Dec 11, 2018

Cyber executive wants FTC to demand security flaw explanations

At a Federal Trade Commission hearing on Wednesday, Malcolm Harkins, chief security and trust officer at Cylance, will pitch his pet idea: The government should hold companies that make security software — like his — accountable.

The big picture: Harkins is hoping the FTC will require companies to "disclose all of the controls that failed" during a breach — from the security flaws exploited by hackers to the security products that didn't capture them.

  • "Do what the FAA does. They report the primary cause of the problem, like a broken wheel, and all of the contributing factors that didn't stop it," Harkins told Codebook.

To be clear, this isn't the type of idea the FTC usually goes for. The FTC's regulatory powers are largely based on its mandate to fight unfair practices — in cybersecurity that means deceptive claims of privacy protection. It's not an IT advice shop.

  • "The FTC has historically been averse to specifying security measures or products that a company should employ," noted Julie O'Neill, former FTC staff attorney and current privacy and data security partner at Morrison & Foerster.
  • That doesn't make it any less interesting an idea for someone, somewhere to run with.

Why it matters: If Harkins' idea ever gets adopted, we'd know a lot more about blind spots in breach prevention.

  • Organizations typically use multiple security products designed to thwart breaches at different points in the process — one product may detect strange computers trying to log in, another might detect malicious code being run, and a third might detect data being stolen.
  • But when the public hears about a breach, it may learn how the attackers first got into the network; it rarely hears why none of those products halted the attackers' progress once inside.
  • Harkins compared it to how the government intercedes when there's trouble with automobile parts. "Takata was crucified," he said of the airbag maker forced into a massive recall. "Why aren't we crucified?"

That doesn't mean breaches always result from problems with products. But a company whose product roster matches that of a breached competitor might want to know how that combination failed.

  • This would be a good way to identify less capable systems or show how to improve capable ones.
  • If companies have clear gaps in their security product stacks, knowing that such negligence would be exposed might motivate some action.

Security vendors would almost definitely push back against any such scheme, as has happened whenever Harkins has brought up his idea in the past.

  • Vendors argue that breaches that circumvent their products often happen thanks to factors beyond their control: misconfigured software, poorly trained IT staff, other user error.
  • Harkins has a different explanation for the resistance: "They're embarrassed about major breaches they didn't prevent. And they should be."

The bottom line: The security industry is not at a point where it's comfortable with the message that "even the best products staffed with the best people will occasionally fail" — nor is the public ready for that nuance.
