Will New NY Banking Regulations Actually Tighten Cybersecurity?

Proposed New York banking regulations might not help that much.

New York is proposing new cybersecurity rules that would raise the bar for banks over which they have jurisdiction (wouldn’t that be just about all of them?). On their face, the new regulations would seem to improve overall bank posture, but digging a bit deeper leads me to conclude that these regulations require a bit of work.

A few key new aspects of the new rules are as follows:

Banks must perform annual risk assessments and penetration tests;
New York’s Department of Financial Services (DFS) must be notified within 72 hours of an incident (there are currently numerous timeframes);
Banks must use 2-factor authentication for employee access; and
All non-public data must be encrypted, both in flight and at rest.

The first item on that list is what Chief Information Security Officers (CISOs) already get paid to do. Risk assessment is in particular the most important task on this list, because as banks evolve their service offerings, they must ascertain both evolving threats and potential losses. For example, as banks added iPhone apps, the risk of an iPhone being stolen became relevant, thus impacting app design.

Notification laws exist already in just about all jurisdictions. The proposed banking regulation does not say what the regulator will do with the information or how it will be safeguarded. A premature release can harm ongoing investigations.

Most modern banks outside the United States already use two-factor authentication for employee access, and many require two-factor authentication for customer access.

That last one is a big deal. Encrypting data in flight (e.g., transmissions from one computer to another) protects against eavesdroppers. At the same time, absent other controls, encryption can obscure data exfiltration (information theft). Banks currently have many tools that rely on certain transmissions being “in the clear”, and it may require some redesign of communication paths to address both the encryption in flight requirement and auditing needs. Some information is simply impractical today to encrypt in flight. This includes discovery protocols such as DHCP, name service exchanges (DNS), and certain other network functions. To encrypt much of this information would require yet lower layer protection such as IEEE 802.1AE (MACSEC) hop-by-hop encryption. The regulation is, again, vague on precisely what is necessary. One thing is clear, however: their definition of non-public information is quite broad.

To meet the “data at rest” requirement banks will either have to employ low level disk encryption or higher level object-level encryption. Low level encryption protects against someone stealing a disk or taking it from the trash and reading it, but provides very little protection against someone breaking into a computer when the disk is still spinning. Moreover, banks generally have rules about crushing disks before they can leave a data center. Requiring data at rest to be encrypted in data centers may not provide much risk mitigation. While missing laptops have repeatedly been a source data breaches, how often has a missing data center disk caused a breach?

Object-level encryption, or the encryption of groups of information elements (think Email messages) can provide strong protection should devices be broken into. Object-level encryption is particularly interesting because if done right, it can address both data in flight and data at rest. The challenge with object-level encryption is that the tools for it are quite limited. While there are some tools such as email message encryption, and while there are various ways one can use existing general purpose mechanisms such as OpenSSL to encrypt objects at rest, on object-level encryption remains a challenge because it must be implemented at the application level across all applications. Banks may have tens of thousands of applications running at any one time.

This is an instance where the financial industry could be a technology leader. However, all such development must be grounded in a proper risk assessment. Otherwise we end up in a situation where banks will have expended enormous amounts of resources without having substantially improved security.

Comey and Adult Conversations About Encryption

What does an adult conversation over encryption look like? To start we need to understand what Mr. Comey is seeking. Then we can talk about the risks.

AP and others are reporting that FBI director James Comey has asked for “an adult conversation about encryption.” As I’ve previously opined, we need just such a dialog between policy makers, the technical community, and the law enforcement community, so that the technical community has a clear understanding of what it is that investigators really want, and policy makers and law enforcement have a clear understanding of the limits of technology. At the moment, however, it cannot be about give and take. Just as no one cannot legislate that π = 3, no one can legislate that lawful intercept can be done in a perfectly secure way. Mr. Comey’s comments do not quite seem to grasp that notion. At the same time, some in the technical community do not want to give policy makers to even evaluate the risks for themselves. We have recently seen stories of the government stockpiling malware kits. This should not be too surprising, given that at the moment there are few alternatives to accomplish their goals (whatever they are).

So where to start? It would be helpful to have from Mr. Comey and friends a concise statement as to what access they believe they need, and what problem they think they are solving with that access. Throughout All of This, such a statement has been conspicuous in its absence. In its place we have seen sweeping assertions about grand bargains involving the Fourth Amendment. We need to be specific about what the actual demand from the LI community is before we can have those sorts of debates. Does Mr. Comey want to be able to crack traffic on the wire? Does he want access to end user devices? Does he want access to data that has been encrypted in the cloud? It would be helpful for him to clarify.

Once we have such a statement, the technical community can provide a view as to what the risks of various mechanisms to accomplish policy goals are. We’ve assuredly been around the block on this a few times. The law enforcement community will never obtain a perfect solution. They may not need perfection. So what’s good enough for them and what is safe enough for the Internet? How can we implement such a mechanism in a global context? And how would the mechanism be abused by adversaries?

The devil is assuredly in the details.

Guns and Gun Control: The Numbers Are Beginning To Add Up

Drawing_from_holster Many people have made the claim that they need to own guns to protect themselves, that they can’t leave it to police to protect them, the enormous assumption being that a gun actually does offer some protection. There are a number of scholarly works to test that assertion.

A longitudinal study by Johns Hopkins and Berkeley published in 2015 the American Journal of Public Health shows that Connecticut’s Permit to Purchase law reduced firearm homicide by 40%.
A separate Johns Hopkins study showed that firearm suicide rates in Connecticut dropped 15.4% after that law was passed, while Missouri’s firearm suicide rate increased by 16.1% after they repealed gun control legislation. There was also a lower than expected overall suicide rate in Connecticut.
Missouri also saw a 25% increase in homicides after their background check law was repealed.
An earlier CDC study published in 2004 in the Journal of American Epidemiology showed that simply having a gun in the home, regardless of how it is stored, increases the odds of death by firearm by a factor of 1.9.
A more recent meta-study by Harvard researchers in the Annals of Internal Medicine showed an increase risk of both suicide and homicide in homes where guns are present. In particular, that study found that homicide victimization rates were slightly higher for those who had guns in their homes than those who did not.
A 2011 CMU study did show that having a gun in the home seems to deter certain planned crimes such as burglary, but has no effect for unplanned crimes. Furthermore, it showed that only having a gun in the home does not provide the deterrence, but that this fact needs to be somehow brought to the attention of the burglar.

Summing up: studies thus far demonstrate that having a gun in the house increases the chances of someone in that house dying by firearm, it increases the risk of suicide, and it does not prevent a crime of passion, although it may deter a burglary. More analysis is needed. It is likely, for instance, that the type of gun matters. A lot of studies are needed about open carry laws. Still, if you think a gun offers you any sort of protection against others, consider the risks.

Image courtesy of aliengearholsters.com.

Is Bitcoin Really Money Laundering?

For those who don’t know, BitCoin is an attempt at a new type of currency, one that isn’t linked to any nation. In a way, bitcoin is a lot like gold or other commodities, only it differs in that you don’t actually have to ship anything around or even keep trading futures to stay in the game. Still it accrues similar benefits as gold. In fact there is a bitcoin to gold price, based on milligrams of gold. As you can see the number of milligrams one gets for a bitcoin has gone from about 300 in January to about 3,300 in October. Bitcoins have clearly paid off for some people.

One of the other goals of bitcoin is that they be as anonymous as cash. This is where the problems start. Let’s say you want to sell a few bitcoins, and receive American dollars. One question is simply this: do you have to list the sale on Schedule D? I am no accountant, but I would think the answer would be “yes”. Now let’s say that instead of selling them, you are just holding them, and let’s for the sake of argument say that you have $500,000 worth of bitcoins. Do these represent foreign assets? If so, you are required to file forms with both the Treasury (TD-F 90-22.1) and the relatively new IRS Form 8938.

Those who in any way behave like banks will find that the Treasury department expects them to do all the things banks do. That includes reporting on suspicious transactions or any transaction over $10,000.

This hasn’t stopped people from attempting to hide transactions. Here’s an article from CNN about a guy who attempted to do all sorts of nasty things with Bitcoins. This led to a huge drop in their value, almost overnight.

So, now the question: are bitcoins here to stay or are they a passing fad (read: pyramid scheme)? The entire technical premise of bitcoins is in fact that they can be anonymously traded. The bad news for people with bitcoins is that because there is no single management point that has guns (thus differentiating them from a classic currency), unless the likelihood is that those with the guns will want to limit or prohibit this sort of transaction; especially in large quantities.

A similar situation arose in 2001 when the U.S. government began to crack down on those using the old mechanism known as Hawala, even though the mechanism is legal. And so one question is simply this: are bitcoins really anonymous? A researcher named Sarah Meiklejohn will present a paper at SIGCOMM this month on just what law enforcement capabilities there are. Watch that spot.

Interesting Geoff Huston Posting on CircleID

Geoff Huston has established himself as perhaps the foremost authority on IP address markets. A senior researcher at APNIC, Geoff has tracked this issue for over a decade. He has recently posted a new blog entry at CircleID, to which I’ve commented. Here’s what I wrote there:

The fundamental basis for the article above is a lack of transparency within IP address markets. This is something that Bill Lehr, Tom Vest, and I worried about in our contribution to TPRC in 2008.

Amongst other things, transparency or its lack has the following effects:

Assuming it is a goal, efficiency in markets demands transparency. When markets lack transparency, neither the buyer nor the seller know if they have gotten a good deal, because it could be that there existed either a buyer who would have paid for more, or a seller who would have sold for less, who was simply not identified. Is $10 per address a good price? There is at lest a tidbit of information from some of the brokers that indicates wide variance in the cost of IP address blocks. Whether that information is accurate, who cannot say? It is not required to be so.
Network administrators and owners should be making informed decisions about how and when to move to IPv6. Absent pricing information regarding v4, there is uncertainty that is difficult to price. In this sense, hiding pricing information may actually encourage IPv6 deployment. Keep in mind that large institutions require years if not decades to make this sort of transition. Were I them, given the increased number of devices (if you can believe the numbers above, and I suggest that we take them with a grain of salt), I would start now to get out of this rigamarole. Heck, even with transparency, that only tells you today’s price, and not tomorrow’s. Certainly it is well worth researching methods to price this risk.
It is important to know if there is an actor who is attempting to corner the market. Proper registration of purchases and sales provides an overview of whether dominant players are acquiring addresses beyond the needs of their customer base. Such acquisitions would have the impact of increasing costs for new entrants.
Finally, the Internet Technical Community (whoever we are) need to know if new entrants are in fact unable to access the Internet because IPv4 addresses are too high, if we want to see the safe and secure growth of the Internet everywhere.

The funny aspect of all of this is that governments may already be able to track some pricing information retrospectively through, of all things, compulsory capital asset sale reports, such as the U.S. Form 1040 Schedule D. However, in general this information is confidential and not very fresh, and hence not sufficient to advance policy discussions.