Category Archives: Economics

Davos discovers cyber attacks

Cyber attacks made the Davos Top 5 Global Risks in Terms of Likelihood. Davos, the annual conclave of the hyper-rich and famously elected, has also discovered Severe income disparity and Water supply crisis, so maybe they’re becoming more realistic.

However, in Figure 17 on page 25 they’ve got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.

Interesting comment on page 26: Continue reading

SEC moving towards breach disclosure requirement?

The 13 October 2011 SEC guidance, CF Disclosure Guidance: Topic No. 2: Cybersecurity, leaves most of the decision of what sort of breaches are significant enough to disclose up to the affected organizations. But look at this:

During and After a Cyber Incident

Registrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship.
Hm, incentives like showing an improved reputational risk ranking?

Perhaps in order to prevent this sort of thing?

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.
The SEC is still missing at least one connection between dots:

Prior to a Cyber Incident

Registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.
Sure, infosec costs money. But if infosec actually prevents loss of customer goodwill, infosec could attract and retain customers, so infosec could be a source of profit. If anybody knows about it, that is.

-jsq

Coal company reputation

Good news from the SEC for a change! They’re requiring coal plant operators to report health and safety violations, including fatalities, within a few days of occurence.

FuelFix posted from AP on 23 December 2011, SEC requiring coal firms to report safety problems

Earlier this week, the SEC announced new rules that require mining companies to start reporting any fatalities and all major health and safety violations, mine by mine, in their quarterly and annual financial reports. The filings are mandated in the wide-ranging Dodd-Frank Wall Street Reform and Consumer Protection Act, which Congress passed to try to increase corporate accountability.

The rules take effect 30 days after publication in the Federal Register. They require companies to report within four days any “significant and substantial” violations, citations, flagrant violations and imminent-danger orders issued by the federal Mine Safety and Health Administration.

Coal operators must also include the dollar value of proposed fines, whether the company has been or may be designated a pattern violator by MSHA, and any pending cases with the Federal Mine Safety and Health Review Commission.

What problem does this reporting solve? As the article points out: Continue reading

Cleveland Clinic spewing spam again

Here’s why to look at more than one spam data source: according to the PSBL volume data for November 2011, Cleveland Clinic’s AS 22093 CCF-NETWORK spewed more than a hundred spam messages a day on multiple days, while CBL volume data showed Cleveland Clinic with only 42 spam messages for the entire month. Apparently PSBL’s spamtraps happened to be in the path of this CCF spam.

Now a couple of hundred spam messages a day isn’t much by world organization standards, but compared to what we’d all like to see from medical organizations (zero), it’s a lot.

Also compared to the other medical institutions in the same rankings from the same data, the pie chart looks like Pac Man and the bar graph looks like a hockey stick.

Maybe Cleveland Clinic didn’t get the memo after all.

-jsq

China does not lead Country Rankings from SpamRankings.net

An area where China does not lead the world: Country rankings by SpamRankings.net. China is only #13, but Brazil, Russia, and India (the other three BRICs) are in the top five countries by total spam messages for October 2011. U.S. is #10.

Vietnam came from behind a few months ago to place second for October.

Brazil had slumped as low as #6 in July, but has pulled back up into the leading pack.

After the top five, it’s a long-tail distribution indeed. Continue reading

How to leverage botnet takedowns

What is to be done when botnet takedowns don’t produce lasting benefits?

At the Telecommunications Policy and Research Conference in Arlington, VA in September, I gave a paper about Rustock Botnet and ASNs. Most of the paper is about effects of a specific takedown (March 2011) and a specific slowdown (December 2010) on specific botnets (Rustock, Lethic, Maazben, etc.) and specific ASNs (Korea Telecom’s AS 4766, India’s National Internet Backbone’s AS 9829, and many others).

The detailed drilldowns also motivate a higher level policy discussion.

Knock one down, two more pop up: Whack-a-mole is fun, but not a solution. Need many more takedowns, oor many more organizations playing. How do we get orgs to do that? …
There is extensive theoretical literature that indicates Continue reading

Transparency in Rome

Here’s my presentation, Transparency as Incentive for Internet Security: Organizational Layers for Reputation, from RIPE 61 in Rome. This presentation summarizes the two previous RIPE Labs papers about proposed new organizational layers and outbound spam ranking experiments.

RIPE-NCC is the oldest of the Regional Internet Registries (RIRs), and RIPE is the deliberately unorganized association of interested parties that meets twice a year and holds discussions online in between. It’s a mix of operations, research, and socializing. Topics range from obscure details of deploying IPv6 to organizational proposals such as what I was talking about. 430 people attended the meeting in Rome, which was quite a few more than the dozen or two of the first RIPE meeting I went to many years ago.

Interesting questions were asked. I may blog some of them.

-jsq

Outbound Spam Ranking Experiments

Should Uganda Telecom be counted as a Belgian ISP for outbound spam rankings?

Which matters most: history, topology, business headquarters location, or some other criterion?

These are some questions that come up in designing experiments in rolling out a reputation system for outbound spam. More on this in the RIPE Labs article (8 Nov 2010), Internet Reputation Experiments for Better Security.

Such experiments can draw on fifty years of social science research and literature, first crystalized as Social Comparison Theory by Leon Festinger in 1954, that indicate that making personal reputation transparent changes personal behavior. More recent research indicates that the same applies to organizations. Using anti-spam blocklist data, it is possible to make E-Mail Service Provider (ESP) behavior (banks, stores, universities, etc., not just ISPs) in preventing or stopping outbound spam transparent, and this paper is about experiments to see how the resulting reputation actually changes ESP behavior.

-jsq

Organizing the Cloud Against Spam

In RIPE Labs, here’s a paper on Internet Cloud Layers for Economic Incentives for Internet Security by the IIAR Project (I’m the lead author). Anti-spam blocklists and law enforcement are some Internet organizational layers attempting to deal with the plague of spam, so far reaching a standoff where most users don’t see most spam, yet service providers spend large amounts of computing and people resources blocking it.
The root of the ecrime problem is not technology: it is money.
Continue reading