Month: July 2016

Another Senate Hearing on Encryption Where Facts Are Secondary

The Senate Armed Services Committee held a hearing on “Cybersecurity and U.S. National Security.” The hearing got most of its coverage because Sen. John McCain used it to repeatedly complain about Apple CEO Tim Cook’s decision to turn down an invitation to testify. But one person who did testify was Cyrus Vance, the Manhattan District Attorney. He has been leading the charge to mandate law enforcement access to tech products, and has testified on Capitol Hill several times. Unfortunately, despite the practice, he hasn’t gotten any better and has a tendency, purposely or because he just can’t learn, to misconstrue the facts and argue against a strawman.

Vance: The debate over encryption and public safety has matured significantly since 2014. The issue has crossed over into mainstream consciousness, owing in large part to Apple’s public refusal to assist the FBI with unlocking a terrorist’s iPhone in San Bernardino.

Fact: “Apple had asked the F.B.I. to issue its application for the tool under seal. But the government made it public, prompting Mr. Cook to go into bunker mode to draft a response.” [http://www.nytimes.com/2016/02/19/technology/how-tim-cook-became-a-bulwark-for-digital-privacy.html](http://www.nytimes.com/2016/02/19/technology/how-tim-cook-became-a-bulwark-for-digital-privacy.html)

Vance: Apple and Google’s decisions limit our access to critical information under a questionable claim of an increase in privacy. The encryption Apple provided on its mobile devices pre-iOS 8—that is, up until the end of September, 2014—was both secure for its customers and amenable to court-authorized searches.

Vance uses a bit of a strawman argument here. It’s not just a claim of an increase in privacy, but also of security. People are more likely to lose their phones than they are to be a drug dealer or child pornographer. I have a good passcode and I would turn on encryption on my phone even if it wasn’t the default. But, by going to an encryption-by-default model, Apple is protecting the much larger number of non-tech-savvy people who wouldn’t know or think to do that, but still run the risk of losing their phone.

Vance: We have good cause to believe that because Apple itself characterized its iOS 7 operating system as the ultimate in privacy, touting its proven encryption methods, and assuring users that iOS 7 could be used with confidence in any personal or corporate environment….Which is to say, Apple itself had already demonstrated that strong encryption and compliance with court orders were not incompatible.

It appears that Vance believes that using good encryption is an end-state. However, it is constantly evolving. Due to increases in computing power, as well as the simple fact that people’s knowledge and techniques improve, what was considered secure under good encryption 10 years ago is no longer adequate. Microsoft also said that Windows was the most secure operating system ever at various points in time; that doesn’t mean it holds true today.

Vance: But with evidence from that defendant’s smartphone locked behind a passcode known only to him, and existing solely on his device, we could only charge a far less serious offense.

This ignores the times when prosecutors can get a contempt of court charge if the person refuses to decrypt their computer, like this case where the defendant will “stay locked up indefinitely until he decrypts the drive.”

Vance: Also consider financial services, one of the most regulated industries in our country. As we learned more about how criminals were using banks to move money, Congress required firms to fight money laundering and to better know their customers – and specifically, to retain customers’ data and make that data available to law enforcement with a court order.

This is really comparing apples to oranges (see what I did right there?). Those are bank records. Apple can be compelled to turn over the customer records it holds, which is something Apple already does. If you use iCloud backup, then Apple has information on you, and Apple will turn those records over to law enforcement. That’s a lot different than introducing a vulnerability into the banking system, which would be the equivalent of Apple introducing a vulnerability into its operating system.

Also testifying at the hearing was Kenneth Wainstein, a partner at Cadwalader, Wickersham & Taft and formerly a top lawyer at the Department of Justice. I’ll only focus on his call-to-action at the end of his written testimony.

For the tech industry and civil liberties groups, this means laying out technically specific support for the contention that a government accommodation would undermine the integrity of default encryption. They should provide hard data that demonstrates exactly how—and how much—each possible type of accommodation would impact their encryption systems.

Perhaps he missed it, but this has been done. A group of some of the biggest-name cryptographers released a technical report through the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory. From its conclusion: “This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict. The costs to developed countries’ soft power and to our moral authority would also be considerable. Policy-makers need to be clear-eyed in evaluating the likely costs and benefits.”

Understanding Your E-ISAC

The Electricity Information Sharing and Analysis Center (E-ISAC) released Understanding Your E-ISAC (what I’ll refer to as the “Guide”) in June. Note that this isn’t a summary of the Guide, but rather is a collection of observations I made while reading it.

The Introduction of the document includes what comes up every time somebody from NERC talks about the E-ISAC: the disclaimer that they are separate from NERC.

The E-ISAC is operated by the North American Electric Reliability Corporation (NERC) and functions as an independent group and is organizationally isolated from NERC’s enforcement processes. This intentional isolation was put in place to assure entities that any information shared with the E-ISAC would not be used for enforcement actions or shared with NERC compliance personnel.

This actually seems like it is less strongly worded than what I have heard in other places, such as at industry events. Normally E-ISAC people emphasize that they are separate from NERC, and wouldn’t use that “operated by NERC” language. This is related to one of my favorite visuals.

[Image: E-ISAC 1]

I think it’s hilarious that the E-ISAC always talks about how it’s so separate from NERC, yet they use the same template for their reports, albeit with minor tweaks in coloring and in what part of the grid pattern is visible.

Anyway, the Guide starts off by talking about the benefits of information sharing, and includes most of the points that are always used in that discussion. You could basically substitute “ISAO” or “Threat Intelligence” or “CISA” for E-ISAC in this section and it would still make sense.

The Guide then goes on to discuss how the E-ISAC safeguards information. A big emphasis here is on the existence, and the following of, the E-ISAC Code of Conduct. One interesting thing from the Code of Conduct is that it defines “E-ISAC Personnel” as, “The CSO as well as all NERC employees who report to the CSO.” This is mildly interesting because the Guide includes an organizational chart.

[Image: E-ISAC 2]

The Code of Conduct doesn’t seem to include Tim Roxey as E-ISAC personnel, because he reports to Gerry Cauley, NERC’s President and CEO, instead of Marcus Sachs, E-ISAC’s Senior VP and CSO. I’m sure Roxey still follows the Code of Conduct, but I would think NERC would want to make that more clear.

After a section on what the roles of the Watch Operations and Analyst groups are, the Guide talks about who the members of the E-ISAC can be. It says that “Industry members include vetted electricity asset owners and operators (AOO) – or affiliates, such as trade associations and contractors – in North America.” This seems to contradict what the E-ISAC says on their website, which is that, “The E-ISAC portal is currently restricted to owner/operators and selected government partners.” The website description is the one that is actually used, as I know of at least one trade organization which has tried to get involved in E-ISAC activities and was told that it was limited to asset owners and operators.

The Guide hits the separate-from-NERC topic hard, including this part:

No personnel from NERC (including compliance enforcement personnel) and the regional entities are not allowed membership or access to the E-ISAC portal.

I’m reasonably certain this was an editing fail, as it would imply that personnel from NERC are allowed access. As a former English teacher, this made me smile. That pesky double-negative can be difficult to notice when you are reading your own writing, since in your head you know what you mean. That the “no” and the “not” are spread pretty far apart in this sentence probably increased the likelihood of the mistake being missed.

The membership section also talks about access revocation. It is the member organization’s responsibility to notify the E-ISAC if an individual has left their organization and should therefore lose their E-ISAC portal access, which is really the only way that could be done. This part is worth quoting in full, though.

The E-ISAC terminates accounts when notified by a member or partner that an individual has left the organization. It is an organizational responsibility to notify the E-ISAC, recognizing that delays may occur in notification when someone has left an organization. This consideration is why the E-ISAC only allows organizational account domains as one of the first steps an organization takes when an individual departs is to de-provision the individual’s enterprise information technology (IT) access accounts.

This references that owners and operators are vetted partially through their use of corporate emails. That is a valid requirement, and I wouldn’t expect the E-ISAC to just take some random Gmail address and believe an assertion that the person is in the electric industry. But this reason for requiring corporate emails doesn’t make sense. It seems to imply that because an organization would de-provision corporate email access, the former employee would somehow also lose access to the E-ISAC portal. But once the employee is verified and provided access to the portal, whether they can subsequently access the email address they used to register has nothing to do with whether they can still log in to the portal.
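To make the point concrete, here is a small model (added here as an illustration; it is not E-ISAC code, and the class names, domain allow-list and 90-day interval are all assumed) of a portal that checks the corporate mailbox once at registration and never again, beside a variant that re-verifies the mailbox periodically so that de-provisioning it eventually does revoke portal access:

```python
from dataclasses import dataclass, field

ALLOWED_DOMAINS = {"utility.example"}   # constructed allow-list of member domains
REVERIFY_AFTER_DAYS = 90                # assumed re-verification interval


@dataclass
class CorporateDirectory:
    """Stand-in for a member's enterprise IT: the mailboxes that still exist."""
    mailboxes: set = field(default_factory=set)

    def can_deliver(self, email):
        return email in self.mailboxes


@dataclass
class Portal:
    directory: CorporateDirectory
    accounts: dict = field(default_factory=dict)   # email -> day last verified

    def register(self, email, today):
        # One-time vetting: allowed domain plus a token delivered to the mailbox.
        domain = email.rsplit("@", 1)[-1]
        if domain not in ALLOWED_DOMAINS or not self.directory.can_deliver(email):
            return False
        self.accounts[email] = today
        return True

    def login_naive(self, email, today):
        # The mailbox is never consulted again, so de-provisioning it changes nothing.
        return email in self.accounts

    def login_reverifying(self, email, today):
        # Hardened variant: after REVERIFY_AFTER_DAYS, require a fresh token sent to
        # the registered mailbox; a de-provisioned mailbox then locks the account.
        last = self.accounts.get(email)
        if last is None:
            return False
        if today - last < REVERIFY_AFTER_DAYS:
            return True
        if not self.directory.can_deliver(email):
            del self.accounts[email]
            return False
        self.accounts[email] = today
        return True


def demo():
    """Employee registers on day 0, departs (mailbox removed), tries both logins on day 120."""
    directory = CorporateDirectory({"analyst@utility.example"})
    portal = Portal(directory)
    portal.register("analyst@utility.example", 0)
    directory.mailboxes.discard("analyst@utility.example")
    return (portal.login_naive("analyst@utility.example", 120),
            portal.login_reverifying("analyst@utility.example", 120))
```

The naive login still succeeds after the mailbox is gone; only the re-verifying login ties continued portal access to the corporate identity that was used to vet it.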

The Guide then goes into describing the products and services the E-ISAC offers. Among them is webinar access, with a “3,000-person webinar capability is used to host monthly webinars as described in the program section.” As a former math teacher, one of the things I hate is the bad or misleading use of statistics. This number is supposed to be impressive and show capabilities, but it provides no actual information. Does this mean they fill that capacity? What kinds of numbers do they actually see? If the attendance is consistently and considerably less than 3,000 people, then this number means that they are paying for a capability they don’t need, wasting money. If they consistently max out the attendance and end up “sold out” of spots then they are providing a service people want but not reaching as many people as they should be. If they just want to sound cool and have a big number, then they could just as easily pay GoToWebinar or whoever more money and say something like a 10,000-person capacity. Or, maybe, they are consistently at something like 2,700 attendees, in which case they are getting their money’s worth in the capacity and meeting the demand they have. But the 3,000 number doesn’t let us know any of that.

The products and services section also talks about the Cybersecurity Risk Information Sharing Program (CRISP), which allows me the opportunity to draw your attention to this story about a Public Utility District in Washington feeling the need to complain to their congressional delegation and the Department of Energy because NERC was pushing CRISP and pressuring them to sign up for that quite expensive program.

All in all, if you are an asset owner or operator, it’s probably a good idea to get an account with the E-ISAC, and this Guide is probably worth at least a skim. Since they are closed off to trade organizations, though, even those that specifically work on cybersecurity for the electric sector, I can’t say for sure how helpful their information sharing programs may be.