Black Unicorn on "creating liability to cure it" (Y2K/InfoSec)

Rohit Khare (rohit@fdr.ICS.uci.edu)
Tue, 19 May 1998 13:16:12 -0700


[From dee-interest. Black Unicorn knows whereof he speaks. Wanted this in the
archive --RK]

[This gets more interesting as you get further into the message... dee3]

Date: Wed, 13 May 1998 13:48:23 -0500
From: Black Unicorn <unicorn@schloss.li>

At 12:23 PM 5/13/98 , you wrote:
>At 11:52 PM -0500 5/12/98, Black Unicorn replied to Peter Gutmann as follows:
>>
>>This assumption, that this is a clear and obvious case to make in court, is
[that you could sue someone using weak crypto for lack of due care if
valueable information of yours was compromised...]
>>perhaps the cardinal sin of information security "gurus." Look. If 40 bit
>>crypto is your weakest leak you are probably in the 99th percentile of
>>corporate America. There is no case there.
>>
>>Is it secure enough for my taste? No.
>>Is it secure enough for a court? Probably.
>
>There is an article by Laura DiDio in the May 11 Computerworld, p.6, titled
>"Get lawyers, insurers to sell security plans." She cites security managers
>at 25 major corporations as advising: "Enlist the aid of company lawyers
>and insurance carriers who can graphically demonstrate the legal,
>regulatory and financial risks of lax security." You can find the full text
>at http://www.computerworld.com by searching on "lawyers insurers"

Ok, brief digression, but it's an important one. Stick with me a bit here.

I've seen the article, and infact, this approach was probably first adopted
by a friend of mine, Gary Fresen, who's a partner at Baker & McKenzie. The
tactic is a good way to sell security because it preys on business
processes. Study, Evaluate, Decide. That means do a security penetration
test, evaluate the results, and decide on a solution.

Fresen saw that this is exactly what got big automakers in trouble. They
would do a detailed safety study, find a pile of flaws, do a cost analysis,
and then decide it wasn't worth fixing. Courts would jump all over that.
"You KNEW it would save lives, and you did nothing?" The term of art is
the "smoking memo" wherein some enigneer points out that the fuel tank is
aligned wrong or some such. Fresen made his bones doing pre-litigation
defense work in this industry. Setting the firm up with a document
destruction policy, a discovery reading room, and a segregated engineering
and research team which would be covered by attorney - client privledge to
do the sensitive research. This is why sudden accelleration was never a
big case. Plaintiffs would show up with dollarsigns in their eyes and
memories of pinto in their heads and be invited in with open arms to sit
down in the discovery reading room to puruse whatever they liked. They
would find most of the key engineers who they needed for their case were on
the attorney team, and could not be called. They would find the document
destruction policy had been in place for months if not years. They would
find that all the memos which were around were written by litigation savvy
lawyers. They found that the usual leverage of imposing costly discovery
on the defendant wouldn't work anymore, because the reading room was
already there. Most settled and slinked away and sudden accelleration
became a non-issue. It fizzled.

Moving back on point, Fresen made an excellent bet a few years ago. If you
have someone (perhaps the auditors) come in and write a memo about how
horrible the security is, well then, now managers pretty much have to make
the changes don't they? And if that smoking audit memo is sitting around,
well, they need Baker & McKenzie to do pre-litigation defense prep work,
don't they? Y2K is a growing area for this kind of sales tactic. Point
being, this is a sales tactic, not legal advice. It's about _creating_
liability for the firm so you can sell liability reduction services to the
firm.

Ignore this tactic. Avoid it.

Unless your client has been foolish enough to commission an (admissable)
auditor's report detailing all the imperfections of the network, their
liability is pretty limited provided they are trying in something like good
faith to keep their network secure.

The Computer World article is about, whether it knows it or not, everything
that is wrong with the security industry right now. Selling fear, and
creating fear where there often is little. You better have the latest
version of Checkpoint Firewall-1 or your going to get sued for 200 million.

Nonsense.

Would I love to see every firm have PGP installed? Sure. Is this the way
to do it? No.

>While I am no fan of the American tort system, it has forced many sectors
>of the economy to take the potential views of courts into consideration
>when making design decisions. On the whole this has lead to better designs.
>Fear of litigation has proven to be a powerful way to get engineers to do
>their jobs properly and to get their managers to heed safety
>recommendations.

And a powerful way for security professionals to sell their wares to
clients who don't necessarily need them. Ask how many of your clients own
document shreaders which comply with, say, DoD S/TS standards. What the
heck are they spending $200,000 configuring the latest secure network for
if they don't?

>One reason that product liability has not yet affected the computer
>security industry may be the slow speed of our legal system. Look how long
>it took for the Tobacco litigation to come to fruition. But courts have
>shown considerable understanding of technical issues in recent computer
>cases.

It has nothing to do with the speed of the legal system in the United
States. It has everything to do with the dynamic nature of what actually
constitutes "due care" when it comes to information security. Show me a
software firm that will stay in the computer security software market if
you apply products liability to security software. That's a strict
liability standard. To lose a case you have to sell a product and then
have the firm's secret revealed. That's it. No discussion about
negligence. None. How could any revenue stream support that kind of
downside liability? Answer: It can't. No court is going to impose that
kind of liability unless it's through a due care requirement, and that
means taking it out of products liability's reach. It would also open the
door for firms to sue Mircosoft everytime Windows crashed and dumped the
latest merger plan causing the partner to drop out because the deadline for
bids was missed. Good luck seeing that come to pass.

>By the way, the issue here is not 40-bit crypto, but PPTP using RC4 keys
twice.

This is not the issue. Remember, negligence issues are going to be based
on how hard the company tried, not if they succeeded. That's due care.
It's the point. We don't hold them to an absolute strict liability
standard, instead we set a bar up and make them jump over that. Likewise
we don't have a strict notice requirement on potential defendants. We only
have "efforts reasonably calculated to afford notice."

The fact that PPTP is being used at all, regardless of the complex keying
issues and crypto, that it comes from a strong, well known vendor, that it
was recommended by a consultant, that the company knew it had to do
something for data security, evaluated in a cursory way and selected a
solution, that the company is probably in the top 10%, if not the top 1% of
firms, with respect to their efforts.... that is the point. It's just not
much of an effort to meet the due care requirement which, by the way,
hasn't even yet been defined very well for information protection.

>"Is it secure enough for a court?" Does your employer really want to find
out?

Of course they do. Why? It's called risk v. reward analysis. Because not
every firm out there is going to spend the $1 - $2 million needed to have a
internal CA housed in a secure facility, and >$50 a seat to install smart
card readers all over the enterprise, deploy and manage smart cards for
each employee, the thousands to develop a key management policy, comply
with FIPS 140-1 level 2 or 3 for root key generation, and so forth when
they don't even own a single document shreader and they can use PPTP for a
fraction of that kind of cost.

If you really think you're going to get courts to impose what amounts to a
best practices requirements on firms when it comes to information security,
well, you have a surprise coming.

------- End of Forwarded Message