
Information Security Matters

A Fundamental Question
Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. He can be reached at stross@riskmastersinc.com.

At the time this was written (October 2010), there had been numerous news items about conflicts over encrypted messaging between some national governments and Research in Motion, the manufacturer of BlackBerry personal digital assistants (PDAs), and with other companies that are transforming communications, such as Google, Facebook and Skype.1 These stories are rapidly evolving, and my current knowledge will surely be dated by the time this column is printed. Moreover, the ISACA Journal takes no position on geopolitical issues, and I certainly do not intend to do so now. But this issue does raise what I consider to be a fundamental issue of information security: Do corporations have the right to secure their information? Put another way, do governments have the right to compel corporations to divulge information if governments see national (or local) safety at stake?

ISACA JOURNAL VOLUME 1, 2011

Philosophy and Ethics

This is not a question of an individual's right to data privacy, which is established by law in many countries. Nor does it apply to a government agency's need to protect information; it becomes self-referential to ask whether a government has the right to see data that the government already has. Corporations, as a group, possess an extraordinary amount of information. If a government (and not necessarily the government of the place where the company is headquartered or keeps its data) asks to see information, does a company have any recourse except to hand it over? Some of a corporation's information concerns its customers, vendors and employees, and so the company has an implicit responsibility to prevent unintended use of that information. The rest of the information deals with the affairs of the enterprise itself; a corporation's shareholders have a reasonable expectation that this intellectual property will be kept secure.

At the same time, companies are a part of the world and exist in a society of states and laws. Corporations have officers and employees who must answer to the governments of the places where they live. So, when a government demands access to a company's information about itself and others, what is the company's ethical obligation?

This is as much a philosophical question as one concerning information security. The ancient philosophers also considered it, but there were no corporations in Aristotle's time.2 Thousands of years later, the Utilitarians3 held that the greatest good for the greatest number should prevail over what is best for individuals, but neither Aristotle, Jeremy Bentham nor John Stuart Mill had ever seen a corporation such as we see today. Much that has been written about the roles of governments and corporations deals with the problems of their working together,4 not with conflicts between them over the security of information. Modern corporations, especially global ones, are a creation of the 20th century, and the latter part of it at that, so there is not a great deal of literature in economics, philosophy or ethics to provide guidance. Nor would such counsel mean much more than the opinion of an individual writer (this column included).

The dilemmas some companies face today with regard to state demands for access to information go beyond the day-to-day activities of most information security professionals. When they arise, it is usually senior management or general counsel that must deal with them. But they have a practical aspect as well: How tightly secured should information be? Should access to systems and databases be so strictly controlled that no one can bypass the controls, or should they be designed with a trapdoor that could be exploited by governments and, therefore, by malefactors as well?

Good Guys and Bad Guys

This is not just an academic discussion. It is a problem that affects the telecommunications and financial services industries and many others that form a nation's critical infrastructure. As encryption has become more robust and ubiquitous, governments have become increasingly concerned that terrorists and other criminals may use secure means to perpetrate crimes. The US government is seeking to require all services that enable communications to be technically capable of complying if served with a wiretap order, including being able to intercept and unscramble encrypted messages.5 In the recent past, the Dutch and UK governments, among others, have insisted on key escrow so that they can have access to encrypted files and communications.6, 7 Any such escrow or intercept capability is a bypass of the controls built into the system itself, and it is available to whoever can obtain the escrowed keys or reach the intercept point, not only to the government that demanded it. Paradoxically, for many security practitioners, it appears that as the protection of information becomes more effective (for the good guys), there will be more government demands to circumvent security (to stop the bad guys).

Many multinational corporations do business in countries in which the governments may themselves be counted among the bad guys. Sadly, there are repressive regimes in many parts of the globe. If those states were given access to corporate information, they could use it against a corporation not only within their borders, but everywhere it conducts operations. The government could use the information to the benefit of local competitors or, worse, to harm its own citizens. What is the ethical position in circumstances such as those? Practically speaking, what are corporate executives, chief information security officers (CISOs) among them, supposed to do?

Strategic Decisions

These questions, which seem to me to have fundamental significance for information security, are highly strategic in nature. They need to be considered as a risk in every jurisdiction in which a company does business. Simply put, corporate boards and senior managers must decide the degree to which they will accede to government demands for secured information and the extent to which they will resist. And, if they choose not to comply, they must be prepared for the risk of penalties or even of ceasing operations in those countries.

Corporate CISOs ought to be contributors to these deliberations, if only so that these strategic decisions are made with as much factual understanding of the security systems involved as possible. It is my recommendation that CISOs counsel management to secure information as tightly as possible, but to be prepared to lower barriers to access when presented with legitimate state demands. Even as I write these words, I feel that this is an inadequate response, but it may be the only one. A corporation would maintain high security, except when it does not. And who is to decide when to lower the barriers, to open the trapdoor? I believe that this is a major part of the solution. Reduction of security in these special instances should be executed by only a small number of senior executives, such as general counsel or the chief financial officer (CFO). It should not be done by anyone lower, not even the CISO, on the basis of a decision transmitted from above. When the exception mechanism for security is in the hands of the most senior people in a corporation, it is less likely to be abused from below or used without significant and demanding examination of the issues involved.

Endnotes

1 Savage, Charlie; "U.S. Tries to Make It Easier to Wiretap the Internet," New York Times, 27 September 2010
2 See my earlier ISACA Journal article, "There Oughta Be a Law," vol. 6, 2006, in which I quote Aristotle's Nicomachean Ethics. He concludes that the interests of the state outweigh those of the individual.
3 Bentham, Jeremy; An Introduction to the Principles of Morals and Legislation, 1780
4 For example, see Veblen, Thorstein; The Theory of the Leisure Class: An Economic Study of Institutions, 1899
5 Op. cit., Savage
6 Van Buuren, Jelle; "Dutch Government Puts Trusted Third Parties Under Pressure," 8 May 2001, www.heise.de/tp/r4/artikel/7/7571/1.html
7 Parkins, Keith; "UK Proposals for a Key Escrow Encryption System," July 1996, http://home.clara.net/heureka/sunrise/ukescrow.asc

