Dec 11, 2018

Cyber executive wants FTC to demand security flaw explanations

At a Federal Trade Commission hearing on Wednesday, Malcolm Harkins, chief security and trust officer at Cylance, will pitch his pet idea: The government should hold companies that make security software — like his — accountable.

The big picture: Harkins is hoping the FTC will require companies to "disclose all of the controls that failed" during a breach — from the security flaws exploited by hackers to the security products that didn't capture them.

  • "Do what the FAA does. They report the primary cause of the problem, like a broken wheel, and all of the contributing factors that didn't stop it," Harkins told Codebook.

To be clear, this isn't the type of idea the FTC usually goes for. The FTC's regulatory powers are largely based on its mandate to fight unfair practices — in cybersecurity that means deceptive claims of privacy protection. It's not an IT advice shop.

  • "The FTC has historically been averse to specifying security measures or products that a company should employ," noted Julie O'Neill, former FTC staff attorney and current privacy and data security partner at Morrison & Foerster.
  • That doesn't make it any less interesting an idea for someone, somewhere to run with.

Why it matters: If Harkins' idea ever gets adopted, we'd know a lot more about blind spots in breach prevention.

  • Organizations typically use multiple security products designed to thwart breaches at different points in the process — one product may detect strange computers trying to log in, another might detect malicious code being run, and a third might detect data being stolen.
  • But when the public hears about breaches, while we might learn about the initial entryway into the network, we don't tend to hear about why none of those products halted the hackers' progress.
  • Harkins compared it to how the government intercedes when there's trouble with automobile parts. "Takata was crucified," he said of the airbag maker forced into a massive recall. "Why aren't we crucified?"

That doesn't mean breaches always result from problems with products. But a company whose product roster matches that of a breached competitor might want to know how that combination failed.

  • This would be a good way to identify less capable systems or show how to improve capable ones.
  • If companies have clear gaps in their security product systems, knowing their negligence would be exposed might motivate some action.

Security vendors would almost definitely push back against any such scheme, as has happened whenever Harkins has brought up his idea in the past.

  • Vendors argue that breaches that circumvent their products often happen thanks to factors beyond their control: misconfigured software, poorly trained IT staff, other user error.
  • Harkins has a different explanation for the resistance: "They're embarrassed about major breaches they didn't prevent. And they should be."

The bottom line: The security industry is not at a point where it's comfortable with the message that "even the best products staffed with the best people will occasionally fail" — nor is the public ready for that nuance.

Go deeper