BlackBerry Episode Strikes at IT Security Tenet
Missing Link in Security Triad of Confidentiality, Integrity, Availability
In the case of BlackBerry, no reports of managers or employees getting fired have surfaced, and organizations that neglected to have a business continuity plan in place in case their cell phones were unusable pointed the finger at Research In Motion, maker of the BlackBerry smartphones and operator of the disrupted e-mail network.
"Accountability in security has been a laugh," Winn Schwartau, cybersecurity and IT architecture practitioner, says in an interview with Information Security Media Group's Eric Chabrow (transcript below). "How many programmers get fired for making a programming error? It doesn't happen. How many CISOs are going to get fired because they mis-architected a particular environment upon the advice of a third-party consultant involved with a vendor? They don't."
The BlackBerry episode is a perfect example for why the architecture of IT systems is so critical, not only for when things work but when they don't. "We spend, as an industry, too much time trying to make things work, and once they work kind of sit back and say, 'Oh, thankfully they work,'" Schwartau says.
Schwartau argues that for the last 30 years the IT security industry has done a horrendous job with regard to IT architecture, and that with no one being held accountable, events like the BlackBerry outage are bound to recur. "Accountability is something that we as a Western society are terrified to enforce," Schwartau says. "It's non-politically correct. It creates blame and ultimately the litigation and liability from potential lawsuits outweighs the cost of just letting whatever doofus caused the problem to continue doing it."
In the interview, Schwartau, who's credited with coining the term Cyber Pearl Harbor, also discusses:
- Whether the slowdown in BlackBerry service was caused by faulty architecture or a cyberattack;
- How mobile technologies pose the same business continuity challenges presented by other technologies;
- Why technology and business leaders aren't held accountable when an IT catastrophe happens.
Schwartau is board chairman of the smartphone security provider Mobile Active Defense and a recognized expert on information security, infrastructure protection and electronic privacy. He's one of the first authors to publish books, in the 1990s, about cyberwarfare and cyberterrorism as well as hacking.
BlackBerry Disruption
ERIC CHABROW: What does the BlackBerry disruption tell us about our reliance on our mobile devices?
WINN SCHWARTAU: I think the reliance upon mobile devices ... and the proliferation that we're seeing now, I guess in thirty years of doing this, it's the most profound revolution. I hate that word, but it's the most profound impact upon enterprise, certainly that I have ever seen, and that's because of the speed at which the adaptation is happening. I think that the RIM outages bring an entirely new discussion - and suite of discussions - to the forefront that has thus far been fairly quiet in the background.
CHABROW: Such as?
SCHWARTAU: A lot of us are asking a very fundamental question: what happened here? And for obvious reasons, RIM is being silent; and I'm not trying to be critical of RIM here at all. I'm putting on my pure security hat of, "WTF happened here?" I've had a lot of discussions on this with a lot of really, really smart people and the consensus is as follows.
Their architectural framework of their datacenters and redundancy, whatever it is that they have built up over the last decade of immense success, either they architected it and designed it so poorly that we're seeing complete catastrophic failure of epic proportions or they were under attack. If they were under attack, in everybody's opinion that I'm talking to, and I tend to agree, it would have to be somebody that had an insider involved. Which one of these two is it? Nobody knows yet, nobody knows. But the way that this collapsed, the systemic nature of it and the amount of time it's been taking for them to reload and reboot if you will, and not apparently having enough redundancy, back-up datacenters and recovery mechanisms, is very surprising. That's why we're kind of tending towards the other answer. We don't know, but that's what we're hypothesizing.
What this is suggesting is RIM has had conceptually a potential single point of failure modality, and we saw a little bit of this almost a year ago with some of the international things that were going on over in the Middle East, as well as with who is controlling the keys and that kind of stuff. Now we have this and I can tell you that in the last three days, the number of calls that we've received is, "Okay, we're moving off of RIM." It was like "Wow, where did all of that come from?" I think it has gotten a lot of people off of the dime saying, "This is giving us the impetus; this is giving us the excuse to move to another set of platforms with distributed controls."
Business Continuity Challenges
CHABROW: From the users' perspective, companies who give their employees BlackBerries or have their employees use their BlackBerries, how much responsibility do they have to assure the continuation of their businesses when they rely on BlackBerry or some other network? Where is the responsibility from the user organization? And is there anything they really can do about that?
SCHWARTAU: This again is a very, very high-level over-arching problem that does not affect only the mobile population, but is endemic throughout every bit of IT that we have built for the last 30 years. I was just out in Vegas and I had checked into one of the hotels. Shortly thereafter, I saw a line at check-in that was hundreds of people long and I kind of asked if it was a conference. I said, "What's going on here?" They said their computers are down. So you mean that they are so reliant upon the technology that they don't have a fall-back position? They have no mechanism for graceful degradation to be able to offer their services an alternative delivery mechanism. That turned out to be true. We see this every which way. I've seen Kmart go down because the AS400, or their back-end servers are down, can't take your money, sorry folks.
That's why the architecture of IT systems is so critical, not only for when things are working but when things stop working. How do you manage that environment? We as an industry have done a horrendous job of this by and large in the last 30 years. When we move to the mobile environment, does that rule change? No; same functionalities, same problems, same issues. But how much can the user do? It depends upon the organization's policies and how much empowerment they've given it. Ultimately, if it were me, I would have another phone. I would have another means of communication, some out-of-band mechanism that I can rely on instead of being 100 percent reliant upon a single channel or single point of failure.
CHABROW: And whose responsibility is that? Is that the CEO, CIO?
SCHWARTAU: It depends upon the organization. Every organization has its hierarchy differently organized. It's going to be somewhere between telephony, networking, CISO, CSO, IT guy. It's going to be somewhere in that area, but every company has a different portion of it that's responsible for their mobile networks. There is not a single answer for that.
IT Security Implications
CHABROW: What are the implications to an organization's IT security itself when their employees don't have access through networks such as those provided by RIM?
SCHWARTAU: Again, we go back to a fall-back condition. When something goes wrong, what is your response? We spend as an industry too much time trying to make things work, and once they work kind of sit back and say, "Oh, thankfully they work," instead of investigating what happens when things go wrong. In this particular case, since everything is running through the RIM servers, the implication for security is real simple: it's availability. The availability function of the fundamental CIA Triad has disappeared from the mobile component of their enterprise. Does it affect data breaching? Probably not. Does it affect data confidentiality? Probably not. But having your systems down and having to resort to - my god - a payphone or some other mechanism of communication, a lot of people are jumping through a lot of hoops. We had a few people in our company that are on BlackBerry that had to whip out their Droids and iPhones.
Lack of Accountability
CHABROW: As I've been covering IT security over the past several years, one thing I seem to hear a lot, maybe because I'm covering mostly the government space, is that when something goes wrong no one seems to be punished for it.
SCHWARTAU: Oh, you want to talk about accountability. Accountability in security has been a laugh, absolute laugh. Getting fired for doing something stupid - how many programmers get fired for making a programming error? It doesn't happen. How many CISOs are going to get fired because they mis-architected a particular environment upon the advice of a third-party consultant involved with a vendor? They don't. If you look at some of the government stuff that has happened over the years, the FAA systems, the FBI systems, all of these systems have had billions and billions of dollars totally wasted on them, and yet people keep on moving. Accountability is something that we as a Western society are terrified to enforce. It's non-politically correct. It creates blame and ultimately the litigation and liability from potential lawsuits outweighs the cost of just letting whatever doofus caused the problem to continue doing it.
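The architectural point Schwartau keeps returning to in the interview, that availability collapses when every message runs through one channel and that an organization should keep an out-of-band fallback rather than being 100 percent reliant on a single path, is easy to state and easy to forget to build. The following is an added example, not code from the interview, from RIM, or from any BlackBerry product: a small message dispatcher that tries delivery channels in order of preference and opens a circuit breaker on a channel that keeps failing, so an outage on the primary push relay degrades gracefully to a secondary channel instead of dropping messages. The channel names ("push", "sms"), the breaker thresholds, the recipient address and the simulated outage are all constructed assumptions for illustration.

```python
"""Added example (not from the interview or any RIM/BlackBerry code):
deliver a message over the first working channel, with a per-channel
circuit breaker so a dead primary is skipped after repeated failures.
All channels, thresholds and the outage scenario below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
import time


class ChannelDown(Exception):
    """Raised by a channel's send function when delivery fails."""


@dataclass
class Channel:
    name: str
    send: Callable[[str, str], None]  # (recipient, message); raises ChannelDown
    failures: int = 0                  # consecutive failures since last success
    open_until: float = 0.0            # breaker open (channel skipped) until this time


@dataclass
class Dispatcher:
    channels: List[Channel]            # ordered by preference: primary first
    max_failures: int = 3              # failures before the breaker opens
    cooldown: float = 60.0             # seconds the breaker stays open
    clock: Callable[[], float] = time.time
    log: List[str] = field(default_factory=list)

    def send(self, recipient: str, message: str) -> Optional[str]:
        """Try channels in order; return the name that delivered, or None."""
        now = self.clock()
        for ch in self.channels:
            if ch.open_until > now:
                self.log.append(f"skip {ch.name}: breaker open")
                continue
            try:
                ch.send(recipient, message)
            except ChannelDown as exc:
                ch.failures += 1
                self.log.append(f"{ch.name} failed: {exc}")
                if ch.failures >= self.max_failures:
                    # Stop hammering a dead channel; re-probe after cooldown.
                    ch.open_until = now + self.cooldown
                    ch.failures = 0
                continue
            ch.failures = 0
            self.log.append(f"delivered via {ch.name}")
            return ch.name
        self.log.append("all channels down")
        return None


def simulate_outage() -> Tuple[List[Optional[str]], List[str]]:
    """Constructed scenario: the primary push relay is down for the whole run,
    SMS works.  Sends five alerts one second apart and returns the delivering
    channel for each, plus the dispatcher log."""
    def push_down(recipient: str, message: str) -> None:
        raise ChannelDown("push relay unreachable")

    delivered_by_sms: List[Tuple[str, str]] = []

    def sms_ok(recipient: str, message: str) -> None:
        delivered_by_sms.append((recipient, message))

    fake_now = [1000.0]  # deterministic clock for the demonstration
    d = Dispatcher(
        channels=[Channel("push", push_down), Channel("sms", sms_ok)],
        max_failures=3,
        cooldown=60.0,
        clock=lambda: fake_now[0],
    )
    results = []
    for i in range(5):
        results.append(d.send("oncall@example.org", f"alert {i}"))  # constructed recipient
        fake_now[0] += 1.0
    return results, d.log


def simulate_total_outage() -> Optional[str]:
    """Constructed scenario with no working channel: the caller gets None and
    must fall back to something outside this system (the payphone case)."""
    def down(recipient: str, message: str) -> None:
        raise ChannelDown("unreachable")

    d = Dispatcher(channels=[Channel("push", down), Channel("sms", down)])
    return d.send("oncall@example.org", "alert")


if __name__ == "__main__":
    results, log = simulate_outage()
    print(results)
    print("\n".join(log))
    print(simulate_total_outage())
```

In the simulated run every alert is delivered over SMS; the push channel is tried and fails three times, after which the breaker opens and the fourth and fifth sends skip it outright, so the outage costs one failed attempt per message at most rather than a stalled queue. The second scenario is the case the interview describes: when no channel works the dispatcher reports it instead of silently dropping the message, which is the signal that an out-of-band mechanism has to take over.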