a breach.” (CISO of a large healthcare organization)

• “And so what’s been really interesting about the Notification Laws is [they] have come in and [ ] essentially reversed the whole direction security was taking from when I started this job.” (CISO of a large healthcare organization)


APPENDIX – EXAMPLE QUOTES

CSO of a large healthcare organization

• “They [the Department of Health and Human Services] stayed technology-neutral. They didn’t specify exact levels of encryption. They didn’t specify exact methods of user authentication. A lot of that was in the proposed rule, and they very rightly took it out.”
