Platt Perspective on Business and Technology

From stuxnet to heartbleed – the impact of US national cybersecurity doctrine and practices on businesses and markets 2

Posted in business and convergent technologies, in the News by Timothy Platt on December 13, 2014

This is my 21st installment in an occasional series on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 and Page 2 of that directory, posting 296 and following for Parts 16-20.) This is also my sixth installment in a sub-series within that, with its posting titles collectively identified as: From Stuxnet to Heartbleed.

One of the core elements of Part 19 of this series was a list of issues to discuss, which I offered at the end of that posting. I stated there that I would begin working my way through them in this installment, starting with that list’s first point. After that I will address the second of those points too. Then I will add a concluding note on a recent, as of the date of this writing (September 26, 2014), news event of some relevance to this series. But first, here is that first bullet point, which I repeat as a starting point for this posting’s discussion (with some minor rewording for inclusion in this new context):

• The Obama cyber-doctrine and its implementation through open-ended surveillance programs have raised broad-based civil rights and United States Bill of Rights concerns. And from a business and marketplace perspective, this has led to concern over the capability of businesses to even be able to secure personally identifiable and other confidential customer and employee information. This has led to court challenges and imposed operational restrictions, particularly as US based businesses seek to reach out to and do business with customers in countries that, like Canada and the nations of the European Union, have very strong privacy and confidentiality protection laws in place. And it has also led to increased anticompetitive barriers to participation in marketplaces in countries such as China – a complex of issues that I will also delve into as part of this discussion, as well as discussing business and marketplace pushback.

The complex of issues that I raise in the above bullet point has a history that goes back to well before the September 11, 2001 terrorist attacks on the United States or the Obama administration, let alone the still emerging Obama cyber-defense doctrine (see the series: Learnable Lessons from Manning, Snowden and Inevitable Others, Part 26, Part 27 and Part 28 for a discussion of that US policy development.) So to build a foundation for discussing the above stated Point 1, I offer a brief and selective historical background note.

The issues that I write of here go back to the beginning of online commerce, and to the explosion of personal information that businesses began to collect from their customers, both within their own home countries and from across international borders as they entered into international online commerce. Their reasons for collecting this flood of data were, and I add still are, fairly clear-cut and easy to understand. The more a commercial enterprise can know about its customers, the more fully and effectively it can market and sell to them as individuals, drawing in their business and their repeat business. And the more it knows of these consumers as individuals, the more appropriately focused its marketing outreach can be for them as individuals, and the less wasted and irrelevant marketing it will hit them with. This, I add, means both more effective targeted marketing with increased returns from it and, at least as importantly, a reduction of wasted expenditures from marketing to the wrong people and in the wrong ways – which can drive away potential future customers.

The same basic goals and ideas for reaching prospective customers apply when considering them at a demographic level, in shaping overall marketing campaigns and overall messages to be shared. The defining difference between this approach and the explicitly individualized marketing and sales approach that I just noted above is in how this flood of individual consumer-sourced data is brought together for statistical and other demographic modeling analysis, in better understanding and connecting with broader market segments. It is, at least in principle, fully scrubbed of details that would be connectable to any particular individual and that could be used for identity theft or other individually targeted malicious purposes. But even here, data collection, processing and analysis, use and retention have to be done correctly so as to limit the actual risk of possible malicious use, if a demographic marketing approach is to be done correctly. Online and, I add, bricks-and-mortar storefront businesses actively pursue both approaches.

But up to here I have only considered how this data can be used internally within an acquiring business as a means of developing competitive advantage in its own marketplaces. Many businesses also found early on in this endeavor that the data they were collecting about their customers, and the metadata they added to it through their own sorting, filtering, organizing and analysis, were in and of themselves potentially marketable and sellable commodities too – and certainly when marketed and sold to businesses that were not direct competitors for their own customers in their own markets. And even when they were not selling this data, there was functional value and even need for at least selectively sharing from their consumer data with the supply chain partner businesses that they worked with in fulfilling customer orders and delivering products purchased.

And to add one more thread to this skein: up to here I have been writing of circumstances where an information acquiring and developing business intentionally diffuses out access to its customer data to others, both within and at least potentially outside of its own organization. But:

• Sloppy data management and problematical information technology security policy and practice can lead to loss of control over data, including highly sensitive personally identifiable customer data,
• both within the business, to unauthorized members of its own personnel,
• and to others outside of the business – and all without intent and even in ways explicitly contrary to that.
• And I explicitly note here that experience shows internal malicious hackers, and their activity in compromising their own employers’ customer and other sensitive data, can be more widespread and common than successful outside hacker assault on business data resources. And I add that carelessness (e.g. employee loss of laptop computers in public places that hold critically sensitive data that is not in any way encrypted or protected, or high risk employee use of third party cloud storage) can be an even bigger problem, and certainly for impact on business reputation.

And this leads me very explicitly to privacy laws and the issues of protecting the confidentiality of personally identifying information, where that includes names and contact information of all sorts, sensitive data that could be used to facilitate identity theft such as US social security numbers, and of course explicit financial information such as credit card numbers. Historically, enough businesses have developed and pursued problematical enough approaches to all of this, in the United States and I add in many other countries, to provoke legislative response. And even early on in the development of online commerce, there were enough large-scale, publicly noted data breaches of sensitive personal information to prompt national governments to begin to pass privacy and confidentiality laws mandating better managed and more restrictive business practices; the development of such legislative responses goes back a long way too now.

I have written most of my From Stuxnet to Heartbleed postings up to here with a primary focus on the United States government’s cyber-defense policy and its implications and consequences. But the United States does not exist in an information, or an information security, vacuum, and its actions in conducting widespread and even open-ended surveillance have come to raise red flags, both within the United States and outside of it, that at the very least closely parallel the concerns I have just been discussing about business practices. The core issues in both cases revolve around the security of personal information, and certainly personal information that if misused could cause personal harm.

A progression of privacy and confidentiality laws has been passed and enacted within the United States, at least initially with the goal of regulating the customer data practices followed by American businesses. They have also been invoked in the context of foreign government action, as that is used to surreptitiously gather data about individual citizens and about American based businesses. And I also cite in this context the two foreign legal jurisdictions that I noted in my above starting bullet point: Canada and the European Union. They have very actively developed and enforced legal protections over confidential information, both as it would be gathered concerning individual citizens and as it might be gathered from their businesses too.

• Both Canadian and European Union courts have taken legal action against American based companies for what they see as systematic breaches of the personal privacy and confidentiality protections laid out in their laws, as those businesses gather information about their nations’ citizens.
• Those same legal safeguards and certainly their frameworks of intent can just as easily be seen as being violated by governmental surveillance programs that seek to vacuum in personal data of all types about essentially everyone too.

And this brings me to the second bullet point of my Part 19 list:

• The Obama cyber-doctrine and its implementation, as most recently discussed here in my posting: The Operational Side of National Cybersecurity and its Issues 3 have also directly created avoidable risks for businesses and organizations of all types and for marketplaces and their individual and organizational participants.

When a business gathers sensitive, personally identifiable information about its customers, its employees and at times about others as well, it is legally required to safeguard this trove of potentially damaging data from any and all outside access, except where specifically allowed for, and even legally required, through approved mechanisms. For governmental access, an allowed exception to enforced confidentiality would include divulging data concerning specific named individuals under explicit court order, where those individuals have been brought up on specific criminal charges. A failure to be able to secure data against open-ended access would in most cases be seen as a failure to meet the legal requirements of all of these privacy and confidentiality laws, regardless of whether the breaches were being conducted by private sector or governmental agents.

And this brings me to the more explicitly in-the-news item that I said I would address here at the end of this posting: the revelation of a fundamental software flaw in a tremendously widely deployed and used element of the Unix operating system and of Unix-based software of all sorts: Shellshock. Public revelation of this software flaw indicates that a vast number of computers and computer systems have been at risk, both of being co-opted and taken over by malicious outside interests and of being compromised for the information held on them, with this including everything from major corporate networks to government computer systems to much of the internet’s backbone as a worst case possibility.

As of now, certainly, I have not seen or heard of any evidence to indicate that the US National Security Agency (NSA) or any other US government agency knew of this software bug, or that it was withholding knowledge of its existence for its potential value in cyber-surveillance or in more active cyber-warfare. But the revelations of Stuxnet and of the still recently uncovered Heartbleed bug do indicate that government agencies gather zero-day vulnerability information for possible use, and that they keep these findings to themselves regardless of the potential consequences of not sharing this knowledge. I raise this as a matter of credibility, and to note how the loss of a measure of that can and does spread doubt more widely, to unrelated but similar sounding contexts.

When I first wrote about Stuxnet in this blog I did not have any evidence at hand to suggest that the United States government or any of its agencies had played a direct role in constructing or launching that computer worm as a malware weapon. Then I subsequently learned otherwise and posted that too. Heartbleed does appear to have been a known vulnerability, and to the NSA if nowhere else, and for a significant period of time before its existence became general public knowledge.

I do not know what, if anything, I will have to add to this brief discussion of Shellshock a year from now. But the still unfolding Heartbleed story does raise questions – and it does highlight the level of challenge faced in rebuilding fuller credibility once that has been lost through the way a government agency collects information, including software security vulnerability findings. I may add more on this news story in upcoming installments of this series, as the basic facts of what has happened here become clearer.

I am going to continue this posting’s main points of discussion in a next series installment where I will discuss the third point of Part 19’s list and at least briefly discuss legal frameworks for regulating proper use of personally identifiable information, and for responding to violations of their standards as legally set. And from that starting point I will discuss how businesses based in the United States and following US data practices have been challenged in court when doing business in countries like Canada and member states of the European Union. Then I will raise the specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws. And as noted above, I will also discuss China and their actions in this context.

Meanwhile, you can find this posting and related ones at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation.
