Spanking the pirates of corporate security? Try a Plimsoll
Execs don't care to keep things shipshape if they don't see a return... so let's MAKE them
On New Year's Eve 2019, the good ship Travelex struck the iceberg of ransomware. That's not a good metaphor, to be honest: when the SS Titanic hit its frozen nemesis, it had the good taste to unambiguously sink in two hours and 40 minutes. Not so Travelex.
At the time of writing, more than two weeks after the lights went out, our hapless company remains a ghost ship. A better maritime metaphor is more Johnny Depp than Leonardo DiCaprio: a spectral pirate horde has boarded the ship and through the witchcraft of crypto turned its engines to ectoplasm. What of the lifeboats of backup? Whence the rescue fleet of disaster recovery? While the enchantment persists, none dare tell.
Getting hit by ransomware is a complex business. It's not just that you wake up and find your data turned into gibberish more incomprehensible than a Guardian editorial. If the pirates have done their job, your infrastructure config has gone too. You no longer have a network, you have a global collection of second-hand Dell Optiplexes fit only for eBay. At least they've been securely wiped at no extra charge.
The absolute defence against ransomware is a decent backup strategy. This is like saying the best defence against death is a healthy lifestyle: true but missing the point. A decent backup strategy is very expensive. You must constantly check the backups are sound and can be restored. You must maintain integrity across the dynamism of your changing infrastructure and app framework. You must make sure the backups themselves are secure against intruders.
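The three checks the paragraph above names (backups are sound, backups can be restored, backups are secure against intruders) can be automated. The following is an added example, not code from the article or from Travelex: it builds a SHA-256 manifest for a backup tree, signs the manifest with an HMAC key assumed to be held off the backup host, verifies the tree against it, and proves restorability by restoring into a scratch directory and verifying the copy rather than the original. The file names, the key and the "constructed" backup contents in `demo()` are all made up for the example; the corruption it simulates is a single file overwritten with random bytes, and a manifest regenerated without the real key, to show what each check catches.

```python
"""Backup verification: signed manifest, integrity check, and restore test."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

# The HMAC key is assumed to live OFF the backup host (secret store named in
# the restore runbook). An intruder who can rewrite backup files must not
# also be able to rewrite the manifest that vouches for them.
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(backup_dir: Path) -> dict:
    """Map relative path -> Path for every regular file except the manifest."""
    return {
        str(p.relative_to(backup_dir)): p
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Record the hash of every file in the backup and sign the listing."""
    files = {rel: sha256_file(p) for rel, p in _listing(backup_dir).items()}
    body = json.dumps(files, sort_keys=True).encode()
    manifest = {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest))
    return manifest


def verify_backup(backup_dir: Path, key: bytes) -> dict:
    """Check the manifest signature, then every file against its recorded hash."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    expected = manifest["files"]
    body = json.dumps(expected, sort_keys=True).encode()
    mac_valid = hmac.compare_digest(
        hmac.new(key, body, "sha256").hexdigest(), manifest["mac"])
    present = _listing(backup_dir)
    missing = sorted(set(expected) - set(present))
    extra = sorted(set(present) - set(expected))
    modified = sorted(rel for rel in expected.keys() & present.keys()
                      if sha256_file(present[rel]) != expected[rel])
    ok = mac_valid and not (missing or modified or extra)
    return {"ok": ok, "mac_valid": mac_valid, "missing": missing,
            "modified": modified, "extra": extra}


def restore_test(backup_dir: Path, key: bytes) -> bool:
    """A backup only counts if the RESTORED copy verifies, not just the source."""
    if not verify_backup(backup_dir, key)["ok"]:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "restore"
        shutil.copytree(backup_dir, dest)  # stand-in for the real restore job
        return verify_backup(dest, key)["ok"]


def demo() -> dict:
    """Constructed scenario: clean backup, then one corrupted file, then a forged manifest."""
    key = b"constructed-demo-key-keep-off-the-backup-host"
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "etc").mkdir(parents=True)
        (backup / "etc" / "switch01.cfg").write_text("hostname switch01\n")  # constructed
        (backup / "db.dump").write_bytes(b"-- constructed dump --\n" * 100)
        build_manifest(backup, key)
        clean = verify_backup(backup, key)
        restorable = restore_test(backup, key)
        # Simulated corruption: the dump's bytes replaced with random data.
        (backup / "db.dump").write_bytes(os.urandom(64))
        corrupted = verify_backup(backup, key)
        # Manifest regenerated without the real key: hashes now "match",
        # but the signature does not, so the backup is still rejected.
        build_manifest(backup, b"not-the-real-key")
        forged = verify_backup(backup, key)
    return {"clean_ok": clean["ok"], "restorable": restorable,
            "corrupted_modified": corrupted["modified"],
            "forged_mac_valid": forged["mac_valid"], "forged_ok": forged["ok"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is in `verify_backup`: a hash listing alone proves nothing if whoever can rewrite the backup can also rewrite the listing, so the listing is signed with a key the backup host never holds, and `restore_test` insists the restored copy pass the same check, because a backup that cannot be brought back is just more ectoplasm.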
So it is a cheap shot to say: "Where was your backup?" It's a cruel barb to ask why your company management is incapable of telling anyone, customers or staff, what in Neptune's locker is going on. Let nobody say El Reg is beyond cheap shots or cruel barbs: Travelex, you suck harder than Waterworld. In a competitive field of corporate IT fail, your name will go down in infamy as a lesson for the ages.
Backup a minute - did nobody call the DR?
But why? Why did nobody do the sums comparing the insurance of proper disaster recovery against the massive costs of cocking it up this badly? Depending on which bunch of stat-slingers you suspect of least incompetence, somewhere between a quarter and a third of companies worldwide are hit by ransomware annually – it's just that most of the attacks are limited to a few workstations. Ransomware has been a known and credible threat since 2006, after all. There's no excuse, but there is a reason. This quarter's profit is more important than next year's survival, duh.
In many industries, the Darwinian consequences of 90-day myopia are minimal. It's a tragedy for employees when a company goes bust because of mismanagement, and a problem for customers and suppliers alike, but beyond that? Mehsville. In other industries, where economic disruption or human suffering are in play, we've learned to rein in the unfettered madness of pure capitalism through regulation.
Travelex is a financial company and thus works in a sector more heavily regulated than most. Its failure, like the more serious case of Boeing's 737 Max - we shall be returning to that fustercluck at a later date, oh yes we shall - is not solely its own. Financial regulators seem barely capable of regulating finance, let alone the IT systems behind it.
The failure of regulators to regulate is not new, nor the causes mysterious. Regulators are underfunded, so cannot match the potency in lobbying, PR and straightforward evil of industry. The only pool of top-notch practical expertise that a regulator needs to be effective is the industry it polices, so people move from top jobs as poachers to top jobs as gamekeepers and vice versa through the legendary revolving doors. Regulatory capture – where an industry gains control of its own police force – is one of the primary structural problems of liberal democracy. It may yet kill us all.
There is a fix. Let's return to that early crucible of mercantile commerce, maritime trade. If you're a trader, it's a great temptation to overload your ship. It will probably not sink, so you'll probably make more money. Marine archaeologists have found evidence of the consequences of this philosophy going back millennia. You can't see inside a hull from outside, and it's damnably intrusive to impound a ship on suspicion and force the unloading and weighing of its cargo - although regulators are thought to have tried that since the late Bronze Age. Tax on trade paid for kings, so kings like protecting it.
In those times of surprisingly sophisticated international maritime systems, researchers say that a balance was struck between the laws favoured by states and the "more direct justice" individuals preferred when wronged.
So what could a regulator do in more civilised times to achieve the same balance? Samuel Plimsoll, a 19th-century Liberal MP, had the answer – his eponymous Line, a diagram drawn on the side of a ship that showed the maximum displacement for various sea conditions. If a ship was overloaded, then a casual glance at its hull in port would show it sitting too low in the water. Anyone could read it and report the problem – and the knowledge that any pair of curious eyeballs could scupper an overloaded ship was largely enough to discipline the captains.
This principle of open regulation is what's needed in corporate tech. Some companies already recognise this: if you want lots of people to check up on you, have a bug bounty. It's not as if it doesn't happen anyway. Researchers claim to have told Travelex in September that it had five-month-old open vulnerabilities known to be exploited by the attackers who got through. Travelex did nothing.
Compulsory bug bounties would fix this. The principle of ethical disclosure of vulnerabilities in software is well known: the vendor is contacted privately with evidence of the problem and given a window to quietly remediate it. If no fix is forthcoming, then the world is told. Apply the same principle but with regulatory force to companies providing any service, and we have a digital Plimsoll line. I find a hole in your security, I tell you and the regulator at the same time. The regulator pays me my bounty, and fines the company – at this stage, a small amount, more a speeding ticket than anything else. Non-payment by the company, and non-remediation, results in heavier sanctions.
That would have saved Travelex. It would promote a cadre of eyeballs and a healthy fear of embarrassment among CIOs. It would give regulators the scope and expertise they need, independent of the companies they regulate. Yes, there would need to be safeguards against malicious or false reporting: no, those aren't onerous.
At sea as in commerce, the best defence against both icebergs and pirates is a sharp look-out. Let's get on watch. ®