Over the last several years, computing has changed to an almost purely
networked environment, but the technical aspects of information protection
have not kept up. As a result, the success of information security programs
has increasingly become a function of our ability to make prudent management
decisions about organizational activities. Managing Network Security takes
a management view of protection and seeks to reconcile the need for security
with the limitations of technology.
In the last week, I have personally faced three issues of what to report to whom, I have been made aware of at least three others who have similar issues and seek advice, and throughout my career, I seem to face these issues on a daily basis. Now I am not a lawyer, and nothing I am going to say in this article should be construed as legal advice or even demonstrating a clear understanding of legal issues. Furthermore, all of the comments I have of a legal nature are based on the limited venues I have been made aware of, and international legal issues are far too complicated for me to even start to address. Having made my initial limitation of liability statement, I will now press on.
One of the most common issues faced by information security professionals today, is what should be reported to whom, and the area where this seems to come to a head more than anywhere else, is in the case of security incidents. While the average employee probably has a clear duty to report incidents to their next level of management, when things reach a certain level and the information about incidents reaches a certain threshold of pain, the reporting question seems to become extreme.
In this article, I am going to start with a few real-life examples, with the names and some of the facts changed to protect the anonymity of the parties. Nevertheless, I can assure you that (1) each case I am about to discuss is a very close approximation of an actual situation, and (2) at least three people will contact me about each of these cases indicating that they recognized them as their situation and wonder how I gained access to their facts. I'll answer them now to save time. It's not your case I am talking about. It was another person's case that is very similar to yours. But contact me anyway - so I can update my on-line users as to the real number of people who indicated similar situations.
The examples below are representative of moral dilemmas in the information protection business. On a busy week, I might get all of these, but most of the time, it doesn't come that quickly. Most information protection professionals I know encounter situations like one or more of these several times a year.
Case 1: A vendor was supplying security for a distributed database system containing critical medical information about patients with diseases such that, if the details of their cases and identities were publicly released, it could cause devastating effects on their lives. After the system was adequately secured against the identified threats to handle this situation reasonably well, the owners decided that they wanted to turn off various security features and connect the database to the Internet. The vendor was faced with the problem of who to tell and what to tell them AFTER the owners of the system had been notified of the enormous risks and lack of adequate protection and decided to proceed even with these risks present.
Case 2: An assessment of a critical system that could effect millions of peoples' lives and have significant impacts on the global economy produced information that indicated the presence of high-grade threats, ongoing exploitation, and enormous potential for harm. The client indicated that all information provided during the study was confidential, but the people performing the study believe that the only way to track down the attackers and mitigate massive harm may be to tell law enforcement about criminal activity uncovered during the study.
Case 3: An assessment of a small financial system produced information that would tend to indicate that insider fraud had taken place and could still be underway. It was possible, based on these results, that the management chain above the people who sponsored the assessment were participants in the suspected but not proven fraud. The problem came up of who the report should go to, and whether the report should go to the top level management above the managers above the people who sponsored the work.
Case 4: In using a system, a possible input overflow error was found which could be used to remotely crash or break into most of the computers in the world. Who should I tell what about it and when?
Give a person a fish, and they can eat for the day. Teach a person to fish and they can eat for a lifetime. Each of these examples has a range of answers depending on the judgments of consequences and so forth, but rather than try to address them in specific here, I want to discuss the issues that I think have to be considered in making prudent judgments. It may seem backwards, but sometimes it helps to turn things around.
When I encounter these sorts of situations, I use a semi-standard approach that has proven its worth time and again. The basic idea is to consider all points of view in terms of that I call duties and obligations.
Considering all points of view is sometimes discussed in terms of stake-holders - those who have a stake in the outcome. Typical stake-holders include you, your family, your company, your clients, your clients' families, and other parties affected by outcomes. When considering each stake-holder, it is also important to consider that each of them individually may have mixed feelings and many of them are groups of people who almost certainly have differing views.
In addition to the fact that many people may be involved with differing views, there are different aspects of these views that come into play in the form of different sorts of duties. Each view of each stake-holder can be considered in terms of each sort of duty, and then the results can be analyzed and weighed in order to make a prudent decision - in theory.
In practice, we make judgments. These judgments are largely based on experience, and those with less experience tend to make a wider range of choices than those of us who have already felt the pain of certain of them. Fortunately, we tend to forgive youth, but unfortunately, the settings of most organizations eventually squeeze our judgments to the point where we are unlikely to make prudent choices, especially when we need to do it as an organization.
In every job I have worked on, there is a contract of one form or another. The contract normally states what the responsibilities of the parties are. If the contract is well-written, it includes a number of provisions that clarify the duties of the parties, but very few of the contracts I have gotten are well-written. In the normal course of events there is either a purchase order, which is the same form used for buying toilet paper, or there is an employment contract, which is the same one used for the janitor, but usually quite different from the one give to the CEO.
To help demonstrate this issue, here is the full text of an Agreement for Services used to purchase security management consulting - with a few of the names and numbers left out:
XXX agrees to utilize the services of YYY as a Management Consultant.
Terms: (the price per day)
Client: (the client name and address)
Start Date: (whatever)
Duration: OPEN
Direct Report: (name)
Fidelity, Insurance: YYY will be covered under XXX's bond and general liability insurance. YYY will be presented with a hold harmless letter provided by client.
Agreed upon (date and signatures)
It doesn't exactly cover the issues we are discussing, does it? Of course, not all contracts are this way. Here's a different one:
Yep. That's the only thing specified in terms and conditions, it is in very small print at the bottom of a page, and the conditions referred to are not provided with the purchase order. If you ask for them, you may eventually get them, but that might actually bind you in some way, so perhaps ignorance is bliss.
I don't want to get too hung up on contractual issues, but I think it's important to note that not all contracts are this open. Here's one I use with consultants that work with me for clients:
AGREEMENT between you and Fred Cohen:
1) Non-disclosure agreement
In order to protect the extremely valuable information encountered in the course of assessing and addressing security vulnerabilities, you, the consultant agree to hold all information provided to you in relation to any and all work performed for, through, and with Fred Cohen in strictest confidence. This applies both to information that is not generally known and to information that is publicly known, and which might be confirmed or refuted based on your special knowledge of the situation. This confidentiality agreement holds without limit, except in cases, if any, where you are legally compelled to testify by court order. In those cases, you will only reveal information specifically required by the legal process and will tell Fred Cohen and any other affected parties about the situation at the earliest practical moment.
You acknowledge that revealing any of this information in any form could be enormously damaging to all concerned parties and could cause irreparable harm.
2) Limited non-competition agreement
For the period of one year after the last date that you work on a task for, through, or with Fred Cohen, you agree to not offer or provide your services to any other party to this work ... EXCEPT with, for, or through Fred Cohen. If you have worked for any party to the work or are actively engaged in bidding on such work, this will be identified to Fred Cohen as soon as the conflict is known to you and will be dealt with on a case by case basis.
3) Payment terms and conditions / process information
You will bill the party identified by Fred Cohen for the specific work undertaken, and will get payment from them on the terms specified for the particular work. You will have to decide whether to accept the terms of the particular work. You will have to decide whether to accept the terms of each agreement on a case by case basis and you will be responsible for all dealings with the party you are billing, however, Fred Cohen will assist in any reasonable way he can in assuring that everything works out as it should.
4) Tax information required to pay you
You will, no doubt, be required to provide taxpayer ID and similar information to each customer you ultimately work for. You agree to do so on an as needed basis, directly with the concerned party.
5) Other stuff
You, agree to all of these terms and conditions as a condition of your work with, through, or for Fred Cohen. You agree to be legally bound by this agreement. You agree that this agreement superceeds and replaces any and all prior or contemporaneous agreements that may have been had between the parties. You agree that this agreement can only be modified in writing and by the mutual consent of the parties. You agree that if any part of this agreement should be held invalid by any jurisdiction, all parts not held invalid will remain in force, and in jurisdictions where specific parts have not been held invalid, they will remain in force. The headings in this agreement are for informational purposes only. You hold Fred Cohen harmless against any and all actions, costs, and consequences in relation to your work under this agreement or your work that follows from it.
You agree that you will not do, say, write, or otherwise convey or indicate anything that is dangerous or libelous in any way during any work you do for, with, or through Fred Cohen and that you will refuse to do any such things as part of your work through, with, or for Fred Cohen. To the extent that you foresee any such things as possibilities, you will so indicate this to Fred Cohen and all affected parties as soon as you foresee them.
You have read, understood, and agree to all terms and conditions of this agreement...
Now I am clearly not a contract lawyer, but I think this covers the major points. Under such a contract, as I understand it, there is potentially unlimited liability for revealing anything to anyone. But this brings up two other important points about contractual obligations. One is that contracts cannot be so precise as to cover all possible circumstances, and if the do cover all circumstances, they are likely to be held as too broad to be valid. The other is that, in addition to the written contract, if you are going to survive in the information protection business, you had better know how to keep your mouth shut regardless of what the contract says.
To understand the second point, consider how many contracts you will get once you tell the whole world that to take $5M from XXX corporation all you have to do is dial 555-1212 and tell Galinda that Mr. YYY wants the the money for ZZZ sent to your address. Even in cases where I have contracts as loose as some of the examples above, I don't reveal information about clients in any way that could cause them harm. For example, the four cases presented above could be quite damaging if I identified names or enough specifics to derive names, but in generic form, there is no real harm, and there may be some real benefits.
But there are exceptions to this general principal of silence. For example, when you discover a security hole in Windows NT, unless you are under some special agreement with Microsoft, there is no particular contractual obligation that I am aware of that would prevent you from publishing it on the Internet. The rest of this article is about exceptions.
In many venues, criminal statutes overrule civil law in cases where a crime has been observed, is in progress, is about to happen, or other criminal activity may be involved. These duties may rise to the level where you have a greater duty to report the crime than to maintain confidentiality.
This becomes particularly important in cases where not revealing information about a crime may make you a party to the crime. For example, if you are in a room when a criminal conspiracy is being made, you may have an obligation to report the activity and if you don't, you may be criminally liable for the results.
Some might believe that all of the cases above could relate to crimes, but in my non-authoritative opinion, the duties related to crimes in these cases are not adequate to override the contractual duties because none of these cases involve direct knowledge of crimes and none of them seem to indicate that the person in the dilemma could be construed as a participant in the crime in any circumstance. Since the contractual obligation rules, at least as far as we have gone so far, the risk is a law suit and being black balled while the benefit is still questionable.
There are other circumstances where the issue of reckless endangerment may come up. In essence, when dangers are created through a lack of adequate attention to hazards that people are or should be aware of, they may be civilly or criminally liable for the results. If you are aware of such a hazard and don't report it to someone, you may be guilty of this.
Having said this, it is also important to note that, in many venues, there is no duty to act so as to prevent harm if you are not, in any way, part of the cause. The situation described to me by a lawyer as being a standard was the case where a 20-year old, healthy, normal, 6'2 man who is an expert swimmer and dressed for a day at the beach sees a baby sinking into the ocean in 2 feet of water on a sandy, nearly waveless beach. According to the lawyer, unless there is some special relationship between the two, the man can sit there and laugh at the baby as the baby drowns without incurring any criminal or civil liability. Now this might be a good time to enter into our next topic.
While there may be no legal obligation to save the drowning baby when there is no risk to yourself, there is a moral obligation that most people in today's society feel to help those in need. It is this moral obligation that creates many of the ethics problems we face in information protection today. For example, in case 1, sensitive medical records could be released affecting hundreds of thousands of lives. At some point, the moral duty to prevent such an occurrence may seem compelling, but be very careful.
People who work in technical aspects of information protection have a tendency to believe that every vulnerability will be exploited, and that technical security must somehow be perfect in their own area of specialty. In reality, the best technical security in the world will not work if management and employees don't behave properly. If someone wanted to get access to medical records in large quantity, there are a large number of ways they could do it, and only a small number of them involve technical issues.
While it is naive to believe that risk management is properly practiced, risk management is generally the decision and responsibility of management and not the decision of technical experts. Technical experts correctly assert that in many cases, management does not know enough to make prudent decisions, but management might just as well say that technical people don't provide enough information to make their cases in ways that management can definitively understand them and that the technical people don't see the whole risk management picture. Being risk averse is not a winning strategy in most business cases.
Having said all of this, what then is the moral duty of information protection professionals? It's a good question, but I don't have a very good answer. Generally, I think that individuals have to make individual judgments on a case by case basis, and when their moral standards cannot be met, they need to walk away and, if they believe it is important enough, act. We will return to this later.
Employees, and perhaps more importantly, officers of organizations, have a fiduciary duty to assure the well-being of their organizations and shareholder equity. For example, if a top-level manager decides not to use prudent measures that meet the standards of due care, they may become personally liable for losses.
Of course when incidents of real impact happen, this is one of the main reasons that they get covered up by top management. If you see things like one-time write-offs for accounting reasons or similar large losses categorized as miscellaneous or inadequately explained, there is a chance that these are losses from computer crime or other similar things that would be embarrassing or create liability to top management.
Some people take their fiduciary duties seriously, while others are simply unaware of them. Nevertheless, they exist, and they strike fear into the hearts and minds of some top managers.
A lot of people are willing to take risks of being found liable for civil fines and compensation. In fact, most people who have control over very large quantities of resources don't own anything like that quantity of resources on their own. In effect, top managers in most large organizations have so much potential liability that they could not possibly be forced to pay all that they might owe if a major loss occurred. Thus their civil liability is limited by their net worth.
In many cases today, top management has contracts that provide coverage for all personal liability by the corporation. In effect, their contract says that no matter how much they may be personally liable for, when push comes to shove, it's the shareholders who will bear the losses. In these cases, management tends to be fearless in their pursuit of returns, and ignore potential liabilities.
There are, however, limits, even to the relatively unfettered capitalism of today's corporate executives. This is the boundary where criminality enters the picture. The boundary is not very clear in the case of computer crimes, but if history is any indicator, the risk of criminal punishment for inadequate precautions is minimal at best. In order to be criminal, it would seem that the lack of protection would have to be some sort of gross negligence that the responsible parties knew in advance would result in specific criminal behavior by specific individuals. In essence, the person responsible would have to be a willing party to another crime.
In the end, the law has its boundaries. For example, when there is a compelling need that overrides other factors, the individual can choose to risk the consequences of breaking the law in order to do what's right. While this should be a truly rare circumstance for the legitimate professional, many people break the law as almost a matter of course and claim that it has some legitimate purpose because of a compelling need.
In case 2 above, one might argue reasonably (and to the judge) that some actions taken to assure the continuity of critical systems was justified by the compelling greater good even though the way it was done was illegal, but this will likely only succeed in court if it can be shown that all legal methods were first exhausted.
People who work in information protection feel the pressures of these decisions, sometimes on a daily basis. The pressure sometimes builds up, and the results can be rather less than optimal. In many cases, people need some sort of outlet - someone they can talk to to help solve their problems. Sometimes they call me, but I really don't want to become the central station for hard decisions in information security (although an adequate consulting fee might convince me otherwise these discussions usually come without compensation).
This last example is a case of the way things really work. They work through informal channels between people who know each other and trust each other to some extent. Call it the old boys network if you will (of course not all of these people are actually male, but the term has a certain ring to it). Through these informal channels, indirect information has a tendency to leak in one way or another. When it leaks, and if it leaks appropriately, it can have a serious impact on the outcome of situations. But be careful...
You have to be very careful in the use of informal channels. For one thing, the fact that you told me something in confidence does not make it a legal obligation for me to keep it confidential. In fact the reason for the discussion in many cases is to not keep the results confidential. Then there is the question of how the information leaks. For example, the 4 cases described in this article are examples of leaks that are not very useful in terms of solving specific problems, but then they also won't get anyone in trouble. As the information that is leaked becomes more useful in terms of solving he problem, it also has a tendency to become more closely linked to those who were obliged not to leak it.
Another viable technique that also has moral implications is the use of internal force in the form of threats. In many cases, you don't have to leak anything - it is adequate to threaten to leak something. This tactic is highly immoral, unless of course you really intend to carry out the threats, in which case you are asking for big trouble.
In the end, you've got to do what you've got to do. If you see a compelling need, you have to act, but this also means taking a personal risk that must be justified by the need. To date, I have managed to avoid causing any harm while addressing problems internally without the use of threats or intimidation. But it's a day-to-day struggle to keep things in perspective and maintain the balance.
By coincidence, I was watching a review of the Space Shuttle Challenger explosion last night. In this real-world situation, management overruled the judgment of engineers who indicated that a Shuttle launch would not be prudent at the ambient temperatures that morning. The engineers didn't have enough data to prove that it would blow up, and the management thought it was under pressure to launch the teacher into space before the President gave the state of the union address, so they made a bad judgment that killed several people. Someone forgot about the notion of consequences, and decided that organizational prudence was more important than the judgments of the experts. The experts had been selected out over a period of years for their high positions, in part for their willingness to bend to management's will, and they had been trained over the years to let management make such decisions even when they felt it was imprudent. What they needed was management that supported the technical decisions and technical people who refused to back down, but it was probably impossible to attain because of the culture of the situation.
In information protection, the same moral dilemmas are faced daily. It's a tough job, but if you can't take the heat, you should probably not stay in the information protection business.
About The Author:
Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at all.net or visiting /