Asymmetric Risks in Value Chains

October 28, 2014 / Integration, Security / 0 Comments

Big_&_Small_PumkinsBusiness need to connect with other businesses to trade and add value. Making trading fast and efficient means integrating software systems. And that means risk.

Letters, faxes, and telegrams may seem slow and quaint but at least they had the virtue of being safe. In today’s environment clicking on an unsafe link or opening an innocuous file can potentially lead to a billion dollar loss or even the end of your company.

Following last year’s massive Target breach attention has moved to Wall Street; the JPMorgan breach is causing state and federal regulators to add to the already massive internal pressures to improve security. One particular area of attention is the risk that comes from 3rd party vendors.

New York State’s top financial regulator, Benjamin M. Lawsky, emphasized the gathering danger to the financial system when vendors’ security is lax.

There are several critical problems in dealing with 3rd party risk. The first one is that the risk exposure is hugely asymmetric in most cases: one party has much more to lose than the other. This leads to the second problem which is that the smaller party can’t afford to spend nearly as much as the larger one on cybersecurity. The skill of their security staff will be lower, they will have fewer tools at their disposal, they may even be too small to afford round-the-clock monitoring. They also probably cannot afford enough insurance to compensate their larger partner for losses.

The first instinct of the larger party is to seek to impose their internal security standards on the smaller party; the goal is to avoid the smaller party becoming the weak spot in the fortress wall. This has the effect of raising trading costs. If the smaller party is a vendor then that vendor will need to raise their prices to cover the extra security costs. At some level those costs may become prohibitive; at my previous company we ended up no-bidding certain RFPs because the attendant security overheads were too high relative to the deal size. The next thing to suffer is agility: vendors whose security has been certified become automatically preferred for future work because of the time and expense involved in certifying new vendors. This reinforces the upward pressure on prices as incumbents are protected from new competitors. Innovation suffers as well.

How can businesses integrate with their value chain without taking on untenable, asymmetric risks? The Cloak Labs Global Virtual Bus provides businesses with a way to loosely couple with their partners. Using a combination of cryptographic and network techniques, the Global Virtual Bus can insulate each partner from the security risks of the other. Credentials do not need to be exchanged, firewall ports do not need to be opened, connecting servers do not need public IP addresses.

Learn More! Download the White Paper!

The Feds Fear of Unbreakable Encryption

October 7, 2014 / Conversation, Security / 0 Comments

Safe

Recently Apple announced they have strengthened encryption on its mobile (IOS) devices to the point that it can no longer decrypt their contents on behalf of the government, even when presented with a valid search warrant. Google followed suit, announcing that Android devices would be encrypted by default.

On the heels of the unauthorized release of nude pictures of many celebrities, apparently purloined from iCloud with stolen/hacked credentials, many might see these moves as being strongly in the interest of consumers’ privacy.

The director of the FBI, James Comey, begged to differ. Attorney General Eric Holder followed suit. Both cited concerns about such encryption hindering criminal investigations.

The US government has been fighting strong cryptography for years. Cryptography has been classified as armaments and subject to export controls. The US (and the UK) benefitted strongly from a cryptographic advantage in World War II and through much of the cold war: the US could break its enemies’ cyphers but not vice-versa. In 1993 the NSA introduced the clipper chip and tried to make it a standard. This effort failed spectacularly as the market completely rejected a chip that contained a backdoor for the NSA.

Cloak Labs is committed to protecting data privacy. The very idea of a master key or a backdoor into a security system is anathema to those who are serious about security.

The security industry’s efforts to improve security were bolstered by Edward Snowden’s revelations about widespread NSA wiretapping activities in 2013. For example there are now a number of secure email systems (ex: Proton Mail).

I believe that what is really concerning the US government is the idea that encryption is moving from being something optional that is hard and error-prone to configure to something that is standard, default, and easy (specially given Apple’s focus on ease of use). Criminals might not bother to setup security or might set it up incorrectly. Now Apple and Google are protecting even the dumb criminals who are just buying phones at their local store.

By abusing their surveillance powers so egregiously for so many years the US government has lost significant goodwill with a large segment of the American public. Not only do consumers want to be protected from lawless hackers, many of them no longer trust their own government. Parallel reconstruction, where an intelligence agency that nominally targets foreign intelligence targets provides secret intelligence to domestic law enforcement agencies who then reconstruct it in order to make it admissible in court, makes a mockery of the rules of evidence.

It’s extremely unlikely that congress will pass legislation that requires companies such as Apple and Google to make it possible/easier for the government to access private information. If they did, it would cripple American products in global markets.

Device encryption will force the government to get a suspect to provide their password (or fingerprint) to unlock it to access evidence. In some cases the courts have held that a defendant cannot be compelled to provide a password since they might incriminate themself by doing so. In other cases the courts have compelled a defendant to reveal their password. This might make for an important Supreme Court case someday.