Hackers Matter: Issue three — the disclosure game (part two)

02 May 2017

Bryan K. Fite

Posts by author: Bryan K. Fite, Account CISO, BT.

In the latest instalment of his ‘Hackers Matter’ series, Account CISO Bryan Fite returns to continue his examination of disclosure.

In my previous blog post, I talked about the different forms that disclosure can take — full disclosure, time-bound ‘escrow disclosure’, and bug bounties. But now it’s time to delve deeper into the murky waters of disclosure.    

The genie is out of the bottle.

Whether you’re for or against ‘full disclosure’, one thing is for sure — once the genie is out of the bottle, security practitioners and researchers have to react. And, in that reaction, these community stakeholders have some tough decisions to make.

Not convinced? One only has to look at recent news to see how one might be impacted, or otherwise forced to take action. Take the CIA ‘hack’ via WikiLeaks or the Shadow Brokers dumps, for example. In both cases, theoretical vulnerabilities and capabilities are shown to be practical. These are no longer the ramblings of a fearmongering salesperson, but real capabilities that could be used against you by any number of adversaries. As they say: code doesn’t lie.

Knowledge is power.

Weaponised software, detection tools and patches are the natural evolution of discovered software and system vulnerabilities (aka bugs). According to Sir Francis Bacon, “Knowledge is power”. And, in the case of leaked or dumped data from nation state cyber arsenals, what you don’t know can hurt you. Once that data is public, you too need to know, as your exposure index has likely been impacted. However, we must consider the moral, ethical, legal and practical implications of dealing with leaked and/or stolen information.

An examination of the implications.

Moral.

What are the moral implications of consuming stolen information? Looking at leaked pictures of celebrities is a more obviously deplorable moral decision than reviewing a fatal flaw in a mobile communications device — but, in some respects, these are different sides of the same coin. Assuming you ‘look’, you can’t unsee it. The question then is: how do you communicate with others what you’ve learned about that fatal flaw?

Ethical.

What are the ethical implications of trading in such knowledge? CISSP and GIAC certifications both carry the responsibility of an ethical contract or agreement (as you can see here and here).

Legal.

In this case, the truth might not set you free, but rather compromise your own legal position. Is it legal to obtain, review and hold stolen data?

Practical.

While attribution and motivation are interesting in the ‘disclosure game’, from a practical standpoint does it matter? Proven capabilities exist; they can no longer be viewed as hypotheticals and must be addressed.

Further the conversation.

I won’t use this forum to make declarations on the morals and ethics associated with the disclosure game — but rather leave it to the individual. I am sure these discussions will dominate our conversations in the coming months. However, what I will say is that stakeholders should engage with purpose and acknowledge the decisions they are making.

I would caution all stakeholders to focus less on the attribution and motivation wormholes these leaks and dumps create, and more on the practical implications for themselves and the organisations they’re charged with protecting.

If you happen to attend the upcoming IEEE Invitational Workshop to Create a Building Code for Building Code for Power System Software Security: (BC)2 Power, we can continue the disclosure discourse in San Francisco. I’ll be there, joining the conversation on what cyber security needs to do in order to secure our newly-connected buildings — and disclosure is sure to play a part in that, too.

You can apply for an invitation to the workshop by emailing ieee-cybsi@ieee.org.