Wednesday, 28 March 2012

regulatory capture in infosec, by example

Note:
I have the utmost respect for the people to be named in this blog post. I also have friends working for the companies to be named. This is in no way a hate or flame post, but with the attention of legislators drawn to all things cyber, our industry too will see regulatory capture emerge. I believe it is important enough to point out how it works and why it is bad.

Regulatory capture, as defined on Wikipedia:
In economics, regulatory capture occurs when a state regulatory agency created to act in the public interest instead advances the commercial or special interests that dominate the industry or sector it is charged with regulating. Regulatory capture is a form of government failure, as it can act as an encouragement for large firms to produce negative externalities. The agencies are called "captured agencies".
Whenever legislation (or any regulation, for that matter) is made, there are parties with a significant economic interest in the affected area that will try to influence how exactly that law is worded. Sometimes these parties strive to minimize the impact of that particular legislation on their business practices, often through lobbying or otherwise influencing our representatives. Regulatory capture happens when such parties succeed in influencing the legislative process to their benefit. There are ample examples (see the Wikipedia entry) of how government agencies have been subject to regulatory capture. There have been, however, few examples pertaining to our industry, until this week.


On March 26th, Richard Bejtlich, CSO of Mandiant, testified before the U.S.-China Economic and Security Review Commission. The full text can be found here. While an interesting read in itself, it is also a textbook example of how regulatory capture manifests itself. I will illustrate this by quoting paragraphs from the full text. You're free to form your own opinion by reading the text as linked above.


Mr. Bejtlich starts by introducing himself:

I am Chief Security Officer at Mandiant, a private company that provides software and services to detect and respond to digital intrusions.

At this moment, this is no longer a personal testimony (which was maybe never the intention, but we are missing that context). Everything the committee hears from now on can, and should, be interpreted with the understanding that commercial interests are at stake. He continues by illustrating what Mandiant does, defines what they regard as APT (it's China, obviously) and how Mandiant detects APT actions. From there on it reads like a long blog post on the latest M-Trends report. Even the case studies are very similar to those in the report. While I don't doubt the data used to build the report, the methodology used to interpret the data isn't known. I also don't have the faintest idea about the sample size. As the audience has no evidence to compare the M-Trends findings to, for the rest of the testimony the findings are the only truth. It goes downhill from there, to where percentages are stated to illustrate the seriousness of the situation. Percentages, without any view on the sample size, are meaningless beyond the point of making your own truth.


Then there comes an interesting passage:

APT groups use the level of sophistication required to achieve their objective. For example, in 2011 Mandiant observed an increase in the usage of publicly available malicious tools by APT actors.
This one isn't related to the point I'm trying to make, but to a legislator this would trigger the following thought: "Let's ban the possession, production and use of 'malicious' tools."
I'm convinced that this was not the message Mr. Bejtlich wanted to convey. I believe that, as defenders, a ban on such tools would set us back light-years.

At the end of his testimony, Mr. Bejtlich runs into the end zone. He isn't here to inform, he's here to sell a product. More precisely, he's here to propose that technology, conveniently produced by the company he works for, be required to be used ... by law:


To this end, I recommend Congress consider the integration of an "are you compromised" assessment into any new requirements levied on specific industries. These assessments should occur no less frequently than once per year, although true continuous assessment on a 30-day cycle is much more effective in my professional judgement and experience. By requiring processes and technology to answer the "are you compromised" question, regulators, Congress, and other appropriate parties will, for the first time, gather ground-truth knowledge on the state of security in selected industries. Without knowing the real "score of the game," it is unreasonable to expect real progress in digital security.
This, my friends, is a textbook example of attempted regulatory capture. We have seen innovation in our industry stall because of regulatory requirements in the past years, so much so that the technologies that thrive are those that accommodate a particular compliance use case. While the positive effect for the commercial entity involved is obvious, the negative effect on the profession (and on the entities that are subject to the legislation) is immense.


Again, I am not criticizing Mandiant in particular. The technology they have developed is rad and, if applicable to your situation, I would suggest checking them out. Knowing what and who I know within the organisation, I'm also convinced that their services are top-notch. The text as published merely serves as a perfect illustration of how regulatory capture works. I believe it becomes more and more important that we become aware of what it is and how it works. It remains to be seen how the testimony is interpreted and what the committee decides to do with the information.