Where’s the SOX inverse for cybersecurity?

Cast your mind back to the early 2000s: WorldCom & Enron imploded due to financial impropriety; government reacted; & IT was left holding the bag.

Cut to now: President Biden signed an executive order to improve government cybersecurity.

Bruce Schneier:

I’m a big fan of these sorts of measures. The US government is a big enough market that vendors will try to comply with procurement regulations, and the improvements will benefit all customers of the software.

Adam Bobrow from Just Security:

The executive order is a good first step, but it won’t stop the constant barrage of cyber incidents that has overwhelmed the United States over the last six months. Unfortunately, the insecurity of networked computer systems is simply too great for any single effort to solve the problem. Instead, the solutions lie on a distant horizon. It is not too soon to start charting a course, and Congress can help.

Both are right, but I’m not sure in what proportion. My thoughts are … drafts.

As I see it, the private sector takes one of four basic approaches to cybersecurity:

  1. Accepts that cybersecurity is key to doing business, and plans and funds accordingly
  2. Knows cybersecurity is important and spends with no planning (blinking lights or shotgun approach)
  3. Knows cybersecurity is important and plans for it but gets no funding (MacGyver approach)
  4. Hopes nothing bad happens because they think they’re not a target (magical thinking approach)

While many companies rely on US government contracts, not all do. I’d be curious to see the breakdown, if such a thing exists. Companies that fall into #4 probably aren’t dealing with government contracts at all, and #2-3 might be in varying amounts.

Back in the day the US government passed something awkwardly but accurately called the Sarbanes-Oxley Act (a.k.a. SOX, “Public Company Accounting Reform and Investor Protection Act” [in the Senate] and “Corporate and Auditing Accountability, Responsibility, and Transparency Act” [in the House]). The crux of the bill IMNSHO was defining IT measures to make it harder for companies to commit financial fraud.

Every IT and InfoSec (it wasn’t called cybersecurity back then) manager worth their salt ran to Finance & the CFO with a budget for all sorts of things to nominally help comply with SOX. The recipients were eager to appear to embrace enforcement.

Most were pet projects that wouldn’t actually help either with SOX compliance or overall security. I saw a request for a tool for a manager to spy on his own desktop support team, one from another manager to increase the storage capacity for audit purposes (but really for his team to be able to share pirated media among themselves), another to set up shadow IT to get around SOX and other oversight (described a parallel production environment for testing purposes which would, in no way, reflect the production environment, of which we had many), and a lot of small stuff that was tangentially related to SOX compliance. There were also purchases of things that would help, but see #2 above.

BTW, the people IT was supposed to rein in were the same people who would approve their SOX budget. And the Big F accounting firms that went along with Enron and WorldCom and the others got to rebrand, keep selling their services, and add a new line of business – SOX auditor.

This was a massive amount of effort and money put into the wrong area with maybe ok intentions. And remember, the stuff that triggered SOX wasn’t impacting most companies’ bottom line.

Maybe it’s time for a reverse SOX that places the onus on CEOs and CFOs to take responsibility for cybersecurity since it is impacting the bottom line. I’m thinking:

  • Security reports to a CSO equal to the CIO and COO, never reporting through the CIO or CFO
  • Legal and Risk are executive sponsors

Big think for sure, but such a requirement by the US or EU government would mean that security wouldn’t be limited by the conflicts of interest these other entities have in an organization.

Keen observers will note that I do not describe where money should go or even how much. It will vary by any number of variables for each company. Those that do not know what to do or how to do it should seek out consulting to help.

※ I worked on Enron and WorldCom when I was employed at EDS in the ’90s.

Seoul Dispatch, week 11

It’s raining in Seoul. The forecast said the accumulation this weekend would be slight. It has not been slight yet.

I’ve been bouncing around between my two main customers, working a bunch of extra hours to keep both sides happy. They’re either both happy as they say and keep asking for more, or they are not happy and want me to do more to fix it. I’ll assume the positive. 

Last weekend was fun. I got out and adventurekateered!


He pulls a Pokémon card, you pull a gun! That’s the Target way!

Pokemon Overboard:

“US retail giant Target will stop selling Pokémon playing cards out of an ‘abundance of caution’ for its staff and other shoppers. The re-sale value of the cards has increased dramatically during the coronavirus pandemic, prompting chaos and threats to staff.” The dramatic rise in the re-sale value of the cards prompted a fight in Wisconsin during which a man pulled a gun. (It’s gonna be pretty hard to come off as tough when telling his cellmate what he got arrested for…)

You know what they say: if you ban Pokémon cards from right thinking people the only ones who will get Pokémon cards are the criminals. How will right thinking people defend themselves against the criminals who have the Pokémon cards?

Such a slippery slope! Thank goodness we’re spending time and resources on limiting the spread of Pokémon cards into the hands of criminals. The only way the situation will change is if we have serious, comprehensive Pokémon card control.


Sanity running on fumes

Oustian Bargain:

“The cyberattack disabled computer systems responsible for fuel production from Texas to the Northeast, and now gas stations in the Southeast are seeing panicked motorists lining up in droves to fill their tanks … Drivers are being turned away from now-empty gas pumps.” Panic Drives Gas Shortages After Colonial Pipeline Ransomware Attack.

+ WaPo: Gas shortages intensify in Southeast, with 28 percent of North Carolina stations now dry. (The frenzied gas buying is one more example of citizens not trusting government officials who are telling them not to panic. This mistrust is a bigger threat than hackers.) [emphasis mine]

That last sentence is killer. Feel free to replace ‘hackers’ with your favorite threat du jour.

Colonial, is this your puddle?

Don’t weep for Colonial … 

naked capitalism:

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ Biden briefed Reuters. Oddly, Colonial’s enormous leak hasn’t generated the same level of coverage.

If you’re not hip to the ransomware story, ZDNet has a decent writeup.

As to more on the pipeline leak that started August 2020 in Huntersville, North Carolina: WCNC, MSN, Charlotte Observer.

And CNBC has a fascinating, eye-opening timeline about the company’s travails. Wow. If it wasn’t for bad luck, Colonial wouldn’t have no luck at all. (h/t Cream)

At least the profit seekers behind the ransomware apologized. Right?