Wednesday, July 10, 2013

Medical Device Security: Guidelines Released for Comment

In 2003 Barry Eisler released Rain Fall, his first novel.  In it, the assassin John Rain kills his target by hacking into his pacemaker using a program he installed on his PDA.  

In December 2012, the Showtime series Homeland depicted the assassination of the Vice President by having a terrorist group remotely take control of the VP's pacemaker and induce a fatal heart attack.

Last month -- finally -- the Center for Devices and Radiological Health (a center within the US Food and Drug Administration) released for comment a set of proposed guidelines to make medical devices incorporate more protections against cybersecurity attacks.  Just this week the FDA said that it is aware of dozens of cybersecurity attacks which have affected hundreds of devices...but to date it is unaware of any patients that have been harmed by such attacks.  

While the proposed guidelines are fairly benign from a security standpoint, their implementation may have a significant impact on the $300 billion medical device industry -- an industry which has always (and somewhat appropriately :) ) tipped the balance toward functionality over security.  

The guidance is located here.  Give it a looksee...and as security guys, consider commenting if you have concerns.  We can only make things better if we make our voices heard.

Monday, July 8, 2013

The Misadventures of Edward Snowden

The story of Edward Snowden continues to provide fodder for news pundits, the blogosphere, and security professionals alike.  As Mr. Snowden's exploits continue to play out, I'd like to offer some random thoughts and opinions for your consideration.  Fair warning:  it is highly likely that some of what I say will end up annoying and/or upsetting someone at some level.  Remember, these are my opinions only;  they are designed to spark conversation and dialogue.  Feel free to disagree and to (courteously) provide comment on this entry.  Here goes...

  1. Edward Snowden is not a genius.  Mr. Snowden's résumé has yet to be released publicly, but a recent New York Times article briefly described his four-year ascension from supervising computer system upgrades to "cyberstrategist."   Many of us have seen this sort of thing before, and more so in recent years.  Information Security remains a hot commodity with a low unemployment rate (well under 3% despite the economic downturn).  Many highly talented and highly skilled individuals noticed this trend in the late 2000s and began to re-tool their résumés toward information security.  Mr. Snowden, like many of his ilk, quickly parlayed a little knowledge into an opportunity;  he then continued to take advantage of those opportunities for professional gain.  This does not make Mr. Snowden a sophisticated "hacker;"  indeed, there is little evidence to date to suggest that Mr. Snowden did more than take advantage of elevated privileges to access information that was poorly compartmentalized and/or poorly secured within NSA's network.  This is less a statement of genius than it is of opportunism (which seems to be Mr. Snowden's guiding force).
  2. Edward Snowden is not a martyr nor a hero.  Let me be clear:  I have genuine and far-reaching concerns about the PRISM program and the data collection activities of our government.  As I have stated in recent posts, I believe that we as a nation surrendered too much power and authority to the federal government in a post-9/11 world...and our government has taken/is taking full advantage of that.  Even if we give Mr. Snowden the benefit of the doubt re: (a) naiveté when he went to work for the military industrial complex and/or (b) conscience when he saw what was occurring, my problem with Mr. Snowden is that he ran.  Martyrs don't run;  they suffer for their beliefs.  Heroes don't run either;  they stand in the gap and willingly face the slings and arrows of those who would disagree with their actions.  The fact that Mr. Snowden ran to foreign soil to escape prosecution for his crime -- and by violating the oaths and agreements he signed in order to receive a high clearance he did commit a crime -- labels him as neither martyr nor hero but as criminal and coward.  Worse, it casts doubt upon his motives and leads one to question whether there are other, more malevolent motives at play here...or am I the only one who can see the possible hostile intelligence storyline here? :)
  3. Edward Snowden isn't the problem.  While focusing on Mr. Snowden makes for good copy, there is a whole list of other issues/questions that are being overlooked here.  Top of head:
    • How did Mr. Snowden get the information out of NSA?  Most likely, this was via USB device...which means that USB devices were enabled on sensitive computing devices and usage was not being monitored/tracked.
    • Where is the supervision/oversight of the contracting entities and their personnel?  Regardless of duty description (even if said duties included white hat penetration of systems), appropriate oversight and process would have easily raised appropriate flags early on in Mr. Snowden's exploits.
    • What were Booz Allen Hamilton's screening and qualification criteria for its employees?  Were they too lax in their zeal to put faces in spaces and keep lucrative contracts?
    • What are the government's screening criteria for clearances these days?  The sad reality of the situation is that there has been a heightened demand for cleared workers since 9/11;  has the government backed off on its clearance requirements in order to keep up the increasing demand for cleared technical workers?
    • Where is the civilian oversight?  The very public face of this scandal for the government has been GEN Keith Alexander, Director of the NSA and head of the US Cyber Command.  While GEN Alexander's testimonies before Congress are appropriate given his posting, there remains this concept of civilian oversight of the military.  Where, then, are the various civilian leaders during this scandal?  Other than to call Mr. Snowden a traitor, they have been notable by their absence in the hearings and in speaking to the media on PRISM.  (Note:  kudos to a colleague and peer of mine for first pointing this out;  I admit freely that I missed this one out of the chute.)
While the Snowden debacle remains titillating to most, as security professionals it should remain troubling to us on multiple fronts.  In addition to being a potential case study regarding access control, permissions, information risk management, and network monitoring, it should also be a call to arms to understand the full scope of the government's powers regarding data and monitoring...and to (legally) cast a light upon potential overreach.

My two cents...